Re: [tor-talk] Tor Browser Linux_don't extract to root
On 04/11/2017 03:47 AM, Jonathan Marquardt wrote: On Mon, Apr 10, 2017 at 07:11:48PM -0500, Joe Btfsplk wrote: What is the reason(s) the TBB instructions say do not install (extract) TBB to root? Is it so the TBB files will be in a location where the user has write permissions, so that TBB updates can automatically D/L and install? Yes, that's the biggest advantage, I think. We don’t want superold versions of TBB to be used, do we? Other than that, does installing TBB to a location where anyone / anything has full r/w/x permissions (like in /home), weaken the security of Linux, compared to packages installed via a distro's software manager? If "anyone / anything has full r/w/x permissions" in /home on your system, you're doing something very wrong. Only the individual users should have write permissions in their own home directories. On a multi-user system it is also a good idea to give "world" zero permissions in your user home directory so no other users can read your files. Thanks. I may be missing something here. Anyone feel free to correct me where I'm wrong. I'm not "doing" anything with /home permissions - it's Linux defaults. AFAIK, once a user logs into their 'nix acct, anything that writes to (most) files in /home can do so - w/o any prompting. For browsers - Firefox - that's full access to most things under .mozilla, but not Firefox program files - installed elsewhere. In /home, the user is the owner & has full r/w/x permissions for most files there - no PW required to change files there (once logged in). There're some exceptions to that, like .local/keyrings. For TBB extracted to a folder in /home, on files I checked (tor, cached-certs, torrc, etc.) - the user is owner & has r/w/(x) permissions by default. No PW required - like any document in /home. So anything that makes it past basic defenses of the browser, NoScript, etc. - would generally have r/w/x permissions on most TBB files in /home - yes? Conversely, Firefox installed to /usr & other protected directories that most installed apps use, by default the user or anything making it onto the computer don't have w/x permissions for those "program files." Yes? That's part of Linux overall security. Maybe I'm missing something. Tor Project goes to great lengths to provide uncompromised TBB copies & ways to verify them, but at least in Linux - advises putting it in the least secure area, so it can update automatically with one click? (because TBB wasn't installed via a Linux software manager & therefore automatic updates wouldn't be allowed). Seems like that's in opposition to all the other TBB security efforts. When Linux users choose to D/L the latest release from mozilla & install to /opt or /usr/local, it won't update automatically or w/ a click, AFAIK. Unless you change ownership / permissions of those directories - which I've read is a bad idea, security wise. (I'm not sure the D/L Linux Fx ver has "update now" available in about:firefox, anyway). But, for Fx or Tbird in /opt you can install update files from Mozilla easily enough using sudo. It takes typing a few characters vs. one click. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] No more logs on 0.3.1
Seby: > Hi list, > > Upgraded to a newer version on Debian (Jessie) and can't find any logs in > /var/log/tor folder. They used to be there under 0.2.9. Tor is running, > socks works, I can browse the web via Tor but don't find any logs. Is this > normal? This is expected if your run tor >= 0.3: in the Debian packaging the default logging was switched to using syslog, so on a default systemd-enabled Debian Jessie system you should look in the journal, e.g.: sudo journalctl -u tor@default.service Cheers! -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Suspicious rise in direct users connection from Israel (from ~9k to >100k)
> I'm wondering why that spike of new users from IL does not show in theoverall > user graphs. > Did another country "lose" that many users at the same time? Another country, no. Other countries yes :) It's 91k more users, minus total losses from other countries which should add up to it. For example the US lost about 20k, Brazil 7k, ... But I expect it to appear soon. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Suspicious rise in direct users connection from Israel (from ~9k to >100k)
> Direct users graph: > > https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-relay-country=il > > Bridge users (nothing suspicious for now): > > https://metrics.torproject.org/userstats-bridge-combined.html?start=2017-01-11=2017-04-11=il interesting. I'm wondering why that spike of new users from IL does not show in the overall user graphs. Did another country "lose" that many users at the same time? -- https://mastodon.social/@nusenu https://twitter.com/nusenu_ signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Suspicious rise in direct users connection from Israel (from ~9k to >100k)
Hi, Direct users graph: https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-relay-country=il Bridge users (nothing suspicious for now): https://metrics.torproject.org/userstats-bridge-combined.html?start=2017-01-11=2017-04-11=il --Jeff -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser Linux_don't extract to root
On Mon, Apr 10, 2017 at 07:11:48PM -0500, Joe Btfsplk wrote: > What is the reason(s) the TBB instructions say do not install (extract) TBB > to root? > Is it so the TBB files will be in a location where the user has write > permissions, so that TBB updates can automatically D/L and install? Yes, that's the biggest advantage, I think. We don’t want superold versions of TBB to be used, do we? > Other than that, does installing TBB to a location where anyone / anything > has full r/w/x permissions (like in /home), weaken the security of Linux, > compared to packages installed via a distro's software manager? If "anyone / anything has full r/w/x permissions" in /home on your system, you're doing something very wrong. Only the individual users should have write permissions in their own home directories. On a multi-user system it is also a good idea to give "world" zero permissions in your user home directory so no other users can read your files. -- 4096R/1224DBD299A4F5F3 47BC 7DE8 3D46 2E8B ED18 AA86 1224 DBD2 99A4 F5F3 signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] release of heads 0.2 live 100% libre torified distro based on devuan
Hi, Lara: > those handicapped enough to be unable to write software This can be interpreted in a number of ways, including some that I personally find problematic. But maybe you want to rephrase so I understand better what you meant? Cheers, -- intrigeri -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] release of heads 0.2 live 100% libre torified distro based on devuan
On Tue, 11 Apr 2017, Lara wrote: > parazyd: > > On Mon, 10 Apr 2017, Mateo Carmona wrote: > >> In regard to the great news about the release of heads OS I have two > >> things to say, first congratulations! second why the heads repository is > >> hosted in a non-free software repository (github). Is it not about > >> Libre-privacy? > > > > I've tried hosting the repositories on git.devuan.org, but it hasn't > > performed on-par at that time. I also don't have another place as good > > as Github to host everything, along with the bugtracker. In any case, a > > plethora of free software projects are hosted on Github, and I don't > > really see an issue. All my git commits are signed with gnupg so we have > > that going at least. > > Welcome to the "free" software world! > > Where the developers aren't reliable enough to have a host and a HTTPS > certificate. And where those handicapped enough to be unable to write > software have informed oppinions as long as they don't have to pay a cent. <3 -- ~ parazyd GPG: 0333 7671 FDE7 5BB6 A85E C91F B876 CB44 FA1B 0274 signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] release of heads 0.2 live 100% libre torified distro based on devuan
parazyd: > On Mon, 10 Apr 2017, Mateo Carmona wrote: >> In regard to the great news about the release of heads OS I have two things >> to say, first congratulations! second why the heads repository is hosted in >> a non-free software repository (github). Is it not about Libre-privacy? > > I've tried hosting the repositories on git.devuan.org, but it hasn't > performed on-par at that time. I also don't have another place as good > as Github to host everything, along with the bugtracker. In any case, a > plethora of free software projects are hosted on Github, and I don't > really see an issue. All my git commits are signed with gnupg so we have > that going at least. Welcome to the "free" software world! Where the developers aren't reliable enough to have a host and a HTTPS certificate. And where those handicapped enough to be unable to write software have informed oppinions as long as they don't have to pay a cent. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] release of heads 0.2 live 100% libre torified distro based on devuan
On Mon, 10 Apr 2017, Mateo Carmona wrote: > Dear tor-talkers, > > In regard to the great news about the release of heads OS I have two things > to say, first congratulations! second why the heads repository is hosted in a > non-free software repository (github). Is it not about Libre-privacy? > > happy hacking, > Mateo Carmona Thank you! I've tried hosting the repositories on git.devuan.org, but it hasn't performed on-par at that time. I also don't have another place as good as Github to host everything, along with the bugtracker. In any case, a plethora of free software projects are hosted on Github, and I don't really see an issue. All my git commits are signed with gnupg so we have that going at least. -- ~ parazyd GPG: 0333 7671 FDE7 5BB6 A85E C91F B876 CB44 FA1B 0274 signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk