Re: Lynx leaks DNS

2009-06-26 Thread Phil

I realize this needs a fix not a workaround, but if a workaround is enough for 
now you could try running lynx via proxychains --> tor 

Proxychains might grab all the DNS requests.

You could also probably leave privoxy in the proxy chain or test it with and 
without.

I haven't tried this with lynx, but proxychains does work with tor.


Re: A Few Random Thoughts...

2009-06-26 Thread Michael

Roger Dingledine wrote:

> On Fri, Jun 26, 2009 at 08:16:00AM -0400, Michael wrote:
> > What I *am* doing is deploying a couple of heavy iron closed relays
> > on OC3 or better bandwidth. The first is now deployed after a lot of up
> > and down testing, and I'll get to the second in due time.
>
> Sounds great. Let us know if you have any questions or run into any
> problems.
  


   Roger,

   Come to think of it, I have a question about best practices. My first 
Tor server is racked in the same datacenter as apparently two other Tor 
servers, one of which is an exit. Should I name these as family in my config?


   I'm thinking yes. But since I don't own the other servers I'm 
hesitant. But at face value it might make sense to disallow building 
circuits through them.


   Michael


Suggested IT Text... Edit or destroy as fitting.

2009-06-26 Thread Michael


   Not to jump in with both feet, but here's some possible starting 
text ideas for the "IT People Use Tor" section...


   Ahem...

   "IT Professionals use Tor:

   * To verify IP-based firewall rules: A firewall may have some 
policies that only allow certain IP addresses or ranges. Tor can be used 
to verify those configurations by using an IP number outside of the 
company's allotted IP block.


   * To bypass their own security systems for sensitive professional 
activities: For instance, a company may have a strict policy regarding 
the material employees can view on the internet. A log review reveals a 
possible violation. Tor can be used to verify the information without an 
exception being put into corporate security systems.


   * To connect back to deployed services: A network engineer can use 
Tor to remotely connect back to services, without the need for an 
external machine and user account, as part of operational testing.


   * To access internet resources: Acceptable use policy for IT Staff 
and normal employees is usually different. Tor can allow unfettered 
access to the internet while leaving standard security policies in place.


   * To work around ISP network outages: Sometimes when an ISP is 
having routing or DNS problems, Tor can make internet resources 
available when the actual ISP is malfunctioning. This can be invaluable 
in crisis situations.


   * The CTO is an asshat: Your CTO is a golf loving moron who hasn't 
spent any time in front of a computer since 1988. He bought some crappy 
appliance, which sits at the edge of your network, tracking your 
activity, while you track everyone else's activity- including his. This 
Mongolian Cluster Fuck never seems to end. Root Cause Analysis sessions 
go on for days on end. Plans are made to DDOS his Comcast cable 
connection, one of your assistants claims he can bed the CTOs wife, and 
the accounting system is missing data (really- it's the CTOs missing 
porn collection). Cooler heads prevail... you just install Tor and read 
Slashdot.


   Ok, maybe the last one isn't salvageable. I gave it my best shot.

   Michael


Re: A Few Random Thoughts...

2009-06-26 Thread Marco Bonetti
On Fri, June 26, 2009 16:45, Roger Dingledine wrote:
> Yep. The next step is to come up with some really good clean simple
> example sentences for our new category. Those examples will dictate the
> title we give it -- "Security experts use Tor", "Sysadmins use Tor",
> "Computer experts use Tor", or something else.
Maybe you could try to tickle the listener working on the idea of a server
with no exposed listening ports: a client-only Tor node could still export
hidden services like http or ssh. The latter is quite cool if the user
will survive the lag ;-)

-- 
Marco Bonetti
BT3 EeePC enhancing module: http://sid77.slackware.it/bt3/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/

My GnuPG key id: 0x86A91047



Re: Lynx leaks DNS

2009-06-26 Thread Jim McClanahan
Fabian Keil wrote:
> 
> Jim McClanahan  wrote:
> 
> > Quite by accident I discovered that the lynx browser is leaking DNS
> > addresses.  I have verified this on:
> >
> >Lynx Version 2.8.4dev.7 (03 Aug 2000)   and
> >Lynx Version 2.8.5rel.1 (04 Feb 2004)
> 
> Is there a reason why you aren't using a more recent build?

That was what I had readily available.  I just installed lynx on
Ubuntu 8.04 LTS for more testing:

   lynx --version
   Lynx Version 2.8.6rel.4 (15 Nov 2006)
   libwww-FM 2.14, SSL-MM 1.4.1, GNUTLS 2.0.4, ncurses 5.6.20071124(wide)
   Built on linux-gnu Apr  8 2008 13:48:42

It shows the same behavior I saw before.  But further investigation
reveals this interesting twist:  It does not leak if the URL with
protocol is given.  But if the http:// is omitted, it leaks, yet still
loads the page.  Without thinking, I had just been using p.p.  When I
used http://p.p, it did not leak.  But it is not only p.p that leaks:

tcpdump -nni eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:22:23.435995 IP 192.168.2.102.45063 > 65.247.xx.xx.53: 46608+ A? p.p. (21)
08:22:23.437732 IP 65.247.xx.xx.53 > 192.168.2.102.45063: 46608 2/2/0 A 64.158.56.50, A 63.251.179.30 (109)
08:33:39.447099 IP 192.168.2.102.54845 > 65.247.xx.xx.53: 19107+ A? torcheck.xenobite.eu. (38)
08:33:39.679776 IP 65.247.xx.xx.53 > 192.168.2.102.54845: 19107 1/2/2 A 217.160.111.190 (137)

(The returned addresses for p.p are bad behavior on the part of my ISP.
They lead to a "not found" page with advertising.)

Both of the above were without http://. And when http:// was added,
neither leaked. torcheck.xenobite.eu (both with and w/o http://) verified
I was accessing via Tor.

Not as bad as I thought when I originally posted. But still
disconcerting, particularly considering that it will happily render the
page w/o http://.

> 
> I can't reproduce the problem with:
> 
> f...@tp51 ~ $lynx --version
> Lynx Version 2.8.6rel.5 (09 May 2007)
> libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.8k, ncurses 5.7.20081102(wide)
> Built on freebsd8.0 Feb 27 2009 22:36:34
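A small check for the kind of capture Jim posted above, added here as an example (it is not code from the thread, from lynx or from Privoxy). It reads tcpdump's `udp port 53` output and lists the names that were queried directly, which is the signal that a hostname was resolved locally instead of being handed to the proxy. The sample input is the four capture lines from the post, rejoined onto one line each; `dns_queries` and `assert_no_dns_leak` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): scan tcpdump "udp port 53" output
# for DNS queries that left the host in the clear. If a browser is meant to
# hand hostnames to Privoxy/Tor untouched, this output should stay empty.

# Print the name from every outbound query line, one per line, with the
# trailing dot tcpdump prints stripped. Answer lines (no "A?"/"AAAA?") are
# ignored, so the A records the resolver returned do not show up.
dns_queries() {
    awk '
        / (A|AAAA)[?] / {
            for (i = 1; i <= NF; i++) {
                if ($i == "A?" || $i == "AAAA?") {
                    name = $(i + 1)
                    sub(/\.$/, "", name)
                    print name
                }
            }
        }'
}

# Read a capture on stdin; return 0 if it holds no queries, 1 otherwise,
# listing the leaked names on stderr.
assert_no_dns_leak() {
    leaks=$(dns_queries)
    if [ -n "$leaks" ]; then
        printf 'DNS queries left the host in the clear:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# Sample input: the four lines Jim posted, rejoined onto one line each
# (the resolver address is masked as "xx" in the post).
SAMPLE_CAPTURE='08:22:23.435995 IP 192.168.2.102.45063 > 65.247.xx.xx.53: 46608+ A? p.p. (21)
08:22:23.437732 IP 65.247.xx.xx.53 > 192.168.2.102.45063: 46608 2/2/0 A 64.158.56.50, A 63.251.179.30 (109)
08:33:39.447099 IP 192.168.2.102.54845 > 65.247.xx.xx.53: 19107+ A? torcheck.xenobite.eu. (38)
08:33:39.679776 IP 65.247.xx.xx.53 > 192.168.2.102.54845: 19107 1/2/2 A 217.160.111.190 (137)'

# On a live box: tcpdump -lnni eth0 udp port 53 | assert_no_dns_leak
# Here the sample capture is checked instead.
if printf '%s\n' "$SAMPLE_CAPTURE" | assert_no_dns_leak; then
    echo "no DNS leak"
else
    echo "leak detected"
fi
```

Run against the sample it reports both `p.p` and `torcheck.xenobite.eu`, matching what Jim saw; a capture taken while only scheme-prefixed URLs are fetched through the proxy should produce no names at all.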


Re: A Few Random Thoughts...

2009-06-26 Thread Roger Dingledine
On Fri, Jun 26, 2009 at 08:16:00AM -0400, Michael wrote:
>What I *am* doing is deploying a couple of heavy iron closed relays 
> on OC3 or better bandwidth. The first is now deployed after a lot of up 
> and down testing, and I'll get to the second in due time.

Sounds great. Let us know if you have any questions or run into any
problems.

Depending on how you're installing, you might like the development
version (currently 0.2.1.16-rc). The 0.2.1.x series is going to become
the new "stable" soon (it's already probably more stable in practice
than 0.2.0.35), and it's way better in a number of other ways.

But either 0.2.0.x or 0.2.1.x is fine, really.

>On the "Who uses Tor?" section of the website, I see no mention of 
> IT people. I've used the Tor network for many practical uses as an IT 
> Director.

That's a really good point.

Especially since a lot of the people who really hate/fear Tor are IT
folks who don't understand it.

>    Quite frankly Tor is an undervalued IT tool and its capabilities 
> should be trumpeted loudly on the web page. You might also find IT guys 
> like me throwing up some relays in exchange. After all- who has the 
> bandwidth anyway?

Yep. The next step is to come up with some really good clean simple
example sentences for our new category. Those examples will dictate the
title we give it -- "Security experts use Tor", "Sysadmins use Tor",
"Computer experts use Tor", or something else.

>  So 
> if Tor as an organization had a partnership with a few server rental 
> whores (in multiple countries), it would simplify getting more exits.

If anybody knows good places, please let us know. :) There's a small
list being built here:
https://wiki.torproject.org/noreply/TheOnionRouter/GoodBadISPs

Another concern is that if we centralize all the exit relays in a few
places, we reduce the anonymity that the Tor network can provide. But I
don't think we're anywhere near doing that yet, so it's just something
to keep in the back of our minds.

>I read back about 6 months in the or-talk list and there were a 
> couple of suggestions inferring that *everyone* should be forced to be 
> an exit node. I think this is a very bad idea,

Me too. Don't worry, we won't do it. But see also
https://blog.torproject.org/blog/two-incentive-designs-tor

--Roger



Re: A Few Random Thoughts...

2009-06-26 Thread Freemor
On Fri, 26 Jun 2009 08:16:00 -0400
Michael  wrote:


> 
> Quite frankly Tor is an undervalued IT tool and its capabilities 
> should be trumpeted loudly on the web page. You might also find IT
> guys like me throwing up some relays in exchange. After all- who has
> the bandwidth anyway?
> 

I second this thought and have used Tor for many of the same things.
Tor is immensely helpful when I was dealing with an ISP that had
consistent DNS server problems. It is great for checking if my small
web server is up (my current ISP blocks connections to oneself). I think
that it would be an excellent Idea to have some of these uses of Tor
promoted on the website. 


-- 
free...@gmail.com
free...@yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )




A Few Random Thoughts...

2009-06-26 Thread Michael


   Hi all,

   As one of those lucky souls with access to almost limitless 
bandwidth and the skills (or stupidity) to use it, I suppose an apology 
is in order:


   I'm sorry- after reviewing what *could* be the consequences, I have 
to wimp out based on professional risk factors... I can't run an exit 
node. So I have to leave it to other folks who have a different 
situation to do the heavy lifting.


   What I *am* doing is deploying a couple of heavy iron closed relays 
on OC3 or better bandwidth. The first is now deployed after a lot of up 
and down testing, and I'll get to the second in due time.


   I've been watching Tor for a long time and just recently decided to 
get involved. The Iran situation cemented that decision.


   Anyhow, here are some random thoughts:

   On the "Who uses Tor?" section of the website, I see no mention of 
IT people. I've used the Tor network for many practical uses as an IT 
Director. These range from bypassing my own firewall to test incoming 
connections, to helping my legal department do research on a pending 
lawsuit without the opposition *knowing* we even looked at their 
website. Having a random and easily accessible IP to initiate 
connections from is a priceless testing tool. Especially when dealing 
with niggling routing problems.


   On one occasion my ISP was having routing/DNS problems, and Tor was 
able to find an entrance node and allow me to work even though I 
couldn't get to my remote servers directly. This saved my client a lot 
of downtime, and might have saved me the account. Also, my employer's 
R&D department sometimes needs to look at things they don't want anyone 
to know they looked at (All quite legal mind you).


   Quite frankly Tor is an undervalued IT tool and its capabilities 
should be trumpeted loudly on the web page. You might also find IT guys 
like me throwing up some relays in exchange. After all- who has the 
bandwidth anyway?


And before anyone accuses me of it, I'm not nearly stupid enough to 
do a port scan over Tor. Phew.


   One of the issues I ran into when looking into running an exit relay 
had to do with not only the legalities, but identifying a server vendor 
that was offshore from my home country and friendly to a Tor exit. In 
order for me to run an exit node, I have to be completely shielded.


   As it stands now, I can probably run an exit for instant messaging- 
and that's it. However, if Tor itself had a relationship with someone 
who rents hardware, perhaps a partnership, Tor could get the exit nodes 
it needs, and the server vendor could get lots of cash. From my 
standpoint, it doesn't matter whether I rent or colocate my hardware. So 
if Tor as an organization had a partnership with a few server rental 
whores (in multiple countries), it would simplify getting more exits. I 
need servers, Tor runs with little impact on my server, I could care 
less where my remote hardware is provisioned from. Bingo- more exits.


   I read back about 6 months in the or-talk list and there were a 
couple of suggestions inferring that *everyone* should be forced to be 
an exit node. I think this is a very bad idea, and hurts the security of 
the person trying to remain anonymous by causing an identifiable change 
in bandwidth usage that could infer Tor usage (Information leakage).


   Simply speaking, on a default Windows/Vidalia installation, outgoing 
Tor traffic usually looks like https traffic, but on a forced exit, now 
Tor is identified by relatively matched traffic on port 443 both in and 
out of the client's connection (unless its entrance node is a *nix 
variant). This could mean death (literal) for a political dissident who 
is now identified as having an in/out matching traffic pattern, assuming 
his entrance node is on Windows. It is more likely that a country 
monitoring its citizens would miss simple https traffic. But even 
I, as a lowly IT director, would have alarm bells going off if https 
was initiating in two directions from the same machine. Alternative 
ports can also set off alarm bells. But given the nature of Onion 
Routing, two-way traffic needs to be avoided in the most sensitive 
situations. Forcing exit nodes is a bad idea for users. It 
will also drive away anyone who cannot provide an exit node, 
chasing away bandwidth as non-exit relays run for the hills.


   Long post. Too much coffee and too much time staring at routing tables.

   Michael


Re: Lynx leaks DNS

2009-06-26 Thread Fabian Keil
Jim McClanahan  wrote:

> Quite by accident I discovered that the lynx browser is leaking DNS
> addresses.  I have verified this on:
> 
>Lynx Version 2.8.4dev.7 (03 Aug 2000)   and
>Lynx Version 2.8.5rel.1 (04 Feb 2004)

Is there a reason why you aren't using a more recent build?

I can't reproduce the problem with:

f...@tp51 ~ $lynx --version
Lynx Version 2.8.6rel.5 (09 May 2007)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.8k, ncurses 5.7.20081102(wide)
Built on freebsd8.0 Feb 27 2009 22:36:34

Fabian




Lynx leaks DNS

2009-06-26 Thread Jim McClanahan
Hi,

Quite by accident I discovered that the lynx browser is leaking DNS
addresses.  I have verified this on:

   Lynx Version 2.8.4dev.7 (03 Aug 2000)   and
   Lynx Version 2.8.5rel.1 (04 Feb 2004)

lynx is called from scripts with the following statements:

   export http_proxy=http://localhost:8119
   export https_proxy=http://localhost:8119
   export ftp_proxy=http://localhost:8119
   export gopher_proxy=http://localhost:8119
   export news_proxy=http://localhost:8119
   export newspost_proxy=http://localhost:8119
   export newsreply_proxy=http://localhost:8119
   export snews_proxy=http://localhost:8119
   export snewspost_proxy=http://localhost:8119
   export snewsreply_proxy=http://localhost:8119
   export nntp_proxy=http://localhost:8119
   export wais_proxy=http://localhost:8119
   export finger_proxy=http://localhost:8119
   export cso_proxy=http://localhost:8119

Privoxy is listening on localhost:8119 and sends requests to tor in the
standard way.  I have verified from Privoxy's log that requests are
received and http://torcheck.xenobite.eu verifies the request
is coming through the Tor network.  Supplying lynx with the URL of p.p
(an alias that Privoxy understands) demonstrates that lynx does a DNS
request and then ignores the result.

Comments?  Suggestions?
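A wrapper that applies the workaround the thread arrived at (Jim's follow-up found that lynx resolved the name itself only when the URL was given without a scheme, and used the proxy when http:// was present), added here as an example and not code from the thread or from lynx. It exports the same proxy variables as the script above, using the Privoxy listener on localhost:8119 from the post, and prepends http:// to any argument that lacks a scheme before lynx sees it. The function names (`has_scheme`, `normalize_url`, `rewrite_args`, `proxied_lynx`) and the option-versus-URL rule (anything starting with "-" passes through untouched) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not lynx's own code): a wrapper that
# never hands lynx a bare hostname. Proxy port 8119 is the Privoxy listener
# from the post; the function names are this example's own.

PROXY_URL="${PROXY_URL:-http://localhost:8119}"

# Return 0 if the argument carries an explicit scheme such as http://.
has_scheme() {
    case "$1" in
        *://*) ;;
        *) return 1 ;;
    esac
    # Everything before "://" must look like a scheme: letters, digits, + - .
    case "${1%%://*}" in
        ""|*[!A-Za-z0-9+.-]*) return 1 ;;
    esac
    return 0
}

# Print the argument with http:// prepended when it has no scheme, so the
# proxied form (the one the thread found does not leak) is what lynx sees.
normalize_url() {
    if has_scheme "$1"; then
        printf '%s\n' "$1"
    else
        printf 'http://%s\n' "$1"
    fi
}

# Options (anything starting with "-") pass through; everything else is a URL.
normalize_arg() {
    case "$1" in
        -*) printf '%s\n' "$1" ;;
        *)  normalize_url "$1" ;;
    esac
}

# Show the argument list lynx would receive, one per line. The loop appends
# each rewritten argument and shifts the original off the front.
rewrite_args() {
    for arg in "$@"; do
        set -- "$@" "$(normalize_arg "$arg")"
        shift
    done
    printf '%s\n' "$@"
}

# Point every protocol handler lynx knows at the proxy (the same list the
# original post exports).
set_proxy_env() {
    for proto in http https ftp gopher news newspost newsreply snews \
                 snewspost snewsreply nntp wais finger cso; do
        export "${proto}_proxy=$PROXY_URL"
    done
}

# Drop-in replacement for calling lynx from the scripts in the post.
proxied_lynx() {
    set_proxy_env
    for arg in "$@"; do
        set -- "$@" "$(normalize_arg "$arg")"
        shift
    done
    exec lynx "$@"
}

# Demonstration on the two names from the thread (no lynx needed):
rewrite_args -dump p.p torcheck.xenobite.eu
```

Note that the proxy address itself is "localhost", which is resolved from /etc/hosts rather than by a query to the ISP's resolver, so the wrapper adds no lookup of its own; and a scheme-less argument that is not meant to be http (mailto:, for instance) would need to be written out in full.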


Re: ShutdownWaitLength vs. 'restart' in init scripts

2009-06-26 Thread m

I would go with the Debian init-script. I have used it for years without
any problems. Much better than Tor's own contributed init-script. It is
much nicer to wait for the process to die than to kill -9 it and cut users'
active connections.

I recommend that you take a look at the tor-debian-init-script and fix
Fedora's init-script by using Debian's init-script as an example.

You can find Debian Lenny's tor-init at
http://tor-proxy.piirakka.com/debian-tor-init

Oh yeah, the script contains a little local change by me but it's all in
one place; the start of local changes is marked by # START OF LOCAL
CHANGES and the end of local changes is marked by # END OF LOCAL CHANGES.

I had little problems with tor eating all memory and slowing the server
to a crawl until it was impossible even to ssh to the server. Played
with ulimit and found working values.


M

ps: I'd really want to run a tor exit-node but I have to think about my
family. I don't want cops all over the place again, scared the shit out
of my wife. If I lived alone it would be much easier.
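The "wait for the process to die rather than kill -9 it" behaviour M recommends, written out as a stand-alone function; this is an added example, not the Debian or Fedora init script and not tor's own code. It assumes tor's documented signal handling: SIGINT asks a relay for its slow shutdown, which lasts ShutdownWaitLength seconds (30 by default) before the process exits, and SIGTERM makes it exit at once, so the deadline passed to the function should exceed ShutdownWaitLength. The names `process_alive` and `graceful_stop` are this example's own, and the demonstration uses a background `sleep` as a stand-in for the daemon.

```shell
#!/bin/sh
# Added example (not from the thread and not either distribution's init
# script): stop a daemon by signal and wait for it to exit, escalating to
# SIGKILL only after a deadline. Defaults follow tor's documented behaviour:
# SIGINT starts a relay's slow shutdown, which lasts ShutdownWaitLength
# seconds (30 by default), so the deadline is set above that.

# Return 0 while the process exists and is not a zombie. A zombie child
# still answers kill -0, so the state is read from /proc (Linux) or ps.
process_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
    else
        state=$(ps -o stat= -p "$1" 2>/dev/null)
    fi
    case "$state" in
        *Z*) return 1 ;;
    esac
    return 0
}

# graceful_stop PID [SIGNAL] [DEADLINE_SECONDS]
# Returns 0 if the process left on its own, 1 if it had to be killed.
graceful_stop() {
    pid=$1
    sig=${2:-INT}
    deadline=${3:-45}    # ShutdownWaitLength (30) plus a margin
    process_alive "$pid" || return 0
    kill -s "$sig" "$pid" 2>/dev/null || return 0
    waited=0
    while process_alive "$pid"; do
        if [ "$waited" -ge "$deadline" ]; then
            kill -s KILL "$pid" 2>/dev/null
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Demonstration with a stand-in for the daemon: a sleep that honours TERM.
# For tor the call would be: graceful_stop "$(cat "$PIDFILE")" INT 45
# where PIDFILE is whatever the PidFile option in torrc points at.
sleep 100 &
demo_pid=$!
if graceful_stop "$demo_pid" TERM 5; then
    echo "process $demo_pid exited on its own"
else
    echo "process $demo_pid had to be killed"
fi
wait "$demo_pid" 2>/dev/null || true
```

The point of the escalation is that a relay given SIGINT keeps serving its existing circuits until ShutdownWaitLength runs out, so an init script that sends KILL on a shorter timer throws that grace period away; the function only forces the exit once the daemon has had the full interval and still has not gone.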