Re: How to use Google Gadgets with Tor? - Is this possible?
On Sat, Jan 15, 2011 at 7:02 PM, Mike Perry wrote:

> You could also install an addon to observe the requests your browser
> uses in both non-Tor and Tor accesses of this gadget to see if the
> requests appear different for some reason. That may help diagnose the
> cause:
> https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
> https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

On a side note, I had asked the group before about the Google gadgets and whether there is some security issue with using it with TOR. I received the response that it had not really been tested before. Should I understand it's safe now?
[announce] T(A)ILS specification and security design document
Hi,

we — T(A)ILS developers — just released a document that presents the specification of a "Privacy Enhancing Live Distribution" (PELD) as well as an actual implementation of it: T(A)ILS.

By writing this document we intend to help third-parties do security analyses of any given PELD and specifically of T(A)ILS. We also wish to help establish best practices in the field of PELD design and implementation, and thus raise the baseline for all similar projects out there.

The canonical URL for this document is: https://amnesia.boum.org/contribute/design/

Bye,
--
intrigeri
 | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
 | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
 | We're dreaming of something else.
 | Something more clandestine, something happier.

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: How to use Google Gadgets with Tor? - Is this possible?
On 15/01/11 19:02, Mike Perry wrote:

> Thus spake Matthew (pump...@cotse.net):
>
>> To cut a long story short after having removed TorButton, NoScript, and
>> HTTPS-Everywhere and therefore leaving just Tor I still cannot get Twitter
>> to work from Gmail. I am using Firefox.
>>
>> The Twitter icon and drop-down box partially loads (but not as normal when
>> I am not using Tor). Clicking on it appears to load some Twitter functions
>> e.g. "transferring data from twittergadget.appspot.com" but Twitter does not
>> load. Eventually all loading messages just stop and the screen stays as
>> Gmail.
>
> I've noticed that some mashup services mysteriously break when Google
> decides to give them/you a captcha. This could be happening to you.
> You could try to solve a google captcha by issuing some queries and/or
> using Google maps first, to see if this makes any difference. Usually
> once you have the cookies for a session that solves a captcha, Google
> does not make you solve another.

Mike - thanks for your advice. This is not an issue for me. I do not get a captcha.

> You could also install an addon to observe the requests your browser
> uses in both non-Tor and Tor accesses of this gadget to see if the
> requests appear different for some reason. That may help diagnose the
> cause:
> https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

I installed this add-on. I wiped my cache and cookies and used the headers and generator tabs with just Polipo and Tor running (no TorButton, NoScript, etc). Then I logged into Gmail and waited until everything fully loaded then clicked the Twitter icon and waited until Twitter fully loaded (although as mentioned one does not see the Twitter screen when using Tor).
There were two "warnings" from the headers that looked like this:

    Server: Apache/2.2.3 (CentOS)
    X-Powered-By: PHP/5.1.6
    Set-Cookie: PHPSESSID=crm7nfld6en7aei64tnhmkif72; path=/
    Pragma: no-cache
    Content-Type: text/html; charset=UTF-8
    Age: 1
    Connection: keep-alive
    Warning: 110 localhost:8118 Object is stale

These warnings did not appear in the headers when doing the same action in a non-Tor state.

I can only find this exact text once and it does not refer to Tor: http://www.visualwebripper.com/forum/yaf_postst223_Add-option-to-change-the-request-header-on-link-templates-input-data-etc-.aspx

The HTTP-headers addon generated 120K of text from the "headers" and "generator" tabs simply from attempting to load Twitter with Tor. Therefore there may well be other content of interest which I did not notice but the two warnings were the most overt.

Any ideas? Thanks!

> https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
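The comparison suggested in this thread (the same request captured with and without Tor) can be scripted instead of read by eye through 120K of header text. The following is an added example, not part of any message in the thread: the function names are hypothetical, the proxied sample reuses the headers quoted above, and the direct sample is constructed on the assumption that it differs only by the proxy-added headers. In an HTTP/1.1 `Warning` header the second field (warn-agent) names the host that added the warning, here `localhost:8118`, a local proxy rather than the origin server.

```python
import re

# Constructed sample: the response headers quoted in the message above.
TOR_CAPTURE = """\
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=crm7nfld6en7aei64tnhmkif72; path=/
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Age: 1
Connection: keep-alive
Warning: 110 localhost:8118 Object is stale
"""
# Constructed sample: assumed shape of the same response fetched without Tor.
DIRECT_CAPTURE = """\
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=constructed-direct-session; path=/
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
"""

# Headers that differ on every session and only add noise to the diff.
VOLATILE = {"set-cookie", "date", "expires"}
WARNING_RE = re.compile(r"(\d{3})\s+(\S+)\s+(.*)")

def parse_headers(text):
    """Return {lowercased-name: [values]} for a block of 'Name: value' lines."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_captures(direct, proxied):
    """Headers whose presence or value differs: {name: (direct, proxied)}."""
    a, b = parse_headers(direct), parse_headers(proxied)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b))
            if n not in VOLATILE and a.get(n) != b.get(n)}

def parse_warnings(headers):
    """Split each Warning value into (warn-code, warn-agent, warn-text)."""
    found = []
    for value in headers.get("warning", []):
        m = WARNING_RE.match(value)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3).strip('"')))
    return found
```
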
Re: BHDC11 - De-anonymizing Live CDs through Physical Memory Analysis
Hi,

intrigeri wrote (13 Jan 2011 11:37:51 GMT) :

>> explicit ordered zeroisation is handy. (starting with keys and key
>> schedules, working cipher state, then on to user data, before
>> completing a full pass or three. this takes a smart kexec or other
>> ham fisted - still worth the effort.)

> The kexec idea seems brilliant to me: this is the best way I can
> think of to run the memory wipe process inside an environment where
> almost all of the memory is considered as being free.

> I have thus started implementing this idea in T(A)ILS. Thanks to
> Debian's initramfs-tools and kexec-tools, drafting an early
> prototype was quite easy. Stay tuned, more to come soon.

Now implemented in T(A)ILS "devel" Git branch (this email will probably reach the list before I am able to push a few bugfixes and polishing commits to the online repository, though => reviewers: you are obviously welcome but please wait until you can fetch 14d9d824..8163695d).

Next steps are (help is warmly welcome):

- test this code on bare metal (not done yet :/)
- move this code into a new Debian package that would not depend on T(A)ILS at all; doing so would offer protection against memory recovery attacks to non-Live (GNU/Linux) systems users. I had this future step in mind while implementing this feature in T(A)ILS, so this should not be too hard a thing to do.
- make the kexec-tools Debian package's initscripts behavior customizable enough so that we have less code to maintain ourselves.

Bye,
--
intrigeri
 | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
 | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
 | Every now and then I get a little bit restless
 | and I dream of something wild.
Re: How to use Google Gadgets with Tor? - Is this possible?
Thus spake Matthew (pump...@cotse.net):

> To cut a long story short after having removed TorButton, NoScript, and
> HTTPS-Everywhere and therefore leaving just Tor I still cannot get Twitter
> to work from Gmail. I am using Firefox.
>
> The Twitter icon and drop-down box partially loads (but not as normal when
> I am not using Tor). Clicking on it appears to load some Twitter functions
> e.g. "transferring data from twittergadget.appspot.com" but Twitter does not
> load. Eventually all loading messages just stop and the screen stays as
> Gmail.

I've noticed that some mashup services mysteriously break when Google decides to give them/you a captcha. This could be happening to you. You could try to solve a google captcha by issuing some queries and/or using Google maps first, to see if this makes any difference. Usually once you have the cookies for a session that solves a captcha, Google does not make you solve another.

You could also install an addon to observe the requests your browser uses in both non-Tor and Tor accesses of this gadget to see if the requests appear different for some reason. That may help diagnose the cause:

https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
How to use Google Gadgets with Tor? - Is this possible?
This post is similar to the problems people have been having with cookies and Gmail when using TorButton.

In this case within Gmail I enabled "add any gadget by URL" and then added Twitter (https://twittergadget.appspot.com/gadget-gmail.xml).

Without Tor when I click on the Twitter icon the Twitter feed appears in place of whatever Gmail folder I was currently browsing. (This happens once I have logged in to Twitter for the first time and therefore connected the accounts).

To cut a long story short after having removed TorButton, NoScript, and HTTPS-Everywhere and therefore leaving just Tor I still cannot get Twitter to work from Gmail. I am using Firefox.

The Twitter icon and drop-down box partially loads (but not as normal when I am not using Tor). Clicking on it appears to load some Twitter functions e.g. "transferring data from twittergadget.appspot.com" but Twitter does not load. Eventually all loading messages just stop and the screen stays as Gmail.

The only about:config entry about Twitter is extensions.https_everywhere.Twitter which is presumably irrelevant if I have removed HTTPS-Everywhere.

Can anyone suggest what modifications are needed to achieve a workaround or if what I am trying to do is not viable.

Thanks.