Re: Soliciting Opinions on xB Browser "How To Build" doc
How about instead of Make, we use Scons? It should be easier for people
to read and modify.
Additionally, for the list of tor 3rd party devs...
I figured out how to implement the (more) secure persistent settings in
firefox. This will be useful for others trying a similar approach to xB
Browser.
1. Keep prefs.js with the normal user settings.
2. Load this user.js on top of it, to keep the network settings persistent.
This way the user can change their settings like cache, saving
passwords, etc, but not risk messing up their network settings.
Tested and it works.
Files below, including settings.
Regards,
Steve
-- BEGIN PREFS.JS --
# Mozilla User Preferences
/* Do not edit this file.
* XEROBANK BROWSER CONFIGURATION SOFTCODE SETTINGS
*
* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL
about:config
* For more information, see
http://www.mozilla.org/unix/customizing.html#prefs
*/
user_pref("accessibility.typeaheadfind.flashBar", 0);
user_pref("app.update.auto", false);
user_pref("app.update.lastUpdateTime.addon-background-update-timer",
1195327847);
user_pref("app.update.lastUpdateTime.background-update-timer", 1195327847);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer",
1195327847);
user_pref("app.update.lastUpdateTime.search-engine-update-timer",
1195327853);
user_pref("app.update.url.override",
"https://aus2.mozilla.org/update/2/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/en-US/%CHANNEL%/%OS_VERSION%/update.xml";);
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.download.lastDir", "C:\\Documents and
Settings\\Administrator\\Desktop");
user_pref("browser.download.manager.retention", 0);
user_pref("browser.formfill.enable", false);
user_pref("browser.history_expire_days", 0);
user_pref("browser.history_expire_days.mirror", 9);
user_pref("browser.preferences.advanced.selectedTabIndex", 1);
user_pref("browser.send_pings", false);
user_pref("browser.sessionstore.enabled", false);
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.startup.homepage", "https://support.xerobank.com/IPSpy";);
user_pref("browser.startup.homepage_override.mstone", "rv:1.8.1.8");
user_pref("browser.tabs.warnOnClose", false);
user_pref("dom.storage.enabled", false);
user_pref("intl.accept_languages",
"en-US,en,chrome://global/locale/intl.properties");
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("layout.css.report_errors", false);
user_pref("network.cookie.lifetime.days", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.cookie.prefsMigrated", true);
user_pref("network.dns.disableIPv6", true);
user_pref("network.http.keep-alive.timeout", 1000);
user_pref("network.http.max-connections-per-server", 16);
user_pref("network.http.max-persistent-connections-per-proxy", 24);
user_pref("network.http.max-persistent-connections-per-server", 16);
user_pref("network.http.pipelining", true);
user_pref("network.http.pipelining.maxrequests", 8);
user_pref("network.http.proxy.pipelining", true);
user_pref("network.http.use-cache", false);
user_pref("network.proxy.backup.ftp", "");
user_pref("network.proxy.backup.ftp_port", 0);
user_pref("network.proxy.backup.gopher", "");
user_pref("network.proxy.backup.gopher_port", 0);
user_pref("network.proxy.backup.socks", "localhost");
user_pref("network.proxy.backup.socks_port", 9050);
user_pref("network.proxy.backup.ssl", "");
user_pref("network.proxy.backup.ssl_port", 0);
user_pref("network.proxy.failover_timeout", 0);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.type", 1);
user_pref("pref.privacy.disable_button.view_cookies", false);
user_pref("privacy.item.cookies", true);
user_pref("privacy.item.passwords", true);
user_pref("privacy.sanitize.didShutdownSanitize", true);
user_pref("privacy.sanitize.promptOnSanitize", false);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("security.disable_button.openDeviceManager", false);
user_pref("security.warn_entering_secure", false);
user_pref("security.warn_entering_secure.show_once", false);
user_pref("security.warn_leaving_secure.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.xpconnect.plugin.unrestricted", false);
user_pref("signon.rememberSignons", false);
user_pref("xpinstall.whitelist.add", "");
user_pref("xpinstall.whitelist.add.103", "");
-- END PREFS.JS --
-- BEGIN USER.JS --
# Mozilla User Preferences
/* Do not edit this file.
* XEROBANK TOR CONFIGURATION HARDCODE SETTINGS
*
* If you make changes to this file while the application is running,
* the
Re: encrypting your communications?!
How about this?
Tor protects you by bouncing your communications around a distributed
network of relays run by volunteers all around the world: it prevents
the sites you visit from learning where you're coming from, and it
prevents somebody watching your Internet connection from learning what
sites you visit. Even the Tor relay you connect to doesn't learn that.
However, Tor is NOT a "Solve-everything" -- proper use of Tor requires
protection of cookies and Javascript (either of which, without any
other tool, can be used to reveal you to the destination node).
Finally, Tor exposes you to a new type of Man-In-The-Middle attack --
the last Tor node used will see everything that the destination site
sees. [bold] Never send a password over Tor unless you are using an
https connection. If your site only uses https for the login password,
but uses a cookie authentication and normal http after that, then your
login may still be stolen; always log out from the site you are
talking to when finished. [/bold]
It is recommended that you use a separate profile for your tor-based
anonymous browsing, with cookies cleared after each session, and
javascript disabled. "Noscript", for firefox, can safely permit
scripts on a site-by-site basis, after determining that it is safe.
Additionally, a plugin or tool to remove "referer" information is
absolutely essential, or third party sites -- such as advertisers --
can track your every move. Tor is normally used with Privoxy to both
remove referer information, and block advertisers.
("Referer" is the proper spelling -- the original http standard
misspelled "referrer", and the misspelling is too ingrained in the web
to be fixed now.)
Re: court trial against me - the outcome
Wilfred L. Guerin wrote: > I am sincerely concerned about the following issue: > > "address and identity used are from the cow town next door" > > Please explain for us the failures of your tor implementation to > properly mix and distribute the content, and why (moreso how) such an > event occured? Are you sure you read Mirko's mail? The *entire* mail? If so, I would advise you to go back and read it *again*. Slowly this time. Pay close attention to who did what. Sorry if I'm being rude, but your mail shows you have neither understood the original post, nor read the follow ups. You really should consider doing so before posting on a mailing list. Saves a lot of valuable time for the rest of the world. Now back to topic, please. This issue is far too serious to lose track of. Andrew
Re: Installing TOR on CentOS
On Sat, Nov 17, 2007 at 06:07:25AM -0500, [EMAIL PROTECTED] wrote 0.7K bytes in 26 lines about: : What must I do, or (better!) is there a rpm already for centOS?? There are rpms for centos/redhat 4 and 5. Right now, they are just the -alpha branch. -- Andrew
Re: new perspektive for tor
Michael Schmidt wrote: > „§ 113a Speicherungspflichten für Daten > > (6) Wer Telekommunikationsdienste erbringt und hierbei die nach Maßgabe > dieser Vorschrift zu speichernden Angaben verändert, ist zur Speicherung > der ursprünglichen und der neuen Angabe sowie des Zeitpunktes der > Umschreibung dieser Angaben nach Datum und Uhrzeit unter Angabe der > zugrunde liegenden Zeitzone verpflichtet. how should this apply to tor? The application doesn't generate any session data. Right? Thus there are no "original data" I could alter before storing. Supposed you are right and to store data would imply the obligation to collect those data before. This means every router in the German part of the Internet would have to run some kind of data collection like Cisco's Netflow. Furthermore beneath IP layer 3 lies an entire universe of layer 1 and 2 CWDM, DWDM, and SDH network stuff which is completely transparent to the Internet user. Since this new law applies to telecommunication in general and not only to Internet in specific, one would have to collect data from those systems, too. How exactly to you collect and store data from a 80-color DWDM system transmitting 10 GBit/s on each color? regards, Olaf DWDM dense wavelength division multiplexing CWDM coarse wavelength division multiplexing
Re: new perspektive for tor
„§ 113a Speicherungspflichten für Daten
(6) Wer Telekommunikationsdienste erbringt und hierbei die nach Maßgabe
dieser Vorschrift zu speichernden Angaben verändert, ist zur Speicherung der
ursprünglichen und der neuen Angabe sowie des Zeitpunktes der Umschreibung
dieser Angaben nach Datum und Uhrzeit unter Angabe der zugrunde liegenden
Zeitzone verpflichtet.
http://dip.bundestag.de/btd/16/058/1605846.pdf
2007/11/17, Olaf Selke <[EMAIL PROTECTED]>:
>
>
> >
> > You need to logg the traffic, you have time to get the log tools till.
> > 1.1.2009, so one year from beginning in 2008.
>
> do I? According the law one has to store ("speichern") collected
> ("erzeugte") or processed ("verarbeitete") data for six months. From my
> understanding there's no obligation to collect any data. Obviously data
> not collected can't be stored.
>
> I've just asked a friend working for the BSI about his opinion. He
> promised to check and provide me with feedback regarding Dark Side's
> perspective of the terms "collect" and "store".
>
> Did any of my German colleagues on this list really bothered with
> reading the law?
>
> regards, Olaf
>
Re: new perspektive for tor
Michael Schmidt wrote:
>
> You need to logg the traffic, you have time to get the log tools till.
> 1.1.2009, so one year from beginning in 2008.
do I? According the law one has to store ("speichern") collected
("erzeugte") or processed ("verarbeitete") data for six months. From my
understanding there's no obligation to collect any data. Obviously data
not collected can't be stored.
I've just asked a friend working for the BSI about his opinion. He
promised to check and provide me with feedback regarding Dark Side's
perspective of the terms "collect" and "store".
Did any of my German colleagues on this list really bothered with
reading the law?
regards, Olaf
Re: court trial against me - the outcome
On Sat, 17 Nov 2007 12:26:07 -0500 "Wilfred L. Guerin"
<[EMAIL PROTECTED]> top-posted, so as to make it more difficult
to understand what he was referring to:
>I am sincerely concerned about the following issue:
>
>"address and identity used are from the cow town next door"
>
>Please explain for us the failures of your tor implementation to
>properly mix and distribute the content, and why (moreso how) such an
>event occured?
I thought Mirko made it perfectly clear. He has been running an
exit server. Some credit card fraud artist did his/her thing via that
exit node, providing stolen identity information to amazon.de, which
logged the IP address of the exit node. The exit node operator, Mirko,
was then accused of committing the fraud. The court was uninterested in,
and/or incapable of comprehending, explanations of why Mirko was as
innocent as his ISP.
>
>I will assume at this point that an IP identification, (each session
>should be on seperate nodes by design), would be compared to a
>database of exploitables and thus select a local proximity target.
>
>In all, this is completely assinine. Under no circumstances except an
>idiot implementation that has all nodes in the same room, could this
>be possible.
>
What the hell are you writing about? Just go back and reread
Mirko's description of what happened. You might also read some tor
documentation before spouting off like that.
>Please explain further how your machine was the sole liability, the
>mail.box was set up using the exact same node, and how the responding
>ip (which i recall is NOT reported?) was gleaned from the amazon
>registration process.
As reiterated above, the source IP address from which amazon.de
and the prosecution claim that the fraudulent transaction originated
was, in fact, not the true source, but rather Mirko's exit server's
IP address. (Note that it is an IP address, not an "ip".)
>
>These coincidences, unless you were entered locally with a very small
>mixer, are not plausible unless there is a very explicit route / exit
>node, external proxy which forwarded "illegitimate packets" or
>otherwise.
Define "mixer". In terms of computer software, "mixer" to me means
a program that allows one to control volumes of audio inputs and outputs.
>
>please show us a technical diagram (flowchart) of how this process
>occured, and what is known about the use of the gift card / final
>address.
>
>-Wilfred
>[EMAIL PROTECTED]
>
>
>
>On Nov 14, 2007 9:22 AM, Mirko Thiesen <[EMAIL PROTECTED]> wrote:
>> Good morning,
>>
>> I've been operating a Tor node (NetWorkXXIII) for quite some years now
>> (although it was down for several months as it was facing repeated DDoS
>> attacks earlier this year).
>>
>> In June the local police informed me about preliminary proceedings against
>> me by asking me (by mail) to "visit" them. The letter mentioned computer
>> fraud (actually it was "Computerbetrug in Tateinheit mit Faelschung
>> beweiserheblicher Daten gemaess Paragrafen 263a, 269, 52 StGB"), but since I
>> hadn't done anything I followed the general advice in such situations: You
>> have the right to remain silent. Use it. So I decided not to go to the
>> police - if you haven't done anything and you don't even have a clue what
>> they are talking about, it usually can only get worse. Apart from that, the
>> day they wanted me to come I was not even in town.
>>
>> In early September I received a penalty order ("Strafbefehl") - from the
>> court. A judge found me guilty of having ordered a gift voucher (value: 51
>> EUR) on amazon.de, providing address details of a living person (but not
>> myself obviously), and using a Web.de email address registered specifically
>> for this purpose. I was sentenced to pay a fine of 500 EUR.
>>
>> Because I hadn't ordered the voucher, I appealed ("form- und fristgerechter
>> Einspruch") to that penalty order, which led - according to German laws - to
>> an actual trial. This trial was held today.
>>
>> While the penalty order listed four witnesses (the person whose address
>> details had been used, a police officer in a cow town near that person's
>> home hometown, a local police officer, and an employee of amazon.de), the
>> summoning ("Ladung") to the actual trial didn't list any witnesses at all. I
>> had been a lay assessor ("Schoeffe") for four years in Germany (but in a
>> different part of the country), so I knew that this usually would be a good
>> sign as the judge(s) during the actual trial wouldn't have much more than
>> the defendant's testimony (and of course the records) to rely on.
>>
>> Well, it turned out to be the exact opposite of what I had expected. They
>> had absolutely no doubts that I was at least somehow guilty. I explained in
>> great detail what Tor is and what it is used for, and the judge asked me:
>> "Is this illegal?" Wow - shouldn't she know?! I replied "No, of course not.
>> Otherwise I wouldn't do it."
>>
>> The judge and the public prosecutor real
Re: new perspektive for tor
2007/11/17, Olaf Selke <[EMAIL PROTECTED]>: > > > > > > in the total EU there will be NO TOR-Outproxy from begin of 1.1.2008: > > really? I don't intend to shut down my exit gateway located in Germany. > Is there any reason I'm supposed to do so? > > Olaf > You need to logg the traffic, you have time to get the log tools till. 1.1.2009, so one year from beginning in 2008. If you do not log, then you are aginst the law. Dunno, what the punsihment is... But as the german plice has raided several Tor servers, I would not run one, and as you are in law conflict, if you do not logg, then this is as well a problem.. so I guess in the next year more and more servers will vanish... Mike
Re: court trial against me - the outcome
I am sincerely concerned about the following issue:
"address and identity used are from the cow town next door"
Please explain for us the failures of your tor implementation to
properly mix and distribute the content, and why (moreso how) such an
event occured?
I will assume at this point that an IP identification, (each session
should be on seperate nodes by design), would be compared to a
database of exploitables and thus select a local proximity target.
In all, this is completely assinine. Under no circumstances except an
idiot implementation that has all nodes in the same room, could this
be possible.
Please explain further how your machine was the sole liability, the
mail.box was set up using the exact same node, and how the responding
ip (which i recall is NOT reported?) was gleaned from the amazon
registration process.
These coincidences, unless you were entered locally with a very small
mixer, are not plausible unless there is a very explicit route / exit
node, external proxy which forwarded "illegitimate packets" or
otherwise.
please show us a technical diagram (flowchart) of how this process
occured, and what is known about the use of the gift card / final
address.
-Wilfred
[EMAIL PROTECTED]
On Nov 14, 2007 9:22 AM, Mirko Thiesen <[EMAIL PROTECTED]> wrote:
> Good morning,
>
> I've been operating a Tor node (NetWorkXXIII) for quite some years now
> (although it was down for several months as it was facing repeated DDoS
> attacks earlier this year).
>
> In June the local police informed me about preliminary proceedings against
> me by asking me (by mail) to "visit" them. The letter mentioned computer
> fraud (actually it was "Computerbetrug in Tateinheit mit Faelschung
> beweiserheblicher Daten gemaess Paragrafen 263a, 269, 52 StGB"), but since I
> hadn't done anything I followed the general advice in such situations: You
> have the right to remain silent. Use it. So I decided not to go to the
> police - if you haven't done anything and you don't even have a clue what
> they are talking about, it usually can only get worse. Apart from that, the
> day they wanted me to come I was not even in town.
>
> In early September I received a penalty order ("Strafbefehl") - from the
> court. A judge found me guilty of having ordered a gift voucher (value: 51
> EUR) on amazon.de, providing address details of a living person (but not
> myself obviously), and using a Web.de email address registered specifically
> for this purpose. I was sentenced to pay a fine of 500 EUR.
>
> Because I hadn't ordered the voucher, I appealed ("form- und fristgerechter
> Einspruch") to that penalty order, which led - according to German laws - to
> an actual trial. This trial was held today.
>
> While the penalty order listed four witnesses (the person whose address
> details had been used, a police officer in a cow town near that person's
> home hometown, a local police officer, and an employee of amazon.de), the
> summoning ("Ladung") to the actual trial didn't list any witnesses at all. I
> had been a lay assessor ("Schoeffe") for four years in Germany (but in a
> different part of the country), so I knew that this usually would be a good
> sign as the judge(s) during the actual trial wouldn't have much more than
> the defendant's testimony (and of course the records) to rely on.
>
> Well, it turned out to be the exact opposite of what I had expected. They
> had absolutely no doubts that I was at least somehow guilty. I explained in
> great detail what Tor is and what it is used for, and the judge asked me:
> "Is this illegal?" Wow - shouldn't she know?! I replied "No, of course not.
> Otherwise I wouldn't do it."
>
> The judge and the public prosecutor realized soon that I probably wasn't the
> originator of the transaction in question. But instead of realizing the
> faults of the police and the public prosecutor's department (German laws say
> that they have to investigate *all* aspects of a crime and not just find
> someone that seems to be somehow guilty at first sight), they tried to
> construct a case of aiding and abetting ("Beihilfe") - they insisted that I
> most probably set up my node in order to help people committing crimes. Or
> at least I accepted that people would commit crimes using my Tor node. I
> asked "What about a postal service that delivers i.e. a bomb or a blackmail
> letter? Do they help people committing crimes as well?" They said that these
> two things could not be compared as a postal service offers transportation
> services whereas I offer anonymization services.
>
> To make a long story short: The judge as well as the public prosecutor
> refused to accept that I didn't do anything criminal, that I didn't and
> still don't want to help anyone committing a crime (at least not more than
> i.e. telco/ISP/postal service here> does), and that they should have investigated
> the issue further beforehand.
>
> They offered me to dismiss the actual court trial according to paragraph 153
> StP
Re: new perspektive for tor
"Michael Schmidt" <[EMAIL PROTECTED]> wrote: > 2007/11/17, Robert Hogan <[EMAIL PROTECTED]>: > > > > On Friday 16 November 2007 17:04:18 Michael Schmidt wrote: > > > Due to data retention logg needs/law in the EU, there will be no > > > outproxy and no forwarding-nodes in the EU anymore, if they do not > > > logg all traffic. > > > > Can someone point me to the EU directive on this? I thought this was just > > a > > German initiative. > in the total EU there will be NO TOR-Outproxy from begin of 1.1.2008: Unlikely. Fabian signature.asc Description: PGP signature
Re: new perspektive for tor
Michael Schmidt wrote: > > in the total EU there will be NO TOR-Outproxy from begin of 1.1.2008: really? I don't intend to shut down my exit gateway located in Germany. Is there any reason I'm supposed to do so? Olaf
Re: new perspektive for tor
On Saturday 17 November 2007 14:42:56 you wrote: > Hi Robert, > > On Sat, 17.11.2007, you wrote: > > Can someone point me to the EU directive on this? I thought this was just > > a German initiative. > > http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:01 >:EN:HTML > > > felix If you go to the bottom of that link you can see many countries appear to be 'postponing' application of the directive indefinitely. signature.asc Description: This is a digitally signed message part.
Re: court trial against me - the outcome
"Mirko Thiesen" <[EMAIL PROTECTED]> wrote: > > > They offered me to dismiss the actual court trial according to > > > paragraph 153 StPO which is not the same as an acquittal (no > > > "Freispruch") which I eventually accepted. > > > > My German is not that fresh anymore, but it seems to say that if your > > guilt is low and they don't find any interest for society at large to > > prosecute you, they can choose not to prosecute. Is that what that > > paragraph says? > > Yes, this is what the paragraph says. Unfortunately it implies that I am > indeed somehow guilty. I don't think so. The first part of the paragraph talks about the guilt of the offender, the second part about dismissing the case with the approval of the accused. The accused doesn't have to be the offender and as being accused for itself doesn't imply any guilt I don't see why dismissing the case according of § 153 StPO would imply any guilt either. Fabian signature.asc Description: PGP signature
Re: encrypting your communications?!
On Sat, Nov 17, 2007 at 07:35:10AM -0500, Roger Dingledine wrote: > On Sat, Nov 17, 2007 at 12:13:34PM +, Robert Hogan wrote: > > Gah. You're right. > > I've changed the offending sentence to: > > "Tor protects you by bouncing your communications around a distributed > network of relays run by volunteers all around the world: it prevents > somebody watching your Internet connection from learning what sites you > visit, and it prevents the sites you visit from learning where you're > coming from." > This is better. Although Much like the original concern that Robert raised, this could be interpreted as saying that using Tor prevents the sites you visit from learning where you're coming from (especially since it says just that ;>). The tricky thing is how to succinctly and clearly say to the general user that it is the networking address information implicit in the act of connecting that is hidden, but that's not the whole story. The onion routing project home page phrases it thus in the opening paragraph. The focus is on practical systems for low-latency Internet-based connections that resist traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routing servers themselves). Onion Routing prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network. This is too geekspeakish for the intended purpose here. But it gives a hint perhaps of what could be said. Also, apropos to Robert's complaint the last sentence does two things: it does let people know that traffic is encrypted against eavesdroppers within the network. More importantly, even for people who aren't thinking about encryption one way or the other and for people that might have been confused by the sentence Robert noted, it succinctly and clearly tells them that there is a part of the communication path that is not encrypted against eavesdroppers---a part that is outside of Tor. So a suggested revision Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit. Even the Tor relay you connect to doesn't learn that. Tor comes bundled with other protections that combine with Tor to hide your location from the sites you visit too. And, Tor hides what you are saying from eavesdroppers anywhere between the point your connection leaves your computer to the point it leaves the Tor network and heads to the site you are visiting. I think the sentence about bundling lets even the people who can't look two short paragraphs down know that there is more to the story, but it still says there is a basic protection from responding sites that they get from Tor (And, it doesn't end with a preposition ;>) I'm torn about whether the last sentence is worth it. It's a really important point for the reasons that prompted this exchange and other reasons too, but maybe it is just one point too many for an opening paragraph. HTH, Paul
Re: new perspektive for tor
Felix Eckhofer wrote: Hi Robert,On Sat, 17.11.2007, you wrote: Can someone point me to the EU directive on this? I thought this was just a German initiative. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:01:EN:HTMLfelix So a law which was said to be for protecting the privacy and rights ofa user was really a stalking horse for a law which would eventuallylegalise the complete invasion of our privacy and a removal of ourright to freedom of speech! Roll on the new world order - it stinks - we'll all be wearing badgesto identify ourselves soon. -K- - Never miss a thing. Make Yahoo your homepage.
Re: new perspektive for tor
Hi Robert, On Sat, 17.11.2007, you wrote: > Can someone point me to the EU directive on this? I thought this was just a > German initiative. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:01:EN:HTML felix -- felix_eckhofer * http://tribut.de/kontakt * please encrypt "Ein Betriebssystem sie zu knechten, sie alle zu finden, ins Dunkle zu treiben und ewig zu binden..." signature.asc Description: Digital signature
Re: Swedish Police Swoop on Dan Egerstad
"Paul Ferguson" <[EMAIL PROTECTED]> wrote: > Not good. What's that? > Via TheAge.com.au. > The hack required little more than tools freely available on the > internet, and Egerstad maintains he broke no laws. I find it hard to believe that his "hack" didn't violate any laws in Sweden and I also have my doubts about the raid taking place in the way described in this poorly-researched article. Without more information I get the impression that he broke Swedish law and is now facing the consequences. Big deal. Fabian signature.asc Description: PGP signature
Re: new perspektive for tor
2007/11/17, Robert Hogan <[EMAIL PROTECTED]>: > > On Friday 16 November 2007 17:04:18 Michael Schmidt wrote: > > Due to data retention logg needs/law in the EU, there will be no > > outproxy and no forwarding-nodes in the EU anymore, if they do not > > logg all traffic. > > Can someone point me to the EU directive on this? I thought this was just > a > German initiative. in the total EU there will be NO TOR-Outproxy from begin of 1.1.2008: So the idea is to have only forwarders in the EU - based on a security friend to friend layer with trusted friends only (tor retroshare-plugin). The hybrid nodes (tor plugins connecting AS WELL to the normal tor network layer) though must be then Outside this law aerea. And: every forwarder inside needs to know a hybrid outside the law aerea. If this is given, he can forward the packet many time on the f2f layer of his trusted friends, until any of the f2f-friends know ANY PORT to go outside to a hybrid again. So this is Matrix Reloaded with Neo, needing a Port. - World outside: routing and routing - HYBRID: World outside, slides the packet over to F2F - World inside begin: ping pong Germany pong ping Germany ping pong Germany pong ping Germany ... and many hops forwarded - World inside end - HYBRID: World outside, a friend from inside is giving the packet to a hybrid node outside - Worldoutside: routing and routing to the destination. So the new approach is to have a world outside with tor routing, and a World inside with forwarding nodes. The World inside is based on the secure trusted friend encrypted layer of http://retroshare.sf.net . Each node inside the World needs friends either forwarding or a HYBRID-friend from Outside the law. We need a board for that, to bring people from inside and outside together, as the f2f chain may be broken quick, as not every f2f user is installing the tor-plugin. But three or four routing ways in the middle is enough for a start to haver the MIXER. Then different Ports or Hybrids outside the World start the routing, some ping pong inside over f2f layer and then back outside, ideally over a different hybrid node. So the goal for nodes inside is a) to have friends forwarding for free, and b) to have at least one or two hybrid- friends to mix here the Inside-World-Entry and Inside-World-Exit Nodes. (remember the exit node is the tor node to fetch the website and the iside-world-exit-node is the node in a country without data retention law and hybrid with F2F). Here are the laws: EU, Germany and some laywer discussions, UK and Ireland and some other already have, as well USA will step into this .. so.. Russia and India is the last resort for Tor, China as well of course not. So a protocol change is needed, or a mixer, which is based on acting against the law, but this will no one do. So the trusted friend inside and the trusted friend hybrid outside will help to get a mix chain inside the law-area. Regards Richtlinie 2006/24/EG: http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf; Umgesetzt im deutschen Gesetzesentwurf: http://dip.bundestag.de/btd/16/058/1605846.pdf http://www.vorratsdatenspeicherung.de http://www.heise.de/newsticker/meldung/91627 vom 23.06.2007 http://www.bundestag.de/bic/analysen/2006/zulaessigkeit_der_vorratsdatenspeicherung_nach_europaeischem_und_deutschem_recht.pdf, dagegen: https://www.datenschutzzentrum.de/polizei/20070627-vorratsdatenspeicherung.pdf sowie das Bundesverfassungsgericht: http://www.bundesverfassungsgericht.de/pressemitteilungen/bvg07-082.html Bundesverfassungsgericht - Pressestelle - Pressemitteilung Nr. 82/2007 vom 27. Juli 2007 - 1 BvR 370/07; 1BvR 595/07 - http://www.bundesverfassungsgericht.de/pressemitteilungen/bvg07-082.html
Re: new perspektive for tor
On Friday 16 November 2007 17:04:18 Michael Schmidt wrote: > Due to data retention logg needs/law in the EU, there will be no > outproxy and no forwarding-nodes in the EU anymore, if they do not > logg all traffic. Can someone point me to the EU directive on this? I thought this was just a German initiative. signature.asc Description: This is a digitally signed message part.
Re: court trial against me - the outcome
don't keep the knowledge for yourself :) On Thursday 15 November 2007 22:54, Arrakis wrote: > I actually know of such a company that is interested in supplying tor > legal insurance in DE. Is anyone interested? > > Steve >
Re: Installing TOR on CentOS
>> What must I do, or (better!) is there a rpm already for centOS?? >Apparently, you don't have any development tools. "yum install libevent-devel" >should pull in everything you need to build Tor. Thanks, yes in fact I had to install openssl too :) Ok tor is running now, but where is the config file? "[notice] Configuration file "/usr/local/etc/tor/torrc" not present, using reasonable defaults." I want check and probably change some of the reasonable defaults!
Re: encrypting your communications?!
On Sat, Nov 17, 2007 at 12:13:34PM +, Robert Hogan wrote: > "Tor protects you by encrypting your communications and bouncing them around > a > distributed network of relays run by volunteers all around the world." > > I think this sentence is misleading. It is hard to interpret 'encrypting your > communications' as meaning anything other than exactly that: Tor somehow > encrypts all your communications, full stop. > > It should be changed to something like: > > "Tor protects you by hiding the origin of your communications. It does this > by > bouncing them around a distributed network of relays run by volunteers all > around the world." Gah. You're right. I've changed the offending sentence to: "Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning where you're coming from." I don't want to only say that it hides the origin of your communication, because a lot of people out there use Tor to gain protection from a local attacker, and "hides the origin" is only half the story. (Actually, it's only a third of the story -- the last third that I've left out is that Tor is resistant to any single relay learning both your location and your destination. But there's only so much you can fit into an introductory paragraph.) If anybody wants to propose alternate frontpage text, do feel free. :) Thanks! --Roger
encrypting your communications?!
From the front page: "Tor protects you by encrypting your communications and bouncing them around a distributed network of relays run by volunteers all around the world." I think this sentence is misleading. It is hard to interpret 'encrypting your communications' as meaning anything other than exactly that: Tor somehow encrypts all your communications, full stop. It should be changed to something like: "Tor protects you by hiding the origin of your communications. It does this by bouncing them around a distributed network of relays run by volunteers all around the world." signature.asc Description: This is a digitally signed message part.
Re: Installing TOR on CentOS
Hi, [EMAIL PROTECTED] wrote: What must I do, or (better!) is there a rpm already for centOS?? Apparently, you don't have any development tools. "yum install libevent-devel" should pull in everything you need to build Tor. Regards Marco
Re: How to ban bad tor node which would redirect http request to a certain ip tracker?
On 11/17/07, Roger Dingledine <[EMAIL PROTECTED]> wrote: > On Sat, Nov 17, 2007 at 02:29:09AM -0800, s s wrote: > > I recently found some "bad" tor node would redirect http request to a > > pre-configured address such as > >http://218.86.119.72/req.php?str1=xxx&&str2=url > > where xxx is a 18 digit number contain a Unix time stamp and url is > > the original url requested. > > then the host 218.86.119.72 will send back a cookie which named > > 'UniProclove' whose content is also a 18 digit number. > > > > Is it possible to configure tor to isolate such a "bad" tor node? > > or is it possible to configure tor to refuse to connect/relay to > > certain ip addresses? > > Yes, you can exclude the node by nickname (or better, by key fingerprint) > by adding an "ExcludeNodes" line to your torrc file. See the man page > for details. > > But even better, if you tell us which node it is, we'll a) try to contact > the operator to get him to fix it, as it's quite likely to be an innocent > misconfiguration, and b) blacklist it from the directory consensus in > the meantime, so other users won't stumble into it. > I dont know how to find which node did the redirect. Seems that it is difficult to track this node, it only occurs from time to time Now what i can do is to block browser cookies and/or configure Privoxy to block this kind of urls. > (I've been meaning for a while to come up with some mechanism for users to > report problems they see, while we wait for Mike Perry to get his TorFlow > application more automated. But there are enough false positives that I > don't think we should just say "mail tor-volunteers". I'm not sure what > the best plan should be.) > > Thanks! > --Roger > > Regards,
Installing TOR on CentOS
Hi, Would like to run a node on a centOS box. Got the source from http://www.torproject.org/dist/tor-0.2.0.12-alpha.tar.gz ./configure: I get an error message: [EMAIL PROTECTED] tor-0.2.0.12-alpha]# ./configure checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... //bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking for gcc... no checking for cc... no checking for cl.exe... no configure: error: no acceptable C compiler found in $PATH What must I do, or (better!) is there a rpm already for centOS?? Thanks :)
Re: How to ban bad tor node which would redirect http request to a certain ip tracker?
On Sat, Nov 17, 2007 at 02:29:09AM -0800, s s wrote: > I recently found some "bad" tor node would redirect http request to a > pre-configured address such as >http://218.86.119.72/req.php?str1=xxx&&str2=url > where xxx is a 18 digit number contain a Unix time stamp and url is > the original url requested. > then the host 218.86.119.72 will send back a cookie which named > 'UniProclove' whose content is also a 18 digit number. > > Is it possible to configure tor to isolate such a "bad" tor node? > or is it possible to configure tor to refuse to connect/relay to > certain ip addresses? Yes, you can exclude the node by nickname (or better, by key fingerprint) by adding an "ExcludeNodes" line to your torrc file. See the man page for details. But even better, if you tell us which node it is, we'll a) try to contact the operator to get him to fix it, as it's quite likely to be an innocent misconfiguration, and b) blacklist it from the directory consensus in the meantime, so other users won't stumble into it. (I've been meaning for a while to come up with some mechanism for users to report problems they see, while we wait for Mike Perry to get his TorFlow application more automated. But there are enough false positives that I don't think we should just say "mail tor-volunteers". I'm not sure what the best plan should be.) Thanks! --Roger
How to ban bad tor node which would redirect http request to a certain ip tracker?
Hi, I recently found some "bad" tor node would redirect http request to a pre-configured address such as http://218.86.119.72/req.php?str1=xxx&&str2=url where xxx is a 18 digit number contain a Unix time stamp and url is the original url requested. then the host 218.86.119.72 will send back a cookie which named 'UniProclove' whose content is also a 18 digit number. Is it possible to configure tor to isolate such a "bad" tor node? or is it possible to configure tor to refuse to connect/relay to certain ip addresses?
