Re: [tor-talk] tor-blocking sites
Sorry for my delayed response. I got a little behind in my email.

Mr Dash Four wrote:

>> Scroogle is currently having trouble scraping Google. Maybe Dash Four's problems with it are unrelated to Tor?
>
> Nope. I am well aware of this and it isn't an issue which just popped yesterday or a week ago - it has been going on for months (scraping Google, that is). I am also aware that Scroogle has a limited (I think about 6-7) number of servers.

Yes. There is a clear difference between the two issues. When Scroogle is having trouble with Google you get a "Sorry ... please wait ten minutes ..." page rather than getting no response at all.

> What I meant with my initial post though is that Scroogle started blocking tor exit nodes recently - about a week or so ago. I know that, because I tried to access it at the same time (via different machines) and all requests which used Tor exit nodes were timing out (or giving me 502) - without exception, while the normal requests (using my own IP address) made at the same time passed through to Scroogle instantaneously! This cannot be a coincidence.

My issues with Scroogle have been going on for over two months. (Irritatingly enough, I started having problems with Scroogle immediately after I finally got around to giving them a small donation.) My experience is that at any given time they are blocking most but (usually) not all Tor exits. If I am patient enough, Tor sometimes finds an exit that works. I have sometimes made a stab at what exit worked and used MapAddress to force that exit, which usually works for a while. I have also sometimes used Tor - Web Proxy - Scroogle, but usually before I get to that point I just use IxQuick (which is painfully slow on dial-up).

Jim

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] tor-blocking sites
I must say that I believe tor should be working to try to defeat/get around tor blocking. You DO realise that as more and more sites block tor as a matter of course it makes tor less and less useful, right? It then becomes very simple for governments to defeat anonymity services like tor entirely by simply requiring by law that tor exits be blocked by any number of important internet infrastructure sites.

What use is tor if every site you want to connect to via tor blocks you? May as well simply terminate the tor project for all the use it is.

On Monday, February 06, 2012 02:24:31 PM Mr Dash Four wrote:

> I am sick of them all! Initially, there was a small number of these in the wild, but now it is widely spread - google is the main offender, but youtube (which is, as we all know, google-owned) and now, wait for it, scroogle.org (a site I use a lot) is also at it!
>
> Tor-blocking could be very easy to implement by parsing cached-descriptors{.new} to see all exit nodes and then add them to a blacklist and start blocking. Is there anything which can be done to prevent this?
>
> I am thinking of something similar to what is currently in existence with the bridge system - you don't know them all, just a portion of it, enough to connect you to the network. Could something similar be implemented with tor?
Re: [tor-talk] tor-blocking sites
On Thu, Feb 9, 2012 at 16:22, Praedor prae...@yahoo.com wrote:

> I must say that I believe tor should be working to try to defeat/get around tor blocking.

To me, the exit bridge concept mentioned by Roger Dingledine above sounds extremely attractive. On the surface of it, there doesn't have to be a complex relaying/discovery decoupling implementation, too — just a user-specified extra hop from the exit node.

Transient entry bridges take care of government / organization-level anti-anonymity censorship, transient exit bridges handle site-level anti-anonymity censorship, and persistent core Tor network provides anonymity per se.

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
Re: [tor-talk] tor-blocking sites
Thus spake Maxim Kammerer (m...@dee.su):

> On Thu, Feb 9, 2012 at 05:44, Mike Perry mikepe...@torproject.org wrote:
>
>> If you read the ticket, the design sketch does not require constant CPU burning. You would only use the CPU until you built up a sufficient pile of tokens, and you would only do that intermittently.
>
> Not to raise unnecessary skepticism, but has proof-of-work ever been successfully deployed for anything in the real world (besides for proof-of-work per se — i.e., Bitcoin)?

As far as I know, no one has ever tried it. Some academics once pointed out that proof-of-work would not work for email, but that was primarily because email is often one-to-many. They did not consider one-to-one activity (like web page access) in their analysis. Perhaps everyone simply read their work and just assumed proof-of-work could never work for anything?

https://trac.torproject.org/projects/tor/ticket/4666#comment:6

> Did you try to estimate how much CPU work would get one a token once such system is deployed full-scale, with spammers (possibly with botnets) competing for resources? E.g., you can get a rule-of-thumb estimate by putting some dollar value on a token, and looking at the generic-CPU work required for an equivalent Bitcoin amount.

The proposed system has two knobs that site admins can use: computation quantity, and computation freshness. As scraping abuse increases, admins would be free to set the price higher as needed, and require more recent, fresh computation as needed. When abuse is low, the requirements can be turned down.

I created these two knobs because what we have seen over the years is that scraping abuse over Tor is not constant. Every few months, some jerk decides "Hey, I know, I'll scrape $SITEX and resell the data and make MEEELIONS", until the bans or captchas go up and they shut down. Then, all is quiet until the bans expire and the next jerk gets the idea a few months later.

At least, this is the pattern that the Scroogle admin sees. I assume the situation is similar with Google directly, but they are very tight lipped.

> Perhaps captchas might look more appealing after that.

Captchas currently cost anywhere from $0.01 to $0.001 to solve. Yes, that's 1/10 of 1 US cent each: https://krebsonsecurity.com/2012/01/virtual-sweatshops-defeat-bot-or-not-tests/

If they are working at all now, they work only because they marginally raise the cost of bulk scraping enough to slow scraping crawls and reduce the server load back to acceptable levels. I think tunable proof-of-work could easily beat this very low bar, with much less hassle for users.

--
Mike Perry
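Added example (not from this thread or from ticket 4666): a Python illustration of the two knobs described in the message above, computation quantity and computation freshness, from the point of view of a site that accepts proof-of-work tokens instead of banning exit IPs. The hashcash-style SHA-256 puzzle, the HMAC-signed challenge and all names (`issue_challenge`, `mint`, `token_bits`, `Verifier`) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SERVER_KEY = os.urandom(32)  # site secret (assumption: one key per site)

def _mac(ts: bytes, salt: bytes) -> bytes:
    return hmac.new(SERVER_KEY, ts + b"." + salt, hashlib.sha256).hexdigest().encode()

def issue_challenge(now: int) -> bytes:
    """Site side: hand out a signed, timestamped challenge."""
    ts, salt = str(int(now)).encode(), os.urandom(8).hex().encode()
    return b".".join([ts, salt, _mac(ts, salt)])

def token_bits(challenge: bytes, nonce: int) -> int:
    """Leading zero bits of SHA-256(challenge:nonce), i.e. the work spent."""
    digest = hashlib.sha256(challenge + b":" + str(nonce).encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def mint(challenge: bytes, bits: int) -> int:
    """Client side: search for a nonce that meets the requested price."""
    nonce = 0
    while token_bits(challenge, nonce) < bits:
        nonce += 1
    return nonce

class Verifier:
    """Site side: the admin tunes min_bits (quantity) and max_age (freshness)."""

    def __init__(self, min_bits: int, max_age: int):
        self.min_bits, self.max_age = min_bits, max_age
        self.spent = set()  # tokens already redeemed

    def check(self, challenge: bytes, nonce: int, now: int) -> str:
        try:
            ts, salt, mac = challenge.split(b".")
            issued = int(ts)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(mac, _mac(ts, salt)):
            return "forged"      # challenge was not issued by this site
        if issued > now or now - issued > self.max_age:
            return "stale"       # computation is older than the admin allows
        if token_bits(challenge, nonce) < self.min_bits:
            return "too_cheap"   # below the price currently required
        if (challenge, nonce) in self.spent:
            return "replayed"
        self.spent.add((challenge, nonce))
        return "ok"

if __name__ == "__main__":
    now = 1_328_800_000          # constructed timestamp
    ch = issue_challenge(now)
    n = mint(ch, 12)             # about 4096 hashes on average
    site = Verifier(min_bits=12, max_age=600)
    print(site.check(ch, n, now + 30), site.check(ch, n, now + 31))
```

Because the challenge is signed and timestamped by the site, work cannot be done before the challenge is issued, which is what lets `max_age` act as a freshness requirement rather than a client-supplied claim.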
Re: [tor-talk] tor-blocking sites
> Currently, what happens is that sites just ban/blacklist the IPs, often automatically and forever.

Yep!

> Scroogle
> Scroogle is currently having trouble scraping Google. Maybe Dash Four's problems with it are unrelated to Tor?

Nope. I am well aware of this and it isn't an issue which just popped yesterday or a week ago - it has been going on for months (scraping Google, that is). I am also aware that Scroogle has a limited (I think about 6-7) number of servers.

What I meant with my initial post though is that Scroogle started blocking tor exit nodes recently - about a week or so ago. I know that, because I tried to access it at the same time (via different machines) and all requests which used Tor exit nodes were timing out (or giving me 502) - without exception, while the normal requests (using my own IP address) made at the same time passed through to Scroogle instantaneously! This cannot be a coincidence.

If you do not believe me - see it for yourself - initiate at least a couple of simultaneous requests (so that you can engage as much of Scroogle's servers as possible at one time) using Tor exit nodes and do the same using your own IP address and see what happens.

> I would like to see a list of sites that block Tor. We can then try to contact them individually to discuss potential alternative strategies.

I will try and prepare such a list of sites I have encountered blocking Tor and post it here.
Re: [tor-talk] tor-blocking sites
On 09.02.2012 01:19, Mr Dash Four wrote:

> What I meant with my initial post though is that Scroogle started blocking tor exit nodes recently - about a week or so ago.

One of the Scroogle guys posted on this list in the past about his efforts to allow legitimate Tor users. Probably a good idea to dig that up and email him so he can explain (and we can maybe find a solution together).

--
Moritz Bartl
https://www.torservers.net/
Re: [tor-talk] tor-blocking sites
On Wed, 08 Feb 2012 23:13:44 +0100 Moritz Bartl mor...@torservers.net wrote:

> I believe it's more important to make it easy for people to detect Tor and deal with it differently in the first place. The second step then is to provide useful alternatives to blocking.

Perhaps someone wants to implement nymble, http://cgi.soic.indiana.edu/~kapadia/nymble/index.php

> Currently, what happens is that sites just ban/blacklist the IPs, often automatically and forever. When people report abuse to us, I have a hard time helping them. All I can do is point them to the DNSBL and the Bulk List Exporter, and ask kindly to not block these IPs for too long, but most likely they will load it into their iptables and that's that. My vision would be a Wordpress plugin that lets me choose to deal with Tor users differently, say, automatically require moderation on comments.

Lots of the sites I encounter with tor blocks are either using cloudflare[0], project honeypot/bad behavior[1], or some logic to determine an unacceptable threshold of queries per unit of time per ip address (see google, linkedin, yahoo, amazon, etc)

[0] https://www.cloudflare.com/features-security
[1] http://bad-behavior.ioerror.us/

--
Andrew
http://tpo.is/contact
pgp 0x74ED336B
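Added example, not part of any post in this thread: one way a site could apply the alternatives discussed in the message above, treating known exit addresses differently (moderating writes, challenging heavy use) and giving other over-threshold IPs a ban that expires instead of a permanent one. The exit-list text is constructed, its one-address-per-line format is an assumption, and the names (`load_exits`, `Policy`) are hypothetical.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample list (documentation address ranges only).
EXIT_LIST_TEXT = """\
# constructed sample, one exit address per line
192.0.2.10
192.0.2.77
not-an-address
2001:db8::5
"""

def load_exits(text):
    """Parse an exit list, skipping comments, blanks and malformed lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return exits

class Policy:
    """Per-IP request threshold with a graded response for Tor exits."""

    def __init__(self, exits, limit, window, ban_ttl):
        self.exits, self.limit = exits, limit
        self.window, self.ban_ttl = window, ban_ttl
        self.hits = defaultdict(deque)   # address -> recent request times
        self.banned_until = {}           # address -> expiry time of the ban

    def decide(self, ip, method, now):
        addr = ipaddress.ip_address(ip)
        if self.banned_until.get(addr, 0) > now:
            return "block"
        recent = self.hits[addr]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()             # forget requests outside the window
        over = len(recent) > self.limit
        if addr in self.exits:
            # Shared exit address: never ban it, raise the cost instead.
            if over:
                return "challenge"
            return "moderate" if method == "POST" else "allow"
        if over:
            self.banned_until[addr] = now + self.ban_ttl  # the ban expires
            return "block"
        return "allow"

if __name__ == "__main__":
    policy = Policy(load_exits(EXIT_LIST_TEXT), limit=3, window=10, ban_ttl=60)
    for t, method in enumerate(["GET", "POST", "GET", "GET"]):
        print(t, method, policy.decide("192.0.2.10", method, t))
```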
Re: [tor-talk] tor-blocking sites
Thus spake Andrew Lewman (and...@torproject.org):

> On Wed, 08 Feb 2012 23:13:44 +0100 Moritz Bartl mor...@torservers.net wrote:
>
>> I believe it's more important to make it easy for people to detect Tor and deal with it differently in the first place. The second step then is to provide useful alternatives to blocking.
>
> Perhaps someone wants to implement nymble, http://cgi.soic.indiana.edu/~kapadia/nymble/index.php

I admit I haven't read all of the various iterations of the Nymble literature, but every one I've looked at so far seems to start with "Assume you have some expensive, scarce resource. Let's say IP address..."

Even if they blind it properly with some clever distributed trust scheme that requires multiple colluding parties to divulge the entire Tor userbase IP list, it seems to me that IPv4 addresses aren't really scarce when you're talking about one-time use only to obtain a Nym that can be used for a while.

Therefore, my current thinking in https://trac.torproject.org/projects/tor/ticket/4666 is that if we can authenticate computation as the scarce resource, why do we even need a full Nymble server? At best it *might* ease implementation for account banning, but it probably would just add another point of failure and useless complexity.

Am I wrong?

--
Mike Perry
Re: [tor-talk] tor-blocking sites
On Wed, Feb 08, 2012 at 07:59:08PM -0800, Mike Perry wrote:

> Thus spake Andrew Lewman (and...@torproject.org):
>
>> On Wed, 08 Feb 2012 23:13:44 +0100 Moritz Bartl mor...@torservers.net wrote:
>>
>>> I believe it's more important to make it easy for people to detect Tor and deal with it differently in the first place. The second step then is to provide useful alternatives to blocking.
>>
>> Perhaps someone wants to implement nymble, http://cgi.soic.indiana.edu/~kapadia/nymble/index.php
>
> I admit I haven't read all of the various iterations of the Nymble literature, but every one I've looked at so far seems to start with "Assume you have some expensive, scarce resource. Let's say IP address..."

Just to add to your sense of inadequacy, a nice new addition was presented at NDSS today: https://www.cs.indiana.edu/~kapadia/publications.html#blacr

But, yes, if people can generate at virtually no cost arbitrary numbers of new IDs from which they can register, then it won't matter what controls are placed on the registered users by the nym system.

> Even if they blind it properly with some clever distributed trust scheme that requires multiple colluding parties to divulge the entire Tor userbase IP list, it seems to me that IPv4 addresses aren't really scarce when you're talking about one-time use only to obtain a Nym that can be used for a while.
>
> Therefore, my current thinking in https://trac.torproject.org/projects/tor/ticket/4666 is that if we can authenticate computation as the scarce resource, why do we even need a full Nymble server? At best it *might* ease implementation for account banning, but it probably would just add another point of failure and useless complexity.
>
> Am I wrong?

Not sure in practice. Incentives and tolerance for users is tricky business. Note however that Nymble and its ilk are generally independent of what the scarce resource is, so if your suggestion works, it should be compatible.

As to your question, a main contribution of work in this area is that one establishes revocable credentials for clients. So if computation is a scarce resource, it would be one that clients need spend only rarely. Once they have the credential, they can log in without that expense as long as they behave. I defer to others whether this advantage is worth the costs and risks for particular cases.

aloha,
Paul
Re: [tor-talk] tor-blocking sites
On Wed, Feb 8, 2012 at 9:19 PM, Mr Dash Four mr.dash.f...@googlemail.com wrote:

> Nope. I am well aware of this and it isn't an issue which just popped yesterday or a week ago - it has been going on for months (scraping Google, that is). I am also aware that Scroogle has a limited (I think about 6-7) number of servers.
>
> What I meant with my initial post though is that Scroogle started blocking tor exit nodes recently - about a week or so ago. I know that, because I tried to access it at the same time (via different machines) and all requests which used Tor exit nodes were timing out (or giving me 502) - without exception, while the normal requests (using my own IP address) made at the same time passed through to Scroogle instantaneously! This cannot be a coincidence.

Scroogle may give 403 because of mod-evasive. Still, that doesn't explain the timeouts. :\
Re: [tor-talk] tor-blocking sites
> I am sick of them all! Initially, there was a small number of these in the wild, but now it is widely spread

It was nice when things were not blocked as much. Keep in mind that in the last three years or so Tor has gained significant usage among the general public. That means more Joe/Jane jerkoffs harassing and generally making a mess of things via Tor. Cracking and spam have always been what they are, and are not much trouble. But being a turd invokes helpdesks and policy and management and even LE. Especially on social2.0 sites... facebook, twitter, dating, forums, etc.

I don't think anyone really knows their blocking models. One would hope it is not blanket Tor. But per ticketed IP address with an expiry period. Better yet, just nuke the offending account so as to leave the IPs free for the good users.

Torproject could speak up here as to the general contents of their dns exit query system logs... say, out of the 20 most popular social, dating, resource, etc sites... we see bulk queries from n of them. Not sure I agree with the provision of such a service other than it would be done anyways, so why not. And presumably any big service would in-house it.

You can always open a counter-ticket to unblock the IP, at least that way you force them to include that class in their monthly desk report :)

And anyone who lives in the same city as the HQ of these sorts of sites may wish to inquire about making a presentation to their executive management on the matter, and on Tor itself. Torproject maintains a media archive that could be useful in your preparations.
Re: [tor-talk] tor-blocking sites
On Mon, 2012-02-06 at 19:24 +, Mr Dash Four wrote:

> I am sick of them all! Initially, there was a small number of these in the wild, but now it is widely spread - google is the main offender, but youtube (which is, as we all know, google-owned) and now, wait for it, scroogle.org (a site I use a lot) is also at it!
>
> Tor-blocking could be very easy to implement by parsing cached-descriptors{.new} to see all exit nodes and then add them to a blacklist and start blocking. Is there anything which can be done to prevent this?
>
> I am thinking of something similar to what is currently in existence with the bridge system - you don't know them all, just a portion of it, enough to connect you to the network. Could something similar be implemented with tor?

Yes. There are plenty of lists of open single-hop SOCKS proxies, and software exists to chain SOCKS proxies. Just create a chain in some such software that is Tor - any open proxy, and you've circumvented such a block.
Re: [tor-talk] tor-blocking sites
> Yes. There are plenty of lists of open single-hop SOCKS proxies, and software exists to chain SOCKS proxies. Just create a chain in some such software that is Tor - any open proxy, and you've circumvented such a block.

How? The exit node regularly changes and I'll be chasing shadows.