Re: [tor-talk] problem reinstalling NoScript
On 04/10/16 10:03 PM, Joe Btfsplk wrote: In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving. It wasn't showing many trackers in the icon drop list, on sites where there would be plenty. I UNchecked "Allow Scripts Globally." I uninstalled it - closed TBB. Removed NoScript entries in pref.js & restarted TBB, then reinstalled fresh NS copy - 2 separate times. Didn't fix it. Without seeing whatever was left in your TBB folder from previous self-updates and from other add-ons or from data saved during sessions, it is difficult to figure out what is going on. I gave up trying to manage separate addons and settings in TBB long ago because the interactions between parts is complex and more importantly every bug that came up could be fixed by removing the whole TBB directory and starting from scratch. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] problem reinstalling NoScript
In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving. It wasn't showing many trackers in the icon drop list, on sites where there would be plenty. I UNchecked "Allow Scripts Globally." I uninstalled it - closed TBB. Removed NoScript entries in pref.js & restarted TBB, then reinstalled fresh NS copy - 2 separate times. Didn't fix it. TBB has an "extensions-overrides.js" file in Partition (X):\Program Files\Tor Browser 4.5.3\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\preferences, that replaces some of NS default settings. It also removes default whitelisted sites that Giorgio added (lots of google sites & others - google.com, gstatic.com, etc.). Removing the whitelisted sites via extensions-overrides.js shouldn't cause them not to show in the NS icon drop list Besides, it wasn't only the removed NS whitelist trackers not displaying. In TBB, NS hardly showed any trackers (Allow Scripts Globally still unchecked). But did show them under the Untrusted grouping, but none were marked untrusted (that's normal). On the same pages in Firefox there were many trackers. I compared TBB's reinstalled NS settings to Firefox - appear almost the same. I doubt the 2 differences I found caused the problem? I got NS in TBB to display all trackers - no real clue. In TBB, under Advanced>Trusted, the "Cascade Top Document's permissions to 3rd party scripts" was checked... but *none* of the pages I loaded had *base domain* scripts allowed - I checked (so that shouldn't have caused the problem). I unchecked the "Cascade..." option, anyway. Maybe there's a bug w/ those 2 settings in NS? The only other NoScript diff in Fx & TBB was Appearance tab > "Allow" was checked in one & not the other. I made them the same. I can't see that causing this issue either. Tried some new sites & both browsers show the same trackers - for now. Anyone seen a similar NoScript problem or any clues what caused trackers not to show up, based on what I found? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor and Google error / CAPTCHAs.
We are already starting to see people switching away from Google for privacy reasons and soon it will also be because of censorship (nationstate edicts and EU "right to forget") and biasing (due to Google's political involvement, e.g. suppressing typeaheads negative to Clinton). The alternative search engines do not produce results as comprehensive as Google's but at least one of them was accessible directly in onionspace. Existing 3rd party spiders must be solving the CAPTCHA problem somehow or how could they index everything? Let's hope they keep their servers completely uncensored and honest and independent of national jurisdictions. I wonder if that is a project which needs (crowd?)funding to make it viable, attractive, and sustainable. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] An example of scraping and bad behaviour over Tor
"Has anyone here had a CAPTCHA on Amazon over Tor, recently? [...]" Hello ! Yes, since few days, I notice that Amazon ask me for a CAPTCHA code. Worst than Google, It's a annoying random string :/ Original Message Subject: [tor-talk] An example of scraping and bad behaviour over Tor Local Time: October 1, 2016 9:27 AM UTC Time: October 1, 2016 7:27 AM From: alec.muff...@gmail.com To: tor-talk@lists.torproject.org Sharing for context: the article does not clearly say whether this scam was entirely completed over Tor, or only partially - the "over 200 proxy servers" sounds like come other proxy network - but it's a fine example of the sort of thing I have been talking about and what all those CAPTCHAs we experience are meant to be preventing, in this case: helping scammy hoaxy e-books on Amazon: http://www.zdnet.com/article/exclusive-inside-a-million-dollar-amazon-kindle-catfishing-scam/ Moore was just one of hundreds of pseudonyms employed in a sophisticated > "catfishing" scheme run by Valeriy Shershnyov, whose Vancouver-based > business hoodwinked Amazon customers into buying low-quality ebooks, which > were boosted on the online marketplace by an unscrupulous system of bots, > scripts, and virtual servers. [...] These books were associated with a publisher's email account used to > collect royalties on all the ebook and physical books that were sold. > (Shershnyov used his own personal email address, along with other > accounts.) Each account was responsible for publishing hundreds of ebooks. > If one account was caught or disabled, it wouldn't upend the entire scheme. These accounts worked together to artificially inflate the number of ebooks > downloaded, thus raising the ranking of each ebook in Amazon's charts. That > visibility helped to draw in real readers. The server hosted a table containing 83,899 fake Amazon accounts (an easy > feat given that, when we checked, Amazon doesn't verify email accounts). *At > any given time of the day, dozens of those accounts could be pushed through > one of over 200 proxy servers -- provided by a third-party internet company > -- which makes it harder for Amazon to detect the logins.* The server > installed the Selenium web driver, a browser automation tool, which > simulates a real person typing in the accounts' usernames and passwords, > one after the other. Not all logins will be successful. Some are blocked or banned. If that > happens, the table would log the the failure, and move on to the next > account. [...] The *downloads would be tunneled over the Tor anonymity network*, masking > the IP addresses of the server, making it tougher for Amazon's systems to > spot the fraudulent downloads. It can take just a few days for an ebook to rise up the charts and increase > visibility -- these books can easily reach the Top 100 list, particularly > in niche categories. Has anyone here had a CAPTCHA on Amazon over Tor, recently? This sort of thing is why... -a -- http://dropsafe.crypticide.com/aboutalecm -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor and Google error / CAPTCHAs.
On 4 October 2016 at 01:51, Jeremy Randwrote: > Alec Muffett: > > I'm curious what the advantage is in this respect of .onion compared to > using TLS with manual fingerprint verification. > I like to look at Onions from the perspective of a network engineer: - it's a lightweight near-equivalent (and in no way as powerful as, but hey, it's an 80% solution which requires zero setup) to Layer-2 / IPsec AH+ESP - this means it operates and is available at the "Link Layer" and is inherited by any protocol which uses it, including plaintext HTTP, plaintext Telnet, etc - In IPsec AH means "Authentication Header", extra metadata that IPsec sends, using certs and keys and shit, to guarantee that you are talking to the machine that you asked for - In Onion, if you can type in the address and get connected, you are talking to the machine that you asked for - In IPsec, ESP means "Encapsulating Security Payload", extra metadata on the packet which stops people tampering with, or reading the packet - In Onion, all that shit comes pre-packaged from Tor, with zero user setup. - Onion also routes around blocks So my position is that Onion routing is "cheap-ass IPsec, without all the configuration BS, and *yay* with E2E/disintermediation". That is _really_ cool; at a stroke you selectively pypass a bunch of internet balkanization technologies and reconnect people like it's 1990 all over again. I'm old enough to remember when `finger usern...@host.subdomain.tld` actually worked and was useful; there's a lot you can build with that kind of connectivity. > My best guess is that .onion has better usability today with current > tools. That's also nice. > But it seems to me that it wouldn't be incredibly hard to > produce a SOCKS proxy to support a ".tlsexplicit" TLD where the SOCKS > proxy drops the connection to "www.google.com..tlsexplicit" > if the server doesn't present a TLS cert that matches . > Could do that, but then you'd just be reinventing IPsec-like features at layer 4, rather than at pseudo-layer-2. I shall elide your other question, because - as should be obvious by now - I rate Onions highly for qualities other than the "anonymity" and "location hiding" - which are obviously very important to other people. - alec -- http://dropsafe.crypticide.com/aboutalecm -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk