Re: Bit of justice, all charges dropped against Tor-operator
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 This is great news, thanks for posting it to the list. As previous posters said: document, document, document. And don't cooperate! Ringo Ok, I'll try to document the events. I'll tell when theres updates. Thanks for the support! M -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkk3uIwACgkQeaKwdrf2V0pSbACfcScruaUDL2+r0wkcE6tMIy8/ NyUAoI+05bfysZFrvCagN9UEgawFb9eF =JKvM -END PGP SIGNATURE-
More info on my own tor problems
I have had a long-running problem upgrading to tor-0.2.1.7-alpha. I usually use Tork as my tor manager (version 0.29.2 rpm - I can't build the latest because I am using kde 4 and it wont build on such a system) and run the configuation wizard after every tor upgrade. This has worked perfectly up until 0.2.1.7-alpha. The problem is that no matter what I do, be it configure tor via Tork or do it manually with a text editor, I cannot get tor to run. It crashes very quickly and, from Tork, produces no useful log information. It just stops. I have now tried with vidalia and I am still unable to run tor but I am getting useful log data: Dec 04 08:05:41.407 [Notice] Tor v0.2.1.7-alpha (r17216). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Dec 04 08:05:41.409 [Warning] Unable to open configuration file /etc/tor/torrc. Dec 04 08:05:41.410 [Error] Reading config failed--see warnings above. Dec 04 08:06:24.666 [Notice] Tor v0.2.1.7-alpha (r17216). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Dec 04 08:06:24.669 [Warning] Skipping obsolete configuration option 'Group' Dec 04 08:06:24.673 [Notice] Initialized libevent version 1.4.7-stable using method epoll. Good. Dec 04 08:06:24.675 [Notice] Opening OR listener on 0.0.0.0:9001 Dec 04 08:06:24.679 [Notice] Opening Socks listener on 127.0.0.1:9050 Dec 04 08:06:24.682 [Notice] Opening Control listener on 127.0.0.1:9051 Dec 04 08:06:24.686 [Warning] Error setting configured groups: Operation not permitted Dec 04 08:06:24.689 [Warning] Failed to parse/validate config: Problem with User value. See logs for details. Dec 04 08:06:24.693 [Error] Reading config failed--see warnings above. I have no idea what the problem is with the torrc file. I merely took the sample provided with the software and uncommented the applicable parts (after Tork failed to configure it) and copy it to torrc. What is the deal with tor-0.2.1.7? What has changed vis a vis configuration that appears to break it compared to the any and all of the previous versions? Most important of all, how do I get past this so I can start running tor again? praedor
Re: More info on my own tor problems
Forgot to add: I saw the unable to open /etc/tor/torrc message and fixed that and tried again. I get essentially the same messages except lacking the above statement: Dec 04 08:13:34.430 [Notice] Tor v0.2.1.7-alpha (r17216). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Dec 04 08:13:34.431 [Warning] Linelist option '__HashedControlSessionPassword' has no value. Skipping. Dec 04 08:13:34.432 [Warning] Skipping obsolete configuration option 'Group' Dec 04 08:13:34.432 [Warning] ControlPort is open, but no authentication method has been configured. This means that any program on your computer can reconfigure your Tor. That's bad! You should upgrade your Tor controller as soon as possible. Dec 04 08:13:34.433 [Notice] Initialized libevent version 1.4.7-stable using method epoll. Good. Dec 04 08:13:34.433 [Notice] Opening OR listener on 0.0.0.0:9001 Dec 04 08:13:34.434 [Notice] Opening Socks listener on 127.0.0.1:9050 Dec 04 08:13:34.434 [Notice] Opening Control listener on 127.0.0.1:9051 Dec 04 08:13:34.434 [Warning] Error setting configured groups: Operation not permitted Dec 04 08:13:34.435 [Warning] Failed to parse/validate config: Problem with User value. See logs for details. Dec 04 08:13:34.435 [Error] Reading config failed--see warnings above. On Thursday 04 December 2008 08:17:18 Praedor Atrebates wrote: I have had a long-running problem upgrading to tor-0.2.1.7-alpha. I usually use Tork as my tor manager (version 0.29.2 rpm - I can't build the latest because I am using kde 4 and it wont build on such a system) and run the configuation wizard after every tor upgrade. This has worked perfectly up until 0.2.1.7-alpha. The problem is that no matter what I do, be it configure tor via Tork or do it manually with a text editor, I cannot get tor to run. It crashes very quickly and, from Tork, produces no useful log information. It just stops. I have now tried with vidalia and I am still unable to run tor but I am getting useful log data: Dec 04 08:05:41.407 [Notice] Tor v0.2.1.7-alpha (r17216). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Dec 04 08:05:41.409 [Warning] Unable to open configuration file /etc/tor/torrc. Dec 04 08:05:41.410 [Error] Reading config failed--see warnings above. Dec 04 08:06:24.666 [Notice] Tor v0.2.1.7-alpha (r17216). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Dec 04 08:06:24.669 [Warning] Skipping obsolete configuration option 'Group' Dec 04 08:06:24.673 [Notice] Initialized libevent version 1.4.7-stable using method epoll. Good. Dec 04 08:06:24.675 [Notice] Opening OR listener on 0.0.0.0:9001 Dec 04 08:06:24.679 [Notice] Opening Socks listener on 127.0.0.1:9050 Dec 04 08:06:24.682 [Notice] Opening Control listener on 127.0.0.1:9051 Dec 04 08:06:24.686 [Warning] Error setting configured groups: Operation not permitted Dec 04 08:06:24.689 [Warning] Failed to parse/validate config: Problem with User value. See logs for details. Dec 04 08:06:24.693 [Error] Reading config failed--see warnings above. I have no idea what the problem is with the torrc file. I merely took the sample provided with the software and uncommented the applicable parts (after Tork failed to configure it) and copy it to torrc. What is the deal with tor-0.2.1.7? What has changed vis a vis configuration that appears to break it compared to the any and all of the previous versions? Most important of all, how do I get past this so I can start running tor again? praedor
Re: Exceeding connection limit
On Wed, 3 Dec 2008 19:40:54 -0500 [EMAIL PROTECTED] wrote On Wed, Dec 03, 2008 at 11:44:13PM +0100, [EMAIL PROTECTED] wrote 2.4K bytes in 54 lines about: : is there any easy way, how to limit connections for Tor? Thousands of : connections often breaks my lowcost ADSL router at home and I have to : restart it. This is a FAQ answer, https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#CablemodemCrashes : I think it should be similar option like Bandwidth rate. Or is there any : reason, why there must be thousands of connection from point of Tor network : design? In the manual page, there is: ConnLimit NUM The minimum number of file descriptors that must be available to the Tor process before it will start. Tor will ask the OS for as many file descriptors as the OS will allow (you can find this by ulimit -H -n). If this number is less than ConnLimit, then Tor will refuse to start. You probably don't need to adjust this. It has no effect on Windows since that platform lacks getrlimit(). (Default: 1000) This may or may not work to fix the problems with a poorly designed ADSL router. This appears to be a problem on many/all electronics store routers. My suspicion is that these routers have fairly tight memory restrictions and can support only small tables for state, NAT, and so forth. Linksys routers, for example, typically choke when their NAT/RDR capacity is exceeded, refusing thereafter to allow any new outbound NATed connections until they have been rebooted. All small routers I've used with tor when running a relay have never allowed more than 200 - 400 simultaneously open connections. I now have my FreeBSD 6.3 system connected directly to the cable modem with pf handling the RDRs, and the relay no longer encounters limits that low. After the relay has been running for several days, the number of connections has usually slowly grown to hover in the 1000 - 1400 range. I don't know why it stops there, but it may just be a consequence of the limited transmission rate of my Internet link. It's certainly not due to memory or CPU speed limitations. As for the design questions, I'll let someone else answer that as I can't find the details as to why right now. I thought this issue had come up several times on this list already and that a torrc option was now available to set a maximum number of connections. I don't see such an option in the 0.2.1.7-alpha man page, however. Perhaps it's one of those undocumented options. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * **
Tor bridges email discovery...
Hey everyone, Is the email based bridge discovery mechanism described here* not functional? I've tried from a few valid gmail accounts but have received no responses. * https://www.torproject.org/bridges#FindingMore
Commercial tor offering?
Hello, I am sure someone had digested this before but what would be some issues with purchasing (say) twenty different boxes around the USA with good pipes and allowing people to use them as tor relays/exit nodes (while charging a monthly fee for it)? The way I see it, greatest obstacle to using tor every day is speed, but I might be wrong. Thanks, Ognen P.S. My apologies if this emails is duplicated, I had some emailer issues.
Re: Tor bridges email discovery...
On Thu, Dec 04, 2008 at 10:42:09AM -0600, Jon McLachlan wrote: Is the email based bridge discovery mechanism described here* not functional? I've tried from a few valid gmail accounts but have received no responses. * https://www.torproject.org/bridges#FindingMore Earlier today there was a commit from Jake: http://archives.seul.org/or/cvs/Dec-2008/msg00056.html with the phrase some fixes / improvements and is lightly broken :). That might be our hint. I'll let Jake follow-up with more details. --Roger
Re: More info on my own tor problems
On Thu, 4 Dec 2008 08:17:18 -0500 Praedor Atrebates [EMAIL PROTECTED] wrote: I have had a long-running problem upgrading to tor-0.2.1.7-alpha. I usually use Tork as my tor manager (version 0.29.2 rpm - I can't build the latest because I am using kde 4 and it wont build on such a system) and run the configuation wizard after every tor upgrade. This has worked perfectly up until 0.2.1.7-alpha. The problem is that no matter what I do, be it configure tor via Tork or do it manually with a text editor, I cannot get tor to run. It crashes very quickly and, from Tork, produces no useful log information. It just stops. I have now tried with vidalia and I am still unable to run tor but I am getting useful log data: Dec 04 08:05:41.407 [Notice] Tor v0.2.1.7-alpha (r17216). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Dec 04 08:05:41.409 [Warning] Unable to open configuration file /etc/tor/torrc. Dec 04 08:05:41.410 [Error] Reading config failed--see warnings above. Dec 04 08:06:24.666 [Notice] Tor v0.2.1.7-alpha (r17216). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Dec 04 08:06:24.669 [Warning] Skipping obsolete configuration option 'Group' Dec 04 08:06:24.673 [Notice] Initialized libevent version 1.4.7-stable using method epoll. Good. Dec 04 08:06:24.675 [Notice] Opening OR listener on 0.0.0.0:9001 Dec 04 08:06:24.679 [Notice] Opening Socks listener on 127.0.0.1:9050 Dec 04 08:06:24.682 [Notice] Opening Control listener on 127.0.0.1:9051 Dec 04 08:06:24.686 [Warning] Error setting configured groups: Operation not permitted Dec 04 08:06:24.689 [Warning] Failed to parse/validate config: Problem with User value. See logs for details. Dec 04 08:06:24.693 [Error] Reading config failed--see warnings above. I have no idea what the problem is with the torrc file. I merely took the sample provided with the software and uncommented the applicable parts (after Tork failed to configure it) and copy it to torrc. What is the deal with tor-0.2.1.7? What has changed vis a vis configuration that appears to break it compared to the any and all of the previous versions? Most important of all, how do I get past this so I can start running tor again? The problem may not actually be in the torrc file. Check to see whether you have a startup/shutdown script, perhaps run by /etc/rc on your system, that specifies --user and --group. If you do, try removing those arguments from the command line that starts tor in the script. The error messages could be more accurate. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * **
Re: More info on my own tor problems
I can look but don't think that could be the issue. I don't start tor as a service when I boot, I manually start it (via Tork or Vidalia). If I don't start tor up via script in the rc directories, how could such a script have any effect on tor started on command? praedor On Thursday 04 December 2008 12:27:50 Scott Bennett wrote: I have no idea what the problem is with the torrc file. I merely took the sample provided with the software and uncommented the applicable parts (after Tork failed to configure it) and copy it to torrc. What is the deal with tor-0.2.1.7? What has changed vis a vis configuration that appears to break it compared to the any and all of the previous versions? Most important of all, how do I get past this so I can start running tor again? The problem may not actually be in the torrc file. Check to see whether you have a startup/shutdown script, perhaps run by /etc/rc on your system, that specifies --user and --group. If you do, try removing those arguments from the command line that starts tor in the script. The error messages could be more accurate.
Tor 0.2.0.32 is released
Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages (and maybe other packages) noticed by Theo de Raadt, fixes a smaller security flaw that might allow an attacker to access local services, further improves hidden service performance, and fixes a variety of other issues. https://www.torproject.org/download.html Or use our new https://www.torproject.org/easy-download page. Changes in version 0.2.0.32 - 2008-11-20 o Security fixes: - The User and Group config options did not clear the supplementary group entries for the Tor process. The User option is now more robust, and we now set the groups to the specified user's primary group. The Group option is now ignored. For more detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857. - The ClientDNSRejectInternalAddresses config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. o Major bugfixes: - Fix a DOS opportunity during the voting signature collection process at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x. o Major bugfixes (hidden services): - When fetching v0 and v2 rendezvous service descriptors in parallel, we were failing the whole hidden service request when the v0 descriptor fetch fails, even if the v2 fetch is still pending and might succeed. Similarly, if the last v2 fetch fails, we were failing the whole hidden service request even if a v0 fetch is still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha. - When extending a circuit to a hidden service directory to upload a rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all requests failed, because the router descriptor has not been downloaded yet. In these cases, do not attempt to upload the rendezvous descriptor, but wait until the router descriptor is downloaded and retry. Likewise, do not attempt to fetch a rendezvous descriptor from a hidden service directory for which the router descriptor has not yet been downloaded. Fixes bug 767. Bugfix on 0.2.0.10-alpha. o Minor bugfixes: - Fix several infrequent memory leaks spotted by Coverity. - When testing for libevent functions, set the LDFLAGS variable correctly. Found by Riastradh. - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from bootstrapping with tunneled directory connections. Bugfix on 0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam. - When asked to connect to A.B.exit:80, if we don't know the IP for A and we know that server B rejects most-but-not all connections to port 80, we would previously reject the connection. Now, we assume the user knows what they were asking for. Fixes bug 752. Bugfix on 0.0.9rc5. Diagnosed by BarkerJr. - If we overrun our per-second write limits a little, count this as having used up our write allocation for the second, and choke outgoing directory writes. Previously, we had only counted this when we had met our limits precisely. Fixes bug 824. Patch from by rovv. Bugfix on 0.2.0.x. - Remove the old v2 directory authority 'lefkada' from the default list. It has been gone for many months. - Stop doing unaligned memory access that generated bus errors on sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862. - Make USR2 log-level switch take effect immediately. Bugfix on 0.1.2.8-beta. o Minor bugfixes (controller): - Make DNS resolved events into CLOSED, not FAILED. Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807. -- Andrew signature.asc Description: Digital signature
Re: Firefox,Torbutton leaks real IP Address.
The Are you using Tor? page at http://check.torproject.org/ sometimes tells me that I am not using Tor, even with Tor and Torbutton running. It has only done that soon after starting Tor and the browser. From: Luis Maceira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 3, 2008 2:15:27 PM Subject: Firefox,Torbutton leaks real IP Address. The combination Firefox-3.0.3(in fact,Iceweasel-3.0.3),Torbutton-1.2.0 leaks my real IP address.This happens BETWEEN when I initiate Tor-0.2.0.31 with the bash command /usr/local/tor/bin/tor and the moment when Tor effectively establishes a connection-circuit. This can be 60 seconds or more,and if in between we connect to the Internet with Firefox-Torbutton the real IP address is used(even with torbutton running-green) I tested with www.showmyip.com and others.My fear is if the same could happen when Tor changes circuit by ten-ten minutes or so,when leaves the previous circuit to the next one.(what happens in the transition moments).I did not test that situation. Thanks.
Re: Commercial tor offering?
Your customer list (as well as yourself) would be a short list of suspects in investigations regarding your IP addresses. The personal details about them in your corporate database would be used against them without their knowledge. You would be powerless to stop it. From: OgnenD [EMAIL PROTECTED] To: or-talk@freehaven.net Sent: Thursday, December 4, 2008 11:54:51 AM Subject: Commercial tor offering? Hello, I am sure someone had digested this before but what would be some issues with purchasing (say) twenty different boxes around the USA with good pipes and allowing people to use them as tor relays/exit nodes (while charging a monthly fee for it)? The way I see it, greatest obstacle to using tor every day is speed, but I might be wrong. Thanks, Ognen P.S. My apologies if this emails is duplicated, I had some emailer issues.
Re: Tor 0.2.0.32 is released
On Thu, Dec 04, 2008 at 12:34:16PM -0500, [EMAIL PROTECTED] wrote 4.4K bytes in 97 lines about: For OS X users, there is a packaging bugfix in 0.2.0.32 labelled as 0.2.0.32a in the available packages. It turns out for years we've been shipping a Info.plist with an incorrect key. The issue was discovered and reported as bug 876, https://bugs.torproject.org/flyspray/index.php?id=876do=details. The commit to fix the problem in the 0_2_0 branch is r17472: http://archives.seul.org/or/cvs/Dec-2008/msg00037.html The commit to fix the problem in the Vidalia 0.1 branch is r3361: http://trac.vidalia-project.net/browser/vidalia/branches/vidalia-0.1/pkg/osx?order=datedesc=1 The bug is that the OS X Installer will prompt The chosen volume contains software which is newer then [sic] the software you are installing. The problem is that the Installer looks in the file /Library/Receipts/Vidalia.pkg/Contents/Info.plist for CFBundleShortVersionString. We mistakenly called it CFBundleSortVersionString, which Apple inserts 1 as the value. The upgrade to Vidalia from 0.1.9 to 0.1.10 apparently triggered the issue. The fix is to put the correct value in place for the future. The simplest way to do this is to have the users click Continue when prompted. We could have spent a lot of time trying to fix it for the user to hide the issue, but well, that is fraught with problems and complexities. A simple click of Continue is far simpler and less error prone. The difference between the released 0.2.0.32 Tor code is the inclusion of r17472. It's not really 0.2.0.32a per se, but since we lack package versions, I had to distinguish it in some way. -- Andrew signature.asc Description: Digital signature
Re: Tor 0.2.0.32 is released
Thank you, is a new version for OSX10.3.9 on the way? GD On 4 Dec 2008, at 17:48, [EMAIL PROTECTED] wrote: On Thu, Dec 04, 2008 at 12:34:16PM -0500, [EMAIL PROTECTED] wrote 4.4K bytes in 97 lines about: For OS X users, there is a packaging bugfix in 0.2.0.32 labelled as 0.2.0.32a in the available packages. It turns out for years we've been shipping a Info.plist with an incorrect key. The issue was discovered and reported as bug 876, https://bugs.torproject.org/flyspray/index.php?id=876do=details. The commit to fix the problem in the 0_2_0 branch is r17472: http://archives.seul.org/or/cvs/Dec-2008/msg00037.html The commit to fix the problem in the Vidalia 0.1 branch is r3361: http://trac.vidalia-project.net/browser/vidalia/branches/vidalia-0.1/ pkg/osx?order=datedesc=1 The bug is that the OS X Installer will prompt The chosen volume contains software which is newer then [sic] the software you are installing. The problem is that the Installer looks in the file /Library/Receipts/Vidalia.pkg/Contents/Info.plist for CFBundleShortVersionString. We mistakenly called it CFBundleSortVersionString, which Apple inserts 1 as the value. The upgrade to Vidalia from 0.1.9 to 0.1.10 apparently triggered the issue. The fix is to put the correct value in place for the future. The simplest way to do this is to have the users click Continue when prompted. We could have spent a lot of time trying to fix it for the user to hide the issue, but well, that is fraught with problems and complexities. A simple click of Continue is far simpler and less error prone. The difference between the released 0.2.0.32 Tor code is the inclusion of r17472. It's not really 0.2.0.32a per se, but since we lack package versions, I had to distinguish it in some way. -- Andrew
Re: Commercial tor offering?
