Hidden Service (mysql, apache, php)
Could anybody tell me what the security risks are running a hidden service with Hidden Service (mysql, apache, php) behind a router?
Re: Hidden Service (mysql, apache, php)
On 10/31/06, tormailinglist tormailinglist [EMAIL PROTECTED] wrote:
> Could anybody tell me what the security risks are running a hidden service with Hidden Service (mysql, apache, php) behind a router?

They are no different from running a Hidden Service without the router, since in the Tor network, the existence of routers is effectively ignored. http://tor.eff.org/docs/tor-hidden-service.html.en#four should be able to help you out on that.

HTH HAND,
Nils
--
Simple guidelines to happiness: Work like you don't need the money, Love like your heart has never been broken and Dance like no one can see you.
Re: reporter from The Economist in Thailand seeks help / new Tor guide is up
On 10/31/06, George Shaffer [EMAIL PROTECTED] wrote:
> On Mon, 2006-10-30 at 21:46, Tim McCormack wrote:
> > Chris Willis wrote:
> > > NO browser (cept maybe a text browser in BSD or something) is really 100% safe on its own. Firefox has lots of vulnerabilities, just like IE. . . .
> >
> > I agree about the text browser -- I should really familiarize myself with Lynx.
>
> Continuing now OT thread:
>
> Lynx has its uses, but anyone used to modern browsers is likely to find it frustrating. Lynx is not just text only in that it does not display graphics but is text based and runs in a text window (terminal). It does not recognize tables, and most modern web pages are built in tables, allowing the standard page and navigation elements, to be arranged above or to the left of the main page content. This means as you read the source, these come before the main text content. That is how Lynx displays the page (as it is sequentially arranged in the source file); the main page content is usually between a screenful or more of standard items and links and more of this at the bottom. A page as simple as Google's home page takes 13 tabs or down arrows to reach the search field. Yahoo, on the other hand recognizes it has received a request from a text browser, and sends a different page where the search field is the first item on the page after Yahoo. Lynx takes some getting used to.
>
> Lynx is not simple. Its default configuration file is 140K, but mostly explanatory comments. It has about 135 options. I don't know that you can assume it's 100% safe. If you eliminate all active content from your current browser, or install an alternate browser (e.g., Netscape, Opera) and disable all active content, and severely control cookies, wouldn't that do what Lynx is intended to do while still seeing most web pages, more or less as intended?
>
> George Shaffer

Continuing the OT: and what about links?? It has graphical support, such as frames, pics...

Ricardo Lee
Re: reporter from The Economist in Thailand seeks help
Hello,

if the person only wants surfing the web, torpark is the best thing. It can be found here: http://www.torrify.com/download.php

Something to the stuff I read here: It's great that you write howtos for newbies with nice pictures and so on. But if you write a howto, keep in mind what people want to do. They don't wanna set up a server. They wanna _use_ Tor. So a good idea is to make simple and straight howtos that only show how to install Tor (or Torpark) and set up the Browser. The rest is only confusing 95% of the users.

I know the problem: If I write things like this, I always feel like an idiot. But I learned to ignore this to get better results ;)

Enigma, thanks for your work. It's a nice howto!

Till Westermann
FoeBuD e.V. www.foebud.org
Admin of Tornode FoeBuD2

On 29.10.2006 at 12:45, Shava Nerad wrote:
> Hello, I am The Economist's South-East Asia correspondent, based in Bangkok, and my colleague Ben Sutherland said you might be able to arrange for me to get some information on how to use TOR's network to work around the considerable amount of internet censorship in this part of the world. I don't expect that Thailand's new, military government is going to ease up on blocking sites, so I suspect my need for proxy servers is likely to increase! I am reasonably proficient in IT matters, so perhaps all I need is an e-mail explaining how to set up my PC (which runs Windows XP) to use the network. Then if I have any problems, maybe I could e-mail for advice. Many thanks, in anticipation, for your help, and I look forward to hearing from you,
Re: reporter from The Economist in Thailand seeks help
Hi Till,

Good point, I will cut out the server part and add it as a separate howto guide.

--
German Tor mailing list / observation and its risks: http://www.anti1984.com
Re: Practical onion hacking: finding the real address of Tor clients
On Tue, 2006-10-31 at 09:49, Fabian Keil wrote:
> George Shaffer [EMAIL PROTECTED] wrote:
> > To go to a malicious site you need to encounter a site whose security has been compromised, be tricked into going to a site, be the victim of poisoned DNS, receive an email with a macro based Outlook virus that uses IE functionality, or deliberately browse fringe web sites.
>
> Or you can use Tor and give every Tor exit node operator the chance to render every trusted site that doesn't use encryption into a source of malware.

If your only point is I forgot to list this, I'm guilty. Other than that, this seems to be an argument against using Tor. I was making the point that many web surfers who use poor security with their browsers don't actually encounter malicious software. I agree with your restated then they shouldn't act surprised if they run into problems.

I wish all sites would allow SSL to all pages. Sometimes I switch http:// to https:// on non forms pages but few major sites accept SSL across all their pages; Amazon seems to.

On Thu, 2006-10-26 at 15:05, Fabian Keil wrote:
> If the target IP address is unused, the scanner gets an error message sent from the router located one hop before the target. If the scanner doesn't get this error message, it's safe to assume that the target system is running.
> . . .
> > Perhaps someone could provide a URL that describes this.
>
> http://www.ietf.org/rfc/rfc792.txt

Thank you.

Regarding systrace:

> > Looking at man, it does appear that it would be useful for controlling developmental software on a very secure OpenBSD system.
>
> It's useful to control software in general.

In general I agree but there are costs as well as benefits to all security measures. Rational people can reach a wide range of conclusions regarding how much to invest and where. I suspect you might be rather uneasy with controlling software, as in preventing customers from using Skype, as the Narus tools linked to below can.

> There are several valid reasons not to run a Tor server at all, I just don't think that local security or ISP terms of service are among them.

We will obviously continue to disagree about these. I recently came across http://www.narus.com/products/index.html which describes a line of products that allow large ISPs and broadband carriers to monitor everything that flows across their network. Virtually every protocol can be identified, and everything from any IP can be assembled into a stream and its contents examined. That barely begins to describe what the Narus tools can do. If you care about privacy, this is really creepy. Partly this is to allow carriers to conform to the wiretap laws that are being applied in the US and other countries, but Narus makes clear the carriers can use these tools for their own purposes.

While resources should prevent an ISP or carrier from monitoring all their customers all the time, tools like this will allow them to focus on protocols banned by terms of service and identify the customers using the banned protocol. In the case of a cable provider, there is only one in any specific area. If you lose your access, then you have to hope DSL is available, and you will normally pay more for comparable download speeds. Personally I want to be careful about my ISP's terms of service.

George Shaffer
Re: Practical onion hacking: finding the real address of Tor clients
George Shaffer [EMAIL PROTECTED] wrote:
> On Thu, 2006-10-26 at 15:05, Fabian Keil wrote:
> > George Shaffer [EMAIL PROTECTED] wrote:
> > > On Mon, 2006-10-23 at 08:22, Fabian Keil wrote:
> > > > George Shaffer [EMAIL PROTECTED] wrote:
> > > > > . . . many web surfers, even knowledgeable ones, like the rich experience and are willing to sacrifice security and privacy for it.
> > > >
> > > > And they constantly get what they deserve.
> > >
> > > . . . If a member of your family is sick with a contagious disease, and you tend to them, do you deserve to get the disease? It might be smarter to stay away and call a doctor, but perhaps you get infected before you knew a doctor was needed, or while waiting for the doctor, or can't afford a doctor.
> >
> > I fail to see the similarities between willingly sacrificing security and privacy for 'rich experience' and caring about ones family.
>
> It may have been a poor analogy (I was thinking of computer viruses which suggested disease) but my objection is to the use of the word deserve.

Let's replace it with shouldn't act surprised if they run into problems then.

> What is so often forgotten about malicious web attacks is that nearly all web operators have a large investment in their sites and malicious software hurts them as much or more as victim client computers. To go to a malicious site you need to encounter a site whose security has been compromised, be tricked into going to a site, be the victim of poisoned DNS, receive an email with a macro based Outlook virus that uses IE functionality, or deliberately browse fringe web sites.

Or you can use Tor and give every Tor exit node operator the chance to render every trusted site that doesn't use encryption into a source of malware.

> > > > Anyone interested whether or not your IP address is currently in use only needs to do a port scan.
> > >
> > > Are you sure? By stealth I mean . . .
> >
> > If the target IP address is unused, the scanner gets an error message sent from the router located one hop before the target. If the scanner doesn't get this error message, it's safe to assume that the target system is running.
>
> By unused do you mean unassigned or will simply turned off result in such a message? I don't have enough computers to test this and know of no legal way to do so. I guess I have to take your word, though I've never heard this before. Perhaps someone could provide a URL that describes this.

http://www.ietf.org/rfc/rfc792.txt

> > > > And if you can't trust your firewall enough to work in cases where someone knows that your IP address is in use, you should get a firewall that actually works anyway.
> > >
> > > One might conclude, if one assumed these couple smart alec remarks represented your entire knowledge of firewalls, that you don't seem to know that once you open a port in a firewall to a server, e.g., Tor and port 80, that the firewall cannot protect that server.
> >
> > The packet filter can still protect all other ports and increase the chances that the packets arriving at the Tor running server are valid. The Tor server's host system can make sure that a compromised Tor server doesn't cause too much damage. As an OpenBSD user you will be aware of systrace, other systems have similar tools.
>
> While I'm generally familiar with most of your points, and the one about a firewall only allowing valid packets is a good one, in the context of this discussion, your final sentence grates. Perhaps this comes from the way German translates to English, but it would be much easier to read If you are not familiar with, then you should look up systrace rather than saying you will be aware of. If I ever knew it I've completely forgotten it. Looking at man, it does appear that it would be useful for controlling developmental software on a very secure OpenBSD system.

It's useful to control software in general.

> Fabian, please make this the last time you suggest that I run a Tor server whether locally or hosted. This is the third time you've suggested that I run a server and the third time I said I'm not going to.

I thought we were discussing the (dis)advantages of running a Tor server in general. I don't intend to convince you personally to run a Tor server, especially not if you don't even use the Tor client regularly. There are several valid reasons not to run a Tor server at all, I just don't think that local security or ISP terms of service are among them.

Fabian
--
http://www.fabiankeil.de/
Re: reporter from The Economist in Thailand seeks help / new Tor guide is up
Try links. You can find it at http://links.sourceforge.net/ It is a better text only browser than Lynx. I always use it when searching things on the web. Fast (even faster with keyboard), reliable and secure!

/K
Possible fishing attempt for eBay
Maybe slightly off topic (btw, is OT = Off Topic or On Topic?) but because I never had anything to do with eBay and still get this, perhaps others on this list also received it as some strange effect of being into this list, where any member sees all others' addresses?

The following email appeared two times (25 and 26 October) sent from [EMAIL PROTECTED] with a subject of Security Service Notification. Both have exactly the same content, except for two different email addresses when looking at the full headers. One ends with @trigno.com and the other ends with @franc2.mit.edu (if this is some mistake or illegitimate use of innocent addresses, I shouldn't expose them here). The headers also show different IPs than the one in the email text. I don't really understand what it says, but didn't click on the links. The mail body is as follows:

--
This message only has an HTML part -- this is a text generated representation

eBay sent this message to member of ebay Your registered name is included to show this message originated from eBay. [1]Learn more. [hdrLeft_13x39.gif] Ebay Security -- Security Service Notification eBay [s.gif]

eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address. Click the Respond Now button below to send your response via My Messages (your email address will not be included). [s.gif] [s.gif] [s.gif]

Security Service Notification [s.gif]

Dear eBay Member, We recently noticed one or more attempts to log in to your eBay account from a foreign IP address and we have reasons to believe that your account was used by a third party without your authorization. If you recently accessed your account while traveling, the unusual login attempts may have been initiated by you.

The login attempt was made from: IP address: 172.25.210.66 ISP Host: cache-66.proxy.aol.com

By now, we used many techniques to verify the accuracy of the information our users provide us when they register on the Site. However, because user verification on the Internet is difficult, eBay cannot and does not confirm each user's purported identity. Thus, we have established an offline verification system o help you evaluate with who you are dealing with. click on the link below, fill the form and then submit as we will verify : [2][respondNowButton_117x21.gif]
--

The rest of it is only some listings of picture names and standard looking phrases, and finally a bunch of links.

If you reply on this post, please erase the main part of it (easier to read and don't take that much space on the or-talk archive), especially because it is maybe a little off topic, thanks.
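A triage sketch for the notification quoted in the post above, added here as an example and not part of any list member's message: it flags a From domain unrelated to the envelope sender, and any IP address in the body that is not globally routable (172.25.210.66 falls in the RFC 1918 private range 172.16.0.0/12). The header addresses in the sample are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Header addresses are placeholders (.example domains);
# the two body lines are the ones quoted in the post.
SAMPLE = """\
Return-Path: <bounce@sender.example>
From: "Security Service" <notice@auction.example>
Subject: Security Service Notification
Content-Type: text/plain

The login attempt was made from: IP address: 172.25.210.66
ISP Host: cache-66.proxy.aol.com
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    address = parseaddr(header_value or "")[1]
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower()


def related(a, b):
    """True if the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def triage(raw_message):
    """Return a list of (finding, detail) tuples for one raw message."""
    msg = message_from_string(raw_message)
    findings = []

    # Weak signal on its own: bulk mailers often use another envelope
    # domain, so only wholly unrelated domains are reported.
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    if from_dom and env_dom and not related(from_dom, env_dom):
        findings.append(("from-envelope-mismatch", f"{from_dom} vs {env_dom}"))

    # A "foreign IP address" that is private, loopback or otherwise
    # non-global cannot be the public source of a login attempt.
    body = "".join(
        part.get_payload() for part in msg.walk() if not part.is_multipart()
    )
    for text in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # looked like an address but is not one (e.g. 999.1.1.1)
        if not ip.is_global:
            findings.append(("private-ip-in-body", text))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE):
        print(f"{finding}: {detail}")
```
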
Re: Possible fishing attempt for eBay
On Tuesday, October 31, 2006 at 2:00:44 PM in Message [EMAIL PROTECTED], Total wrote:
> Maybe slightly off topic (btw, is OT = Off Topic or On Topic?) but because I never had anything to do with eBay and still get this, perhaps others on this list also received it as some strange effect of being into this list, where any member sees all others' addresses?

snip

> click on the link below, fill the form and then submit as we will verify : [2][respondNowButton_117x21.gif]

It's bogus. Ebay and Paypal both will *NEVER* include a link in an email. Both will tell you to go to the site and log in to your account. ANY email that tells you to do anything else is bogus. Always type ebay and paypal urls yourself or use bookmarks you created yourself, *NEVER* use a link from an email.

in Him,
-Ed

--
The best way to get past my spam filter is to use pgp or gnupg to encrypt your Mail to me with RSA Key ID: 0x84D46604 (fingerprint: DA03 1EA4 7F5D DF74 B89F E871 757E 627C 84D4 6604) This key can be found on public keyservers such as http://keyserver.kjsl.com:11371/#extract
God's Resting Place http://lurasbookcase.com/gods-resting-place.shtml
Join the ASCII-Ribbon Campaign to Stamp Out HTML Email!
Re: reporter from The Economist in Thailand seeks help / new Tor guide is up
Learn to read the whole thread before posting. I discussed links and said it was better than lynx, in response to what about links? about 7 hours before your post.

George Shaffer

On Tue, 2006-10-31 at 14:43, Kalevi Nyman wrote:
> Try links. You can find it at http://links.sourceforge.net/ It is a better text only browser than Lynx. I always use it when searching things on the web. Fast (even faster with keyboard), reliable and secure!
>
> /K
Apology: was Re: reporter from The Economist in Thailand seeks help / new Tor guide is up
Sorry, the following was meant to be private. I thought I'd replaced [EMAIL PROTECTED] with the author's email but realized too late that I had not.

On Tue, 2006-10-31 at 21:05, George Shaffer wrote:
> Learn to read the whole thread before posting. I discussed links and said it was better than lynx, in response to what about links? about 7 hours before your post.
>
> George Shaffer
Re: Possible fishing attempt for eBay
On Tue, 2006-10-31 at 15:00, Total Privacy wrote:
> The following email appeared two times (25 and 26 October) sent from [EMAIL PROTECTED] with a subject of Security Service Notification. Both have exactly the same content,

They are bogus. I got exactly the two same emails and reported the first to [EMAIL PROTECTED]. I wonder if it is pure coincidence that two people on this list got the same phishing emails. Did anyone else get these?

George Shaffer
Re: Possible fishing attempt for eBay
Just a side-note: Please take the time to report these at: http://www.castlecops.com/pirt

Cheers,
- ferg

-- George Shaffer [EMAIL PROTECTED] wrote:
> On Tue, 2006-10-31 at 15:00, Total Privacy wrote:
> > The following email appeared two times (25 and 26 October) sent from [EMAIL PROTECTED] with a subject of Security Service Notification. Both have exactly the same content,
>
> They are bogus. I got exactly the two same emails and reported the first to [EMAIL PROTECTED]. I wonder if it is pure coincidence that two people on this list got the same phishing emails. Did anyone else get these?
>
> George Shaffer

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/