Re: Tor Desktop
Here are a few other virtual anonymity machines: - JanusVM [http://www.vmware.com/appliances/directory/392], - xB Machine [http://xerobank.com/software.php], I may be wrong but I thought one of the major problems with someone creating a anonymity virtual machine has been keeping them up to date with the latest version of Tor especially when a security fix comes out. So it's not that they're bad ideas, they're just really high maintenance to do as a distributable project. It all depends on how you setup your system and what you're using Tor for but personally, I think it's much easier to maintain security and privacy having a VM separate from your regular system if you're switching between using Tor and not. But that's just me... ~ROC Tor Admin On Fri, Jun 6, 2008 at 11:32 PM, Kasimir Gabert <[EMAIL PROTECTED]> wrote: > On Fri, Jun 6, 2008 at 8:58 PM, defcon <[EMAIL PROTECTED]> wrote: > > why would u need a seperate tor machine, when all you need is tor and > some > > firefox extensions? > > The idea is to prevent any unknown security breeches from compromising > your anonymity. If, say, Firefox has a zero day exploit that will, > even with Torbutton, leak the saved sites, usernames, and passwords to > a script (this is unlikely, but an example) they having an entirely > separate Firefox installation would save your anonymity. The same > idea applies outwards to the operating system. > > Kasimir > > -- > Kasimir Gabert >
Re: Tor Desktop
On Fri, Jun 6, 2008 at 8:58 PM, defcon <[EMAIL PROTECTED]> wrote: > why would u need a seperate tor machine, when all you need is tor and some > firefox extensions? The idea is to prevent any unknown security breeches from compromising your anonymity. If, say, Firefox has a zero day exploit that will, even with Torbutton, leak the saved sites, usernames, and passwords to a script (this is unlikely, but an example) they having an entirely separate Firefox installation would save your anonymity. The same idea applies outwards to the operating system. Kasimir -- Kasimir Gabert
Re: Tor Desktop
why would u need a seperate tor machine, when all you need is tor and some firefox extensions? On Fri, Jun 6, 2008 at 7:56 PM, Chris Burge <[EMAIL PROTECTED]> wrote: > No, I mean the project at: > http://wiki.noreply.org/noreply/VirtualPrivacyMachine. It uses TOR but > allows you to have a separate machine using QEMU or something like (i.e. > VMWare, VirtualBox, etc). So does this mean that no one knows? > > Thanks, > Chris > > > On Fri, Jun 6, 2008 at 9:38 PM, <[EMAIL PROTECTED]> wrote: > >> On Fri, Jun 06, 2008 at 10:30:21AM -0400, [EMAIL PROTECTED] wrote 1.3K >> bytes in 24 lines about: >> : I'm trying to implement the Tor Desktop as shown at freehaven on a >> Xubuntu >> : VMWare install. First, is this project dead? Secondly, how can I tell >> if >> >> Perhaps you mean Tor at https://www.torproject.org/ ? >> >> : this is working. I'm a noob in Linux so any help is good. I didn't >> want to >> : use the Virtual Privacy Machine on metropipe as it seems too integrated >> with >> : their service and didn't want to accidently uninstall something that I >> : need. LOL. Besides, I'd like to be able to do this on my own. >> >> >> https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#IsMyConnectionPrivate >> >> -- >> Andrew >> > > > > -- > Interested in selling your home? Ask me!
Re: Tor Desktop
No, I mean the project at: http://wiki.noreply.org/noreply/VirtualPrivacyMachine. It uses TOR but allows you to have a separate machine using QEMU or something like (i.e. VMWare, VirtualBox, etc). So does this mean that no one knows? Thanks, Chris On Fri, Jun 6, 2008 at 9:38 PM, <[EMAIL PROTECTED]> wrote: > On Fri, Jun 06, 2008 at 10:30:21AM -0400, [EMAIL PROTECTED] wrote 1.3K > bytes in 24 lines about: > : I'm trying to implement the Tor Desktop as shown at freehaven on a > Xubuntu > : VMWare install. First, is this project dead? Secondly, how can I tell > if > > Perhaps you mean Tor at https://www.torproject.org/ ? > > : this is working. I'm a noob in Linux so any help is good. I didn't want > to > : use the Virtual Privacy Machine on metropipe as it seems too integrated > with > : their service and didn't want to accidently uninstall something that I > : need. LOL. Besides, I'd like to be able to do this on my own. > > > https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#IsMyConnectionPrivate > > -- > Andrew > -- Interested in selling your home? Ask me!
Re: Tor Desktop
On Fri, Jun 06, 2008 at 10:30:21AM -0400, [EMAIL PROTECTED] wrote 1.3K bytes in 24 lines about: : I'm trying to implement the Tor Desktop as shown at freehaven on a Xubuntu : VMWare install. First, is this project dead? Secondly, how can I tell if Perhaps you mean Tor at https://www.torproject.org/ ? : this is working. I'm a noob in Linux so any help is good. I didn't want to : use the Virtual Privacy Machine on metropipe as it seems too integrated with : their service and didn't want to accidently uninstall something that I : need. LOL. Besides, I'd like to be able to do this on my own. https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#IsMyConnectionPrivate -- Andrew
Re: How do we defeat exit node sniffing?
It also depends on what you are using Tor for. If you are checking your e-mail (or whatever) that is associated with your real identity, then use only HTTPS. But if you are checking a different e-mail account that you have (1) setup over Tor and (2) only use for anonymous purposes, then you run a very small risk of being associated with the activity of that account. Remember, just because your traffic is anonymous doesn't mean it's private. So if you say "This is John Smith and my SSN is xxx-xx-" or whatever over an anonymous connection to a blog or forum, then you are asking for trouble. You have to be in control of your privacy. - Kyle On Thu, Jun 5, 2008 at 7:20 PM, defcon <[EMAIL PROTECTED]> wrote: > for http connections im worried about cookie sidejacking as well since some > sites only authenticate via https and set a cookie, what can we do in this > regard? > > > On Thu, Jun 5, 2008 at 7:08 PM, Xizhi Zhu <[EMAIL PROTECTED]> wrote: > >> you have to try to do the authentication with SSL/TLS. if not, your >> username and your password will be sent to the exit nodes first, and that's >> really terrible! >> >> 2008/6/6, defcon <[EMAIL PROTECTED]>: >> >>> so what do you all suggest if I must authenticate to a non ssl >>> connection? How do I do it anonymously and safely? >>> >>> On Thu, Jun 5, 2008 at 5:37 PM, Christopher Davis <[EMAIL PROTECTED]> >>> wrote: >>> On Thu, Jun 05, 2008 at 05:01:34PM -0700, defcon wrote: > What are some good ways to defeat exit node sniffing? Is there a listing of > good exit nodes that do not sniff? > Thanks, > defcon Prefer TLS-enabled services, and mind the authenticity of server certs. Or use Tor hidden services. -- Christopher Davis >>> >>> >> >> >> -- >> Use Tor to secure your surfing trace: >> http://www.torproject.org/ >> >> My blog: http://xizhizhu.blogspot.com/ > > >
Re: How do we defeat exit node sniffing?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 defcon @ 2008/06/06 02:20: > for http connections im worried about cookie sidejacking as well since > some sites only authenticate via https and set a cookie, what can we do > in this regard? > there's nothing to do in this case either. you have to be prepared for your session to be hijacked. at least, in this case, your password cannot be changed since most sites require re-authenticating to change the password (and that will be done via https). always be sure to use the "log out"/etc. link when done, to update the cookie accordingly. again, personally, this hasn't happened to me (that i'm aware of). from what i've casually seen in vidalia, if you are able to switch to https, cookies are probably also exchanged via https even if they are set to use "any type of connection" (as opposed to "encrypted connections only"). i can hypothesize this because i no longer see connections to port 80 after switching to https. if the cookies were being exchanged in the clear there would still be connections to port 80, right? it seems wondering about this is mostly moot, though, since the only way to be sure your information is secure is to use https all the time with cookies set to use "encrypted connections only". even then you are placing trust in a CA, which is a third party also subject to attack. oh my! -BEGIN PGP SIGNATURE- iD8DBQFISaqaXhfCJNu98qARCFEEAKCXzvJqMM7whLMRNjjEK4/qP++uggCgkmzO 0m31S0h/obTqCmZBg43myhc= =d9h/ -END PGP SIGNATURE-
Re: How do we defeat exit node sniffing?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 defcon @ 2008/06/06 01:35: > so what do you all suggest if I must authenticate to a non ssl > connection? How do I do it anonymously and safely? > to do it anonymously, i recommend creating a new account using a new, anonymous e-mail (if required), all via Tor of course. as for safely, you can always try changing the url to https, sometimes a site supports https but doesn't use it by default. ensure your browser warns you if parts of the page are unencrypted and when you are submitting unencrypted information, check to especially make sure the form submission links will use https. otherwise, there is no safe way to do it. you have to be prepared in this case for your login credentials and entire account to be compromised. of course changing your password is futile as that is probably done in the clear as well. at least you will remain anonymous. to me, personally, (to my knowledge) this has not happened. -BEGIN PGP SIGNATURE- iD8DBQFISaRgXhfCJNu98qARCFC0AKCVShLjKMkt31mZF5kMKie5GIu+owCg5BfX nBYwVJSpT213/IWnqg2bFmY= =IHLI -END PGP SIGNATURE-
Re: Tor with secure Gmail
[Second try, now with a subscribed address ...] "Man Man" <[EMAIL PROTECTED]> wrote: > I am using Gmail at https://mail.google.com/ with tor. > > When I am at login, browser will state that the connection is only > partially secure, ie. some items (I do not know what) are not > encrypted. However, once I untor, I am able to get into the fully > secure Gmail login page. If you "untor" by switching from Privoxy+Tor to a direct connection, you may be hitting the problem described in: https://sourceforge.net/tracker/index.php?func=detail&aid=1943422&group_id=8&atid=18 Fabian signature.asc Description: PGP signature
Tor Desktop
I'm trying to implement the Tor Desktop as shown at freehaven on a Xubuntu VMWare install. First, is this project dead? Secondly, how can I tell if this is working. I'm a noob in Linux so any help is good. I didn't want to use the Virtual Privacy Machine on metropipe as it seems too integrated with their service and didn't want to accidently uninstall something that I need. LOL. Besides, I'd like to be able to do this on my own. Thanks, Chris
Re: Is tor-resolve required to run an Exit node.
dante <[EMAIL PROTECTED]> wrote: > I'm reading the tor code and (if I've understood it) it looks like the > "tor" binary is sufficient for running either a relay or exit node. Correct. > i.e. tor-resolve is simply an "extra" utility for the end user to do DNS > resolution via tor rather than via one's DNS server as defined in > /etc/resolv.conf. (tor-resolve is the tor equivalent of nslookup). My "Tor nslookup equivalent" of choice is nslookup: [EMAIL PROTECTED] ~ $sockstat -4l | grep _tor _tor tor1643 5 tcp4 10.0.0.2:9050 *:* _tor tor1643 6 tcp4 10.0.0.2:9040 *:* _tor tor1643 7 udp4 10.0.0.2:53 *:* _tor tor1643 8 tcp4 10.0.0.2:9051 *:* [EMAIL PROTECTED] ~ $nslookup www.torproject.org tor-jail Server: tor-jail Address:10.0.0.2#53 Non-authoritative answer: Name: www.torproject.org Address: 86.59.21.36 That may not be possible with stable releases yet, though. Fabian signature.asc Description: PGP signature
Re: Tor with secure Gmail
Man Man schrieb: > Hi! Aloha! > I am using Gmail at https://mail.google.com/ with tor. > > When I am at login, browser will state that the connection is only > partially secure, ie. some items (I do not know what) are not > encrypted. However, once I untor, I am able to get into the fully > secure Gmail login page. What browser are you using? Can you tell us the exact words of the error-message? Does it say something like "self-signed certificate", "security certificate belongs to other hostname", "certificate expired" or what? Click the little button which looks like a lock on your browser's lower right side (for IE and Mozilla-clones). > I tried this for many times and got this result each time. As I live > in an unsafe country, I am worried my government is adding code to > network traffic to identify users. So please state what exact error-messages you're getting. > Thanks in advance. Alex. signature.asc Description: OpenPGP digital signature
Tor with secure Gmail
Hi! I am using Gmail at https://mail.google.com/ with tor. When I am at login, browser will state that the connection is only partially secure, ie. some items (I do not know what) are not encrypted. However, once I untor, I am able to get into the fully secure Gmail login page. I tried this for many times and got this result each time. As I live in an unsafe country, I am worried my government is adding code to network traffic to identify users. Thanks in advance.
Tor with secure Gmail
Hi! I am using Gmail at https://mail.google.com/ with tor. When I am at login, browser will state that the connection is only partially secure, ie. some items (I do not know what) are not encrypted. However, once I untor, I am able to get into the fully secure Gmail login page. I tried this for many times and got this result each time. As I live in an unsafe country, I am worried my government is adding code to network traffic to identify users. Thanks in advance.
Re: Is tor-resolve required to run an Exit node.
Hi, dante wrote: I'm reading the tor code and (if I've understood it) it looks like the "tor" binary is sufficient for running either a relay or exit node. i.e. tor-resolve is simply an "extra" utility for the end user to do DNS resolution via tor rather than via one's DNS server as defined in /etc/resolv.conf. (tor-resolve is the tor equivalent of nslookup). Can someone confirm this? Am asking because I want to be certain about what binaries to include in this ramdisk image I'm buidling. Your assumption is correct; you don't need tor-resolve in order to run a server. rgds Marco
Is tor-resolve required to run an Exit node.
Hi, I'm reading the tor code and (if I've understood it) it looks like the "tor" binary is sufficient for running either a relay or exit node. i.e. tor-resolve is simply an "extra" utility for the end user to do DNS resolution via tor rather than via one's DNS server as defined in /etc/resolv.conf. (tor-resolve is the tor equivalent of nslookup). Can someone confirm this? Am asking because I want to be certain about what binaries to include in this ramdisk image I'm buidling. --Tony
RE: How do we defeat exit node sniffing?
Why do you think it would be embarrassing? I'm fairly certain that some exit nodes have been setup as "research" projects. On Thu, 2008-06-05 at 21:49 -0700, Wesley Kenzie wrote: > > Or BostonUCompSci? It would be kind of embarrassing to Boston > University wouldn't it, if they were found to be sniffing? > > It is probably too much to expect at this point, though, that a list > of trusted exit nodes will be publicly compiled. I think you have to > do your own investigations and come up with your own list.
Re: How do we defeat exit node sniffing?
defcon wrote: so what do you all suggest if I must authenticate to a non ssl connection? How do I do it anonymously and safely? Apply the same security measures necessary to authenticate a non-SSL connection without the use of Tor.