Re: or-talk list migration Feb 19, 2011
A final reminder that this migration occurs today. On Sun, 13 Feb 2011 21:35:14 -0500 Andrew Lewman wrote: > A reminder that this migration occurs this week. > > On Mon, 24 Jan 2011 15:05:03 -0500 > Andrew Lewman wrote: > > > Hello or-talk subscribers, > > > > On February 19, 2011, we are migrating or-talk from or-t...@seul.org > > to tor-t...@lists.torproject.org. We will migrate your e-mail > > address's subscription to the new list. You will receive a > > confirmation from the new mailing list software on the 19th. > > > > Current or-talk archives will be migrated. Roger plans to leave the > > current archives in place at seul.org as well. > > > > We're using this migration to spread administration out to Tor's > > sysadmin team rather than making Roger do everything himself. The > > secondary benefits of having the lists on the torproject.org domain > > include SSL-enabled login, archives, and easier account management. > > > > You can subscribe to the new list at > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > > > I will send out a reminder on the day of the migration. > > > > Please e-mail tor-assista...@torproject.org with any questions. > > > > Thank you. > > > > > -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Where is vidalia config file?.MacOSX.
On Fri, Feb 18, 2011 at 10:52:57AM -0800, luis_a_mace...@yahoo.com wrote 0.9K bytes in 17 lines about: : I compiled/installed vidalia-0.2.10 from sources but I cannot find the vidalia configuration file(on Linux vidalia.conf) so I can change some things not available from the vidalia GUI interface. It's in ~/Library/Vidalia or /Users/username/Library/Vidalia. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: or-talk list migration Feb 19, 2011
A reminder that this migration occurs this week. On Mon, 24 Jan 2011 15:05:03 -0500 Andrew Lewman wrote: > Hello or-talk subscribers, > > On February 19, 2011, we are migrating or-talk from or-t...@seul.org > to tor-t...@lists.torproject.org. We will migrate your e-mail > address's subscription to the new list. You will receive a > confirmation from the new mailing list software on the 19th. > > Current or-talk archives will be migrated. Roger plans to leave the > current archives in place at seul.org as well. > > We're using this migration to spread administration out to Tor's > sysadmin team rather than making Roger do everything himself. The > secondary benefits of having the lists on the torproject.org domain > include SSL-enabled login, archives, and easier account management. > > You can subscribe to the new list at > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > I will send out a reminder on the day of the migration. > > Please e-mail tor-assista...@torproject.org with any questions. > > Thank you. > -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Scroogle and Tor
On Sun, 13 Feb 2011 14:09:56 -0500 (EST) scroo...@lavabit.com wrote: > I've been fighting two different Tor users for a week. Each is > apparently having a good time trying to see how quickly they > can get results from Scroogle searches via Tor exit nodes. I've talked to a few services that do one of the following: - Run a Tor exit enclave, which would only allow exit through Tor to your webservers. There are a few services that run a tor client and simply block every IP in the consensus, except their exit enclave. - Run a hidden service. Due to the current state of hidden services, it'll slow down everything. - Run a tor exit enclave against one, non-load balanced server for tor users. If someone abuses it, the reality of slower response times is a self-enforcing feedback loop. Of course, this sucks for the non-abusers. - Rate limiting queries in the application. The Google solution of CAPTCHA. The Yahoo/Bing solution of throwing up a temporary error page when queries cross some threshold per IP address. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Design Change Causing More Traffic?
On Mon, Feb 07, 2011 at 09:51:57PM -0700, jimmy...@copper.net wrote 0.6K bytes in 11 lines about: : I am on dialup and so I am very sensitive to the amount of traffic : overhead in the operation of Tor. Lately that seems to have increased : significantly. Assuming I am not just imagining it (I have no objective : measurements to back this up) is this just because of the build-out of : the network or has then there been a design change that would cause this? Which version of tor? -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Proposal for making Tor TLS stand out less
There is a fine thread on or-dev about this, starting here, http://archives.seul.org/or/dev/Jan-2011/msg00029.html -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Per-Tab Torbutton
On Tue, 25 Jan 2011 13:25:30 -0500 Jerzy Ćogiewa wrote: > Is it possible to have Torbutton activate Tor only on specified tabs > and not others? It would make Tor much more useful. Mike can answer this better, but I believe the main problem with this is that Firefox doesn't have a per-tab reference model. Meaning, a non-tor tab could reload some content in a tor-tab, de-anonymizing you in the process. Or some javascript/metarefresh can load between tabs and get your non-tor state and then your tor-state; which correlates your identity in both cases. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Is "gatereloaded" a Bad Exit?
In my opinion, judging a relay based on exit policy is a slippery slope we don't want to go down. We never claim to make using Tor alone safer than using the Internet at large. Whether the creep is at Starbucks sniffing the wifi or running a relay is irrelevant to me. Encouraging people to use encrypted communications, the https everywhere firefox extension, and learn to be more secure online are some of our goals. The Tor Browser Bundle, while still a work in progress, is the best way to protect novice users and get them safer than they are without Tor. I personally run encrypted services on unencrypted ports, like 25, 80, 143, 110, etc. It's just a port number and only convention says port 80 has to be for http only. If people start doing deep packet inspection to enforce 80 is really http or running filters in some misguided attempt to block "bad things" through Tor, then those are reasons to 'badexit' relays. There are some obvious ways we can detect traffic manipulation through Tor relays. Today, we do detect them and badexit those relays. If we're going to start censoring Tor exits based on impressions, we might as well start blocking Tor relays that are rumoured to be run by national intelligence agencies, criminal organizations, martians, and other people we might not like. In fact, we might as well go back to the original model of "every Tor relay operator has met and gained Roger's trust". I want a diverse set of Tor relays. If people don't want to trust relays based on whatever heuristics they want to use, great, use ExcludeNodes in your torrc. Don't punish everyone based on rumors and impressions. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Polipo bug reporting
On Mon, 31 Jan 2011 12:20:10 + "Geoff Down" wrote: > Thank you Juliusz, I appreciate your efforts. > Clearly Tor needs to ship with a working Polipo, so if this is a real > fault would the bundle developers please revert to the version which > was in the Vidalia 0.2.9 bundle, which is still working. The difference is that the PPC bundle with vidalia 0.2.9 was built on a 10.3.9 ppc mac. However, the 10.3.9 machine died a smelly, melty death during a build a few months ago. The current bundles are built on a 10.5 ppc mac with backwards compatibility for 10.3.9 (at least according to xcode/gcc). Clearly Apple's backwards compatibility options don't work. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Question and Confirmation.
On Sun, 30 Jan 2011 23:15:17 + Matthew wrote: > I'm still not getting this. My understanding is that you have the > data and the header when using TCP. If only the data is encrypted > then what happens to the headers? Does this image help at all? https://svn.torproject.org/svn/projects/presentations/images/tor-keys.svg Your original data is tunnelled through tor. Your original packets are wrapped in onionskins and moved about the globe. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Is "gatereloaded" a Bad Exit?
One could argue that recording traffic goes against the spirit of the tor project and anonymity in general. But even if people do monitor the traffic as long as they don't control both nodes there is little chance that the end user can really be tracked. There is also an onus on the end user to still practice safe internet habits and be careful about still using SSL, when they are entering passwords, or doing similar sensitive things. Tor was not designed to make internet browsing safe in a general sense, rather it is meant to provide away around firewalls and censorship so that people can access the "open" internet without a fear of getting tracked as easy. -Andrew On Jan 29, 2011, at 8:56 PM, grarpamp wrote: >> I dont see how to recognize if the traffic is recorded? > > I know people who record exit traffic, lots of it. And they > do all sorts of things with it too. Does that news trouble > you? If so, you need to readjust your thinking. > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Question and Confirmation.
On Fri, Jan 28, 2011 at 11:29:25PM +, pump...@cotse.net wrote 2.3K bytes in 53 lines about: : My understanding is that Tor encrypts both the content of a data : packet and also the header. It encrypts the packet and header three : times on the client (my computer) and then at each node one layer is : decrypted until the data packet and header are decrypted to : plaintext at the final exit node (except when TLS is used). Right? Actually, tor wraps the original traffic in encryption and tunnels it through the 3 hops of a circuit. We do not touch the original data. : The Tor FAQ says "Tor is not illegal anywhere in the world". Can : that really be the case? What about North Korea for example? Tor : as a specific tool might not be specifically illegal but surely it : would fall under the rubric of some kind of stupid prohibition? North Korea doesn't have Internet, much less personal computers connected to anything. As for the larger question, Tor itself is not illegal that we know of. Circumventing the state-run proxy/firewall may be illegal. However, I'm sure if a Ministry of Culture wants to trump up charges, "crimes against the common good or morals" is a fine charge to levy on someone in custody. A fine bit of legal research would be to discover in which countries circumventing a national firewall or blocklist is illegal. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Is "gatereloaded" a Bad Exit?
