Re: [tor-talk] problem reinstalling NoScript

[krishna e bera]

On 04/10/16 10:03 PM, Joe Btfsplk wrote:

In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving.
It wasn't showing many trackers in the icon drop list, on sites where
there would be plenty.
I UNchecked "Allow Scripts Globally."

I uninstalled it - closed TBB.  Removed  NoScript entries in pref.js &
restarted TBB, then reinstalled fresh NS copy - 2 separate times.
Didn't fix it.


Without seeing whatever was left in your TBB folder from previous 
self-updates and from other add-ons or from data saved during sessions, 
it is difficult to figure out what is going on.


I gave up trying to manage separate addons and settings in TBB long ago 
because the interactions between parts is complex and more importantly 
every bug that came up could be fixed by

removing the whole TBB directory and starting from scratch.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] problem reinstalling NoScript

[Joe Btfsplk]

In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving.
It wasn't showing many trackers in the icon drop list, on sites where 
there would be plenty.

I UNchecked "Allow Scripts Globally."

I uninstalled it - closed TBB.  Removed  NoScript entries in pref.js & 
restarted TBB, then reinstalled fresh NS copy - 2 separate times.  
Didn't fix it.
TBB has an "extensions-overrides.js" file in Partition (X):\Program 
Files\Tor Browser 4.5.3\Tor 
Browser\Browser\TorBrowser\Data\Browser\profile.default\preferences, 
that replaces some of NS default settings.  It also removes default 
whitelisted sites that Giorgio added (lots of google sites & others - 
google.com, gstatic.com, etc.).


Removing the whitelisted sites via extensions-overrides.js shouldn't 
cause them not to show in the NS icon drop list  Besides, it wasn't only 
the removed NS whitelist trackers not displaying.


In TBB, NS  hardly showed any trackers (Allow Scripts Globally still 
unchecked).  But did show them under the Untrusted grouping, but none 
were marked untrusted (that's normal).

On the same pages in Firefox there were many trackers.
I compared TBB's reinstalled NS settings to Firefox - appear almost the 
same.  I doubt the 2 differences I found  caused the problem?


I got NS in TBB to display all trackers - no real clue.  In TBB, under 
Advanced>Trusted, the "Cascade Top Document's permissions to 3rd party 
scripts" was checked... but *none* of the pages I loaded had *base 
domain* scripts allowed - I checked (so that shouldn't have caused the 
problem).  I unchecked the "Cascade..." option, anyway.  Maybe there's a 
bug w/ those 2 settings in NS?


The only other NoScript diff  in Fx & TBB was Appearance tab > "Allow" 
was checked in one & not the other.  I made them the same.  I can't see 
that causing this issue either.

Tried some new sites & both browsers show the same trackers - for now.

Anyone seen a similar NoScript problem or any clues what caused trackers 
not to show up, based on what I found?



--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[krishna e bera]

We are already starting to see people switching away from Google for
privacy reasons and soon it will also be because of censorship
(nationstate edicts and EU "right to forget") and biasing (due to
Google's political involvement, e.g. suppressing typeaheads negative to
Clinton).  The alternative search engines do not produce results as
comprehensive as Google's but at least one of them was accessible
directly in onionspace.
Existing 3rd party spiders must be solving the CAPTCHA problem somehow
or how could they index everything?  Let's hope they keep their servers
completely uncensored and honest and independent of national
jurisdictions. I wonder if that is a project which needs (crowd?)funding
to make it viable, attractive, and sustainable.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] An example of scraping and bad behaviour over Tor

[128Ko]

"Has anyone here had a CAPTCHA on Amazon over Tor, recently? [...]"

Hello !
Yes, since few days, I notice that Amazon ask me for a CAPTCHA code.
Worst than Google, It's a annoying random string :/





 Original Message 
Subject: [tor-talk] An example of scraping and bad behaviour over Tor
Local Time: October 1, 2016 9:27 AM
UTC Time: October 1, 2016 7:27 AM
From: alec.muff...@gmail.com
To: tor-talk@lists.torproject.org

Sharing for context: the article does not clearly say whether this scam was
entirely completed over Tor, or only partially - the "over 200 proxy
servers" sounds like come other proxy network - but it's a fine example of
the sort of thing I have been talking about and what all those CAPTCHAs we
experience are meant to be preventing, in this case: helping scammy hoaxy
e-books on Amazon:

http://www.zdnet.com/article/exclusive-inside-a-million-dollar-amazon-kindle-catfishing-scam/


Moore was just one of hundreds of pseudonyms employed in a sophisticated
> "catfishing" scheme run by Valeriy Shershnyov, whose Vancouver-based
> business hoodwinked Amazon customers into buying low-quality ebooks, which
> were boosted on the online marketplace by an unscrupulous system of bots,
> scripts, and virtual servers.


[...]

These books were associated with a publisher's email account used to
> collect royalties on all the ebook and physical books that were sold.
> (Shershnyov used his own personal email address, along with other
> accounts.) Each account was responsible for publishing hundreds of ebooks.
> If one account was caught or disabled, it wouldn't upend the entire scheme.


These accounts worked together to artificially inflate the number of ebooks
> downloaded, thus raising the ranking of each ebook in Amazon's charts. That
> visibility helped to draw in real readers.


The server hosted a table containing 83,899 fake Amazon accounts (an easy
> feat given that, when we checked, Amazon doesn't verify email accounts). *At
> any given time of the day, dozens of those accounts could be pushed through
> one of over 200 proxy servers -- provided by a third-party internet company
> -- which makes it harder for Amazon to detect the logins.* The server
> installed the Selenium web driver, a browser automation tool, which
> simulates a real person typing in the accounts' usernames and passwords,
> one after the other.


Not all logins will be successful. Some are blocked or banned. If that
> happens, the table would log the the failure, and move on to the next
> account.


[...]

The *downloads would be tunneled over the Tor anonymity network*, masking
> the IP addresses of the server, making it tougher for Amazon's systems to
> spot the fraudulent downloads.


It can take just a few days for an ebook to rise up the charts and increase
> visibility -- these books can easily reach the Top 100 list, particularly
> in niche categories.



Has anyone here had a CAPTCHA on Amazon over Tor, recently? This sort of
thing is why...

-a

--

http://dropsafe.crypticide.com/aboutalecm
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Alec Muffett]

On 4 October 2016 at 01:51, Jeremy Rand  wrote:

> Alec Muffett:
>
> I'm curious what the advantage is in this respect of .onion compared to
> using TLS with manual fingerprint verification.
>

I like to look at Onions from the perspective of a network engineer:

- it's a lightweight near-equivalent (and in no way as powerful as, but
hey, it's an 80% solution which requires zero setup) to Layer-2 / IPsec
AH+ESP

- this means it operates and is available at the "Link Layer" and is
inherited by any protocol which uses it, including plaintext HTTP,
plaintext Telnet, etc

- In IPsec AH means "Authentication Header", extra metadata that IPsec
sends, using certs and keys and shit, to guarantee that you are talking to
the machine that you asked for

- In Onion, if you can type in the address and get connected, you are
talking to the machine that you asked for

- In IPsec, ESP means "Encapsulating Security Payload", extra metadata on
the packet which stops people tampering with, or reading the packet

- In Onion, all that shit comes pre-packaged from Tor, with zero user setup.

- Onion also routes around blocks

So my position is that Onion routing is "cheap-ass IPsec, without all the
configuration BS, and *yay* with E2E/disintermediation".

That is _really_ cool; at a stroke you selectively pypass a bunch of
internet balkanization technologies and reconnect people like it's 1990 all
over again.

I'm old enough to remember when `finger usern...@host.subdomain.tld`
actually worked and was useful; there's a lot you can build with that kind
of connectivity.



> My best guess is that .onion has better usability today with current
> tools.


That's also nice.



> But it seems to me that it wouldn't be incredibly hard to
> produce a SOCKS proxy to support a ".tlsexplicit" TLD where the SOCKS
> proxy drops the connection to "www.google.com..tlsexplicit"
> if the server doesn't present a TLS cert that matches .
>

Could do that, but then you'd just be reinventing IPsec-like features at
layer 4, rather than at pseudo-layer-2.

I shall elide your other question, because - as should be obvious by now -
I rate Onions highly for qualities  other than the "anonymity" and
"location hiding" - which are obviously very important to other people.

- alec


-- 
http://dropsafe.crypticide.com/aboutalecm
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk