[tor-talk] Android app: Torrific
Hello, Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that… Website is here: https://torrific.ch/ (yep, Switzerland, a not-so-against-Tor country) Source code is on github: https://github.com/EthACKdotOrg/Torrific Released under GPLv2 Still under heavy development, it's released under alpha tag. It should go beta shortly (still have to add some new features as described down the website). Any feedback is welcome, it's not a so huge app, but I still think it may be of some use for people wanting to ensure they don't send traffic outside Tor, and wanting to redirect only some traffic through it. Thanks for your attention and, most important, thank you for Tor, Orbot and the freedom it provides! Cheers, C. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
On Thu, Jul 24, 2014 at 08:01:53 +0200, CJ wrote: Website is here: https://torrific.ch/ (yep, Switzerland, a not-so-against-Tor country) Source code is on github: https://github.com/EthACKdotOrg/Torrific Released under GPLv2 I wanted to help by adding it to F-Droid, but noticed that you use the GPLv2. Any particular reason? As far as I know, you cannot use it with the Android support libs - which the app uses - since they ara Apache2, and the GPLv2 is incompatible with it. The closest options to GPLv2 are GPLv3 and Apache2. Please ping me when you've fixed the licensing issue and I'll finish adding it :) -- Daniel Martí - mv...@mvdan.cc - http://mvdan.cc/ PGP: A9DA 13CD F7A1 4ACD D3DE E530 F4CA FFDB 4348 041C signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
Hello, Craps… right. I just updated to v3. I was wanting to add the app to f-droid once it's in beta state, alpha is maybe a bit early (though it shouldn't block the whole network anymore now with latest release) ;). Thanks for the license headup, and for pushing it to f-droid — means it may be of some interests indeed :). Cheers, C. On 07/24/2014 08:52 AM, Daniel Martí wrote: On Thu, Jul 24, 2014 at 08:01:53 +0200, CJ wrote: Website is here: https://torrific.ch/ (yep, Switzerland, a not-so-against-Tor country) Source code is on github: https://github.com/EthACKdotOrg/Torrific Released under GPLv2 I wanted to help by adding it to F-Droid, but noticed that you use the GPLv2. Any particular reason? As far as I know, you cannot use it with the Android support libs - which the app uses - since they ara Apache2, and the GPLv2 is incompatible with it. The closest options to GPLv2 are GPLv3 and Apache2. Please ping me when you've fixed the licensing issue and I'll finish adding it :) -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
On Thu, Jul 24, 2014 at 09:45:35 +0200, CJ wrote: I was wanting to add the app to f-droid once it's in beta state, alpha is maybe a bit early (though it shouldn't block the whole network anymore now with latest release) ;). We had apps like davdroid in alpha stage for a long time, it's just a matter of making it clear that the app is not yet deemed stable. Thanks for the license headup, and for pushing it to f-droid — means it may be of some interests indeed :). I just pushed it, should be available tomorrow morning at the latest. Just out of curiosity though, wouldn't it be easier to just add this feature into Orbot? Like an extra option or toggle switch to enable the blocking of traffic that wouldn't go through Tor. -- Daniel Martí - mv...@mvdan.cc - http://mvdan.cc/ PGP: A9DA 13CD F7A1 4ACD D3DE E530 F4CA FFDB 4348 041C signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser window size
grarpamp: Can't TBB also alternativly just rig the functions that report window size to report whatever size you tell it, regardless of actual size? ie 1024x768x24 . Sure. You can report that you have a window size of 0x0 if you want. Or 42x23 or 1234x567. But the problem is a) that you want to be in a group of users with the same window size AND b) that there is no means to get (further) information on what your actual window size is. Reporting whatever size you tell it is not appropriate to achieve these two related goals. It turns out that especially b) is quite hard if you do not report the actual window size. Georg signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser window size
Joe Btfsplk: On 7/23/2014 2:49 AM, Georg Koppen wrote: Red Sonja: I'm running the latest TBB on linux32. How do I reset the window size? I moved one side by mistake and I can't set it back by hand. Each time I run it, it's the window size from the last session. That should not happen. If you resize a window and then e.g. click on New Identity you should get your default window size again and not the one from some last session. Does this happen with a clean, new Tor Browser? If so, please file a bug at https://bugs.torproject.org giving some steps to reproduce as we'd need to investigate that further. Should TBB always start in partial window size? It depends on your available screen size. But in almost all cases, yes, TBB should always start in partial window size at least until we find a good way to deal with maximized browser windows (see e.g.: https://bugs.torproject.org/7256). Vanilla Firefox starts in maximized mode, if that was the state when closed (I think). TBB always starts in partial screen mode, even if last closed while in full screen. Many apps remember the last screen size. Is there an anonymity reason to have TBB start in partial screen? Not per se, but see https://bugs.torproject.org/7256 for the issue that still needs to get solved first. Georg signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
CJ: Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that… Orbot is free software. Isn't there a way to add the needed features directly to it? Sorry if it's a naive question, I'm not very knowledgable regarding Android. But I know that asking our users to install 3 different apps or even more is not friendly. -- Lunar lu...@torproject.org signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
On 07/24/2014 11:20 AM, Daniel Martí wrote: On Thu, Jul 24, 2014 at 09:45:35 +0200, CJ wrote: I was wanting to add the app to f-droid once it's in beta state, alpha is maybe a bit early (though it shouldn't block the whole network anymore now with latest release) ;). We had apps like davdroid in alpha stage for a long time, it's just a matter of making it clear that the app is not yet deemed stable. Thanks for the license headup, and for pushing it to f-droid — means it may be of some interests indeed :). I just pushed it, should be available tomorrow morning at the latest. Just out of curiosity though, wouldn't it be easier to just add this feature into Orbot? Like an extra option or toggle switch to enable the blocking of traffic that wouldn't go through Tor. Thanks for adding thins one on f-droid :). Regarding your question (as well as Lunar's): yep, completely possible to add this feature either to Orbot, or AFWall or anything else. Torrific has two aims: ° personal one: know how to build an android app, play a bit with the system while find ways to secure a bit more this kind of devices, without being prejudicial for current apps. And I love having one app specialized in one task, as for devices. ° community: just show what we can do with our devices, show how easy it is for people to just take over the control on their phone, phablet or tablet. To be honest, I won't cry if Orbot implements this functionality later ;). I'm not sure if Orbot should manage the firewall (though it's doing it now, for the transparent proxy thing), as I prefer dedicated app for special tasks… But that's my PoV I guess. Also, there are some stuff I want to add to Torrific, as described on the website. Among them, probably the most interesting would be to allow a browser to bypass Orbot, especially for captive portals (ever tried to log-in in this kind of things through Tor? I did, didn't work well as expected ;) ). Of course this could also be added to Orbot. But, as said, Orbot is first of all a Tor connector (well, here again, my PoV ;) ). That said: point taken. Who knows, maybe I'll submit later some patch to Orbot in order to add this functionality directly in the app. I was more willing to play with AFWall, as it already manage the iptables as a dedicated task. Thanks again for the f-droid push and interest :). Cheers, C. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
Lunar: CJ: Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that… Orbot is free software. Isn't there a way to add the needed features directly to it? Sorry if it's a naive question, I'm not very knowledgable regarding Android. But I know that asking our users to install 3 different apps or even more is not friendly. AFAIK this works in Orbot if you have a rooted Android device. Cheers. u. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
On 07/24/2014 01:23 PM, u wrote: Lunar: CJ: Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that… Orbot is free software. Isn't there a way to add the needed features directly to it? Sorry if it's a naive question, I'm not very knowledgable regarding Android. But I know that asking our users to install 3 different apps or even more is not friendly. AFAIK this works in Orbot if you have a rooted Android device. Cheers. u. Not the block all other output part in fact :) Cheers, C. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
* on the Thu, Jul 24, 2014 at 08:01:53AM +0200, CJ wrote: Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that??? One suggestion: Test this on a network which dishes out IPv6 addresses. None of these Firewall apps seem to take IPv6 into consideration. So if you wander onto a WiFi network which dishes out v6 addresses and then one of your Apps tries to connect to a host which supports v6, like for example Google or Facebook, then it will bypass your iptables rules. You need to set up rules using ip6tables for IPv6 too. Also, make sure that the rules are applied prior to any network connectivity coming up. -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] tor-talk Digest, Vol 42, Issue 79
From: tor-talk-requ...@lists.torproject.org Subject: tor-talk Digest, Vol 42, Issue 79 To: tor-talk@lists.torproject.org Date: Wed, 23 Jul 2014 06:24:31 + Send tor-talk mailing list submissions to tor-talk@lists.torproject.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk or, via email, send a message with subject or body 'help' to tor-talk-requ...@lists.torproject.org You can reach the person managing the list at tor-talk-ow...@lists.torproject.org When replying, please edit your Subject line so it is more specific than Re: Contents of tor-talk digest... --Anexo de Mensagem Encaminhado-- From: delton.bar...@mail.ru To: tor-talk@lists.torproject.org Date: Tue, 22 Jul 2014 12:38:34 + Subject: [tor-talk] Tor Browser usability - frequent broken connections Hello, I use Tor Browser for all web browsing as many of you probably do. A frequent problem is you will be logged in to various sites and then the connection will break. For instance, attempting to make any request gives Firefox could not establish a connection to the server at Changing identities will always rectify the problem, but doing so via the onion button causes all open windows and tabs to be closed, which means you have to log back in and then get back to whatever page you were on. This is especially troublesome if you were filling out a form or completing a multi-step process in a web application. Is there a way to change identities or just circuits without closing everything and without using an external application? I understand the browser is closed and re-opened when you request a new identity to prevent your identity from being associated with your prior identity, but sometimes you do not need a new identity and just want to fix the connection. I do not think this a problem specific to me because it occurs on multiple devices on multiple networks. Thanks, Delton --Anexo de Mensagem Encaminhado-- From: delton.bar...@mail.ru To: tor-talk@lists.torproject.org Date: Tue, 22 Jul 2014 12:45:12 + Subject: Re: [tor-talk] Tor Browser usability - frequent broken connections Delton Barnes: I use Tor Browser for all web browsing as many of you probably do. A frequent problem is you will be logged in to various sites and then the connection will break. For instance, attempting to make any request gives Firefox could not establish a connection to the server at Changing identities will always rectify the problem, but doing so via the onion button causes all open windows and tabs to be closed, which means you have to log back in and then get back to whatever page you were on. This is especially troublesome if you were filling out a form or completing a multi-step process in a web application. Is there a way to change identities or just circuits without closing everything and without using an external application? I understand the browser is closed and re-opened when you request a new identity to prevent your identity from being associated with your prior identity, but sometimes you do not need a new identity and just want to fix the connection. I do not think this a problem specific to me because it occurs on multiple devices on multiple networks. The FAQ answers my question: https://www.torproject.org/docs/faq#NewIdentityClosingTabs This ticket is for exactly the feature I'm seeking: https://trac.torproject.org/projects/tor/ticket/9442 It's flagged tbb-easy, so maybe I'll try to implement. Delton --Anexo de Mensagem Encaminhado-- From: sc...@arciszewski.me To: tor-talk@lists.torproject.org Date: Tue, 22 Jul 2014 11:32:31 -0400 Subject: [tor-talk] Fwd: Tor and tlk.io Somebody told me of tlk.io. I have joined. I closed the window and when I was back I already had all settings as last time. I cleared the cookies and went back. I was like logged in, without ever logging in. I closed the window, cleaned up everything the delete all data can remove and 15 minutes after I reentered. I was still registered. New identity had no effect either. I had to close down Tor and start it again to lose the whatever that keeps identifying me. What is this? How do they do it? Are there other sites like that? I'm using the latest version of the Tor Browser Bundle. It gives me this prompt: http://imgur.com/ZGqzK4Z http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block ^- possibly related Hello Scott and tor talkers! I would like to kwow your opinion about this adblocker Chamaleon. It is usefull to improve our surface web privacy? https://github.com/ghostwords/chameleon Marcos Kehl (Brazil) --Anexo de Mensagem Encaminhado-- From: joebtfs...@gmx.com To: tor-talk@lists.torproject.org Date: Tue, 22 Jul 2014 11:14:02 -0500 Subject: Re: [tor-talk] Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps
Re: [tor-talk] Android app: Torrific
On 07/24/2014 02:38 PM, Mike Cardwell wrote: * on the Thu, Jul 24, 2014 at 08:01:53AM +0200, CJ wrote: Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that??? One suggestion: Test this on a network which dishes out IPv6 addresses. None of these Firewall apps seem to take IPv6 into consideration. So if you wander onto a WiFi network which dishes out v6 addresses and then one of your Apps tries to connect to a host which supports v6, like for example Google or Facebook, then it will bypass your iptables rules. You need to set up rules using ip6tables for IPv6 too. Also, make sure that the rules are applied prior to any network connectivity coming up. Hello Mike, good point for IPv6 — it won't block it for now (no call to ip6tables so far, though it's already defined in the init-script). Regarding the early rule applying: the app currently installs an init-script with: - INPUT/OUTPUT default policy to DROP - first rule in INPUT/OUTPUT to REJECT I had to ensure there is no network at all — it seems some rules are pushed really early in the chains, especially for the quota managing thing. With this init-script, I ensure there is nothing IN nor OUT of the device until torrific is launched. Even Orbot can't connect, which may create some problems (and has created I think, though it's pretty unclear for now and not really reproducible :( ). Unfortunately, some android versions, such as 4.1.1, don't seem to support user init-script — meaning those may (and do!) send stuff on the network before torrific is up :(. After many tests on my nexus4, running 4.4.4, it appears the system tries to send at least 100 packages on the network before we can even use the device :). There's a warning regarding init-script support on the site, I really tried hard to make it work, but no luck so far :(. Also, most probably a ROM update will remove the init-script and torrific won't see that for now, I have to add some other checks. But the idea is here, at least :). … Knowing all is pretty useless on phone devices due to the closed baseband and GSM protocol is pretty annoying but, at least, we can do something in order to get a safer (if not the safest) devices. Cheers, C. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
CJ: On 07/24/2014 01:23 PM, u wrote: Lunar: CJ: Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that… Orbot is free software. Isn't there a way to add the needed features directly to it? Sorry if it's a naive question, I'm not very knowledgable regarding Android. But I know that asking our users to install 3 different apps or even more is not friendly. AFAIK this works in Orbot if you have a rooted Android device. Not the block all other output part in fact :) That said, I am also interested in your answer to Lunar's question :) Why not contribute to Orbot instead? Cheers! -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tails vulnerability specific to I2P, not Tor
http://blog.exodusintel.com/2014/07/23/silverbullets_and_fairytails/ SILVER BULLETS AND FAIRY TAILS Introduction This week we made mention on Twitter of a zero-day vulnerability we’ve unearthed that affects the popular Tails operating system. As the Tails website states: Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to: use the Internet anonymously and circumvent censorship; all connections to the Internet are forced to go through the Tor network; leave no trace on the computer you are using unless you ask it explicitly; use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.” This software was largely popularized due to the fact that it was used by whistleblower Edward Snowden. Since then, the OS has garnered much attention and use by a wide range of those seeking anonymity on the Internet. We publicized the fact that we’ve discovered these issues for a very simple reason: no user should put full trust into any particular security solution. By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others. Our customers use our information for both offensive and defensive purposes to better protect themselves and others. Providing a wide variety of exploit software we help penetration testers effectively test network security and incident response teams. One high profile example occurred last year when Facebook used a zero-day vulnerability to test their teams response to a zero-day attack. The information we provide is also leveraged in defensive purposes providing companies with well documented research for use in IDS and AV signatures for previously unknown threats. We at Exodus are able to do what many software projects cannot, perform security code audits and find exploitable vulnerabilities releasing them to the public. The Vulnerable Component The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work. I2P is preconfigured so that all .i2p TLD sites are routed through the I2P network. At a high level I2P traffic is message based similar to IP packets. All communication is encrypted end to end with a total of four layers of encryption. I2P routers (end points) act as cryptographic identifiers, similar to a pair of public keys. I2P is a packet switched network, instead of circuit switched like Tor. This means transparent load balancing of packets across multiple peers. I2P is fully distributed with no centralized resources. There is no distinct separation of servers to nodes, this architecture helps eliminate single points of failure. Demonstration To lend credence to our claims we have created a video that demonstrates de-anonymizing a Tails user: TailsDeAnonymizationTailsDeAnonymization ► Timeline 0:00:00,000 – 0:00:10,400: Demonstrating IP on listening server, Turning on listening server 0:00:19,000 – 0:00:25,400: Tails user visiting website icanhazip.com which shows the anonymized IP address 0:00:36,000 – 0:00:49,400: Showing that we’re indeed using the latest Tails build 1.1 0:00:50,000 – 0:01:03,400: I2P address being resolved, proof of concept malicious payload being delivered 0:01:30,000 – 0:01:40,400: Listening server retrieves the Tails user’s de-anonymized IP address (Austin RoadRunner ISP) Note on Disclosure Disclosure of vulnerabilities takes many forms, particularly their shape is adapted to the landscape that the platform is used upon. In the past at Exodus Intelligence, we’ve felt that significant vulnerabilities have been disregarded and have not had the requisite exposure. Through appropriate airing of the issue, we feel that users of such security platforms may come to understand the risks in base-level trust. Even further we hope to break the mold of unconditional trust in a platform. Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security. It’s not enough to have faith upon security, rather to have an understanding of it. If the public thinks Exodus is one of a few entities finding bugs in software, they are grossly misinformed. As is the case with all vulnerabilities we report to vendors, we do not ask for any remuneration. All flaws that we give to vendors are given free of
Re: [tor-talk] Almost everyone involved in developing Tor was (or is) funded by the US government
On Wed, Jul 23, 2014 at 09:43:50PM -0400, krishna e bera wrote: :Tor Project had to refuse funding from a donor who was deemed some kind :of enemy of the US govt[1]. This should raise suspicions that the :project may not be developing in its most productive direction(s) for :the other parties that could or do use Tor (e.g. hidden service :operators, copyright pirates, anti-capitalists, whistleblowers, enemies :of the US govt). (Despite the idealism, good reputation and best :intentions of various Tor Project members.) It isnt just a matter of :looking for bad code or design decisions, we should look at what code :isnt there or what other non-code aspects of the project arent covered well. This isn't becasue Tor had US government funding but because Tor is a US based entity. If there's another location where a similar yet independent anonymity foundation could do similar work with fewer restrictions (or a roughly equivelent but different set) I'm all for it, modulo some worries about split/duplicate effort, but it's not an issue of funding==control or other conspiracy. -Jon -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
On 07/24/2014 03:54 PM, u wrote: CJ: On 07/24/2014 01:23 PM, u wrote: Lunar: CJ: Just a small announce (not sure if this is the right ML, sorry). I'm developing an Android app allowing to block all IP traffic, and force only selected app through Orbot. This is done because neither Orbot nor AFWall (or other free, opensource Android iptables managment interface) seem to be able to do that… Orbot is free software. Isn't there a way to add the needed features directly to it? Sorry if it's a naive question, I'm not very knowledgable regarding Android. But I know that asking our users to install 3 different apps or even more is not friendly. AFAIK this works in Orbot if you have a rooted Android device. Not the block all other output part in fact :) That said, I am also interested in your answer to Lunar's question :) Why not contribute to Orbot instead? Cheers! It's possible I push some pull-request later, yes. But, as said in some previous email, I'm not really sure it's Orbot job to set up firewall… I rather prefer dedicated app for dedicated task — Orbot main task is, for me, connecting to Tor network… Basically, this just doesn't involve the firewall at all. But yeah, I know, users like all-in-one apps — who knows, once torrific is ready (i.e. no more broken rules, no more bugs like craps, network's broken)… the devs may get some PR ;). Torrific is also, for me, a way to play with android without annoying other applications. To be honest, I'd rather contribute this function in AFWall than Orbot, as it already is a firewall manager (and not a bad one). Cheers, C. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser window size
On 7/24/2014 3:58 AM, Georg Koppen wrote: Joe Btfsplk: Should TBB always start in partial window size? It depends on your available screen size. But in almost all cases, yes, TBB should always start in partial window size at least until we find a good way to deal with maximized browser windows (see e.g.: https://bugs.torproject.org/7256). Thanks Georg, Clearly I've forgotten or never knew why (partial) TBB window sizes can be spoofed, but standard multiples for maximized TBB windows *can't* be spoofed, instead. ? Don't a majority of users maximize something like browsers, for general use? I've never seen it mentioned that most users leave TBB in partial screen. I wouldn't think TBB (window size) would be used differently than regular browsers (a result of human habit). I rarely see people using browsers in partial size, unless doing some between app operation / comparison. I'm talking about what the masses do. Vanilla Firefox starts in maximized mode, if that was the state when closed (I think). TBB always starts in partial screen mode, even if last closed while in full screen. Many apps remember the last screen size. Is there an anonymity reason to have TBB start in partial screen? Not per se, but see https://bugs.torproject.org/7256 for the issue that still needs to get solved first. I don't understand your last statement in relation to the bug you linked: Right now, we set the size of new Tor Browser windows such that their content area is a 200x100 multiple. We also lie to content that the entire desktop resolution is this size. However, this potentially leaks information for users who maximize their browser windows, as such windows will no longer be rounded. There, Mike P. is clearly saying that maximizing TBB window poses a threat (under the right circumstances). Am I misunderstanding it? But, I'm unclear on which sentence (current TBB behavior) causes potential info leak, *IF users maximize* TBB: The 1st sentence, ... content area is a 200x100..., or the 2nd one, We also lie Or, both? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] ISP surveillance.
Hello experts! TAILS, running by usb stick, protect me against forensics tecnics in my pc. Ok. TOR, running as a client only or as a relay, protect (theoretically) my privacy. Ok. But... if my static IP, provided by my ISP, is under surveillance by a legal requirement, what kind of data they can sniff? I mean, my connection looks like a simple HTTPS, or they know I am diving into the Deep Web, hacking the world? Could the ISP capture the downloads dropping into my pc when running TAILS? If so, TOR Socks (proxy + TOR) is the pathway to deceive and blindfold my ISP? https://www.torproject.org/docs/proxychain.html.en Thanks. Marcos Kehl (Brazil) -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] ISP surveillance.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 7/24/2014 8:24 PM, Marcos Eugenio Kehl wrote: Hello experts! TAILS, running by usb stick, protect me against forensics tecnics in my pc. Ok. TOR, running as a client only or as a relay, protect (theoretically) my privacy. Ok. But... if my static IP, provided by my ISP, is under surveillance by a legal requirement, what kind of data they can sniff? I mean, my connection looks like a simple HTTPS, or they know I am diving into the Deep Web, hacking the world? Could the ISP capture the downloads dropping into my pc when running TAILS? If so, TOR Socks (proxy + TOR) is the pathway to deceive and blindfold my ISP? https://www.torproject.org/docs/proxychain.html.en Thanks. Marcos Kehl (Brazil) Hi it is irrelevant if your IP is static or dynamic - the ISP has that data tied to a broadband internet access account so they know it's you either way, regardless your IP type. Using Tor will encrypt your data totally with multiple layers, this means that your ISP can see that you are using Tor, and nothing more. They can't see what sites you visit, what data you download, intercept, modify or alter the data you download, can't see if you are accessing hidden services and what hidden services, etc. Bottom of the line, your ISP can see you are using Tor and that's all, nothing more. Using Tor is not a felony under any circumstances. If you don't want your ISP to learn you are using Tor, you can choose to connect to the Tor network via an obfuscating bridge (make sure you choose obfs3 pluggable transport) and in this case your ISP won't even see that you are using Tor, it will see obfuscated random traffic, inconclusive traffic. Go to https://bridges.torproject.org/ fetch your obfs3 bridges and put them in your torrc for Tor Browser or at startup when booting Tails do not select This computer's connection is free of obstacles, choose to enter a bridge, and enter your bridge previously fetched from https://bridges.torproject.org/ - -- s7r PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJT0Ue2AAoJEIN/pSyBJlsRjK0IAMUBgChpviniaGvNdY5iglO+ I7fXusrzlHJVRX5NXgUzL0bWiSgPFI8yl+mHzR1nGp+MkiC0x8doZaUFBeaJ2/tC vGYDl/UhZJiZhmJtcO7aF5Jp2MhtAThXK1ddHUbusBt4iy8tqCT0OCD0+QkVsA3R s5vWzMWEtxzYvqolVT6nA+Ru4HQhvx67ovePwCiYQhKEi67IxchpJGGCPV9gL9M8 FDo+xfR064OZeDmi/vgrNQxSt69XMz5pMbU40isCsbM9bIZZzEZUExS8Kcr0C3w+ CKlnG1iMNoG8q8TNm4cedsmPDiEuX0WzdYeCUxgXTvzCBO7EIyVnwQTXafBslKw= =RVtG -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] ISP surveillance.
Marcos Eugenio Kehl writes: Hello experts! TAILS, running by usb stick, protect me against forensics tecnics in my pc. Ok. TOR, running as a client only or as a relay, protect (theoretically) my privacy. Ok. But... if my static IP, provided by my ISP, is under surveillance by a legal requirement, what kind of data they can sniff? I mean, my connection looks like a simple HTTPS, or they know I am diving into the Deep Web, hacking the world? Could the ISP capture the downloads dropping into my pc when running TAILS? If so, TOR Socks (proxy + TOR) is the pathway to deceive and blindfold my ISP? https://www.torproject.org/docs/proxychain.html.en Oi Marcos, Normally Tor doesn't try to hide the fact that you are using Tor. So, your ISP can see that you're using it, and when. Tor only tries to hide the particular details of what you are doing. Although some Tor connections do look like simple HTTPS in some ways, the connections are always made to the IP addresses of Tor nodes, and the complete list of those addresses is openly published. So it's easy for the ISP to notice that you're using Tor, and some firewalls and kinds of surveillance equipment can be programmed to detect Tor use if the person operating them cares about it. There are other methods to try to hide the fact that you're using Tor, especially meant for people on networks that block Tor. The main method of doing this is called bridges, which you can read more about on the Tor web site. https://bridges.torproject.org/ https://www.torproject.org/docs/bridges Most people who use bridges are on networks where Tor is blocked completely, so they have a very practical reason to try to hide the fact that they're using Tor. One of the benefits of Tails is that it will send all of your communications over Tor. So, if you believe that Tor is appropriate to protect you in a particular situation, you can get that protection automatically when you are using Tails. Your ISP will not directly see what you do, although someone who can see both ends of the connection can try to use information about the time of the connection to identify you. Torsocks and configuring Tor to use a proxy are not very relevant to Tails users. Torsocks has to do with getting other applications apart from the Tor Browser to communicate over Tor (which Tails does automatically!), while configuring Tor to use a proxy is mostly relevant if you're behind a firewall which doesn't allow direct Internet connections. (Sometimes it's an alternative to bridges, but it may not be a particularly strong way of hiding your activity from your ISP -- it doesn't add any additional encryption or obfuscation.) -- Seth Schoen sch...@eff.org Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Fwd: Russia open procurement for report on deanonymization of Tor users
Looks like a classified noforn 'contest', $5500 app fee. -- Forwarded message -- From: Anton Nesterov koma...@openmailbox.org Date: Thu, Jul 24, 2014 at 10:15 AM Subject: Russia open procurement for report on deanonymization of Tor users To: cypherpu...@cpunks.org It's tender by Special equipment and communication of Ministry of Internal Affairs. Title fully says Study the possibility of obtaining technical information about users (user equipment) on anonymous network Tor, codename TOR (navy) ~$111500 (3 900 000 roubles) http://zakupki.gov.ru/epz/order/notice/zkk44/view/common-info.html?regNumber=037310008871408 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Questions about NSA monitoring of Tor users.
Patrick Schleizer: Артур Истомин: On Mon, Jul 14, 2014 at 12:17:14PM +, Patrick Schleizer wrote: Nice graphic. Looks similar for any country! Exponential growth of debts. But not because mainly more and more money is wasted, it is the money system itself that is broken. One of the biggest frauds ever. Who has the right to create fiat money out of nothing? How exactly does money creation work? Why is it that almost all countries are indebted? And those not indebted, have minor funds in comparison to others debt, don't hold the balance that others owe to them. If you take a balance of all governments worldwide, debts are exponentially growing. To whom do they owe the money? In the fiat money system, amount of money in circulation equals debts. Yes, even if you personally don't have any debts, all paper and book money is only in circulation, because someone else made a debt. Pay back a loan, and money gets literally destroy. If everyone could pay back their loan, there would be no more money in circulation. One problem with this system is, someone earns interest for the money in circulation. So I can only encourage you to learn about the money system. Get information from official sources. Read different opinions on how to interpret it. Then try to conclude if it is a fair system or a fraud system where few get richer at expense of everyone else. Interesting think. What do you advise to read? If no one else has suggestions, it requires some effort from your side, research. I don't know who best advocates this topic in English language. Maybe, - https://en.wikipedia.org/wiki/Money_as_Debt - haven't seen yet, but sounds interesting - https://www.youtube.com/results?search_query=money+as+debt - search terms: fiat money, - debt money, - and money creation are good starting points https://www.youtube.com/watch?v=jqvKjsIxT_8 is a good introduction. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] ISP surveillance.
On 14-07-24 01:51 PM, s7r wrote: Using Tor will encrypt your data totally with multiple layers, this means that your ISP can see that you are using Tor, and nothing more. They can't see what sites you visit, what data you download, intercept, modify or alter the data you download, can't see if you are accessing hidden services and what hidden services, etc. Bottom of the line, your ISP can see you are using Tor and that's all, nothing more. If either the Tor exit node or destination computer gets its connection from the *same* ISP as you, then the ISP could correlate the traffic end-to-end and be pretty sure it was you who was accessing that resource, though they might not be able to read the contents. Tor cannot encrypt connections beyond the exit node - that is your responsibility. If the connection from your computer to the destination computer isnt encrypted with something at least as strong as SSL, then the exit node operator and anyone else watching traffic coming out of the exit node can see the contents. With hidden services, however, the connection is encrypted from your computer to the hidden service port, so snoopers cannot read the contents. signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] ISP surveillance.
They will know that you are using Tor, but not what you are doing with Tor. Check this nice overview: https://www.eff.org/pages/tor-and-https You can click the buttons and see what everyone knows about you. On Thu, Jul 24, 2014 at 7:24 PM, Marcos Eugenio Kehl marcosk...@hotmail.com wrote: Hello experts! TAILS, running by usb stick, protect me against forensics tecnics in my pc. Ok. TOR, running as a client only or as a relay, protect (theoretically) my privacy. Ok. But... if my static IP, provided by my ISP, is under surveillance by a legal requirement, what kind of data they can sniff? I mean, my connection looks like a simple HTTPS, or they know I am diving into the Deep Web, hacking the world? Could the ISP capture the downloads dropping into my pc when running TAILS? If so, TOR Socks (proxy + TOR) is the pathway to deceive and blindfold my ISP? https://www.torproject.org/docs/proxychain.html.en Thanks. Marcos Kehl (Brazil) -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Coinkite Has an Onion for Tor
http://blog.coinkite.com/post/92733188841/coinkite-has-an-onion-for-tor http://gcvqzacplu4veul4.onion/ -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
With the recent discussion about what your ISP can see when you use Tor, I ended up on the Tor Bridges page. On that page is the following statement: I need an alternative way of getting bridges! Another way to get bridges is to send an email to brid...@torproject.org. Please note that you must send the email using an address from one of the following email providers: Gmail or Yahoo. In light of the last year of disclosures by Edward Snowden, why is Tor requiring that I establish an account with an email provider that is completely out of my control and has a general history of complying with law enforcement data requests? Why those two providers specically? Note to conspiracy theorists: I am NOT intimating that Tor is in cahoots with the government in any way and that's why they're requiring Yahoo and Gmail so don't bother going there. Can anyone shed some light on this? Thanks, Cypher -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On Thu, Jul 24, 2014 at 03:24:26PM -0500, Cypher wrote: In light of the last year of disclosures by Edward Snowden, why is Tor requiring that I establish an account with an email provider that is completely out of my control and has a general history of complying with law enforcement data requests? Why those two providers specically? Because we need an adequately popular provider that makes it hard to generate lots of addresses. Otherwise an attacker could make millions of addresses and be millions of different people asking for bridges. https://svn.torproject.org/svn/projects/design-paper/blocking.html#tth_sEc7.4 (Also, it recently became clear that it would be useful for people to access this provider via https, rather than http, so a network adversary can't just sniff the bridge addresses off the Internet when the user reads her mail. And it would also be nice to not use providers that turn their entire email databases over to the adversary, even unwittingly. Lots of adversaries and lots of goals to manage at once here.) --Roger -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On 07/24/2014 02:36 PM, Roger Dingledine wrote: On Thu, Jul 24, 2014 at 03:24:26PM -0500, Cypher wrote: In light of the last year of disclosures by Edward Snowden, why is Tor requiring that I establish an account with an email provider that is completely out of my control and has a general history of complying with law enforcement data requests? Why those two providers specically? Because we need an adequately popular provider that makes it hard to generate lots of addresses. Otherwise an attacker could make millions of addresses and be millions of different people asking for bridges. https://svn.torproject.org/svn/projects/design-paper/blocking.html#tth_sEc7.4 That totally makes sense. (Also, it recently became clear that it would be useful for people to access this provider via https, rather than http, so a network adversary can't just sniff the bridge addresses off the Internet when the user reads her mail. And it would also be nice to not use providers that turn their entire email databases over to the adversary, even unwittingly. Lots of adversaries and lots of goals to manage at once here.) --Roger Right, and with HTTPS, users' ISPs (and their friends) can't even see that bridges are being provided. Does the bridge database talk directly with Google and Yahoo mail servers, to prevent possible XKeyScore snooping? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
Food for thought: How much do you think it would cost per email to have the same thing (collecting a heap of bridges) done via Mechanical Turk, etc.? On 07/24/2014 05:16 PM, Mirimir wrote: On 07/24/2014 02:36 PM, Roger Dingledine wrote: On Thu, Jul 24, 2014 at 03:24:26PM -0500, Cypher wrote: In light of the last year of disclosures by Edward Snowden, why is Tor requiring that I establish an account with an email provider that is completely out of my control and has a general history of complying with law enforcement data requests? Why those two providers specically? Because we need an adequately popular provider that makes it hard to generate lots of addresses. Otherwise an attacker could make millions of addresses and be millions of different people asking for bridges. https://svn.torproject.org/svn/projects/design-paper/blocking.html#tth_sEc7.4 That totally makes sense. (Also, it recently became clear that it would be useful for people to access this provider via https, rather than http, so a network adversary can't just sniff the bridge addresses off the Internet when the user reads her mail. And it would also be nice to not use providers that turn their entire email databases over to the adversary, even unwittingly. Lots of adversaries and lots of goals to manage at once here.) --Roger Right, and with HTTPS, users' ISPs (and their friends) can't even see that bridges are being provided. Does the bridge database talk directly with Google and Yahoo mail servers, to prevent possible XKeyScore snooping? signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On 07/24/2014 03:29 PM, mal wrote: Food for thought: How much do you think it would cost per email to have the same thing (collecting a heap of bridges) done via Mechanical Turk, etc.? I suspect that Google and Yahoo require cellphone text confirmation for multiple account attempts from a single IP address. There are workarounds, but there's more required than cheap labor. On 07/24/2014 05:16 PM, Mirimir wrote: On 07/24/2014 02:36 PM, Roger Dingledine wrote: On Thu, Jul 24, 2014 at 03:24:26PM -0500, Cypher wrote: In light of the last year of disclosures by Edward Snowden, why is Tor requiring that I establish an account with an email provider that is completely out of my control and has a general history of complying with law enforcement data requests? Why those two providers specically? Because we need an adequately popular provider that makes it hard to generate lots of addresses. Otherwise an attacker could make millions of addresses and be millions of different people asking for bridges. https://svn.torproject.org/svn/projects/design-paper/blocking.html#tth_sEc7.4 That totally makes sense. (Also, it recently became clear that it would be useful for people to access this provider via https, rather than http, so a network adversary can't just sniff the bridge addresses off the Internet when the user reads her mail. And it would also be nice to not use providers that turn their entire email databases over to the adversary, even unwittingly. Lots of adversaries and lots of goals to manage at once here.) --Roger Right, and with HTTPS, users' ISPs (and their friends) can't even see that bridges are being provided. Does the bridge database talk directly with Google and Yahoo mail servers, to prevent possible XKeyScore snooping? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On 07/24/2014 05:54 PM, Mirimir wrote: I suspect that Google and Yahoo require cellphone text confirmation for multiple account attempts from a single IP address. There are workarounds, but there's more required than cheap labor. Correct, but if a million people in your developing country of choice phones and/or pre-existing gmail or yahoo accounts take you up on your five cent offer... Gmail, at least, allows for 4 or 5 accounts per phone number. If yahoo does the same, that's 8 to 10 per person. signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Market for secure systems, ICLOAK puts Nix/Tor/TBB/etc on USB raises $95k
On Wed, Jul 23, 2014 at 6:09 PM, rysiek rys...@hackerspace.pl wrote: Dnia środa, 23 lipca 2014 17:24:22 grarpamp pisze: Snowden triggers flood of Crapware [was: Gruveo, more secure skype?] I'll fork this one off to the Tor folks... Here, have a chuckle: https://www.kickstarter.com/projects/icloak/icloak-tm-stik-easy-powerful-online-privacy-for-yo Hat-tip to all the TAILS/Tor people here. https://icloak.org/ At least it appears from the splashpage to be an open bundling of mostly open tools that are thought reasonably well of, ie: Nix, Tor, GnuPG. As opposed to being some new unheard of closed commercialware. Things like this could serve by dropping more 'crypto by default' on the net at the end user level (even if such users are their own newbie cannon fodder on a learning curve). And spreading Unix also helps shift marketshare and knowledge away from Windows long term. If my two minute read of this one is right, it would be hard to not give them some kudos. I don't know what amounts are typically fundraised and the donor counts, but $95k for something like this seems to indicate a demand for more secure/private systems in general. Maybe a million will sell and send some donations back. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Fwd: Russia open procurement for report on deanonymization of Tor users
Is a tender to perform research study the possibility of obtaining technical information about users (user equipment) TOR anonymous network, cipher TOP (Navy) On Thu, Jul 24, 2014 at 6:09 PM, grarpamp grarp...@gmail.com wrote: Looks like a classified noforn 'contest', $5500 app fee. -- Forwarded message -- From: Anton Nesterov koma...@openmailbox.org Date: Thu, Jul 24, 2014 at 10:15 AM Subject: Russia open procurement for report on deanonymization of Tor users To: cypherpu...@cpunks.org It's tender by Special equipment and communication of Ministry of Internal Affairs. Title fully says Study the possibility of obtaining technical information about users (user equipment) on anonymous network Tor, codename TOR (navy) ~$111500 (3 900 000 roubles) http://zakupki.gov.ru/epz/order/notice/zkk44/view/common-info.html?regNumber=037310008871408 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On 14-07-24 06:29 PM, ideas buenas wrote: I don't trust Gmail nor Yahoo. Roger, found another way. No excuses, please. I am curious why Riseup.net isnt in the list of popular and relatively secure email providers. Also there must be several large european and asian free email providers, but someone from those regions might have to recommend/evaluate them. How about yandex.ru for example? Another good method is to get a bridge directly from someone you trust. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
I don't trust Gmail nor Yahoo. Roger, found another way. No excuses, please. On Thu, Jul 24, 2014 at 9:59 PM, mal m...@sec.gd wrote: On 07/24/2014 05:54 PM, Mirimir wrote: I suspect that Google and Yahoo require cellphone text confirmation for multiple account attempts from a single IP address. There are workarounds, but there's more required than cheap labor. Correct, but if a million people in your developing country of choice phones and/or pre-existing gmail or yahoo accounts take you up on your five cent offer... Gmail, at least, allows for 4 or 5 accounts per phone number. If yahoo does the same, that's 8 to 10 per person. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On 07/24/2014 03:59 PM, mal wrote: On 07/24/2014 05:54 PM, Mirimir wrote: I suspect that Google and Yahoo require cellphone text confirmation for multiple account attempts from a single IP address. There are workarounds, but there's more required than cheap labor. Correct, but if a million people in your developing country of choice phones and/or pre-existing gmail or yahoo accounts take you up on your five cent offer... Gmail, at least, allows for 4 or 5 accounts per phone number. If yahoo does the same, that's 8 to 10 per person. Yes, it's doable, but at least it's harder than scraping a website. One could have the start-tor-browser script generate a unique key at first run, based on the hashed time (nanosecond accuracy) that the download had completed. Users would need to include the key with the bridge request. The bridge database could ignore multiple requests from a given key, or limit them appropriately. The keys could be passed on to the bridges, and each bridge would accept connections only from its assigned clients. The process could be totally hidden for normal users. But each account would require a separate download and installation. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Fwd: Russia open procurement for report on deanonymization of Tor users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Anyone up for making a proposal for it, getting the money and then donating it back to Tor Project to fix the exact idea you raised with the money they just given you? That'd be a laugh! On 24/07/2014 23:22, ideas buenas wrote: Is a tender to perform research study the possibility of obtaining technical information about users (user equipment) TOR anonymous network, cipher TOP (Navy) On Thu, Jul 24, 2014 at 6:09 PM, grarpamp grarp...@gmail.com wrote: Looks like a classified noforn 'contest', $5500 app fee. -- Forwarded message -- From: Anton Nesterov koma...@openmailbox.org Date: Thu, Jul 24, 2014 at 10:15 AM Subject: Russia open procurement for report on deanonymization of Tor users To: cypherpu...@cpunks.org It's tender by Special equipment and communication of Ministry of Internal Affairs. Title fully says Study the possibility of obtaining technical information about users (user equipment) on anonymous network Tor, codename TOR (navy) ~$111500 (3 900 000 roubles) http://zakupki.gov.ru/epz/order/notice/zkk44/view/common-info.html?regNumber=037310008871408 - -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) iQIcBAEBAgAGBQJT0Y+uAAoJEE2uQiaesOsLEbwP/2/csDcrAIDJP6jUF5MMe21W Ux5eJki2JJ7cO27nZrpkPROA//ZI4V4ucgh7lX9lszMfWE9kAZMg+vWmgd9Voeix CTSYg4GcGgUnmPvN+mrts4aNVQiMwePXGKv1kVpcAkJU1n3lWfHbpkmVoMHmTm5V R3Hv8bxvLGLYF5iw2KL+KeTFiV2fFNjuSfXbKJpZocnexPJ10Fm8sfIsFTGxo40M tpJBXkn/k2fD62ElT0kqdkl9BycmJkXoKqJZCfxdIuFX6ut0uTtRLctL6K/2luh6 lkN/WtNG7OVDXjDrXqmDcqhtwlnQT+Ir+B2N5+/U5CFMVpwfFOPLUyWrGeFbC22U /UTUiWHvd0bE4z1+sX8Q6X5Lg3z92vQ6O3bti9DVCH1vjuSsJ8wshSKWbZkzA+4Z qChPYYAb4/Y7qMagbDhUnZK5fRBGAXJFOqWp9J7vlZuKfkLACaCr/jqHlnKQuu1h F15QfbAk72u7H6cuWZWDUarAp5VMLwb+VDFYJZH0+y+2MZ252DKNfMO5vrjtNnr8 NE21m+rJsrpUJLwpwt4/VFFGFREpLv897Eh8nuk+JCoqW6+DGHBNX8gzyFklHwR7 Hy6TdizJ4EpFldfsQSVEevj9WHwTFasV0IZbXueMQ8y9YdpcZ3mZIE8b+5BSxIDQ 4HoR+rykhkfC83CLDEai =hd/4 -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