On Sat, Jan 29, 2011 at 09:55:05PM +0100, j...@buksy.de wrote 1.3K bytes in 38 lines about: : What kind of scans do you perform? I thought these scans do only check : for content manipulation? I dont see how to recognize if the traffic is : recorded? https://gitweb.torproject.org/torflow.git/tree/HEAD:/NetworkScanners/ExitAuthority is the code. You are correct in that we cannot detect recording of traffic. : Yeah, I'm not saying "this is evil", but want to bring it into : discussion, because I was unable to get any reasonable explanation for : this exitpolicy. : : Of course these ports are popular, but 443 is popular as well? So for me : it looked like "pick all the popular _unencrypted_ ports". I agree, it does look that way. People can set "ExcludeExitNodes" for gatereloaded in their torrc. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Hi and Ubuntu install...
Yeah, that server seems to timeout time to time. Retry it a few times and it should work. On Jan 29, 2011, at 6:23 PM, Chris Kimpton wrote: > Hi, > > I am trying to setup Tor on an Ubuntu box, but getting a little glitch > on the install - hope this is the correct list to query... > > I followed the instructions from here: > > http://www.torproject.org/docs/debian.html.en > > In particular: > > Then add this line to your /etc/apt/sources.list file: > > deb http://deb.torproject.org/torproject.org main > > where you put the codename of your distribution (i.e. etch, lenny, > sid, maverick, lucid, karmic, jaunty, intrepid, hardy or whatever it > is) in place of . > > Then add the gpg key used to sign the packages by running the > following commands at your command prompt: > > gpg --keyserver keys.gnupg.net --recv 886DDD89 > > > I found and installed the package ok, but the gpg line fails - doesnt > seem to get to keys.gnupg.net. > > Is that still current, or is the server just down for now and I should > try later... > > Thanks in advance, > Chris > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Is "gatereloaded" a Bad Exit?
On Sat, 29 Jan 2011 19:46:20 +0100 Jan Weiher wrote: > This node looks suspicious to me, because there is no contact info > given and the exit policy allows only unencrypted traffic: It hasn't shown up in any of the exit scans as suspicious. Lack of contact info isn't a concern. The exit policy is odd, yes. However, arguably those are also very popular ports as well. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: cave updates, Qwest
On Fri, Jan 28, 2011 at 12:23:53PM -0700, s...@drigon.com wrote 2.8K bytes in 55 lines about: : Hi all. i just wanted to give some updates regarding my router "cave" : and experiences so far with running a Tor exit on my Qwest home DSL : internet. Thank you for sticking with it. If there is some way I can help, please email me. : Unfortunately, there still exist some problems and hiccups i've been : dealing with. While the DMCA complaints have so far stopped, my : internet has been disabled three times now due to 'malicious' behavior. Interesting. A while ago, I ran bothunter[1] on my exit node to see how much malicious behavior ever came of a tor exit node. After 46 days, it reported 1 "bot", IP Address 8.8.8.8 as a command and control node. Not sure what that means, other than clearly it didn't like Google PublicDNS. [1] http://www.bothunter.net/ -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor exits in .edu space
On Thu, 27 Jan 2011 11:51:56 -0500 Flamsmark wrote: > I run a Tor exit node because I support the ubiquitous availability > of strong anonymity for anyone who wants it. Tor is one of the > strongest, best- researched, and most widely-used online anonymity > system, and I want to help keep it running at maximum capacity. First and foremost, thank you. > The support that I received from the project was somewhat limited, > but I can't really imagine receiving that much more. I spoke with > arma on the IRC channel, and he provided me with moral support, and > offered to get me in touch with Ed Felten at Princeton's CITP. We're trying to figure this out ourselves. I've personally been the introduction point between exit relay operators and a lawyer in their country to help them when something goes wrong. I've spoken to a number of organizations, such as law enforcement, Internet providers, and schools about what Tor is, who uses it, and how we can help when criminals use tor. In some cases, I've travelled to meet people to spend time with them and help them as best I can. Law enforcement organizations are generally surprised when we show up to talk to them, to educate them, and explain that real people use tor for real reasons. If all you see all day are criminals using a hammer, then clearly hammers are only for criminals. It's the same with Tor. It's frequently the case that their own investigators are using Tor to hide their tracks online too, and are willing to show up to support us and talk about how they use it. I hope this helps stop SWAT teams from kicking down doors when someone exits traffic for a jerk. I've talked to people on the steps of their local police station just after they were released from jail the night before. I've talked to people looking at academic suspension and huge fines because of a DMCA notice. This is why I started contacting law firms in various countries to find resources for people, https://blog.torproject.org/blog/start-tor-legal-support-directory. It needs more work, it needs someone with more legal background to write up a case guide for other lawyers/solicitors/judge advocates. I am always impressed that 95% of those accused of something due to their exit node fight harder to keep running a Tor exit node. It's people like this that help keep your liberties around the world. Once again, thank you. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: exit node config for egypt IP range
That is not really how Tor works as far as I know. A more dedicated proxy like squid is what you should look for. Similar to what was done for the Iran protests. But adding new nodes helps the entire network, and increases general capacity. If know someone that needs something more specific like a VPN tunnel then that is a whole other issue entirely. With that said I would be more then happy to get that setup for people if that is required. I am sure others on the list would do the same. Thanks, Andrew On Jan 28, 2011, at 1:59 AM, Klaus Layer wrote: > Hi, > Jacob Applebaum asked on twitter for more nodes which exit to ports 22, 25, 80 > and 443 to support egypt. Does anyone can post a proper exit config for those > who want to support the egypt people but are unfamiliar with exit nodes. I > would like to open my relays exclusively for the egypt ip ranges. > > Thanks, > > Klaus *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: exit node config for egypt IP range
That is not really how Tor works as far as I know. A more dedicated proxy like squid is what you should look for. Similar to what was done for the Iran protests. But adding new nodes helps the entire network, and increases general capacity. If know someone that needs something more specific like a VPN tunnel then that is a whole other issue entirely. With that said I would be more then happy to get that setup for people if that is required. I am sure others on the list would do the same. Thanks, Andrew On Jan 28, 2011, at 1:59 AM, Klaus Layer wrote: > Hi, > Jacob Applebaum asked on twitter for more nodes which exit to ports 22, 25, 80 > and 443 to support egypt. Does anyone can post a proper exit config for those > who want to support the egypt people but are unfamiliar with exit nodes. I > would like to open my relays exclusively for the egypt ip ranges. > > Thanks, > > Klaus *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
or-talk list migration Feb 19, 2011
Hello or-talk subscribers, On February 19, 2011, we are migrating or-talk from or-t...@seul.org to tor-t...@lists.torproject.org. We will migrate your e-mail address's subscription to the new list. You will receive a confirmation from the new mailing list software on the 19th. Current or-talk archives will be migrated. Roger plans to leave the current archives in place at seul.org as well. We're using this migration to spread administration out to Tor's sysadmin team rather than making Roger do everything himself. The secondary benefits of having the lists on the torproject.org domain include SSL-enabled login, archives, and easier account management. You can subscribe to the new list at https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk I will send out a reminder on the day of the migration. Please e-mail tor-assista...@torproject.org with any questions. Thank you. -- Andrew pgp 0x74ED336B signature.asc Description: PGP signature
Re: polipo-tor deb/ubuntu native package
On Mon, 17 Jan 2011 12:21:56 -0800 travis+ml-tor-t...@subspacefield.org wrote: > > The real answer is to fix firefox so it doesn't need a proxy > > between it and Tor. We patch firefox to do just this in the osx > > and linux tor browser bundles. Polipo was a fine kludge until > > either we started patching firefox or mozilla fixed their > > many-years-old socks bug. > > Hmm, I had no idea this was even available for Linux. > > It looks like a tarball - it's unclear how this will interact with a > package manager, which likes to know which packages installed which > files, and updates them automatically, etc. Tor Browser Bundle isn't something to install, you extract and run. I've seen a few linux users just double click the tar.gz file and run from inside their archive extractor. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Torservers: Update on move to UK & on the association
I doubt that I will be able to get to dresden, but is there a chance of some sort of video conference? I like the idea of putting together so sort of official group behind the tor exit node operators. There are a ton of things that this could encompass, and we could roll up a few different efforts under one header. Also it allows those that want to sponsor nodes, but not deal with the tech side of it to contribute. On Mon, Jan 17, 2011 at 7:25 AM, Moritz Bartl wrote: > Hi, > > [ Crossposted to or-talk; if you want to stay informed about > torservers.net or discuss specifics, please subscribe to our list: > http://www.freelists.org/list/torservers ] > > * SOFTLAYER/100TB: > A few days ago Softlayer nullrouted ONE of our exit IPs, but the other > IPs are still up. So much for the 72hr deadline issued on Dec 5th > (because of one DMCA complaint). > > I could just move the one "dead" exit to one of our unused IPs, but we > have used up most of our bandwidth in the current billing period anyway > (85TB at the moment, one week to go), so it doesn't hurt that much and > I'll let it run with three Tor processes for the next week. > BW: http://us1.torservers.net/stats/graphs/graph_6_3.png > > Every time I ask 100tb about the new server in the UK, they tell me they > will get "back to me with an offer shortly". > > * ASSOCIATION: > About the association: You know that I am working on setting up a > non-profit organization. I have found an excellent privacy lawyer who > helps me to set everything up, and the foundation will be based in their > offices, which gives the best legal protection we can get. At the > moment, I am waiting for the tax authorities to confirm the charitable > status of our charter, after that we will hold a founding meeting in > Dresden, probably sometime in early February. > > If you happen to be somewhere near and want to help us get this thing > going, you're welcome to join us! I could also use a native speaker for > the press release (to hopefully generate a bit of attention to the Tor > project). > > -- > Moritz Bartl > http://www.torservers.net/ > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ >
Re: polipo-tor deb/ubuntu native package
On Fri, Jan 07, 2011 at 03:21:22PM -0800, travis+ml-tor-t...@subspacefield.org wrote 15K bytes in 259 lines about: : I've advertised this a few times, to virtually no response. The : tor-assistants mlist has been confused, with people telling me they : weren't sure what their ubuntu strategy was, whether they even wanted : debian packages, etc. : : I haven't, for the life of me, been able to even figure out who to : talk to. I've posted emails perhaps 3 times, with virtually no : feedback. Nobody's apparently doing anything. I don't blame them, : because the debian packaging tools and docs are complicated and : annoying. There has been much discussion over a combined tor and polipo package, as well as a vidalia-tor-polipo package for deb-based systems. The core issue is that packages should not overwrite other packages config files. We've generally assumed (wrongly) that linux users understand their system and can handle manual configuration of a few packages, such as tor, polipo, and vidalia. The general answer for users who just want a tor client is to use the tor browser bundle. The real answer is to fix firefox so it doesn't need a proxy between it and Tor. We patch firefox to do just this in the osx and linux tor browser bundles. Polipo was a fine kludge until either we started patching firefox or mozilla fixed their many-years-old socks bug. I tried to summarize this state of affairs in https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#WhydoweneedPolipoorPrivoxywithTorWhichisbetter. As for ubuntu, we've started to work with their build teams to get an updated tor in their repositories. We do build our own debs for many versions of ubuntu, but not your polipo-tor specific deb. If you want to talk about integrating your build and config into our build system, please open a ticket, https://trac.torproject.org/projects/tor/report/10. The great thing about free software is that you're welcome to do just what you're doing. You don't like the situation, so you solve it. Great. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: geeez...
On Wed, 12 Jan 2011 02:29:49 +0100 Dirk wrote: > But I wan't a legally binding statement from a lawyer or an official > (BSI) that running TOR exit nodes in germany is legal. Ask the CCC for a start. They have defended many Germans already. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: blutmagie law enforcement inquiry stats
Recent cases of people being stopped by DHS as they enter/exit the country due to political causes they are affiliated with. Not really anything to do with Tor yet, but wikileaks or hacking in general. On Tue, Jan 11, 2011 at 5:15 AM, Matthew wrote: > > > On 10/01/11 21:00, Olaf Selke wrote: > >> However I'm not sure what will happen at certain country's airport >> immigration. >> > What does this mean? > > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ >
Re: blutmagie law enforcement inquiry stats
What do they typically ask for, and is it from any place in particular? Also what sort of things typically generate these notices? On Mon, Jan 10, 2011 at 4:00 PM, Olaf Selke wrote: > Am 10.01.2011 20:42, schrieb Roc Admin: > > This is interesting. Could you detail time consumed in resolving the > > requests and any problems you ran into with authorities? > > this morning arrived the first fax in 2011 requesting user data. Police > is back again from Xmas vacation ;-) > > Using my template composing the answer and sending it thru a fax machine > usually takes less than 15min. I never did run into difficulties with > police so far. However I'm not sure what will happen at certain > country's airport immigration. > > In most cases the police officers are quite polite and almost happy to > close their file cause the trace ends. I suppose it's much more easy to > deal with law enforcement if you appear 25 times a year on police's > radar than only once. At least they tend to believe my words. > > regards Olaf > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ >
Re: Index of hidden services?
On Fri, 7 Jan 2011 13:22:58 -0600 Peter McCann wrote: > On the website describing how to set up a hidden service > I saw a mention of a (hypothetical?) "Hidden Services Wiki" > where pointers to hidden services are stored. Does such a wiki exist? > If so, where can I find it? Years ago, there was a popular place called "The hidden wiki" which was the only one in existence, that anyone knew about. It was then beseiged by child porn links and images and went away. Since then, many different services claiming to be "the hidden wiki" have come and gone. Someone also tried to setup a google search appliance to crawl all of .onion space. It didn't get very far for the obvious reason of most hidden service sites don't want to be found by the general population. The services don't link to each other, and they may be on random ports. It's possible one could create a search engine that crawls every possible .onion hostname on common tcp ports (80, 443, 8080, 8443). Over long periods of time, this may find many hidden services. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Home Internet with Anonymity Built In
On Fri, 7 Jan 2011 00:55:32 +0800 Trystero Lot wrote: > will this work with linksys ata specially 3102? We're just adding a correct tor configuration to openwrt. If openwrt supports your device, then our tor mods should as well. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor uses swap?
On Wed, Jan 05, 2011 at 11:27:59PM +0100, noi...@gmx.net wrote 1.2K bytes in 29 lines about: : since 4GB or 8GB of ram are pretty much the standard these days you could use a ramdisk for swap... ;D Towards this end, my travel laptop running pcbsd has no swap configured. I haven't run into any issues with this configuration yet. I realize the risks of some program going haywire and consuming all ram, but in the past month of doing this, it hasn't materialized. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor and google groups
On Wed, 05 Jan 2011 19:18:09 + Orionjur Tor-admin wrote: > Is it very difficult to buy a SIM without showing ID in the USA or > countries of Western Europe? Sorry for such off topic but it is very > interesting to know are there any countries in Western Europe or > states of the USA when it is possible to buy a SIM without showing > your ID with accordance to local law? My $0.02 from buying SIM cards all over the world, I show them my CostCo Club photo id. In Hong Kong they wrote down my first/last name as "cost co". No one has photocopied the ID yet. Many shops ask for it and then do nothing with it. As explained to me in Belgium, the law says they have to see an ID, not record, write down, and register the sim in your name. Maybe I just found a cool shop by accident. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BDS VPNs hosting
On Fri, Dec 31, 2010 at 05:55:57PM +0100, jespa...@minibofh.org wrote 1.5K bytes in 28 lines about: : The approach described in the official Tor project documentation is : excellent from my humble point of view. As a web-hosting sysadmin I Ok, that's really what I was hoping. Otherwise, my hope is that people improve it over time to adjust to reality and experiences. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor-BlackBelt Privacy
On Wed, Dec 29, 2010 at 01:53:17PM +0100, tor-ad...@privacyfoundation.de wrote 0.8K bytes in 25 lines about: : I have done a small test. It seems, high performance nodes are prefered. : The project page offers only a binary download. : What do you think about the project. Is it serious? It's been around for a few years, previously called "black belt tor" by Cav Edwards. We've had some interaction with Cav Edwards over the years, but nothing substantial. : Is the preference of high power nodes useful or does it have a bad : influence on the load balancing of the tor network like the Cloakfish : idea two years ago? TCP stacks and crypto overhead may be overloading "high performance nodes". If you only need 1KB/s for a xmpp chat session, no need to choose a high bandwidth relay when a lower performance one will do. I haven't tested it, but I wonder if over time (days, weeks, months) the performance usage profile of blackbeltprivacy is different than a stock tor client. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Key length and PK algorithm of TOR
On Fri, Dec 31, 2010 at 09:21:53PM +0100, canconsult...@web.de wrote 0.6K bytes in 20 lines about: : 1) is there a specific reason why TOR does use RSA with : a keylength of only 1024 Bit? Start here, http://archives.seul.org/or/dev/Dec-2010/msg00012.html. : 2) is there a specific reason why TOR does not use ECC, : which is more secure (with reasonable curve parameters and same : key length like RSA) *and* uses less or, depending on the : ECC algorithm, at least not significantly more CPU cycles than RSA? A quick answer is most ECC implementations we may want use are patent encumbered. However, Nick or Roger will have a better answer. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BDS VPNs hosting
On Fri, Dec 31, 2010 at 03:40:33PM +0100, jespa...@minibofh.org wrote 1.0K bytes in 20 lines about: : Yes Anders, I know. I've been involved in web host industry (as a : sysadmin and Security Officer) the last three years. I know a lot : about this business. They (web hosting providers) appreciate a lot : when the costumer offers good attitude and collaboration, as my case : is. Do you have advice on how to better approach an ISP from the start? Say, if I wanted to find a host to run an exit node? -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Downloading files?