On Thursday 04 December 2008 12:21:04 Praedor Atrebates wrote: The point of tor isn't to lock people out by charging for service, it is to act as a totally open access system for ALL people regardless of economic status. Charging locks out a lot of people, especially in foreign countries with naughty governments and shitty economic situations. Thanks. You could still use the free infrastructure if you chose to do so. This would be an extra offering for people who want both anonymity and speed for a fee. Thanks for replying, it is not my intention to defend such an idea, just to see if it has been entertained before and if so, what was the conclusion. Ognen
Re: Tor 0.2.0.32 is released
On Thu, Dec 04, 2008 at 05:56:11PM +, [EMAIL PROTECTED] wrote 1.8K bytes in 43 lines about: Thank you, is a new version for OSX10.3.9 on the way? Yes. There is a tor-only package for 10.3.9 available at: https://www.torproject.org/dist/osx-old/Tor-0.2.0.32a-ppc-Bundle.dmg The vidalia bundle for PPC is coming shortly. The machine I use to make the ppc bundles is a G3 iMac. Qt 4.4.3 takes 23 hours to compile, assuming no errors. It appears Qt 4.4.3 doesn't support 10.3.9 anymore, so it has a slew of issues when compiling. I'm compiling qt 4.4.1 right now (because 4.4.2 had lots of issues) and well, it has another 10 hours of compiling to go. -- Andrew
Re: Commercial tor offering?
That point was just an extra. The major problem would be, as others chimed in about too, that you (person charging) would be royally screwed when the Feds decide to go on a witch hunt. You (the potential person charging for service) and all your paying customers would be, as stated previously, on the short list for investigation. You would definitely go on a watch list. praedor On Thursday 04 December 2008 13:00:44 OgnenD wrote: On Thursday 04 December 2008 12:21:04 Praedor Atrebates wrote: The point of tor isn't to lock people out by charging for service, it is to act as a totally open access system for ALL people regardless of economic status. Charging locks out a lot of people, especially in foreign countries with naughty governments and shitty economic situations. Thanks. You could still use the free infrastructure if you chose to do so. This would be an extra offering for people who want both anonymity and speed for a fee. Thanks for replying, it is not my intention to defend such an idea, just to see if it has been entertained before and if so, what was the conclusion. Ognen
Re: Tor 0.2.0.32 is released
On Thu, Dec 4, 2008 at 11:34 AM, [EMAIL PROTECTED] wrote: Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages (and maybe other packages) noticed by Theo de Raadt, fixes a smaller security flaw that might allow an attacker to access local services, further improves hidden service performance, and fixes a variety of other issues. Are there any bugs open with Debian/Ubuntu to get these merged into the security branches? I haven't checked Debian, but Ubuntu 8.10 is currently still at 0.31. https://www.torproject.org/download.html Or use our new https://www.torproject.org/easy-download page. Changes in version 0.2.0.32 - 2008-11-20 o Security fixes: - The User and Group config options did not clear the supplementary group entries for the Tor process. The User option is now more robust, and we now set the groups to the specified user's primary group. The Group option is now ignored. For more detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857. - The ClientDNSRejectInternalAddresses config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. o Major bugfixes: - Fix a DOS opportunity during the voting signature collection process at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x. o Major bugfixes (hidden services): - When fetching v0 and v2 rendezvous service descriptors in parallel, we were failing the whole hidden service request when the v0 descriptor fetch fails, even if the v2 fetch is still pending and might succeed. Similarly, if the last v2 fetch fails, we were failing the whole hidden service request even if a v0 fetch is still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha. - When extending a circuit to a hidden service directory to upload a rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all requests failed, because the router descriptor has not been downloaded yet. In these cases, do not attempt to upload the rendezvous descriptor, but wait until the router descriptor is downloaded and retry. Likewise, do not attempt to fetch a rendezvous descriptor from a hidden service directory for which the router descriptor has not yet been downloaded. Fixes bug 767. Bugfix on 0.2.0.10-alpha. o Minor bugfixes: - Fix several infrequent memory leaks spotted by Coverity. - When testing for libevent functions, set the LDFLAGS variable correctly. Found by Riastradh. - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from bootstrapping with tunneled directory connections. Bugfix on 0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam. - When asked to connect to A.B.exit:80, if we don't know the IP for A and we know that server B rejects most-but-not all connections to port 80, we would previously reject the connection. Now, we assume the user knows what they were asking for. Fixes bug 752. Bugfix on 0.0.9rc5. Diagnosed by BarkerJr. - If we overrun our per-second write limits a little, count this as having used up our write allocation for the second, and choke outgoing directory writes. Previously, we had only counted this when we had met our limits precisely. Fixes bug 824. Patch from by rovv. Bugfix on 0.2.0.x. - Remove the old v2 directory authority 'lefkada' from the default list. It has been gone for many months. - Stop doing unaligned memory access that generated bus errors on sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862. - Make USR2 log-level switch take effect immediately. Bugfix on 0.1.2.8-beta. o Minor bugfixes (controller): - Make DNS resolved events into CLOSED, not FAILED. Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807. -- Andrew -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJOBSYO50JPzGwl0sRAo63AJ9uVH8Rk0CSf9PXPlWfQuxqTt1IzQCeMtFB hvuayLifVdMBanIy2Za6y5M= =UkKO -END PGP SIGNATURE-
Re: Tor 0.2.0.32 is released
Standard install failed the same way. When I tried to install https://www.torproject.org/dist/osx-old/Tor-0.2.0.31-ppc-Bundle.dmg I got an 'unknown package error' before the install process began. Fortunately the https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle -0.2.0.31-0.1.9-ppc.dmg still worked to restore the status-quo-ante. On 4 Dec 2008, at 18:20, Geoff Down wrote: That's a binary install? I tried it (custom install without the startup script) but got a 'There were errors, try reinstalling' message. I's broken my old version dyld: /usr/bin/tor can't open library: /usr/local/lib/libevent-1.4.2.dylib (No such file or directory, errno = 2) Trace/BPT trap GD On 4 Dec 2008, at 18:07, [EMAIL PROTECTED] wrote: On Thu, Dec 04, 2008 at 05:56:11PM +, [EMAIL PROTECTED] wrote 1.8K bytes in 43 lines about: Thank you, is a new version for OSX10.3.9 on the way? Yes. There is a tor-only package for 10.3.9 available at: https://www.torproject.org/dist/osx-old/Tor-0.2.0.32a-ppc-Bundle.dmg The vidalia bundle for PPC is coming shortly. The machine I use to make the ppc bundles is a G3 iMac. Qt 4.4.3 takes 23 hours to compile, assuming no errors. It appears Qt 4.4.3 doesn't support 10.3.9 anymore, so it has a slew of issues when compiling. I'm compiling qt 4.4.1 right now (because 4.4.2 had lots of issues) and well, it has another 10 hours of compiling to go. -- Andrew
Re: Commercial tor offering?
On Thu, Dec 04, 2008 at 11:54:51AM -0500, [EMAIL PROTECTED] wrote 0.4K bytes in 12 lines about: : I am sure someone had digested this before but what would be some issues with : purchasing (say) twenty different boxes around the USA with good pipes and Indeed. There are at least two commercial services that use Tor; IronKey and Xerobank come to mind. I've tried neither, nor seen their Tor configuration. So, others have had the same idea as you. -- Andrew
Re: Commercial tor offering?
Phobos, XeroBank's network doesn't use Tor. Common misnomer. But we did stay at a holiday inn express: XeroBank uses IPSec cascades and is distinguished by have additional anonymity features tor doesn't employ such as mixing, crowding optimization, channel multiplexing, traffic padding, fingerprint/watermark dropping, timing-attack resistance; and properties tor doesn't have such as immunity to sybil attacks and exit node traffic injection. :) http://xerobank.com/docs/onyx_whitepaper.pdf Steve [EMAIL PROTECTED] wrote: On Thu, Dec 04, 2008 at 11:54:51AM -0500, [EMAIL PROTECTED] wrote 0.4K bytes in 12 lines about: : I am sure someone had digested this before but what would be some issues with : purchasing (say) twenty different boxes around the USA with good pipes and Indeed. There are at least two commercial services that use Tor; IronKey and Xerobank come to mind. I've tried neither, nor seen their Tor configuration. So, others have had the same idea as you.
Tor as a service OSX
Hi, can anyone tell me how to uninstall the Tor startup script to prevent it running Tor as a background service in OSX 10.3.9 please? An unsuccessful attempt to upgrade has left me with this enabled. Thanks. downie
Re: Tor 0.2.0.32 is released
On Fri, Dec 05, 2008 at 12:55:34AM +, [EMAIL PROTECTED] wrote 1.5K bytes in 40 lines about: Standard install failed the same way. You found another packaging bug. It's fixed. The Tor PowerPC-only binary is available at: https://www.torproject.org/dist/osx-old/Tor-0.2.0.32b-ppc-Bundle.dmg and .asc. The issue didn't show up during testing because I had a test version of libevent installed. Libevent 1.4.8 is compiled and installed according to the OS X build directions. And on a clean OS X 10.3.9 system, the b package installs correctly and without error. Thanks for reporting the issue. -- Andrew
Re: Tor as a service OSX
On Fri, Dec 05, 2008 at 01:49:35AM +, [EMAIL PROTECTED] wrote 0.3K bytes in 11 lines about: If there's more to it than deleting /Library/StartupItems/Tor that is :) That's it. On restart of your machine, Tor won't autostart. -- Andrew
Bypassing Internet Censorship
FLOSS Manuals Release Circumvention Book, How To Bypass Internet Censorship December 4, 2008, Amsterdam A new book released by FLOSS Manuals, How to Bypass Internet Censorship, describes circumvention tools and explains why you might want to use them, and honestly describes the risks you must consider before circumventing blockers or monitors. Blockers and monitors restrict access to areas of the Internet, and this book describes simple techniques for bypassing those restrictions. The book can be read or downloaded for free as a PDF from flossmanuals.net, or you can purchase a high-quality printed copy of the 200 page book through Lulu, an on-demand printer, at http://www.lulu.com/content/4904448 for €10.83 ($14.00). The growth of the Internet has been paralleled by attempts to control how people use it, motivated by a desire to protect children, businesses, personal information, the capacity of networks, or moral interests, for example. Some of these concerns involve allowing people to control their own experience of the Internet (for instance, letting people use spam-filtering tools to prevent spam from being delivered to their own e-mail accounts), but others involve restricting how other people can use the Internet and what those other people can and can't access. The latter case causes significant conflicts and disagreements when the people whose access is restricted don't agree that the blocking is appropriate or in their interest. Problems also arise when blocking mechanisms and filters reduce access to useful business, health, educational, and other information. Because of concerns about the effect of internet blocking mechanisms, and the implications of censorship, many individuals and groups are working hard to ensure that the Internet, and the information on it, are freely available to everyone who wants it. There is a vast amount of energy, from commercial, non-profit and volunteer groups, devoted to creating tools and techniques to bypass Internet censorship. Some techniques require no special software, just a knowledge of where to look for the same information. Programmers have developed a variety of more capable tools, which address different types of filtering and blocking. These tools, often called circumvention tools help Internet users access information that they might not otherwise be able to see. This book documents simple circumvention techniques such as a cached file or web proxy, and also describes more complex methods using Tor, which stands for The Onion Router, involving a sophisticated network of proxy servers. How to Bypass Internet Censorship was written by eight writers in a FLOSS Manuals 'book sprint' - a week-long intensive writing session, and it also includes content from many different authors' previous works on the subject. How to Bypass Internet Censorship will always be available for free from the FLOSS Manuals Website. Each sale of the book generates $2.50 (USD). 100% of this income goes back into the development of more manuals about free software. About FLOSS Manuals FLOSS Manuals is a non-profit foundation and community creating a collection of manuals that explain how to install and use a range of free and open source software. The manuals are friendly and simple, and they are intended to encourage people to explore the wide range of free and open source software. FLOSS stands for Free, Libre Open Source Software, and FLOSS Manuals intends to provide free manuals for free software. The manuals on FLOSS Manuals are written by a community of people, writers, editors, and technicians do a variety of things to keep the manuals as up to date and accurate as possible. The way in which FLOSS Manuals are written mirrors the way in which FLOSS software itself is written: by a community who contribute to and maintain the content. FLOSS Manuals produces printed books, PDF books, and HTML output. Each chapter from each manual can be recombined with other chapters to create a new manual, which we call remix capability. An embed API lets you use FLOSS Manuals to write the content and then embed the content into your website. For more information contact: Adam Hyde Founder, FLOSS Manuals [EMAIL PROTECTED] Please forward this announcement to interested parties. signature.asc Description: This is a digitally signed message part