Re: Tor & application-firewall support

2012-04-24 Thread Jordon Bedwell
On Tue, Apr 24, 2012 at 5:40 PM, Sam Smith wrote:
> Isn't Android Linux based?

Just because it's loosely based on Linux does not mean it is close to
the same Linux, the same type of Linux or even close to the same build of
Linux.  Though with this latest release of the Linux kernel we are a
step closer to them being a bit closer to the same, and with the next
even closer, but they will never be even close to the same Linux.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


RE: Tor & application-firewall support

2012-04-24 Thread Sam Smith

Isn't Android Linux based?

Whisper Monitor is an application firewall that is designed for Android. Can't
this be adapted for Ubuntu?

Twitter purchased Whisper Systems and reports are that they plan to open source 
the products 
http://www.andhrabreakingnews.com/twitter-plans-to-open-source-android-security-products/

Date: Tue, 24 Apr 2012 08:58:20 -0500
From: gut...@earthlink.net
To: ubuntu-devel-discuss@lists.ubuntu.com
Subject: Re: Tor & application-firewall support

On 2012-04-24 8:03 AM, John Moser wrote:

On 04/24/2012 08:49 AM, Paul Campbell wrote:

There's been some discussion on this mailing list about
application-firewalls, and I wanted to say a word about Ubuntu's
inability to filter internet connections at the application-level.

It's doable, just not pretty.



Re: Tor & application-firewall support

2012-04-24 Thread Guthro

On 2012-04-24 8:03 AM, John Moser wrote:


On 04/24/2012 08:49 AM, Paul Campbell wrote:

There's been some discussion on this mailing list about
application-firewalls, and I wanted to say a word about Ubuntu's
inability to filter internet connections at the application-level.


It's doable, just not pretty.


I work as a freelance journalist. On many occasions I recommend the use
of Tor to sources in middle eastern and southeast Asian countries. For
their own safety, they need an anonymous way to upload things to the
internet and in general to communicate online.


Immediately assuming you've got the technical profile of a ZDNet 
columnist.




When needing to use Tor, the source will activate the firewall
software's user-created "Tor Profile" and then start a Tor browsing
session. When finished browsing, the source will close Tor and change
the firewall settings from the "Tor Profile" back to the default profile
which in general allows all applications to connect to the internet.
This setup ensures that no other applications "accidentally" connect to
the internet during an active Tor session and "reveal" the source's true
IP address.



Vacuous.

A connection from your IP address doesn't "reveal" your source 
address.  The source address from your computer is stamped on every 
TOR packet:  it's possible to determine that you're using TOR, 
regardless. Blocking other connections unrelated to TOR won't hide 
what you're doing under TOR; and having other connections (say to your 
e-mail, IRC, P2P, non-sensitive Web sites, etc.) doesn't jeopardize 
the secrecy of your TOR connection.


Aside, has anyone considered that actively aiding a sovereign nation's 
population in accessing materials restricted from the general 
population's view is an active attack on that nation's procedurally 
declared national security, and a direct act of war?  Not defending 
tyranny, just saying:  you are committing an act of war.


Rubbish. It's not even hacking, and only tyrannies claim hacking is an 
act of war.


This is merely working around threats to minimal privacy.

If we have extradition treaties with these people, it's perfectly 
reasonable for you to be arrested and shipped over there; and if our 
government refuses to do so, then the logical response in kind is for 
them to start bombing our soil.


More rubbish. Who is "our", kemosabe? You need to get over that militarism.


Some things are worth getting bloody for, and some things carry the 
implications but in practice those implications never pan out.  You 
probably won't get extradited and nobody is going to start lobbing 
nukes just because of people helping crack the Great Arab Firewall.  
They could though; it's actually a reasonable response.


No, these claims are literally hysterical. Also wrongheaded: we have a 
civic duty to help people whose civil liberties are compromised.


PB

-

Sincerely,

Paul Campbell



Re: hang in failsafe.conf on precise

2012-04-24 Thread Evan Huus
On Tue, Apr 24, 2012 at 6:39 AM, Christoph Mathys wrote:

> I just encountered some problems with very long boot times on precise.
> failsafe.conf just hangs until the timeout has elapsed.
>
> The culprit seems to be that I define interfaces in
> /etc/network/interfaces that do not exist when I'm testing in kvm
> (ifup -a fails). This then seems to prevent static-network-up from being
> emitted. I'm not quite sure why this event is never emitted. Is
> static-network-up only emitted if the job networking ("exec ifup -a")
> runs successfully? (I've disabled network-interface.conf)
>

The static-network-up event is emitted by ifup using the
/etc/network/if-up.d/upstart script, and I believe it's only emitted when
all the 'auto' interfaces in /etc/network/interfaces are successfully
brought up (upstart is more my area than networking). The event is
necessary for boot to proceed safely, so if it doesn't happen, nothing past
that point will run until the failsafe kicks in after 120 seconds (which is
what you're seeing).


> As a workaround I think I'll just disable failsafe.conf and write my
> own job which immediately emits the static-network-up event.


You don't have to disable failsafe.conf. As long as something emits
static-network-up in a reasonable amount of time it won't cause any
problems, and it's useful to have active in other cases.

Writing another job that immediately emits the static-network-up event is
problematic in that it may be run before any network interfaces have
actually been brought up. This will cause all sorts of trouble for jobs
that start expecting to find active interfaces but then can't.

I believe the correct thing to do in this case is to remove the offending
entries from /etc/network/interfaces, since they're apparently unnecessary
in this particular environment. If there's some reason you'd rather not,
try sending an email to the upstart-devel [1] mailing list. Someone there
might know a better workaround.

Cheers,
Evan

[1] https://lists.ubuntu.com/mailman/listinfo/upstart-devel
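
A check for the cause Evan describes, added here as an example and not taken from the thread or from Ubuntu's own scripts: it lists the 'auto' interfaces in /etc/network/interfaces that are absent from the running system, so you can see which entries are holding static-network-up back. The sysfs directory is a parameter so the constructed sample in demo() runs anywhere.

```shell
#!/bin/sh
# Diagnostic for the hang described above: list the 'auto' interfaces named in
# an /etc/network/interfaces file that do not exist on this system. ifup -a
# fails on them, /etc/network/if-up.d/upstart never emits static-network-up,
# and boot waits for the 120 s failsafe. Reads only; changes nothing.
# Usage: missing_auto_ifaces /etc/network/interfaces [/sys/class/net]
missing_auto_ifaces() {
  ifaces_file="$1"
  sysfs_net="${2:-/sys/class/net}"
  # 'auto' and 'allow-auto' lines may name several interfaces; drop comments.
  sed -e 's/#.*//' "$ifaces_file" \
    | awk '$1 == "auto" || $1 == "allow-auto" { for (i = 2; i <= NF; i++) print $i }' \
    | sort -u \
    | while read -r ifname; do
        [ -d "$sysfs_net/$ifname" ] || echo "$ifname"
      done
}

# Constructed sample, not a real configuration: a guest whose fake sysfs tree
# has only lo and eth0, with an interfaces file that also expects eth1 and br0.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/net/lo" "$tmp/net/eth0"
  cat > "$tmp/interfaces" <<'EOF'
auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp
auto eth1   # present on the real hardware only
iface eth1 inet static
    address 192.0.2.10
    netmask 255.255.255.0
allow-auto br0
EOF
  missing_auto_ifaces "$tmp/interfaces" "$tmp/net"
  rm -rf "$tmp"
}
```

Run it against the real files on the guest (`missing_auto_ifaces /etc/network/interfaces`) and every name it prints is an entry to drop from the file, as Evan suggests.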


Re: Tor & application-firewall support

2012-04-24 Thread John Moser


On 04/24/2012 08:49 AM, Paul Campbell wrote:

There's been some discussion on this mailing list about
application-firewalls, and I wanted to say a word about Ubuntu's
inability to filter internet connections at the application-level.


It's doable, just not pretty.


I work as a freelance journalist. On many occasions I recommend the use
of Tor to sources in middle eastern and southeast Asian countries. For
their own safety, they need an anonymous way to upload things to the
internet and in general to communicate online.


Immediately assuming you've got the technical profile of a ZDNet columnist.



When needing to use Tor, the source will activate the firewall
software's user-created "Tor Profile" and then start a Tor browsing
session. When finished browsing, the source will close Tor and change
the firewall settings from the "Tor Profile" back to the default profile
which in general allows all applications to connect to the internet.
This setup ensures that no other applications "accidentally" connect to
the internet during an active Tor session and "reveal" the source's true
IP address.



Vacuous.

A connection from your IP address doesn't "reveal" your source address. 
 The source address from your computer is stamped on every TOR packet: 
 it's possible to determine that you're using TOR, regardless. 
Blocking other connections unrelated to TOR won't hide what you're doing 
under TOR; and having other connections (say to your e-mail, IRC, P2P, 
non-sensitive Web sites, etc.) doesn't jeopardize the secrecy of your 
TOR connection.


Aside, has anyone considered that actively aiding a sovereign nation's 
population in accessing materials restricted from the general 
population's view is an active attack on that nation's procedurally 
declared national security, and a direct act of war?  Not defending 
tyranny, just saying:  you are committing an act of war.  If we have 
extradition treaties with these people, it's perfectly reasonable for 
you to be arrested and shipped over there; and if our government refuses 
to do so, then the logical response in kind is for them to start bombing 
our soil.


Some things are worth getting bloody for, and some things carry the 
implications but in practice those implications never pan out.  You 
probably won't get extradited and nobody is going to start lobbing nukes 
just because of people helping crack the Great Arab Firewall.  They 
could though; it's actually a reasonable response.

Sincerely,

Paul Campbell



Tor & application-firewall support

2012-04-24 Thread Paul Campbell
There's been some discussion on this mailing list about application-firewalls, 
and I wanted to say a word about Ubuntu's inability to filter internet 
connections at the application-level.


I work as a freelance journalist. On many occasions I recommend the use of Tor 
to sources in middle eastern and southeast Asian countries. For their own 
safety, they need an anonymous way to upload things to the internet and in 
general to communicate online.

I am a strong proponent of open-source software and am a fan of Debian and 
Ubuntu; however, I caution my sources against running the Tor client on Ubuntu 
because of Ubuntu's lack of support for application-firewalls. I often advise 
Microsoft Windows be used because application-firewall software exists that 
allows users to create a "Tor Profile": a firewall-settings profile that not 
only filters DNS lookups but also only allows outbound connections from the Tor 
client. All other applications are blocked from connecting to the internet 
while this profile is active.


When needing to use Tor, the source will activate the firewall software's 
user-created "Tor Profile" and then start a Tor browsing session. When finished 
browsing, the source will close Tor and change the firewall settings from the 
"Tor Profile" back to the default profile which in general allows all 
applications to connect to the internet. This setup ensures that no other 
applications "accidentally" connect to the internet during an active Tor 
session and "reveal" the source's true IP address.  

I'm sharing this because I hope to see Ubuntu gain this valuable feature-set. 
There are many advantages to being able to filter at the application-level. 
It's a feature sadly missing from Ubuntu. Hopefully it's something Ubuntu 
developers will address in the near future.
Sincerely,

Paul Campbell
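
What the "Tor Profile" described above looks like on Ubuntu, as an added example that is not code from the thread or from any Ubuntu package: the kernel's owner match lets only the Tor daemon's user open outbound connections, plain DNS from anything else is refused, and refused packets are logged so an application that would have leaked shows up in the kernel log. It filters by user rather than by executable, which is why it only works cleanly when the daemon has its own account; the user name (assumed here to be the Debian/Ubuntu package's debian-tor) is a parameter.

```shell
#!/bin/sh
# "Tor profile" for Ubuntu as iptables-restore input. Egress is matched by the
# owning user rather than by executable (the kernel's owner match), which is
# why it only works cleanly when the Tor daemon runs under its own account.
# Assumed: the Debian/Ubuntu tor package's 'debian-tor' user.
tor_profile_rules() {
  tor_user="${1:-debian-tor}"
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Loopback stays open: the browser reaches the daemon's SOCKS port on lo.
-A OUTPUT -o lo -j ACCEPT
# Only packets from sockets owned by the tor user leave the machine.
-A OUTPUT -m owner --uid-owner ${tor_user} -j ACCEPT
# Plain DNS from anything else would leak the sites being visited; log it
# under its own tag, then refuse it.
-A OUTPUT -p udp --dport 53 -m limit --limit 5/min -j LOG --log-prefix "torprofile-dns-leak: "
-A OUTPUT -p udp --dport 53 -j REJECT
# Everything else is logged (rate-limited) so leaking applications are
# visible in the kernel log, then refused so they fail fast.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "torprofile-leak: "
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Default profile: the allow-all egress the source switches back to afterwards.
default_profile_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Load a profile as root; iptables-restore replaces the whole filter table.
# The same rules go into ip6tables too, or IPv6 traffic bypasses the filter.
apply_profile() {
  "$1" | iptables-restore
  "$1" | ip6tables-restore
}
```

Switching profiles is `apply_profile tor_profile_rules` before a session and `apply_profile default_profile_rules` after it; connections other applications opened before the switch are cut as well, since the owner match covers every outgoing packet.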


hang in failsafe.conf on precise

2012-04-24 Thread Christoph Mathys
I just encountered some problems with very long boot times on precise.
failsafe.conf just hangs until the timeout has elapsed.

The culprit seems to be that I define interfaces in
/etc/network/interfaces that do not exist when I'm testing in kvm
(ifup -a fails). This then seems to prevent static-network-up from being
emitted. I'm not quite sure why this event is never emitted. Is
static-network-up only emitted if the job networking ("exec ifup -a")
runs successfully? (I've disabled network-interface.conf)

As a workaround I think I'll just disable failsafe.conf and write my
own job which immediately emits the static-network-up event.

Christoph
