Re: netscan from exit-node
On holy Monday, 1 October in the year 2007, Muelli [EMAIL PROTECTED] once wrote:

> Hi,
>
> On 01.10.2007 16:15 Niels Laakmann wrote:
> > I set up a tor-server with an Exit-Policy. A few weeks ago, my Server-Hoster shut down my IP-Subnet because the Tor-Server has done some IP-scans.
>
> Mwhaha, you are hosted by Hetzner, right? ;-) I get those automatically generated netscan-mails frequently. Sometimes they shut down the single Tor IP, sometimes they shut down the whole subnet. Depends on their mood (or better: the mood of that IDS).

Yeah .. That's right :)

> But the funny thing is that they claim the netscan abused a *considerable* amount of resources. So every time I get this kind of email, I calculate the amount of generated traffic and look how long the scan lasted. Then I calculate the bandwidth and write them that they can't be serious, and I demand the freeing of my IPs. Pretty simple actually. To speed things up, you could write the Rechenzentrum your server is located in.

The problem with that game is that we also installed a web and a mailserver on that subnet. Many times, they shut down the subnet for some hours. For me this time is too long. You are right, but I can't afford that.

> Cheers,
> Muelli
Torbutton 1.1.8-alpha (Usability improvements)
This is the 1.1.8 alpha release of the Torbutton Firefox extension. It features significant usability and compatibility enhancements. However, it is still alpha software, so it may have some rough edges.

If you notice issues or have usability complaints, now is the time to speak up while things are still easy to change. Please be specific. I have made a good effort to anticipate common usability complaints for this release from the feedback I have so far received, but I am not omniscient.

Eventually, this Torbutton will be backported to the stable Tor release, so if you do not speak up soon, you will be perpetually suffering in silence and will be stuck uninstalling the extension every time you upgrade Tor (and leaving yourself vulnerable to numerous anonymity-compromising vulnerabilities in the process).

See http://torbutton.torproject.org/dev for more information.

Changes in 1.1.8

* bugfix: bug 510: Decouple cookie clearing from Clear Private Data settings
* bugfix: bug 474: Decouple password+form saving from history writing
* bugfix: bug 460: Rework handling of hooking based on global events+window lookup
* bugfix: Hooking fixes for pages with nested frames/iframes
* bugfix: Cookies are now properly synced before storing into a jar
* misc: Tightened up the alerts a bit more for the javascript hooking
* misc: Changed defaults to be less intrusive to non-tor usage
* new: Added options to start in Tor and reload cookies after browser crash
* new: Added ability to have both Tor and Non-Tor cookie jars

http://torbutton.torproject.org/dev/releases/torbutton-1.1.8-alpha.xpi
MD5: 39ce0dc3f6b20f79042aad2397baafb4

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: Torbutton 1.1.8-alpha (Usability improvements)
--- Mike Perry [EMAIL PROTECTED] wrote:

> [snip]
> If you notice issues or have usability complaints, now is the time to speak up while things are still easy to change. Please be specific.

I do not have issues or complaints but I do have a question and a possible feature request.

a) Why is JavaScript not disabled by TorButton? Does "hook dangerous javascript" make using JavaScript safe with Tor?

b) Would it be possible to have TorButton automatically clear the cache, unprotected Tor cookies, etc when a NewNym signal is sent (for example by Vidalia)?

Thank you for your efforts
Re: Torbutton 1.1.8-alpha (Usability improvements)
Thus spake jeffery statin ([EMAIL PROTECTED]):

> I do not have issues or complaints but I do have a question and a possible feature request.
>
> a) Why is JavaScript not disabled by TorButton? Does "hook dangerous javascript" make using JavaScript safe with Tor?

The combination of "hook dangerous javascript" and "isolate dynamic content" make javascript safe, modulo browser exploits. The main problems with javascript revolve around the ability to get timezone+OS info, and to install event handlers/timers to load content after you toggle Tor. These two issues are handled by those options respectively.

For some Java plugin+OS combos, the "Disable Plugins during Tor Usage" is also required. http://ha.ckers.org/weird/tor.cgi claims that they are able to get Firefox 2.0 to call java functions from javascript. When I tested with the Sun JRE 5.0 on Windows, this was only possible up to and including Firefox 1.5, but not Firefox 2.0. However it appears that the new Sun JRE 6.0 has fixed this problem, and again allows you full access to Java from javascript. Brilliant work, impressive even for a company that has managed to give the same product 5 different version numbers at the same time.

Note that allowing plugins is a lot more dangerous than just Java anyways, so you should not have this setting unchecked for normal usage unless you have some other type of upstream Tor-only firewall.

> b) Would it be possible to have TorButton automatically clear the cache, unprotected Tor cookies, etc when a NewNym signal is sent (for example by Vidalia)?

This is logistically difficult. The easier route is to add a New Nym option to torbutton itself, and have it somehow communicate to either vidalia or the control port directly. Allegedly raw TCP is possible from privileged Firefox javascript, but it is likely less than pretty. I will look into it to see if it is technically possible before the 1.2 stable release.

Usability complications also arise though. If the user says they want to keep their Tor cookies in a jar (or left alone entirely), should new nym still clear them? I think so, esp since cookies can be injected and stolen by exit nodes (even many https ones). But other people may disagree. Some people really like cookies. I wouldn't expect those people to also like Tor, but I'm sure they're out there.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: latest svn rev 11720 become cpu hungry
On Tue, Oct 02, 2007 at 05:36:02PM +0800, Li-Hui Zhou wrote:

> I've noticed the bugfix and yeah, it's been a LOT better. Old bug? Why has it not been triggered until recent svn?

Short version: There was an optimization that worked around it, but that optimization no longer applied.

Long version: The format of a router list, as we parsed it, used to be:

    (ExtraInfo | RouterDesc)*

In other words, it had any number of extrainfo and routerdesc documents, possibly scrambled up. The old code did:

- If we start with the word extra-info, it's an extra-info and we're done.
- If we start with the word router, it's a routerdesc and we're done.
- Otherwise, scan for the first instance of the word router and scan for the first instance of the word extra-info. Whichever comes first is the next document.

This was fine until we added annotations around r11680. The format became:

    (Annotation* (ExtraInfo | RouterDesc))*

Now, the first two cases no longer applied when there were annotations, since the point where we were looking never started with the word router or the word extra-info, so we always did case 3. But in a list like the cached-descriptors list that has no extra-info documents, we wound up scanning the entire list looking for an extra-info that never existed, and we did this scan for every router in the cache. That's O(n^2) in cache size, and that's no good.

For the fix, see the patch. :)

yrs,
--
Nick Mathewson
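The scan cost described in the message above, as an added example that is not part of the original post and is not Tor's code: `find_old` follows the three cases as the post lists them, while `find_linewise` is an assumed bounded alternative, not the patch the post refers to. The cache contents, the `END` terminator and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef size_t (*finder_fn)(const char *s, size_t *cost);
static int at_doc_start(const char *s) {
    return !strncmp(s, "router ", 7) || !strncmp(s, "extra-info ", 11);
}
/* Old strategy from the post: fast path, else two whole-buffer searches. */
static size_t find_old(const char *s, size_t *cost) {
    if (at_doc_start(s)) return 0;               /* cases 1 and 2 */
    size_t len = strlen(s);
    const char *r = strstr(s, "\nrouter "), *e = strstr(s, "\nextra-info ");
    *cost += (r ? (size_t)(r - s) : len) + (e ? (size_t)(e - s) : len);
    if (!r && !e) return len;                    /* no further document */
    return (size_t)(((!e || (r && r < e)) ? r : e) - s) + 1;
}
/* Assumed alternative (not Tor's patch): stop at the first keyword line. */
static size_t find_linewise(const char *s, size_t *cost) {
    const char *p = s;
    while (*p && !at_doc_start(p)) {
        const char *nl = strchr(p, '\n');
        p = nl ? nl + 1 : p + strlen(p);
    }
    *cost += (size_t)(p - s);
    return (size_t)(p - s);
}
/* Builds a constructed cache ("END" is a stand-in document terminator),
 * splits it into documents and returns the bytes the finder examined. */
static size_t scan_cost(int n, int annotated, finder_fn find, size_t *docs) {
    char *buf = calloc((size_t)n * 64 + 1, 1), *w = buf;
    if (!buf) abort();
    for (int i = 0; i < n; i++)
        w += sprintf(w, "%srouter r%d 10.0.0.1 9001\nEND\n",
                     annotated ? "@downloaded-at 2007-10-02\n" : "", i);
    size_t cost = 0;
    *docs = 0;
    for (const char *p = buf; *(p += find(p, &cost)); ) {
        const char *end = strstr(p, "\nEND\n");  /* skip the document body */
        p = end ? end + 5 : p + strlen(p);
        (*docs)++;
    }
    free(buf);
    return cost;
}
int main(void) {
    size_t d, old = scan_cost(1000, 1, find_old, &d);
    printf("old=%zu linewise=%zu\n", old, scan_cost(1000, 1, find_linewise, &d));
    return 0;
}
```

Without annotations the fast path makes `find_old` examine nothing; with annotations and no extra-info documents its cost roughly quadruples each time the cache doubles, while the line-wise scan stays linear.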
Re: Torbutton 1.1.8-alpha (Usability improvements)
Could you please also make it compatible with Thunderbird? Torbutton 1.4 installs (and works) fine with Thunderbird after editing the config file in the xpi package to allow Thunderbird to install it. I suppose it should work as well with the new version?

Thanks.

Mike Perry wrote:

> This is the 1.1.8 alpha release of the Torbutton Firefox extension. It features significant usability and compatibility enhancements. However, it is still alpha software, so it may have some rough edges.
>
> If you notice issues or have usability complaints, now is the time to speak up while things are still easy to change. Please be specific. I have made a good effort to anticipate common usability complaints for this release from the feedback I have so far received, but I am not omniscient.
>
> Eventually, this Torbutton will be backported to the stable Tor release, so if you do not speak up soon, you will be perpetually suffering in silence and will be stuck uninstalling the extension every time you upgrade Tor (and leaving yourself vulnerable to numerous anonymity-compromising vulnerabilities in the process).
>
> See http://torbutton.torproject.org/dev for more information.
>
> Changes in 1.1.8
>
> * bugfix: bug 510: Decouple cookie clearing from Clear Private Data settings
> * bugfix: bug 474: Decouple password+form saving from history writing
> * bugfix: bug 460: Rework handling of hooking based on global events+window lookup
> * bugfix: Hooking fixes for pages with nested frames/iframes
> * bugfix: Cookies are now properly synced before storing into a jar
> * misc: Tightened up the alerts a bit more for the javascript hooking
> * misc: Changed defaults to be less intrusive to non-tor usage
> * new: Added options to start in Tor and reload cookies after browser crash
> * new: Added ability to have both Tor and Non-Tor cookie jars
>
> http://torbutton.torproject.org/dev/releases/torbutton-1.1.8-alpha.xpi
> MD5: 39ce0dc3f6b20f79042aad2397baafb4
Re: Torbutton 1.1.8-alpha (Usability improvements)
Thus spake MB ([EMAIL PROTECTED]):

> Could you please also make it compatible with Thunderbird? Torbutton 1.4 installs (and works) fine with Thunderbird after editing the config file in the xpi package to allow Thunderbird to install it. I suppose it should work as well with the new version?

Hrmm, unlikely. Most of the stuff the new Torbutton does is very tightly coupled to Firefox 2.0 behavior and recently created "unfrozen" interfaces and events. Even just supporting Mozilla/Seamonkey properly would probably require a lot of rewriting, and a lot of luck wrt specific behaviors being the same, or even being possible.

However, the one good thing we have going for us is that I would think email clients would be much more careful about running random code/plugins that are sent to them. If the thunderbird folks are actually careful about what they allow html email to do, it should be fine to continue running the standard Torbutton, and we probably should create a separate stripped down "Thunderbutton" extension or something like this specifically for thunderbird (ie something not too much different than torbutton 1.0.4).

What sort of security does thunderbird employ for html mail by default? Does it allow html mail to run javascript, post forms to random websites, run java applets, and/or arbitrary plugins (flash, quicktime, etc)? If it allows any of these things, 1.0.4 may not be enough.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: Torbutton 1.1.8-alpha (Usability improvements)
Yes, a torbutton for thunderbird would definitely be nice to have. So people won't have to search the web anymore for howtos on how to edit the xpi's config file to get v1.0.4 to install.

I don't know how thunderbird handles java, as I have never received flash or form emails. Html email just works, that's all I know. The advanced settings in my thunderbird show:

    javascript.allow.mailnews false
    javascript.enabled true

With torbutton enabled, thunderbird will pass everything through tor (http but also the smtp and pop connections).

Thanks for the time you are spending on this.

Mike Perry wrote:

> Thus spake MB ([EMAIL PROTECTED]):
>
> > Could you please also make it compatible with Thunderbird? Torbutton 1.4 installs (and works) fine with Thunderbird after editing the config file in the xpi package to allow Thunderbird to install it. I suppose it should work as well with the new version?
>
> Hrmm, unlikely. Most of the stuff the new Torbutton does is very tightly coupled to Firefox 2.0 behavior and recently created "unfrozen" interfaces and events. Even just supporting Mozilla/Seamonkey properly would probably require a lot of rewriting, and a lot of luck wrt specific behaviors being the same, or even being possible.
>
> However, the one good thing we have going for us is that I would think email clients would be much more careful about running random code/plugins that are sent to them. If the thunderbird folks are actually careful about what they allow html email to do, it should be fine to continue running the standard Torbutton, and we probably should create a separate stripped down "Thunderbutton" extension or something like this specifically for thunderbird (ie something not too much different than torbutton 1.0.4).
>
> What sort of security does thunderbird employ for html mail by default? Does it allow html mail to run javascript, post forms to random websites, run java applets, and/or arbitrary plugins (flash, quicktime, etc)? If it allows any of these things, 1.0.4 may not be enough.