On Fri, Dec 31, 2010 at 04:55:18PM +0100, andr...@fastmail.fm wrote 0.9K bytes in 27 lines about: : When I've tried to download, when using Tor, Tor pops up some message : and says something like "this could unmask youuse Amnesia LiveCd" That sounds like the torbutton download intercept for firefox. It should ask you if you want to launch the application or cancel. In most cases, launching the application opens the firefox download prompt. In some cases, it will launch the application directly. It depends how your browser is configured with mime types and the like. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BDS VPNs hosting
On Fri, Dec 31, 2010 at 02:18:00PM +0100, jespa...@minibofh.org wrote 1.7K bytes in 42 lines about: : ... they allow me to run Tor proxy. So, good for me and Tor network! : For the moment I will stay will them. Great. Be aware that rootbsd.net appears to be using SoftLayer for their infrastructure. Lately, softlayer has decided one complaint (abuse or dmca) is one too many and threatens to kick people of their network. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: https errors
On Fri, Dec 31, 2010 at 04:55:39AM +, moeedsa...@gmail.com wrote 1.2K bytes in 36 lines about: : The majority of time i try to submit info over https, i get this message: : An error occurred during a connection to ansar1.info. : Peer reports incompatible or unsupported protocol version. : (Error code: ssl_error_protocol_version_alert) What browser configuration? what exit relay at the time you are trying to submit? -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BDS VPNs hosting
On Fri, Dec 31, 2010 at 11:41:26AM +0100, jespa...@minibofh.org wrote 1.4K bytes in 31 lines about: : Anyway my host provider (www.rootbsd.net) seems unhappy hosting a If their terms of service forbids anonymous proxies or any proxies, then they have the legal right to enforce their contract. Perhaps you've found this already, https://www.torproject.org/docs/faq-abuse.html.en and https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Downloading files?
On Fri, Dec 31, 2010 at 08:17:05AM +0100, andr...@fastmail.fm wrote 0.4K bytes in 9 lines about: : Is there a recommended way for downloading files while using Tor? Isn't : there some program called Amnesia or some similar thing? There is no recommended way to download files through Tor. Normally, one simply uses firefox in tbb or 'usewithtor' for wget, links, etc. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor & Email?
On Wed, 29 Dec 2010 14:02:34 -0500 grarpamp wrote: > > We've generally suggested gmail because their bulk account creation > > process was good. It seems this is not the case any more. > > What is this bulk account creation you speak of? Gmail used to have the ability to stop bots from creating accounts en masse. gmail doesn't have this ability any more. > > This is false. I just created a gmail account via tor without > > needing a phone number or any other information. > > Hmm, you mean "just", as in today? What exit were you using? > Want to sell the account for bitcoins? Kidding :-) As in around 08:45 AM EST. I didn't look to see which exit, it just worked, just a captcha required. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Looking for updated debian sqeeze packages of Tor 0.2.1.28
On Wed, Dec 29, 2010 at 09:02:57AM +0100, klaus.la...@gmx.de wrote 1.1K bytes in 39 lines about: : I am looking for updated debian sqeeze packages. Currently only Tor 0.2.1.26 : packages seems to be available. Any ideas where to find the 0.2.1.28 packages? It is updated in squeeze, labelled as 0.2.1.26-6. See http://packages.debian.org/testing/net/tor and http://packages.debian.org/changelogs/pool/main/t/tor/tor_0.2.1.26-6/changelog for the applied changes. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor & Email?
On Wed, Dec 29, 2010 at 03:42:00AM -0500, grarp...@gmail.com wrote 0.9K bytes in 15 lines about: : Keep in mind that google does not allow new accounts to be : created via Tor. Unless you are willing to give up your phone This is false. I just created a gmail account via tor without needing a phone number or any other information. Frequently, google's anti-ddos/spam/too-many-creations-from-a-single-ip-address detector is tripped for tor exit nodes and requires other information. We've generally suggested gmail because their bulk account creation process was good. It seems this is not the case any more. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Why NOT send UDP over tor?
On Mon, Dec 27, 2010 at 09:56:55AM -0500, prae...@yahoo.com wrote 0.5K bytes in 12 lines about: : Subject says it all. Why is only TCP sent over tor and not UDP? Why not simply suck up and send ALL net traffic, regardless of type, through tor so there can be no anonymity violations? The short answer is it needs research and coding to do correctly. The long answer is in here, https://www.torproject.org/press/presskit/2009-03-11-performance.pdf -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: tor is blocked in china
On Mon, Dec 27, 2010 at 10:41:26AM +0800, luweit...@gmail.com wrote 1.0K bytes in 28 lines about: : Bridge : : cannot be present. I hear that it's because fingerprint : checking is blocked. You heard wrong. We disabled the fingerprint requirement for bridges. It is still good practice to include the fingerprint. I think this was in 0.2.0.19 in 2008. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Help with JanusVM?
On Sun, Dec 26, 2010 at 08:22:03PM -0500, zzretro...@email2me.net wrote 9.3K bytes in 548 lines about: : anyone have this happen? suddenly I get no more mail from or-talk and any emails I send or post don't go to or-talk nor are they sent back to me as undeliverable? You could send a mail to or-talk-admin with your old email address to find out what happened. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor VM stalled at 25%
On Thu, Dec 23, 2010 at 05:45:06PM -0500, prae...@yahoo.com wrote 1.3K bytes in 34 lines about: : From the tor site. It is Ubuntu. Is there another out there or do we all have to roll out own? Where specifically? -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Polipo and privoxy needed?
On Thu, Dec 23, 2010 at 09:26:17AM -0500, pe...@aleksandrsolzhenitsyn.net wrote 1.4K bytes in 34 lines about: : I just upgraded my Tor setup with the Browser Bundle. It runs fine but : I noticed that I have privoxy and polipo still on my system from the old : setup. : : Can I delete them? If you are using TBB, then yes, you can remove privoxy/polipo installed on your system. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: tor is blocked in china
On Tue, Dec 21, 2010 at 03:34:29PM +0800, luweit...@gmail.com wrote 1.0K bytes in 21 lines about: : Could someone confirm that tor has been defeated in china? I mean : running tor natively, not "capped" or through another proxy. The Chinese GFW team has been actively blocking all public relays since the 60th Anniversary of the CCP in Sept 2009. In March 2010, the GFW admins ramped up and crawled all of bridges.torproject website and flooded requests to brid...@torproject from around 6000 unique gmail accounts. We've been re-balancing the various bridge pools to create more churn so the GFW admins have to keep crawling in order to block the public bridges. We released a batch of bridges via social networking sites in China mid-summer and those bridges are working fine. New bridges seem to be blocked within 1-2 weeks. We are working on a number of things to improve the availability of tor in China. In the arms race of censor vs. circumvention, China's GFW is the furthest along at Step 3 (attempt to block the bridges). We are trying to have this arms race as slow as possible. One of the problems with the bridge solution right now is that there are so few of them. See https://metrics.torproject.org/network.html for the current count of bridges in the top graph. Many users in China are using vpns and other insecure proxies, and then using tor over those technologies to protect their traffic and browsing. Fluffybunny vpn, hot spot shield, and others are popular right now. We want to roll out a better bridge design that makes it vastly more expensive to try to block. The research and development on this step has been underway for a while. Other projects to simply increase the quantity of bridges are the Torouter [1] and bridge-bundle [2] plans we're working on towards a March 2011 release. [1] https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/Torouter [2] https://trac.torproject.org/projects/tor/wiki/projects/ExperimentalBridgeBundles -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: signature of Tor release
On Mon, Dec 20, 2010 at 11:54:38AM +0800, luweit...@gmail.com wrote 0.5K bytes in 12 lines about: : again. I noticed that the signature of Tor release was changed from : 0x31B0974B, "Andrew Lewman (phobos) " to 0x63FEE659, : "Erinn Clark ". Is it correct? Was there any announcement? It is correct. We switched around a year ago. The verifying signatures page lists who typically signs what, https://www.torproject.org/docs/verifying-signatures.html.en And you'll notice I've signed the main key, 0x63FEE659. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Portable Tor error message
On Sat, Dec 18, 2010 at 12:31:59AM -0500, pe...@aleksandrsolzhenitsyn.net wrote 1.4K bytes in 36 lines about: : When I start up Portable Tor I get the following message; : Qt: Session management error: None of the authentication protocols : specified are supported Is this tor browser bundle or the actual portable tor? -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor web dox bug
On Tue, Dec 14, 2010 at 03:08:13AM -0500, grarp...@gmail.com wrote 0.3K bytes in 6 lines about: : https://www.torproject.org/docs/tor-doc-unix : the above page says tsocks. it should say: : http://code.google.com/p/torsocks Done. -- Andrew pgp key: 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor 0.2.2.19-alpha is out
On Tue, 30 Nov 2010 16:25:25 + Matthew wrote: > In System / Administration / Software Sources / Authentication there > is an deb.torproject.org archive signing key dated 2009-09-04 with > the value 886DDD89. This is correct. > Am I correct to think that this key sufficient to verify updates when > using sources.list. This is correct. > Also, who exactly owns 886DDD89? Is it a specific person or for > torproject.org as a whole? If you gpg --list-sigs 0x886DDD89 You can see who signed the key. It is a role key that the packagers use to sign the builds, rather than using their own personal keys. It is up to you if you trust the key and those who signed it implying validity. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor-node failed
On Fri, 03 Dec 2010 00:29:58 + Orionjur Tor-admin wrote: > Last time my tor-node regularry fails. How can I debug causes of it? https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#MyTorkeepscrashing. The text at that url is a fine start. -- Andrew pgp 0x74ED336B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor 0.2.2.19-alpha is out
On Sun, Nov 28, 2010 at 08:56:13PM +, pump...@cotse.net wrote 5.4K bytes in 125 lines about: : I am curious how to get 0.2.1.27 in the preferred way when using : Ubuntu. Thanks! You are doing it correctly. Packages for ubuntu/debian for 0.2.1.27 aren't created yet. We announce the source release before the binary packages we create are available. It's generally a few days from source release to binary package availability. The exception here is OS X PPC, which lacks a build machine right now. -- Andrew pgp key: 31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: StrictNodes or StrictExitNodes?
On Fri, Nov 26, 2010 at 10:11:55AM +, my.green.lant...@googlemail.com wrote 2.3K bytes in 61 lines about: : So if Tor is using usual development practice then why does the : stable version manual : (http://www.torproject.org/docs/tor-manual.html.en) have : "*WarnUnsafeSocks" in it if there has been no stable build since it : was introduced in *0.2.2.14-alpha ? This is because the tor-manual.html.en is really the -alpha manual, not the -stable manual. The long story made short is that the new website removed the ability to do man2html on the -stable man page. Oops. I've removed the links to the -stable man page on the website, linking to the -alpha version instead (and labelled as such). : Also , I notice the manuals do not have deprecated commands in it : any more (even if they are still supported). It might be wise to add Because they're in the changelog. The man pages only contain what is supported, not what was supported. -- Andrew pgp key: 31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Anonymity easily thwarted by flooding network with relays?
On Thu, 18 Nov 2010 18:19:03 -0800 "Theodore Bagwell" wrote: > Some of you may be aware of the paper,"Cyber Crime Scene > Investigations (C2SI) through Cloud Computing" > (http://www.cs.uml.edu/~xinwenfu/paper/SPCC10_Fu.pdf) which > illustrates a feasible method of invalidating the anonymity afforded > by Tor. The quick answer is that this is a known active attack, and has been documented for many years. See the Tor design paper from 2004, https://svn.torproject.org/svn/projects/design-paper/tor-design.html#sec:attacks. Specifically, "Run a hostile OR. In addition to being a local observer, an isolated hostile node can create circuits through itself, or alter traffic patterns to affect traffic at other nodes. Nonetheless, a hostile node must be immediately adjacent to both endpoints to compromise the anonymity of a circuit. If an adversary can run multiple ORs, and can persuade the directory servers that those ORs are trustworthy and independent, then occasionally some user will choose one of those ORs for the start and another as the end of a circuit. If an adversary controls m > 1 of N nodes, he can correlate at most ([m/N])2 of the traffic â although an adversary could still attract a disproportionately large amount of traffic by running an OR with a permissive exit policy, or by degrading the reliability of other routers." Perhaps Roger, Nick, or Paul have a more in-depth answer. -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Scalability and fairness [was: P2P over Tor [was: Anomos - anonBT]]
On Wed, 17 Nov 2010 20:03:58 -0500 grarpamp wrote: > Wish the mbox or maildir archives were available/mirrored for easy > search, reading, reference and reply using native mail clients :) ...I wish people would stop cross-posting between -dev and -talk...;) -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor 0.2.2.18-alpha is out
On Wed, 17 Nov 2010 20:11:44 -0500 Justin Aplin wrote: > I agree that dropping the expert packages might be a good idea, but > I don't see a reason that the Vidalia bundles should fall behind. The reason for the delay in packages is the powerpc build machine died a melting death when the internal fan died over a weekend. A donor gave us a powerpc mac mini for a build machine running 10.5. It's in process of being turned into the powerpc build machine. Alternatively, building from source is very easy once the dependencies are installed. I'm not sure how well 10.5 binaries work on 10.3 and 10.4 (even with osx compiles set for 10.3 and 10.4 compatibility). I guess we'll find out. -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: can I only use 3 bridges in torrc ? thx
On Tue, 16 Nov 2010 17:59:47 +0800 waterloo wrote: > can I only use 3 bridges in torrc ? thx You can use many more than 3. Tor will see if they are reachable and use those that are working. I've seen people with 50 configured in vidalia. -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Hints and Tips for Whistleblowers - their comments on Tor and SSL - I don't understand.
On Wed, 27 Oct 2010 19:19:02 +0100 Matthew wrote: > There is a "Hints and Tips for Whistleblowers Guide" available at > http://ht4w.co.uk/. The first problem is the content is actually served up by hostingprod.com and not ht4w.co.uk. As far as the content in question, it is dangerously wrong. -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Question about torbrowser for mac
On Tue, Oct 26, 2010 at 04:18:30AM +, moeedsa...@gmail.com wrote 0.6K bytes in 15 lines about: : There is no torbutton on 1.0.1. nor 1.0.2 bundles for mac in the firefox : supplied. Should i install it manually? It is there, just due to a display bug in snow leopard, it doesn't always show up. If you go to Tools -> Addons -> Extensions, you should see torbutton listed and enabled. -- Andrew pgp key: 31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: OT: Etiquette (was Re: Excessive scrubs)
This is way off topic, please take it off the list. Thanks. -- Andrew pgp key: 31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Three circuit hops as default.How does this function?
On Sat, Oct 23, 2010 at 06:39:35PM -0700, luis_a_mace...@yahoo.com wrote 1.0K bytes in 25 lines about: : A)MyComputer--->TorRelay1--->TorRelay2--->Final Destination. : B)MyComputer--->TorRelay1--->TorRelay2--->TorRelay3--->Final Destination. : What is the right one? A or B?The three means 3 jumps or 3 tor relays? The answer you seek is here, https://www.torproject.org/about/overview.html.en#thesolution -- Andrew pgp key: 31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Firefox Problem
On Fri, Oct 22, 2010 at 01:27:56PM +, irrata...@gmail.com wrote 0.7K bytes in 15 lines about: : increase socks connection timeout on Firefox but with no luck. Anyone : know what of Firefox configuration parameters is responsible for Tor : connection timeout? Unless you want to patch and recompile firefox, you can't. See https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#privoxyorpolipo for some more details. -- Andrew pgp key: 31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: DNS with Tor (compared to VPNs).
On Wed, Oct 20, 2010 at 07:18:21PM +0100, pump...@cotse.net wrote 2.0K bytes in 53 lines about: : AIUI here is the DNS situation ("leaks") when using an ISP, a VPN, and Tor. : : If I am using my ISPs DNS then they can log the websites via my DNS requests. The dns server sees every request involving a hostname, IM, web, ssh, etc. : If I am using a commercial VPN then the VPNs DNS logs the websites. : However, my ISP does not see the DNS requests (or the website since : all traffic flows through the encrypted VPN). It depends on the VPN. Many vpns don't touch your dns settings, therefore your local resolver sees the requests. : If I am using Tor then all DNS resolution is done by the Tor exit : node. No DNS requests leave my computer unencrypted - unlike in the : previous two examples. If the apps are set to use tor correctly, yes. -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: New Bundle Version 1.3.10
On Sat, Oct 16, 2010 at 10:00:07AM -0400, zzzjethro...@email2me.net wrote 5.1K bytes in 137 lines about: : Well, I recently downloaded and extracted the USB Vidalia/Tor bundle version 1.3.10. It came with NoScript. Is this correct? Well, Vidalia keeps crashing, usually won't open and when it does I get a Google captcha I cannot get past and have to start all over. Yes, this is correct. Vidalia crashing is unrelated to Firefox and noscript. Opening a bug about the vidalia crashes would be good. : The options for NoScript are not really clear to me (I keep going over them though), and the icons don't seem to look the same as what is next to the Torbutton toggle and what it shows in the options window when clicked on. So, how do I disable or otherwise get rid of this NoScript, no want? In general, we try to set conservative options so the bundle is safe by default. A document describing the options included and why they were set to a value would be fantastic. I opened a ticket about this, https://trac.torproject.org/projects/tor/ticket/2078 -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor Bundle vs. Vidalia Bundle
On Thu, Oct 14, 2010 at 09:14:54AM -0400, zzzjethro...@email2me.net wrote 1.3K bytes in 51 lines about: : What is the difference between a Vidalia Bundle and a Tor Bundle, other than what I perceive as the obvious? >From the download page itself at https://www.torproject.org/download/download.html.en: Vidalia Bundle: "The Vidalia Bundle contains Tor, Vidalia, and Polipo for installation on your system. You'll need to configure your applications to use it." Tor Bundle: "The Expert Packages contain just Tor and nothing else. You'll need to configure Tor and all of your applications manually." -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: vidalia source tarball is missing
On Tue, 12 Oct 2010 01:21:30 +0300 Erdem Bayer wrote: > Hi > > After last website update, vidalia source tarball link goes missing > from this address: > > http://www.torproject.org/projects/dist/vidalia-0.2.9.tar.gz > > However it is still referred on this page, but the download link is > broken: > > http://www.torproject.org/projects/vidalia.html.en Thanks for the notice, I fixed it this morning, http://archives.seul.org/or/cvs/Oct-2010/msg00293.html -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Hidden service: Is it possible for an attacker to break out of a VM?
On Thu, Oct 07, 2010 at 08:31:14PM -0400, michael.gom...@gmail.com wrote 2.8K bytes in 78 lines about: : If there is no back-door or bug in your VM software, how you wanna break out : of the VM? That's a perfect world that doesn't exist. The VM software will have bugs, someone will exploit it. For a start, http://duckduckgo.com/?q=virtual+machine+attacks -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: AdvTor
On Thu, Oct 07, 2010 at 05:20:08PM +0100, my.green.lant...@googlemail.com wrote 2.3K bytes in 55 lines about: : Well, well, well suddenly the problem fixes "itself"... after : 20+ disconnects and 10+ "You are using a proxy which is changing : your data... refusing connection.." over the past 3 days. This would be a lot better if it came with logs, bug reports, and data. It could also be the destination site having problems, or the exit relay is overloaded, or sun flares. The Internet is complex, narrowing down the problem to Tor or not Tor is a first step. -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: StrictNodes
On Tue, 05 Oct 2010 19:57:42 +0100 "Geoff Down" wrote: > "[warn] The configuration option 'StrictExitNodes' is deprecated; use > 'StrictNodes' instead." > It would help if such an option were documented in > https://www.torproject.org/tor-manual.html.en > or shipped in the expert install package. > Where is it documented please? You are running the -alpha version of tor, therefore you want the appropriate man page, https://www.torproject.org/tor-manual-dev.html.en Which -alpha package are you using that has the -stable man page included? -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: beneficia versus maleficia
On Sat, 02 Oct 2010 15:58:15 -0500 David Bennett wrote: > I am facing a moral dilemma in regards to joining the tor proxy > network. I am hoping a discussion may alleviate some of my concerns. It seems what you are wrestling with is the dual use nature of any technology. Some easy examples are: highways are used to transport pregnant mothers to hospitals to deliver cuddly babies and to transport kidnappers and their victims across the country. The phone system is used to let you keep in touch with your friends and family and to stalk and harass domestic violence victims. Firewalls are used by companies to keep their employees protected by outside threats and used by governments to repress their citizenry. From my work with victims of domestic violence, abusers and survivors use technology in surprising ways. From cooking pots to butter knives to pre-paid anonymous cellphones, I've seen the technologies used to abuse and used to help. It comes down to if you believe the good uses outweigh the bad uses. Technologies are generally introduced with a narrow use case in mind. Seldom to these technologies stick to their original use case over time. We have real situations in which tor is used at https://www.torproject.org/torusers. For every bad thing some jerk does over tor, there are likely 50-100 more using tor for good reasons. Think about all of the bandwidth tor relays push and how many of the connections result in complaints or abuse. The bad uses are more public but still the vast minority. In the end, tor is a technology. It can be used for both good and bad. We develop, advocate, and continue to work on tor for the positive outcomes; whatever that may mean for your morals and locale. -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BetterPrivacy - necessary?
On Fri, Oct 01, 2010 at 10:29:48PM +0100, pump...@cotse.net wrote 0.5K bytes in 12 lines about: : I concur but doesn't TorButton do all this suppression? : : That said: what was the rationale in moving from Privoxy to Polipo? : Did it happen because TorButton became standard? https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#WhydoweneedPolipoorPrivoxywithTorWhichisbetter -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Vatlator 1.1. released
On Tue, 21 Sep 2010 11:32:13 +0200 emanuele incremona wrote: > I write to present the new release of "Vatlator", a live cd for > anonymous browsing. Hi, I tried this out today and have some feedback. It looks like a stock ubuntu mini mix with tor, polipo, and firefox w/torbutton installed. As a result, it leaks traffic and information on the network. This is bad. For example, the iptables config is wide open and set to accept all both outbound and inbound. At a minimum, vatlator should transparently proxy everything through Tor, and otherwise deny any traffic that isn't going through Tor, like udp, icmp, etc. iptables should deny or drop all inbound traffic from outside the OS. You may want to look at what the TAILS people have been doing do harden their livecd, https://amnesia.boum.org/. Someone started to write this as a guide to help others, https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/LiveCDBestPractices. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: start tor with launchd?
On Mon, Sep 13, 2010 at 11:25:09PM -0400, jerz...@interia.eu wrote 0.5K bytes in 16 lines about: : i want to start tor with mac osx launchd service on computer startup. how can i do this? I wrote a plist years ago as a proof of concept. It's at https://gitweb.torproject.org/tor.git/blob_plain/HEAD:/contrib/osx/org.torproject.tor.plist and may or may not work in modern OS X. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: connect Vidalia to a running tor instance [solved]
On Sun, Sep 12, 2010 at 05:19:00PM +0200, tor...@ymail.com wrote 0.4K bytes in 12 lines about: > solved: > It is irritating but one has to tick: > "Start the Tor software when Vidalia starts" > > even if Vidalia just connects to a already running tor instance and > doesn't start tor. this doesn't sound correct. with a shared cookie or hashed passphrase, does your vidalia not connect to the existing tor on start? The option above should start a new tor process, spawned by vidalia. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: When is the 'MyFamily' setting unnecessary?
On Sun, Sep 12, 2010 at 02:38:18PM +0200, tor...@ymail.com wrote 1.1K bytes in 31 lines about: > If it is technically not necessary, because tor would never use certain > nodes in one circuit. I would understand people running >20 nodes that > do not use 'MyFamily'. It's easy, put all 20 nodes in the MyFamily line and just use that line for all 20 nodes. > If there are certain rules I would stop asking people to set MyFamily if > one of these rules apply in the concrete scenario. > > So there are no rules beside the "/16 network" - rule? Perhaps it depends on what you mean by "rule". The /16 network diversity is in the tor source code. There are other proposals in the mix for circuits to contain a unique AS and/or a unique continent per node. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: The team of PayPal is a band of pigs and cads!
On Sun, Sep 12, 2010 at 08:23:08AM +, jbrownfi...@gmail.com wrote 1.4K bytes in 34 lines about: : Have you any answer from them? Nothing. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Why does this happen?
On Thu, 02 Sep 2010 21:03:16 +0100 Matthew wrote: > [17:50:35] Your Computer's Clock is Potentially Incorrect - Tor has > determined that your computer's clock may be set to 7285 seconds in > the future compared to the source "DIRSERV:80.239.147.21:443". If > your clock is not correct, Tor will not be able to function. Please > verify your computer displays the correct time. Either your clock or the directory server's clock is wrong. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: IP-tables and TOR
On Tue, 24 Aug 2010 13:54:14 -0400 Michael Gomboc wrote: > Could some net filter expert give me some advise how to use iptables > with TOR? For your specific question, https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/BlockNonTorTrafficDebian For the larger question of pushing traffic through tor: https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: The team of PayPal is a band of pigs and cads!
On Mon, 23 Aug 2010 15:04:04 -0500 David Carlson wrote: > I am a newbie here. Since they use SSL, isn't it overkill to route > your connection through Tor? I know it is a pain to switch Tor on > and off when multitasking, but it would seem that Tor button could do > that. Tor provides anonymity, ssl provides content encryption in transit. I use Tor for everything because I generally don't trust the local network to not inject ads, record my traffic, or otherwise modify my traffic as it leaves my computer. This is true for home, travel, phones, etc. I have no problem logging into a website I trust through Tor over ssl. I am not my IP address, just like I am not my postal address. IP addresses are for routing, not for authentication. It's up to me if I want to let my bank see my real IP address, or if I want to show up from the USA when in Thailand. As for your comment about "pain to switch", use two browsers. One for your Tor-based activities, and one for non-Tor activities. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: The team of PayPal is a band of pigs and cads!
On Mon, 23 Aug 2010 18:52:17 + James Brown wrote: > "Our records indicate that your password may have been shared with > another person, or that an anonymising proxy to access your PayPal > Account may be in use. Should this be the case, it would mean a > violation of our User Agreement. They are correct, https://cms.paypal.com/us/cgi-bin/?&cmd=_render-content&content_ID=ua/UserAgreement_full&locale.x=en_US Section 9.1, j. Apparently they don't want you as a customer if you want to protect yourself from unscrupulous marketing or local ISP surveillance. I'll start a conversation with them. Thanks for bringing this up. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: The team of PayPal is a band of pigs and cads!
On Mon, 23 Aug 2010 16:48:13 + James Brown wrote: > They block accounts of their user if users ised the Tor or another > anonymous proxy!!! I think the answer here is more complex. I've used tor's paypal-based donation account through Tor without issue for years. Possibly, Paypal has a bot detection program looking for many users logging in from the same IP address. This is similar to what Google, Yahoo, and others have done. If you happen to exit from a popular exit node, Paypal flags you as potentially compromised. I've attempted to have conversations with Paypal to no avail. Getting an actual human to talk to you with a clue about their security measures is incredibly difficult. Just try asking them for their SSL fingerprint because you're worried about phishing. When I tried, I was sent to their abuse dept who were thoroughly unhappy I was asking "suspicious questions about ssl". -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Why does Gmail claim Tor IPs are located in one country when blutmagie.de claims they are located in a different country?
On Wed, 18 Aug 2010 16:59:40 +0100 Matthew wrote: > Hello, > > I don't understand this. > > I go to http://torstatus.blutmagie.de/ and have a look at the exit > node "gigatux" called emohawk2.gigatux.com and located at > 78.129.201.189. > > This appears to be located in the UK according to blutmagie.de. whois and RIPE agree with blutmagie. Gmail is wrong. Perhaps they use different geoip databases. If you look at your circuits, are you exiting from the UK or do you have split circuits where some may be going to gstatic.com through another place? -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor Project 2008 Tax Return Now Online
On Mon, 16 Aug 2010 20:32:13 -0700 Julie C wrote: First off, your enthusiasm and questioning our decisions is great and encouraged. Will you help us? > The larger threat that I see is the Tor Project is absolutely ... > dare I say it? ... PATHETIC AT MARKETING ITSELF. Yes, this is by design. For years we've been a boring R&D organization working away in relative obscurity. Only in the past year have we been forced into the public spotlight. First was the growing number of Chinese citizens that found Tor circumvented the GFW just fine, and protected their privacy when doing so. Second was the Iranian protests in June 2009. We now answer the press questions, appear on tv/radio shows, panels, and other Internet media. There's an internal debate over how much publicity is good versus harmful. We've learned that keeping a relatively low profile continues to let us work on the R&D, rather than writing policy papers and dealing with bureaucracy. Many other organizations are great at doing the latter two. We're happy to subcontract from the latter types of organizations, which lets us focus on R&D. > Something has been bugging me the last couple days about the bigger > picture of the funding issue that came to light with the cryptome > posting a couple days ago. It became clearer to me today as I was > driving through my neighbourhood (yes, I am a Canadian) - only > $500,000 in funding for all of 2008 for the Tor Project?! Yes, 2 years ago that was more money than we could handle. It's taken 6-8 months to ramp up to handle more funding and to get everyone productive. This includes finding the right people, passing audits, managing the workload, and getting infrastructure assembled so people can do their jobs. Conversely, think of all we've been able to accomplish with that $500k. > Sorry, Roger and Andrew, but as talented as you are, I think you have > to make it a priority to get some professional fundraisers on board. > Anonymity, privacy, free speech, and stuff are absolutely more > important than a few thousand homeless people in my home town. > Somebody is not getting the message out, and all of the volunteers > who believe in these bread and butter moral and ethical issues > deserve more. As Paul mentioned later in this thread, we did. Karen is awesome and currently handling the fundraising, policy meetings, grant writing, and marketing for us. However, she's one person, she could use help. > Think bigger, please! Who is holding the project back from not > thinking bigger? Why isn't the UN sending you $50M a year? We are self-limiting. Too much growth, too fast, will kill us. Bigger isn't always better. We are a cash and project-based business. By design, we take on slightly more than we can handle. Think of a startup versus a Fortune 50 company. Like all startups, there is much more to do than people to do it. That's fine, as it forces us to focus on what's important. We don't have an endowment to smooth out the funding roller coaster. All of our contracts can be cancelled at any point in time. We either deliver or die. R&D work is much different than writing policy statements, legal opinions, and producing documentaries. So far, the UN, IGF, and parts of various governments don't understand what we say nor what we do. I'm happy to keep talking to them and work on something that works for both organizations. Education and training seems to be the common ground where we speak the same language. We've recently started attracting potential sponsors that want us to stand up for anonymity in general. Starting to counter the surveillance by design mentality of the general populace is a different focus for us. Frankly, the EFF and ACLU may be better at this than us, nevertheless discussions continue. > enterprises need your software. All law enforcement needs your > software. All governments need your software. All journalists, all > bankers, accountants, lawyers, researchers - everyone who needs to > have at least some of their communications off the record. I agree. We're working with a surprising number of people in those categories. However, the vast majority of the world doesn't understand how the Internet works, nevermind how Tor can help them. Education is a big deal which takes time and understanding. I can't tell you how many times I've explained to victims of domestic violence, child abuse, or human rights activists that organizing over some social networking site is a horrible idea. There are many, many good things that come out of social networking sites, but too many of them are careless with private information or not clear in what is collected, how it is collected, and how it is shared. This fact comes back to bite people or groups in unexpected ways. In many cases, peop
Re: $keyid of my server
On Wed, 18 Aug 2010 01:20:25 + Orionjur Tor-admin wrote: > Where I can find it for pointing out "MyFamily" in /etc/torrc ? > I find only my node fingerprint. That's your keyid, or look for the log message on start: [notice] Your Tor server's identity key fingerprint is Or here, https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#Iwanttorunmorethanonerelay -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Selecting an Exit Server By State?
On Sat, Aug 14, 2010 at 09:27:29AM +0100, pump...@cotse.net wrote 1.1K bytes in 34 lines about: > Is there a way to select an exit server by state? For example, choosing > a working exit server in California? No, we don't ship with that level of resolution, just IP to country. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor Project 2008 Tax Return Now Online
On Sat, 14 Aug 2010 12:26:57 +0100 Anon Mus wrote: > It looks like 90% of the funding is from the US, nearly all US > government. > > > Internews Europe - France $183,180 (35.6%) > (http://www.sourcewatch.org/index.php?title=Internews) > Stichting Nlnet - Netherlands $42,931 > International Broadcasting $260,000 (50.5%)) > (http://en.wikipedia.org/wiki/International_Broadcasting_Bureau) > Google US $28,500 (5.5%) > > Total $514,611 Last I checked, France and the Netherlands aren't under US Government rule. Internews Europe is different from Internews, and funded completely differently. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor Project 2008 Tax Return Now Online
On Sat, 14 Aug 2010 01:20:28 -0400 Jimmy Dioxin wrote: > Cryptome has posted the Tor Project 2008 Tax Return available at: > http://cryptome.org/0002/tor-2008.zip > > As many know, all US non-profit corporation returns are available upon > request by the public. In fact, these documents are already public. They are available through us on request, as required by US tax laws. Or, generally through GuideStar or Charity Navigator. There's nothing secret here, it's all public. Every 501c3 has to file these every year. Tor develops in public, meets in public, and is generally approachable for questions, comments, or concerns. We specifically chose to be a 501c3 for the transparency factor. We could easily have been a for-profit entity with many willing investors to create black box software. We believe in the right to online anonymity and developing and improving it with Tor. The adversaries to online anonymity are vastly better funded to the tune of trillions of dollars, and in some cases, can tax their populace to better oppress them. > Firstly, people need to look through these returns in the same way we > audit code. Looking at funding sources and expenditures is important > to insuring Tor is a useful anonymity tool for years to come. There are two points in that statement. First, we've repeatedly stated that you should evaluate our designs, the code, and to verify the binaries we produce. Second, many organizations want anonymity online. These organizations need Tor and/or our advice to accomplish their goals. Our examples of Tor users gives you an idea of who wants their anonymity online, https://www.torproject.org/torusers. We will accept funding from people who understand our mission, our goals, and generally our research and development model of progress. We don't take funding we don't feel comfortable handling. We generally work along two paths at once: 1) Research, attack, and improve the Tor design. Low-latency anonymity and the general field of anonymous Internet communications are still relatively young. Research into these fields takes anywhere from 3 to 10 years to solidify designs, develop attacks, and then develop defenses to attacks; 2) Turn the research into code. Improving the codebase and the growing number of accessory programs for Tor is a growing challenge. We have a live Tor network that is used by half a million people a day. We want to make sure that Tor works for those putting their life on the line. Therefore, we must make sure Tor is the strongest we can make it to provide anonymity online. The US and European Governments are large entities. They feed people, protect citizens, save lives, make bombs, and get involved in wars. They do not speak with one voice and one mission. For all of the people who publicly state anonymity should disappear, there are just as many who want to see anonymity strengthened. > Secondly, can the Tor project release these returns on the site for > the above purpose? I don't think there needs to be some onerous > accounting process for reporting to the public (ya'll have better > things to do anyways), but these returns would be nice to have in the > interest of transparency. We are finishing up the 2009 audits and filings this month. We will announce our first ever annual report soon, and post the 2007 through 2009 IRS 990 forms, financial statements, and reviews. This is what you want to watch for progress on this front, https://trac.torproject.org/projects/tor/milestone/2009%20Financial%20%26%20Compliance%20Audit The best way we know to combat conspiracy theories and cranks is for the organization to be as transparent as possible. We hope you'll join us in protecting, providing, and strengthening anonymity online. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Vulnerability in OpenSSL 1.0.x & Firefox 4 Silent Updates
On Wed, 11 Aug 2010 02:42:15 -0400 whowatchesthewatcherswatc...@safe-mail.net wrote: > Vulnerability in OpenSSL 1.0.x > http://marc.info/?t=12811816911&r=1&w=2 > http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0085.html > > Tor server/client use vuln? Unknown, the real bug seems to be explained here, http://marc.info/?l=openssl-dev&m=128128256314328&w=2 I'll let Nick or someone more familiar with openssl explain the risk better. > Firefox 4 Silent Updates > http://news.slashdot.org/story/10/08/07/1239224/Like-Googles-Chrome-Mozilla-To-Silently-Update-Firefox-4 This is why we repeatedly say to stick with the firefox versions we have analyzed. New features aren't analyzed and/or mitigated with torbutton yet. Something like this should be caught and stopped by future versions of torbutton. We've only analyzed the Firefox 3.5.x codebase. 3.6 is next, or maybe we just skip and go to 4.x. There is exactly one person working on this, so if people want faster updates to torbutton, more help is needed. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: An asking concirning the TB
On Thu, 12 Aug 2010 09:16:14 + James Brown wrote: > 1. What is the bug in the TB which lets that test define that I use > Mozilla under Windows but not IE under Windows? Or the TB masqueradge > only the OS not the type of browser? (I thought that it masqueradge > the type of browser too, am I not right?). Torbutton sets a common user agent to make all users look alike. See https://www.torproject.org/torbutton/design/#id2935059 for details. > 2. It defined that by the browser characteristic "HTTP_ACCEPT > Headers" those are only one in about 7000 browsers have that value. > Why? What could mean the above value of that characterisrics? Maybe Seth or Peter can answer this question based on the code logic in panopticlick. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Restricted Exit Policy Port Suggestions?
On Wed, Aug 11, 2010 at 03:05:24AM -0700, mikepe...@fscked.org wrote 1.8K bytes in 55 lines about: : It's become clear that it is almost impossible to run an exit node : with the default exit policy in the USA, due to bittorrent DMCA abuse : spambots. I believe this means that we should try to come up with one : or more standard, reduced exit policy sets that allow use of the : majority of popular internet services without attracting bittorrent : users and associated spam. Giving in to the automated accusations of DMCA violations is a sad statement on the contemporary Internet. It seems the chilling effects of the DMCA are so palpable, no one wants to fight back any more, not users and not ISPs. See http://chillingeffects.org/ for more analysis and options on how to respond. Are there no ISPs/datacenters left in the USA willing to defend the First Amendment of the US Constitution and the user's legal protections under patent/trademark/copyright laws? : 1. Low Abuse (above list, possibly minus 465, 587 and 563) : 2. Medium Abuse (above list, plus IRC) : 3. High Abuse (default exit policy) I wouldn't call them varying levels of abuse, as the name alone implies exiting Tor traffic generates abuse. It doesn't. Many exit nodes run without incident for years. We could probably better study/poll exit node operators and ask how many abuse complaints or dmca notices they receive over time to get more data on this topic. And of course, everyone forgets their Tor exit relay will transmit TB of normal traffic without incident. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor notice
On Mon, 09 Aug 2010 22:35:50 -0600 Jim wrote: > Would it make sense to add that link, or some other link, to the > message Tor prints out so the casual user can get some idea of what > the message means? Perhaps more relevant is this, http://dud.inf.tu-dresden.de/Anon_Terminology.shtml -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor notice
On Mon, Aug 09, 2010 at 09:48:24PM +0200, spacem...@gmail.com wrote 0.4K bytes in 9 lines about: : why in every Tor version (a/b/stable) there is "Do not rely on it for : strong anonymity"? If not Tor, what should we use for strong : anonymity? excluding Freenet and cryptography apps. The challenge here is to define "strong anonymity". A possible current definition is a state of not being identifiable within an anonymity set. This anonymity is considered strong if it is resistant to all known attacks on anonymity. I think Roger wrote that line in the source to simply remind people that Tor has a defined threat model, given the anonymity research field is still growing, and that low-latency anonymity is inherently open to some attacks, tor is not strong anonymity. Tor raises the bar for de-anonymizing you to many attacks on your anonymity on the actual internet today. This is a fine place to start to understand what Tor does and does not provide, https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#AnonymityandSecurity Many other tools simply state they are anonymous, without mentioning any of the R&D on current anonymity attacks, their success probabilities, and design flaws. If you're interested in learning more about the current state of the field of anonymity in research, start here; http://freehaven.net/anonbib/full/topic.html All tools have design goals and threat models. Many just don't clearly state what these goals and threats are to the user, but brush it under the rug as perfect anonymity, or some other hyperbole. Disclaimer: Roger, Nick, and Steven are the anonymity researchers, their opinion overrules mine. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Legal response to real abuse
On Fri, Aug 06, 2010 at 11:48:36PM -0700, mikepe...@fscked.org wrote 3.4K bytes in 84 lines about: : Now personally, I think that what might be more likely to win you : points with your ISP is to reiterate that these events are : extremely rare in comparison to the number of requests and the amount : of traffic that you carry. The overwhelming majority of people are : using the service legitimately, and the incident rate is close to that : of the normal Internet. In the past, I've modified my exit policy to reject the specific IP address and port in question to address the abuse complaint. Shown the modified exit policy snippet to the ISP's Abuse dept and considered the specific abuse complaint solved. I've stated the reject line will be removed in X months, assuming no other abuse complaints from the same IP address owner. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Could somebody comment that information?
On Sun, 01 Aug 2010 20:50:57 + James Brown wrote: > http://www.boingboing.net/2010/07/31/wikileaks-volunteer.html > > Are those a new activity of the President Obama administration against > Internet anonymity and against the Tor-network? It's unclear. The simplest explanation is this detainment and interrogation are due to Jacob's volunteering with Wikileaks. As far as we know today, the US government still believes in anonymity. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Flash Cookies and Tor.
On Fri, Jul 30, 2010 at 11:27:27PM +0100, pump...@cotse.net wrote 1.5K bytes in 29 lines about: > OK, to continue this - in the past I did use Tor with Flash enabled after > having Flash cookies on the hard drive from surfing when I was not using > Tor. In your opinion, is it likely that some websites would use these > Flash cookies to realise that the person surfing with Tor is the same > person who was surfing days / weeks / months earlier when not using Tor? > Would they then be able to connect non-Tor IPs to the person currently > using Tor (me)? Yes. http://www.eff.org/deeplinks/2009/09/new-cookie-technologies-harder-see-and-remove-wide -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Problem with the TB automatically usage of an alternative search engine
On Fri, 30 Jul 2010 06:27:45 + James Brown wrote: > Today I have the next problem when the TB automatically use the > ixquick.com-engine instead the Google: > "We have recently received a large number of searches coming from your > computer or others on your local network in a very short time frame. > In order to protect our service against automated "screen scraping" > software programs, your access to Ixquick's search has been paused for > approximately one hour. > > If you were using Ixquick normally, we apologize for the inconvenience > and will be able to lift this pause if you phone us at (212) 447-1100 > (USA). Alternately, if you were operating a "screen scraping" program, > you may phone us to work out an arrangement. You can also contact us > at: autoquery @ ixquick.com" This appears to be something new from ixquick. In the past they never rate limited queries from individual IP addresses. The problem is not with TBB per se, it's that ixquick is seeing lots of queries per IP address. Before we launched torbutton 1.2.5 with this automatic redirect feature, I asked ixquick if there was any problem in sending them potentially millions of queries per day. They never responded. Now that we have their attention, maybe they will. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: A quick tor analysis that I did in my spare time.
On Fri, Jul 23, 2010 at 03:08:25PM +0100, jason.coo...@heckrothindustries.co.uk wrote 1.2K bytes in 23 lines about: > Over the last few months I have been having a play with a crude tor > simulator (it just simulates the circuit building part of tor). I did > three different types of simulation from point of view of a number of > organisations trying adding their own nodes to the network in an attempt > to control both the entrance and exit nodes. Have you read through anonbib and seen the research that covers this topic? http://freehaven.net/anonbib/topic.html -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: A suggestion to TOR [a proxy server]
On Sun, Jul 25, 2010 at 05:44:29PM -0400, prae...@yahoo.com wrote 2.0K bytes in 37 lines about: : At work I am unable to run or use tor even from a USB key - they are prevented from working. It might be nice to have a website(s) that act as entry points to tor and that use names that do not immediately scream TOR PROXY SERVER! TOR ENTRY POINT RIGHT HERE! so that it is less likely for IT departments to be able to easily block access to such (I am also prevented from accessing any proxy servers and they often name themselves as proxies to boot so they scream their nature and make it easy to block). Is there any way to create tor entry point servers that provide the benefits of the tor network without the cost of providing the site with user ID AND endpoint site? As someone else said, these are called bridges. I've met people who work on systems that are effectively a dumb terminal since they are so locked down. I've not had any serious time to debug how to either bypass the blocking or get tor working. I've also noted that these environments are also mitm all ssl, which breaks tor too. The employees are prisoners in their own jobs. So they spend most of their time pretending to be busy since they can't do anything else. -- Andrew Lewman The Tor Project pgp 0x31B0974B +1-781-352-0568 Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject Skype: lewmanator *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/