Cypher: With the recent discussion about what your ISP can see when you use Tor, I ended up on the Tor Bridges page. On that page is the following statement: I need an alternative way of getting bridges! Another way to get bridges is to send an email to brid...@torproject.org. Please note that you must send the email using an address from one of the following email providers: Gmail or Yahoo. In light of the last year of disclosures by Edward Snowden, why is Tor requiring that I establish an account with an email provider that is completely out of my control and has a general history of complying with law enforcement data requests? Why those two providers specically? Note to conspiracy theorists: I am NOT intimating that Tor is in cahoots with the government in any way and that's why they're requiring Yahoo and Gmail so don't bother going there. Can anyone shed some light on this? Thanks, Cypher Because it's about different threat models and use cases. Usually bridges are used by countries that are unfriendly with US - for example China. US services gmail / yahoo won't cooperate with China. That may or may not be true, but for the use case at hand, that is simple censorship circumvention it works. On the other hand, your use case is interpreted by me as I live in some western country (ex: US), recently read the news, that using the public Tor network will mark you as extremist in NSA database. Bad. Bridges hide Tor, no? So isn't it an oxymoron to ask for gmail / yahoo accounts then? - Oxymoron on first sight, but there is none. Using private and obfuscated bridges alone doesn't provide strong guarantees of hiding the fact you are using Tor from your ISP. Quote [1] [2] Jacob Appelbaum: Some pluggable transports may seek to obfuscate traffic or to morph it. However, they do not claim to hide that you are using Tor in all cases but rather in very specific cases. An example threat model includes a DPI device with limited time to make a classification choice - so the hiding is very specific to functionality and generally does not take into account endless data retention with retroactive policing. Cheers, Patrick [1] https://mailman.boum.org/pipermail/tails-dev/2013-April/002950.html [2] http://www.webcitation.org/6G67ltL45 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
ideas buenas: I don't trust Gmail nor Yahoo. Okay. Roger, found another way. You probably mean Roger, find another way! - which I would find offensive. No excuses, please. This is offensive. Nevertheless, on topic... Go for private bridges. You must set it up. Someone else should do it won't work - too public. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Onion Proxy Library
I work on the Thali project [1] which depends on being able to host hidden services on Android, Linux, Mac and Windows. We wrote an open source library to help us host a Tor OP that that we thought would be useful to the general community - https://github.com/thaliproject/Tor_Onion_Proxy_Library The library produces an AAR (Android) and a JAR (Linux, Mac Windows) that contain the Guardian/Tor Project's Onion Proxy binaries. The code handles running the binary, configuring it, managing it, starting a hidden service, etc. The Tor_Onion_Proxy_Library started off with the Briar code for Android that Michael Rogers was kind enough to let us use [2]. We then expanded it to handle running on Linux, Mac and Windows. The code is just a wrapper around Briar's fork of jtorctl (originally from Guardian I believe) and the latest binaries from Guardian and the Tor Project. This is an alpha release, version 0.0.0 so please treat accordingly. I hope y'all find it useful. Thanks, Yaron [1] http://www.thaliproject.org/mediawiki/index.php?title=Main_Page [2] Specifically he dual licensed the code under Apache 2 so we could use it. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On Thu, Jul 24, 2014 at 10:29:49PM +, ideas buenas wrote: I don't trust Gmail nor Yahoo. Roger, found another way. No excuses, please. This actually has very little to do with trust, and (as Roger said) these providers were chosen because of the difficulty of creating new accounts. Out of curiousity, what are you actually worried about? Personally, it is sad that you need a phone number when you create these accounts over Tor, but if retrieving bridges is important (and it usually is), then there are usually ways to do this safely. Another distribution method is currently being written and we will write others in the future, but please help us provide another way (yes, you, please help us if the current situation is unsatisfactory!). The more people we can safely help, the better. - Matt -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On Thu, Jul 24, 2014 at 06:37:27PM -0400, krishna e bera wrote: On 14-07-24 06:29 PM, ideas buenas wrote: I don't trust Gmail nor Yahoo. Roger, found another way. No excuses, please. I am curious why Riseup.net isnt in the list of popular and relatively secure email providers. Also there must be several large european and asian free email providers, but someone from those regions might have to recommend/evaluate them. How about yandex.ru for example? See https://trac.torproject.org/projects/tor/ticket/11139 I haven't looked much at other providers recently. We want to keep the whitelist as small as possible. We can only make the situation worse by increasing the attack surface. The email distributor is already significantly weaker than the website. We'd rather provide more safe/secure distribution methods. Another good method is to get a bridge directly from someone you trust. This is already done informally. Eventually we will try to make this safer (to some extent)[0]. [0] https://trac.torproject.org/projects/tor/ticket/7520 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On 7/24/2014 9:38 PM, Matthew Finkel wrote: On Thu, Jul 24, 2014 at 10:29:49PM +, ideas buenas wrote: I don't trust Gmail nor Yahoo. Roger, found another way. No excuses, please. This actually has very little to do with trust, and (as Roger said) these providers were chosen because of the difficulty of creating new accounts. Out of curiousity, what are you actually worried about? Personally, it is sad that you need a phone number when you create these accounts over Tor, but if retrieving bridges is important (and it usually is), then there are usually ways to do this safely. Another distribution method is currently being written and we will write others in the future, but please help us provide another way (yes, you, please help us if the current situation is unsatisfactory!). The more people we can safely help, the better. I don't understand. I haven't tried to create an email acct w/ Google in yrs, but as I understand it, unless you have a burner phone, a new acct won't be anonymous. 1) Is it important to have anonymous email to request bridges? Seriously. I've never done it. 2) If (1) = yes, -- GOTO (4) 3) No sweat 4) Google is the wrong provider for you. :D -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
On 07/24/2014 08:38 PM, Matthew Finkel wrote: On Thu, Jul 24, 2014 at 10:29:49PM +, ideas buenas wrote: I don't trust Gmail nor Yahoo. Roger, found another way. No excuses, please. This actually has very little to do with trust, and (as Roger said) these providers were chosen because of the difficulty of creating new accounts. Out of curiousity, what are you actually worried about? Personally, it is sad that you need a phone number when you create these accounts over Tor, but if retrieving bridges is important (and it usually is), then there are usually ways to do this safely. A workaround is http://receive-sms-online.com/. Maybe there are other similar sites. But even so, it probably won't be through Tor. So the safest approach may be offline. Are there Tor Project addresses with published gpg keys that can be used for requesting keys? Another distribution method is currently being written and we will write others in the future, but please help us provide another way (yes, you, please help us if the current situation is unsatisfactory!). The more people we can safely help, the better. - Matt -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk