Re: [tor-talk] Using a Solid Tor Configuration

2020-07-23 Thread Mirimir
On 07/23/2020 08:36 AM, con...@secmail.pro wrote:
> Hi all,
> 
> I would like to setup a solid Tor configuration in the States. I get a lot
> of harassment from corrupted law enforcement and nosy corporations. My
> goal is to keep my online activity private, but it appears Tor isn't doing
> that at all.
> 
> Should I use Linux or Windows with Tor and how do I make it work well
> enough to stop these kind of attackers?

The simplest approach is using Whonix. There are two Linux virtual
machines. The gateway VM just runs the Tor process, and the workstation
VM runs Tor browser and other apps. The workstation VM has no network
connectivity except via Tor, and so malware can't bypass Tor.

It's easy enough to run Whonix in Virtualbox on Linux. And you could
even use Virtualbox on Windows, although I don't recommend that. Using
Whonix in Qubes is more secure, but not so easy.

I recommend using Whonix through VPN services, because it hides Tor use
from your ISP. It would also protect somewhat against malicious entry
guards, and from circuit deanonymization. Better yet is using Tor
through nested VPN chains, because that prevents any individual VPN
service from linking you and your entry guards.

> Thanks in advance for your help.
> 
> 
> --Conser
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] I don't understand two things about the node "freja".

2020-06-30 Thread Mirimir
On 06/30/2020 03:13 PM, sean_sulli...@danwin1210.me wrote:
> I have questions about the Tor node “freja”.
> 
> First, according to https://torstatus.rueckgr.at/, the node is at
> 194.88.143.66 which is in Italy. Yet WHOIS says the addresses
> 194.88.142.0-194.88.143.255 are in Pune, India. The last IP from a
> ‘traceroute’ is 81.25.202.165 and 81.25.202.128-81.25.202.255 is in ‘IT’
> (Italy) which suggests that https://torstatus.rueckgr.at/ is correct.

Look using https://ping.pe/, https://asm.ca.com/en/ping.php and
https://www.maplatency.com/. To me, Italy seems right.

> Why would WHOIS inaccurately (I think) say the IP is in India?

There's so much reselling of IPv4 now that WHOIS is ~useless.

> Second, according to https://torstatus.rueckgr.at/, “freja” is not an exit
> node. But if you use...
> 
> StrictNodes 1
> ExitNodes freja
> 
> ...then TBB will load the purple introductory screen “Explore. Privately.”
> (I tried with other non-exit nodes and TBB typically gets stuck on
> “Requesting Relay Information” and never loads the purple screen).
> 
> However, then “freja” will not load any pages.
> 
> So if it’s not an exit node, why does the introductory screen load?

I have no clue.

> Thanks.
> 


Re: [tor-talk] Jitsi Meet over Tor

2020-04-07 Thread Mirimir
On 04/07/2020 08:32 AM, grarpamp wrote:
> Voice and video conferencing apps can and do
> work over I2P, Tor, Phantom, etc.
> Use the lowest quality, bandwidth, window size,
> frame rate, etc settings possible.
> 
> UDP and IPv6 can and do work over all three of the above networks.
> With .onion (.i2p) use OnionCat (GarliCat) to enable UDP and IPv6.
> Search this list for all the cool things you can do with OnionCat.
> Get it here...
> 
> https://www.onioncat.org/
> https://github.com/rahra/onioncat

Yes, VoIP via UDP works very well through Tor with OnionCat. However,
both endpoints must be running Tor and OnionCat. Basically, all devices
running Tor and OnionCat have IPv6 addresses in the same /48 subnet. So
any such device can connect with any other. But _not_ with any other
IPv6 (or IPv4) address. Unless someone set up a router, I suppose.

> Tor exits still don't offer any IP VPN termination services
> to tor circuits. So for UDP over tor exit, use your own or
> a third party VPN, shell, proxychain etc that offers UDP.

Yes, you can route VPNs through Tor. However, I don't recommend doing
that except in Whonix. Otherwise, there's too much risk that the VPN
will connect directly, instead of through Tor, and blow your anonymity.

You could use a commercial VPN service, or run your own VPN server in a
VPS. But either way, you'd need to do everything ~anonymously through
Tor. Or in other words, your anonymity using the VPN via Tor will be
limited by how anonymously you paid for the VPN service or VPS. So that
means well-mixed Bitcoin, or better perhaps Monero.

All things considered, it'd be simpler, and arguably more anonymous, if
you can force Jitsi to use TCP via plain Tor.


Re: [tor-talk] Jitsi Meet over Tor

2020-04-06 Thread Mirimir
On 04/03/2020 02:19 AM, namer...@mailo.com wrote:
> Has anyone managed to use Jitsi Meet over Tor, either with Tor Browser
> or with a normal browser+SOCKPort?
> 
> Every time I try, the video/audio quality is unusable. Things drop out,
> I can't hear people, they can't hear me, etc. This is true even if video
> is turned off.

I suspect that it's because Jitsi is trying to use UDP, which Tor
doesn't handle. You can see if there's a way to force it to use TCP.


Re: [tor-talk] Revisiting youtube blocking TBB, virtually all 1st attempts to load YT

2020-03-08 Thread Mirimir
On 03/08/2020 02:40 PM, nusenu wrote:
>> What would stop a bad actor from creating a bunch of new circuits and
>> making all Tor IPs look bad if they were so inclined?
> 
> yes there are distribution strategies that can prevent that
> or make that very expensive (an /48 IPv6 block has a **lot** of IP addresses)

Sure, but wouldn't sites start blocking at /48, /64, etc levels?



Re: [tor-talk] How secure is a hidden service?

2020-02-21 Thread Mirimir
On 02/21/2020 03:41 AM, Roger Dingledine wrote:

> Services on the internet are inherently harder to make safe than clients,
> (a) because they stay at the same place for long periods of time, and
> (b) because the attacker can induce them to generate or receive traffic,
> in a way that's harder to reliably do to clients.

Yep. That's the fundamental problem.

> Most identification problems with Tor users, and with onion services,
> have turned out to be opsec mistakes, or flaws in the application
> software at one end or the other. That is, nothing to do with the Tor
> protocol at all. But of course in the "layers of conspiracy" world we
> live in nowadays, you can never be quite sure, because maybe "they"
> used a complex attack on Tor and then covered it up by pointing to an
> opsec flaw. One hopefully productive way forward is to point out that
> even if we don't know how every successful attack really started, we
> know that opsec flaws are sufficient to explain most of them.

I've looked at many of them, and I generally agree. The only exception
I'm sure of is relay early, which took down at least PlayPen, and ~1000
of its users, directly or indirectly. I'm not sorry about them, but we
don't know who else exploited it, against whom, or for how long.

> When I'm doing talks about Tor these days, I list these four areas
> of concern, ordered by how useful or usable they are to attackers in
> practice: (1) Opsec mistakes, (2) Browser metadata fingerprints / proxy
> bypass bugs, (3) Browser / webserver exploits, and (4) Traffic analysis.

There's also Freedom Hosting and Freedom Hosting II. Although I haven't
seen anything clear about how they were compromised, it seems arguable
(even obvious, in retrospect) that servers with numerous onion URLs are
far^N more vulnerable. Not to say, doomed.




Re: [tor-talk] Tor Speculated Broken by FBI Etc - Freedom Hosting, MITTechReview - Magneto

2020-02-10 Thread Mirimir
On 02/09/2020 12:19 PM, Felix wrote:
> Hi everybody
> 
> Am 2020-02-09 um 12:40 PM schrieb grarpamp:
>> Given the variety of known weaknesses, exploits, categories
>> of papers, and increasing research efforts against tor and
>> overlay networks in general, and the large number of these
>> "mystery gaps" type of articles (some court cases leaving hardly
>> any other conclusion with fishy case secrecy, dismissals, etc)...
>> the area of speculative brokeness and parallel construction
>> seems to deserve serious investigative fact finding project of
>> global case collation, interview, analysis to better characterize.
> ...
>> Early on August 2 or 3, 2013, some of the users noticed “unknown
>> Javascript” hidden in websites running on Freedom Hosting. Hours
>> later, as panicked chatter about the new code began to spread, the
>> sites all went down simultaneously. The code had attacked a Firefox
>> vulnerability that could target and unmask Tor users—even those using
>> it for legal purposes such as visiting Tor Mail—if they failed to
>> update their software fast enough.
>>
>> While in control of Freedom Hosting, the agency then used malware that
>> probably touched thousands of computers. The ACLU criticized the FBI
>> for indiscriminately using the code like a “grenade.”
>>
>> The FBI had found a way to break Tor’s anonymity protections, but the
>> technical details of how it happened remain a mystery.
> 
> https://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
> 
> A malicious route around Tor was/is solvable by keeping the system
> updated or by the use of techniques like Whonix or Tails.
> 
> -- 
> Cheers, Felix

That depends.

Whonix would protect users against malware that bypasses Tor browser.
Perhaps Tails would as well, given its iptables rules, but arguably not
as well as Whonix does. Because in Whonix, Tor client and apps are in
separate VMs, and there's no forwarding from the workstation VM, just
SocksPorts exposed to it on the gateway VM.

And onion services could also use Whonix, or at least the basic concept
of Whonix, implemented in KVM or VBox VMs on the server. Onion services
on Tails would be harder, but probably doable.

However, neither Whonix nor Tails would protect users or onion services
against attacks that manipulate Tor clients into using malicious guards.
And once an adversary controls the guard, it knows the IP address of the
user or server. Tails might even be more vulnerable, because it picks
new guards at each boot.

As far as I know, there are just two ways to defend against attacks via
malicious guards. One is using vanguards.[0,1] The other is simply
hiding the user's or server's IP address from the guard, using a VPN
service, or a nested VPN chain.

0) https://github.com/mikeperry-tor/vanguards/
1) https://lists.torproject.org/pipermail/tor-dev/2020-February/014156.html




Re: [tor-talk] Tor and sources.list

2020-02-02 Thread Mirimir
On 02/02/2020 07:02 PM, mimb...@danwin1210.me wrote:
> In my /etc/apt/sources.list I have:
> 
> deb https://deb.torproject.org/torproject.org bionic main
> deb-src https://deb.torproject.org/torproject.org bionic main
> 
> My version of tor is 0.4.2.5. Am I correct that, at some point, it will
> automatically update to 0.4.2.6 thanks to the above entries in
> sources.list?
> 
> Thanks!

You also need apt-transport-https and the Tor repo's gpg key. Plus
deb.torproject.org-keyring to keep the key current.

The full instructions are here:
https://2019.www.torproject.org/docs/debian.html.en


Re: [tor-talk] Tor Browser without Tor

2020-02-02 Thread Mirimir
On 02/02/2020 04:12 PM, Jeremy Rand wrote:
> Jason Evans:
>> Hi all,
>>
>> This is a question that we get from time to time in the Stack Exchange
>> group. Can I use Tor Browser without actually using the Tor
>> network? For example, I want to use the browser for checking my bank
>> account but I can't because my bank doesn't allow traffic from exit nodes.
>>
>> A similar question that was asked recently is, "how can I connect to
>> local IPs with the Tor Browser?". For example, my home SAN is on
>> 192.168.1.X and it's not reachable with the Tor Browser.
>>
>> Thanks!
>>
>> Jason
> 
> Tor Browser, last I checked, has a transproxy mode (enabled via an
> environment variable) that I suspect would make it work fine without
> Tor.  No idea if it's documented properly; I've only seen it mentioned
> on the Whonix wiki (in the "disable stream isolation" docs).
> 
> Cheers,

Open about:config, and search "extensions.torlauncher".

Set "extensions.torlauncher.prompt_at_startup" to false.

Set "extensions.torlauncher.start_tor" to false.

Now Tor browser won't start Tor.


Re: [tor-talk] restricting output to the tor process, when using Tor browser

2020-01-28 Thread Mirimir
On 01/28/2020 04:21 AM, Nicolas Vigier wrote:
> On Mon, 27 Jan 2020, Mirimir wrote:
> 
>> But, in a Debian VM running Tor browser, I found that the tor process is
>> running as the login user. And so iptables is totally useless.
>>
>> However, it's apparently easy to start Tor browser as its own user,
>> using Micah Lee's torbrowser-launcher.[0] Is that a prudent solution?
>>
>> 0)
>> https://medium.com/@jamesmacwhite/running-the-tor-browser-on-kali-linux-the-proper-way-d33a38b54e96
> 
> I think what is on this page does not solve your issue as they run both
> the browser and the tor daemon (started by the browser) as the same user.

Oh, right. So I could allow output by whatever uid-owner I created, and
block all other users. That would prevent random malware from bypassing
Tor. But it wouldn't prevent compromised Tor browser from doing it.

So somehow I just need to have the tor process run as a unique user.

I created a user tbtor as described in the post that I cited, and tried
tweaking the Tor browser torrc:

> User tbtor

But the tor process crashes. I'm guessing that this is breaking the
process of starting as root, and dropping capabilities. But I'm not
sure, and in any case don't know how to fix it.

> What you can do is run tor using the debian tor package, and configure
> Tor Browser to use the system tor daemon (instead of starting its own):
> https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsinganExistingTorProcess

I've read in Tor.SE that the Tor browser torrc is optimized. So using
tor with default torrc is less anonymous. I suppose that one could just
use the Tor browser torrc. But I guess that I'll play with it.


[tor-talk] restricting output to the tor process, when using Tor browser

2020-01-27 Thread Mirimir
OK, so I don't use standalone Tor browser, just in Whonix.

And when I use Tor in Debian, I use iptables rules like:


*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP

-A FORWARD -j DROP

-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j DROP

COMMIT


But, in a Debian VM running Tor browser, I found that the tor process is
running as the login user. And so iptables is totally useless.

However, it's apparently easy to start Tor browser as its own user,
using Micah Lee's torbrowser-launcher.[0] Is that a prudent solution?

0)
https://medium.com/@jamesmacwhite/running-the-tor-browser-on-kali-linux-the-proper-way-d33a38b54e96


Re: [tor-talk] Ports required for Tor and hidden services

2020-01-27 Thread Mirimir
On 01/26/2020 10:53 PM, Jim wrote:
> Forst wrote:
>> In that case, what would be best approach to achieve that all traffic
>> is forced though Tor and direct internet connection blocked,
>> preferably even if/when the system is breached?
> 
> Roger gave a good reply for the case where the system is not breached.
> But if your firewall is on the same system as the hidden service and an
> attacker gets root then nothing can save you since the attacker could
> alter the firewall at will.  The only exception I can think of is
> SELinux *might* provide a mechanism to prevent this but I am not
> familiar with it.
> 
> Jim

If you're that paranoid, you can use the Whonix model. Basically, run
the Tor process and firewall on one machine, with requisite ports
exposed on an isolated LAN. And run the web server on another machine,
connected via that LAN. So nothing on that machine can see the Internet,
except through Tor.

If you control physical access, it's most secure for those to be
separate hardware. Otherwise, you can use KVM VMs. You can even run KVM
VMs on some KVM VPS, although it's a little sluggish.


Re: [tor-talk] Brave Review Mentions Tor

2019-11-16 Thread Mirimir
On 11/16/2019 01:50 PM, Mirimir wrote:
> On 11/15/2019 11:57 AM, d...@foundingdocuments.org wrote:
>> A few-days-old review.
>>
>> Since Brave is the browser for OnionBrowser on iOS, I figured I’d read the 
>> article. 
>>
>> https://www.pcworld.com/article/3453376/brave-10-review-this-excellent-privacy-focused-browser-can-make-you-money-too.html
>>> Not only can you open a private window, but you can open an even deeper 
>>> level of privacy and use the Tor onion-routing network as well.
> 
> Why the bloody hell does OnionBrowser on iOS not just use Firefox?

Damn, brain fart :(

I meant why doesn't it just use Tor browser.

> I wonder how Brave and Tor browser compare re anonymity, privacy and
> security. It seems unlikely that Brave would do a better job.
> 
> Also, the idea of running clearnet and Tor-mediated tabs in the same
> browser is pretty iffy. I mean, I don't even risk doing that in the same
> VM. And indeed, using Whonix, there is no clearnet connectivity.
> 


Re: [tor-talk] Brave Review Mentions Tor

2019-11-16 Thread Mirimir
On 11/15/2019 11:57 AM, d...@foundingdocuments.org wrote:
> A few-days-old review.
> 
> Since Brave is the browser for OnionBrowser on iOS, I figured I’d read the 
> article. 
> 
> https://www.pcworld.com/article/3453376/brave-10-review-this-excellent-privacy-focused-browser-can-make-you-money-too.html
>> Not only can you open a private window, but you can open an even deeper 
>> level of privacy and use the Tor onion-routing network as well.

Why the bloody hell does OnionBrowser on iOS not just use Firefox?

I wonder how Brave and Tor browser compare re anonymity, privacy and
security. It seems unlikely that Brave would do a better job.

Also, the idea of running clearnet and Tor-mediated tabs in the same
browser is pretty iffy. I mean, I don't even risk doing that in the same
VM. And indeed, using Whonix, there is no clearnet connectivity.




Re: [tor-talk] Open tickets

2019-05-30 Thread Mirimir
On 05/30/2019 02:26 AM, Wallichii wrote:
> On Tue, 28 May 2019 16:57:59 +
> martin590 wrote:
> 
>> why are there so many tickets which are open since years without any
>> visible progress? Will they ever be solved or were they forgotten by
>> its owner?
> 
> no activity generally means no one wants to fix it as of now or there
> are more important issues to look after.

For example, it seems that many tickets about v2 onion services are
~dead. Because v2 is being phased out, having been replaced by v3.


Re: [tor-talk] Hidden service persistent connections

2019-05-20 Thread Mirimir
On 05/20/2019 07:55 AM, George Kadianakis wrote:
> Memory Vandal writes:
> 
>> Hi,
>>
>> Are client connections to a hidden service .onion address that do not
>> disconnect for hours safe?
>>
>> It may be a big file download or multiple keep-alive transactions that use
>> the established connection over and over for, let's say, a few hours.
>>
>> If it's not safe then what should be the max time a connection to a .onion
>> service should get disconnected so that it uses a new circuit when it
>> reconnects?
>>
> 
> What kind of attacks are you worried about? I don't see any serious
> threats for onion service clients when it comes to long lasting connections.

Perhaps there's increased risk of malicious-relay attacks and/or traffic
correlation? I vaguely recall papers about that.


Re: [tor-talk] How to use Tor without a website knowing I am using Tor - possible?

2019-05-20 Thread Mirimir
On 05/19/2019 01:51 PM, jiggytwi...@danwin1210.me wrote:
> What's the best way to connect to a site via Tor if the site engages in
> exit censorship?

There is no entirely good way.

There's the Cloudflare Onion Service.[0,1,2] Basically, Cloudflare
redirects Tor users to its onion service, which then connects to the
website. So there's no exit involved, and no CAPTCHAs. However, that
only works for sites that use Cloudflare. And both you and the site must
trust them.

> Bridges - or is there a better option.

Not bridges. That's on the guard side. Maybe "exit bridges". But those
would be blacklisted just as fast as exits are.

> In short, I want to have all the benefits of Tor without the destination
> site knowing I am using Tor. Is this even possible?

If you're desperate, you can try an HTTPS proxy, or route a VPN via Tor.
But HTTPS proxies are typically scummy, and may inject ads, or even drop
malware. Some VPN services are probably honest, but most of them are
also scummy.

Your best bet is running your own HTTPS proxy or VPN, on a VPS. But it
must be a VPS leased anonymously through Tor, using Bitcoin that's been
mixed at least twice through Tor. Some VPS providers accept other
cryptocurrencies that may be intrinsically more anonymous than Bitcoin.

But even so, that funnels your Tor traffic through that VPS. So you're
no longer just some anonymous Tor user. You're linked to that VPS. So if
it gets linked to you, then everything you've done through it gets
linked to you. Also, if you use a VPN, that pins the Tor circuit that
it's using. And that increases the risk of traffic analysis.

Bottom line. Using HTTPS proxies or VPNs through Tor is dangerous. So if
you do it at all, you should do it only when absolutely necessary.
Using your own HTTPS proxy is probably the least dangerous option,
because that doesn't pin Tor circuits.

0)
https://www.securityweek.com/cloudflare-launches-security-service-tor-users
1)
https://www.bleepingcomputer.com/news/security/cloudflare-ends-captchas-for-tor-users-while-blocking-bad-actors/
2)
https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-




[tor-talk] Decent guide to setting up an .onion site on a VPS?

2019-05-12 Thread Mirimir
On 05/11/2019 02:33 PM, jiggytwi...@danwin1210.me wrote:
>> Have you read Configuring Onion Services for Tor [1]?
>>
>> [1] https://2019.www.torproject.org/docs/tor-onion-service.html.en
>>
>> Cheers,
>> ~Vasilis
> 
> I had seen this before but it assumes one runs the onion on one's own
> machine. My computer is not on 24/7. Isn't there an up-to-date guide for
> running hidden services on a VPS?

It's not fundamentally that different. And what's different is more
about VPS security than about Tor. I'm not up for writing a complete
guide right now. But I'll share some points, which you can fill in
through searching. They apply to Debian x64.

First, if you want your onion service to be ~anonymous, you must not
provide any real contact information, and you must do everything via
Tor. That basically means paying with well-mixed Bitcoin. To avoid leaks
locally, it's prudent to work in Whonix. You'll need to login to your
VPS via Tor, and that's safer using Whonix than just torsocks.

It's best to use VPS providers that don't require contact information.
CockBox is a good one, not too expensive, and quite Tor friendly.
BitHost (a DO reseller) is OK, but too expensive, and isn't so Tor
friendly.

I've also had good service from a few VPS providers that do require
contact information, but don't verify. Such as VPS.BG and HostSailor.

Second, once you have your VPS, you SSH to it via Tor. Before doing
anything else, change the root password, and create a user account. Then
configure SSH for key-based login as user. Because if someone steals
your private key, and logs in, at least they won't have root privileges.

There are many guides for that, so I won't make another here. I do note
that "ssh-keygen" by default creates 2048-bit RSA keys, and that many
swear by longer keys, and other algorithms (such as AES). Also, set
"PasswordAuthentication no" in "/etc/ssh/sshd_config". And if you decide
to SSH login as root, also set "PermitRootLogin prohibit-password". Then
restart SSH ("systemctl restart ssh") and test with another SSH login
before disconnecting the existing one.

Now install the latest Tor release, and upgrade the system. See
https://2019.www.torproject.org/docs/debian.html.en, and also install
"iptables-persistent". Then "apt-get -y dist-upgrade", and reboot.

Then set up Tor. The Tor Project guide for onion services is a little
confusing, because it covers Windows, MacOS and Linux. So also see
https://github.com/torproject/tor/blob/master/src/config/torrc.sample.in
for a sample torrc. In Linux, "@LOCALSTATEDIR@" is typically "/var".

By default, Tor now creates v3 onion services. If you want a v2 onion
service, you must specify that, as the guide shows (Step Four).

Now set up iptables, in iptables-persistent, to make sure that your onion
service doesn't leak in clearnet. Do "ip a" to get your interface name,
and use that instead of "eth0" in the rules below. Do "id -u debian-tor"
to get Tor's UID, and use that instead of "107" in the rules below.

Unless you have good reason not to, block all IPv6 traffic. For IPv4,
allow only SSH in, and only Tor. Plus related established connections.

# nano /etc/iptables/rules.v6
| *filter
|
| :INPUT DROP [0:0]
| :FORWARD DROP [0:0]
| :OUTPUT DROP [0:0]
|
| COMMIT

# ip6tables-restore < /etc/iptables/rules.v6

# nano /etc/iptables/test-rules.v4
| *filter
|
| :INPUT DROP [0:0]
| :FORWARD DROP [0:0]
| :OUTPUT DROP [0:0]
|
| -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A INPUT -m conntrack --ctstate INVALID -j DROP
| -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
| -A INPUT -j DROP
|
| -A FORWARD -j DROP
|
| -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| -A OUTPUT -o eth0 -m owner --uid-owner 107 -j ACCEPT
| -A OUTPUT -j DROP
|
| COMMIT

# iptables-restore < /etc/iptables/test-rules.v4

Now verify that you can still SSH in, from a new local terminal. If you
can, rename /etc/iptables/test-rules.v4 as /etc/iptables/rules.v4

# mv /etc/iptables/rules.v4 /etc/iptables/open-rules.v4
# mv /etc/iptables/test-rules.v4 /etc/iptables/rules.v4

You could also create an SSH onion service, and login using that,
instead of Tor exit to clearnet SSH port. That increases login
anonymity. But blocking clearnet SSH entirely in iptables is risky.
Because if something goes wrong with Tor setup in the VPS, you'll be
unable to login. And so you'll need to redo the VPS from scratch.

Anyway, then install nginx (not apache) and change the listen address
from 0.0.0.0 to 127.0.0.1

# nano /etc/nginx/sites-enabled/default
| ...
|
| # Default server configuration
| #
| server {
| listen 127.0.0.1:80 default_server;
| ...

That should about do it. In creating your site, don't use any
third-party resources, and 
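As an added example (not code from the thread), here is an audit script for the two iptables rulesets quoted above, the desktop one from the 2020-01-27 "restricting output to the tor process" post and the VPS one from this guide: it parses iptables-save text and reports whether egress is really confined to the uid the tor process runs as. The uid 1000 used for the Tor Browser bundled-tor case is a constructed value.

```python
"""Audit an iptables-save ruleset for Tor-only egress: FORWARD drops, OUTPUT
ends in DROP, and the only non-loopback egress ACCEPT is for tor's own uid."""
import shlex

# Desktop ruleset from the 2020-01-27 post (system tor runs as debian-tor).
DEBIAN_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""

# FORWARD/OUTPUT part of the VPS guide's rules, in its "| " quoted form.
VPS_RULES = """\
| *filter
| :INPUT DROP [0:0]
| :FORWARD DROP [0:0]
| :OUTPUT DROP [0:0]
| -A FORWARD -j DROP
| -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| -A OUTPUT -o eth0 -m owner --uid-owner 107 -j ACCEPT
| -A OUTPUT -j DROP
| COMMIT
"""


def parse_rules(text):
    """Return (chain policies, [{'chain', 'opts'}]) from iptables-save text."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.lstrip("| ").strip()  # tolerate the thread's "| " quoting
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            policies[line[1:].split()[0]] = line[1:].split()[1]
            continue
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:
            continue
        opts, i = {}, 2  # option -> value (None for bare flags)
        while i < len(toks):
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            opts[toks[i]] = toks[i + 1] if has_val else None
            i += 2 if has_val else 1
        rules.append({"chain": toks[1], "opts": opts})
    return policies, rules


def _loopback(opts):
    """True for rules that can only match traffic staying on the box."""
    return opts.get("-o") == "lo" or (opts.get("-d") or "").startswith("127.")


def audit_egress(text, tor_ids, untrusted_ids=()):
    """Report which uids may originate off-box traffic. tor_ids: identities
    tor runs as; untrusted_ids: uids running the browser and other apps."""
    policies, rules = parse_rules(text)
    out = [r["opts"] for r in rules if r["chain"] == "OUTPUT"]
    fwd = [r["opts"] for r in rules if r["chain"] == "FORWARD"]
    allowed, unconditional = set(), 0
    for o in out:
        if o.get("-j") != "ACCEPT" or _loopback(o):
            continue
        if "--uid-owner" in o:
            allowed.add(o["--uid-owner"])
        elif "--ctstate" not in o:  # new egress with no owner/state match
            unconditional += 1
    tor_ids, untrusted_ids = set(tor_ids), set(untrusted_ids)
    res = {
        "forward_dropped": policies.get("FORWARD") == "DROP"
        or any(o == {"-j": "DROP"} for o in fwd),
        "output_default_drop": policies.get("OUTPUT") == "DROP"
        or bool(out and out[-1] == {"-j": "DROP"}),
        "tor_allowed": bool(allowed & tor_ids),
        "other_ids": sorted(allowed - tor_ids),
        "untrusted_allowed": sorted(allowed & untrusted_ids),
        "unconditional_accepts": unconditional,
    }
    res["tor_only"] = (res["forward_dropped"] and res["output_default_drop"]
                       and res["tor_allowed"] and not res["other_ids"]
                       and not res["untrusted_allowed"] and not unconditional)
    return res


if __name__ == "__main__":
    print(audit_egress(DEBIAN_RULES, {"debian-tor"})["tor_only"])  # True
    # Tor Browser's bundled tor runs as the login user (uid 1000, constructed):
    # the rules block tor itself, and allowing uid 1000 instead lets every app
    # of that user bypass Tor, which is the 2020-01-27 post's complaint.
    print(audit_egress(DEBIAN_RULES, {"1000"})["tor_allowed"])  # False
    print(audit_egress(DEBIAN_RULES.replace("debian-tor", "1000"),
                       {"1000"}, {"1000"})["tor_only"])  # False
    print(audit_egress(VPS_RULES, {"107"})["tor_only"])  # True
```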

Re: [tor-talk] Building Tor Browser on ARM

2019-05-08 Thread Mirimir
On 05/07/2019 11:37 AM, J.S. Evans wrote:
> Hi all,
> 
> I'm attempting to build Tor Browser on an ARM64 machine. However, the install 
> tool requires that you download some x64 packages which of course breaks the 
> build. The following has details where it is breaking: 
> https://pastebin.com/11EFY1sQ Any suggestions for a workaround?
> 
> Jason

Some years ago, I built Tor browser on a Pi2. Maybe things have changed,
but here's what I did:

The Tor Project does not distribute Tor Browser for Raspbian wheezy, and
the Debian/Ubuntu version doesn't work. And so you will need to build
from source. That's actually (truly!) not very hard, because the
instructions at
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking are
clear, and work.

First install required packages.

$ sudo apt-get install --no-install-suggests --no-install-recommends zip
unzip libglib2.0-dev libgtk2.0-dev libdbus-1-dev libdbus-glib-1-dev yasm
libasound2-dev libcurl4-openssl-dev libxt-dev mesa-common-dev autoconf
autoconf2.13 libtool hardening-wrapper libgstreamer-plugins-base0.10-dev
pkg-config g++ libpulse-dev

Then clone the Tor Browser source.

$ git clone https://git.torproject.org/tor-browser.git

Don't worry about the "can't checkout" error, because git branch -a
handles that.

$ cd tor-browser
$ git branch -a
$ git checkout remotes/origin/tor-browser-31.5.0esr-4.5-1

Generate the configure scripts.

$ make $CONFIGURE_ARGS -f client.mk configure
CONFIGURE_ARGS="--with-tor-browser-version=4.5a4
--enable-update-channel=alpha"

Disable Tor Browser update, because none is available.

nano /home/pi/tor-browser/.mozconfig
...
#ac_add_options --enable-tor-browser-update
...

Compile. It should take 6-7 hours at 100% CPU. I recommend cooling the
Pi 2 with a small fan, to prevent overheating and self-protective shutdown.

$ make $MAKEOPTS -f client.mk build

Now make Tor Browser (Firefox).

$ make -C obj-* package INNER_MAKE_PACKAGE=true

It will be at
/home/pi/tor-browser/obj-armv7l-unknown-linux-gnueabihf/dist/firefox.

Download tor-browser-linux32-4.5a4_en-US.tar.xz and extract in /home/pi/.

$ mv /home/pi/tor-browser-linux32-4.5a4_en-US.tar.xz /home/pi/
$ tar xvfJ tor-browser-linux32-4.5a4_en-US.tar.xz
$ cp -a /home/pi/tor-browser/obj-armv7l-unknown-linux-gnueabihf/dist/firefox/* \
    /home/pi/tor-browser_en-US/Browser/
$ /home/pi/tor-browser_en-US/start-tor-browser

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] No Script

2019-05-04 Thread Mirimir
On 05/04/2019 02:28 PM, libertyinpe...@riseup.net wrote:
> No Script has been disabled.  How do I get around this problem? 
> Although having used Tor for years, I am no expert at this. Not being
> able to use No Script has compromised security.  A number of websites
> are now asking for my agreement to allow third party cookies and
> tracking. Any assistance with this would be most appreciated.
> 
> libertyinperil

See https://trac.torproject.org/projects/tor/ticket/30388 for temporary fix.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tor Browser disabled NoScript, but can't update

2019-05-04 Thread Mirimir
On 05/04/2019 12:21 AM, Joe wrote:
> I've used the latest stable TBB 8.0.8 (Linux) since released with the
> latest NoScript (at that time).
> Today is the 1st day I saw that NoScript was disabled by TBB.
> 
> I see now that it's not a TBB only issue, but also Firefox.
> A comment on Reddit said, "They [Mozilla] let their add-on signing
> certificate expire and it invalidated a shitload of add-ons."
> 
> I assume it expired today?  When TBB & Fx checked for addon versions, it
> saw the expired signing certificate.
> There is a script listed on Reddit that supposedly will re-enable the
> addons, but until Mozilla fixes the signing certificate bug, they said
> the script would need running every 24 hrs.

See https://trac.torproject.org/projects/tor/ticket/30388 for temporary fix.

> There is a new NoScript version 10.6.1, but it wouldn't be tweaked for
> TBB - downloading it from AMO or NoScript's site, even if it would install.
> 
> HTTPS Everywhere isn't tagged as a legacy addon for me, but it can't
> update to the new version, either.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


[tor-talk] temporary fix for disabled browser extensions

2019-05-04 Thread Mirimir
| All extensions disabled due to expiration of intermediate signing cert

https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

See https://news.ycombinator.com/item?id=19823928 for workarounds in
MacOS and Linux.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] How Greypony fucks everyone over

2019-05-03 Thread Mirimir
On 05/03/2019 03:04 AM, Stirling Newberry wrote:
> Greypony just attracts a bunch of script kiddies who have no business running 
> HS relays. All of those morons that run instances with Greypony are lazy and 
> cheap who don't want to pay for server colocation and don't want to pay their 
> dues on their mailing list or by getting known.
> 
> This isn't a welcoming community don't you get it You earn your keep and 
> when youre granted the ability and permission to run an exit they will grant 
> you the permission to run the EXIT.
> 
> Obviously Conrad doesn't deserve his Freedom of Speech on here because it's 
> the torproject's property and they can take it away from him. He doesn't 
> deserve to speak because he's probably a closeted homosexual given the fact 
> that he was in the Navy.
> 
> No one cares about Greypony or freebsd Conrad. Just give it up. Greypony is 
> like the crap that gets stuck in your dick after you're done vigorously 
> fucking a girl in the ass for 10 hours. You'll get a sliver of impacted shit 
> on your dick and that's Greypony a sliver of annoying impacted shit.
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 

Keep it comin', bro. More grist for stylometry :)
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] [tor-relays] Explain yourself Conrad Rockenhaus

2019-05-02 Thread Mirimir
On 05/02/2019 08:38 PM, bo0od wrote:
> I prefer to see trolls posting rather than someone from the military
> (specially USA). Aside from that this is technical list if im not
> mistaken so trolls or military or related to Tor shouldnt moderate
> anything in here in the first place because that would be meaningless.

Oh, so you don't want to see posts from paul.syver...@nrl.navy.mil?

> Mirimir:
>> On 05/02/2019 02:10 AM, Herbert Karl Mathé wrote:
>>> I strongly believe certain issues need be brought up into conscious, and 
>>> into presence: into discussion, actually.
>>>
>>> Therefore appreciating this as it might fit too well into context, at the 
>>> same time definitely deprecating 'filth' and similar.
>>>
>>> Keeping things below surface, or trying so, has too often proven to be a 
>>> very bad idea as these will come up sooner or later anyway, then with much 
>>> higher magnitude. Even worse, trust is then destroyed.
>>>
>>> --
>>> Herbert Karl Mathé
>>
>> I met Conrad online in September 2013, not long after the Washington
>> Navy Yard shootings. Which is how I remember when. He mentioned that he
>> was serving in the Navy then. And I vaguely recall that he's posted on
>> Tor lists about the military using Tor.
>>
>> Also, it's disgusting that he's been moderated off the Tor lists, while
>> trolls who have trash talked him are still posting.
>>
>> 
>>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] [tor-relays] Explain yourself Conrad Rockenhaus

2019-05-02 Thread Mirimir
On 05/02/2019 02:10 AM, Herbert Karl Mathé wrote:
> I strongly believe certain issues need be brought up into conscious, and into 
> presence: into discussion, actually.
> 
> Therefore appreciating this as it might fit too well into context, at the 
> same time definitely deprecating 'filth' and similar.
> 
> Keeping things below surface, or trying so, has too often proven to be a very 
> bad idea as these will come up sooner or later anyway, then with much higher 
> magnitude. Even worse, trust is then destroyed.
> 
> --
> Herbert Karl Mathé

I met Conrad online in September 2013, not long after the Washington
Navy Yard shootings. Which is how I remember when. He mentioned that he
was serving in the Navy then. And I vaguely recall that he's posted on
Tor lists about the military using Tor.

Also, it's disgusting that he's been moderated off the Tor lists, while
trolls who have trash talked him are still posting.


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Checking if an IP address is a Tor exit server though an API call

2019-04-30 Thread Mirimir
On 04/30/2019 12:06 AM, andre wrote:
> 
> Hello,
> 
> I know there is an API call to check if my own IP address is going through 
> tor, but I would like to know if there is an API call I can use, to check the 
> same with any IP address.

See https://www.dan.me.uk/tornodes. There's also supposedly "A tool to
check the TOR status of an IP, giving full detailed TOR information."
but I don't see a link for it.

> Thanks for your help.
> 
> André.
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
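
Added example, not code from the post above or from dan.me.uk: POSIX shell helpers that answer André's question offline against a downloaded exit list, and that build the query name for the DNS-based exit list for a live check. Two assumptions are mine, not the post's: the list is one IPv4 address per line with optional "#" comments, which is the format of https://check.torproject.org/torbulkexitlist, and the DNS zone dnsel.torproject.org answers 127.0.0.2 for an address that is currently an exit. A downloaded list is a snapshot, so pair it with the DNS lookup when the answer matters.

```shell
#!/bin/sh
# Added example: is a given IPv4 address a Tor exit?
# Not code from the tor-talk post; the list format, the list URL and the
# DNSEL zone name are assumptions stated in the lead-in.

# valid_ipv4 IP -> 0 if IP is four decimal octets in 0..255, else 1
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# dnsel_name IP -> the name to query in the DNS exit list: octets reversed,
# under dnsel.torproject.org (assumed zone).
# 1.2.3.4 -> 4.3.2.1.dnsel.torproject.org
dnsel_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.dnsel.torproject.org\n", $4, $3, $2, $1 }'
}

# dnsel_lookup IP -> prints the A records the exit-list zone returns
# (127.0.0.2 means "currently an exit"); needs network access and dig.
dnsel_lookup() {
    dig +short A "$(dnsel_name "$1")"
}

# fetch_exit_list FILE -> download the bulk exit list (one address per line)
fetch_exit_list() {
    curl -fsS https://check.torproject.org/torbulkexitlist -o "$1"
}

# is_tor_exit IP FILE -> 0 if IP is listed in FILE, 1 if not, 2 on bad input.
# "# ..." comments and surrounding whitespace in FILE are ignored; the match
# is whole-line, so 1.2.3.4 does not match 1.2.3.40.
is_tor_exit() {
    ip=$1; list=$2
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
    [ -r "$list" ] || { echo "cannot read exit list: $list" >&2; return 2; }
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list" | grep -qxF "$ip"
}
```

Typical use is `fetch_exit_list /tmp/exits.txt` once, then `is_tor_exit 203.0.113.7 /tmp/exits.txt` per address; `dnsel_lookup 203.0.113.7` asks the live DNS list instead.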


Re: [tor-talk] Nice to meet you! / WhatsApp by Tor?

2019-04-17 Thread Mirimir
On 04/17/2019 08:19 AM, GTI .H wrote:
> On Tue, 16 Apr 2019 at 17:26, Mirimir wrote:
> 
>> On 04/16/2019 12:39 PM, GTI .H wrote:
>>> On Tue, 16 Apr 2019 at 13:36, Mirimir wrote:
>>>
>>>> On 04/16/2019 08:48 AM, GTI .H wrote:
>>>>> Please, how can I use Tor to hide the origin IP in WhatsApp Android?
>>>>
>>>> Your safest option, if you must use WhatsApp, is to use it in an Android
>>>> VM, running on a small tablet, ...

Upon reflection, maybe I've missed the obvious option. Which is to just
run a Tor client on the phone, and WhatsApp with CCProxy.

So does that work?

And of course, if WhatsApp can see everything, there's no point to doing
it. And maybe that's where I was coming from. Basically, don't use a
real phone. Just an Android VM. Because that you can totally lock down.

>>> To avoid buying a Tablet, would it be possible to use this method with an
>>> Android VM running on the W10?
>>
>> I know nothing about Windows mobile devices.
> 
> 
> I did not mean Windows mobile devices, I'm talking about PC Windows 10 OS.

Oh. Sorry.

>> If it will run VirtualBox,
>>
> 
> Does it have to be VirtualBox? The W10 PC OS has the HyperV which is where
> the VMs run. Is not HyperV useful?
> I searched and saw that VirtualBox also runs on the PC W10 OS.

HyperV is OK, I guess. I used it, long ago. It might run VMs faster on
Windows 10 than VirtualBox does. But there is the possibility that the
Android VM won't work well with it.

>> and the Android VM can reach the Internet, sure.
> 
> 
> I think so, which VM would not access the internet?

I said that because I thought you were using Windows mobile. For Windows
10 on a PC, there shouldn't be problems. But if there are, it might be
that the Android VM is picky about network interface hardware. pfSense
chokes on some hardware, as I recall.

>> That way, you can run a
>> VPN client on the W10, and connect the Android VM through it. Or via
>> Tor, if that works.
>>
> 
> How would it be?
> Do I create a VM, install Android on it (if that's possible), and configure
> the VM Proxy with the Tor Socket with Tor open?

Yes, you run a version of Android that's been tweaked to run as a VM.
The host machine provides a "fake WiFi" connection for it. There's no
cellular account.

If you can use WhatsApp via a Tor SocksPort, using CCProxy or whatever,
that would be simplest. But Tor doesn't route UDP, so as I've said, you
need to verify that WhatsApp works without UDP connectivity.

If you need UDP for WhatsApp, and also want Tor-level anonymity, you'll
need to route a VPN through Tor. That's doable, because OpenVPN has a
socks-proxy option, and will use a Tor SocksPort. But you need to use
the VPN in TCP mode, because Tor doesn't route UDP.

You could run the VPN-via-Tor thing in the host machine, and the Android
VM would reach the Internet through the VPN tunnel. Or you could use a
gateway VM. I recommend using a gateway VM, because it gives you some
isolation, and it's easy to lock down with firewall (iptables) rules.

> What is the VM for? Not to leave vestiges in the HD of the PC?
> 
> What is the function of each item?
> * VM: Do not leave traces in the HD of the PC?

The VM is the Android device, which runs your WhatsApp client. There is
no separate smartphone. You can lock down the Android VM, so WhatsApp
can't see anything from the host machine. Such as your ISP-assigned IP.

> * VPN: Avoid Government / ISP Tracing?
> * Tor: hide IP from source?

Both Tor and VPNs protect you from observation by your ISP. And to some
extent, from governments. And both prevent WhatsApp, and your contacts,
from knowing your IP address.

Tor is far^N better at that than VPNs are. But if WhatsApp won't work
directly via Tor, you'll need a VPN.

> Would it be this?
> 
> 
>>>> which uses WiFi for connectivity. You can
>>>> lease real mobile SIMs from sites like https://speedyverify.com/ and do
>>>> it ~anonymously using well-mixed Bitcoin.
>>>>
>>>
>>>   and this site https://www.receive-sms-online.info/ is free, is not it
>> the
>>> same thing?
>>
>> Sites like that provide shared virtual mobile numbers. Some services
>> won't accept them.
> 
> 
> I'm going to test this week, but I think WhatsApp should accept this site.

As Cyaniventer noted, using services like that would be totally
insecure. I suppose that the same argument applies to Speedyverify, but
at least they're (hopefully) not sharing your SIM with others.

>> Also, phone numbers for WhatsApp accounts are really
>> the account IDs. So you need something that's ~permanent. Using that
>> site I linked, you actually buy SIMs. They just plug t

Re: [tor-talk] Nice to meet you! / WhatsApp by Tor?

2019-04-16 Thread Mirimir
On 04/16/2019 12:39 PM, GTI .H wrote:
> On Tue, 16 Apr 2019 at 13:36, Mirimir wrote:
> 
>> On 04/16/2019 08:48 AM, GTI .H wrote:
>>> Please, how can I use Tor to hide the origin IP in WhatsApp Android?
>>
>> Your safest option, if you must use WhatsApp, is to use it in an Android
>> VM, running on a small tablet, ...
> 
> 
> To avoid buying a Tablet, would it be possible to use this method with an
> Android VM running on the W10?

I know nothing about Windows mobile devices. If it will run VirtualBox,
and the Android VM can reach the Internet, sure. That way, you can run a
VPN client on the W10, and connect the Android VM through it. Or via
Tor, if that works.

>> which uses WiFi for connectivity. You can
>> lease real mobile SIMs from sites like https://speedyverify.com/ and do
>> it ~anonymously using well-mixed Bitcoin.
>>
> 
>   and this site https://www.receive-sms-online.info/ is free, is not it the
> same thing?

Sites like that provide shared virtual mobile numbers. Some services
won't accept them. Also, phone numbers for WhatsApp accounts are really
the account IDs. So you need something that's ~permanent. Using that
site I linked, you actually buy SIMs. They just plug them into their
system, when you need to use them. As far as I know, they don't charge
"rent" for SIMs. You just buy "five uses" (or whatever) packages.

>> I don't know whether WhatsApp absolutely requires UDP.
> 
> 
> Me neither, I saw this in a forum that talks about the ports used by
> WhatsApp.
> 
> 
>> If it does, then
>> using Tor would be difficult. You'd probably need to route a TCP-based
>> VPN service through it. Or instead, you could just use a VPN service, or
>> better, a nested VPN chain. I could offer more information if you like.
>>
> 
> Of course I want any information that can solve this problem, 10 years ago
> I look for a solution and I thought that now with the new technologies this
> could be possible.

Find out whether WhatsApp really needs UDP. If it does, you can email me
off-list, and we can discuss options.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Nice to meet you! / WhatsApp by Tor?

2019-04-16 Thread Mirimir
On 04/16/2019 08:48 AM, GTI .H wrote:
> Hi everyone, this is my first post here!
> 
> Excuse me if this is not the right place to ask this, I also think this may
> have been asked a lot, if that's the case, please direct me.
> 
> I want to use Tor to hide the origin IP in WhatsApp. I already have a
> method, but I do not know if it is effective:
> 
> * With the Tor Browser open, I configured with Tor Browser data the Proxy
> socket on my OS W10 that accesses the Internet over Ethernet,
> * I connected my Android Smartphone to my W10 WiFi.
> * I also have the OrBot on Android, but I do not know if it is effective to
> hide my IP to the destination.
> 
> It works?
> I see in my W10 Chrome that my IP has changed, but I'm not sure my IP will
> not leak, for example through the UDP protocol.
> 
> Please, how can I use Tor to hide the origin IP in WhatsApp Android?

Your safest option, if you must use WhatsApp, is to use it in an Android
VM, running on a small tablet, which uses WiFi for connectivity. You can
lease real mobile SIMs from sites like https://speedyverify.com/ and do
it ~anonymously using well-mixed Bitcoin.

I don't know whether WhatsApp absolutely requires UDP. If it does, then
using Tor would be difficult. You'd probably need to route a TCP-based
VPN service through it. Or instead, you could just use a VPN service, or
better, a nested VPN chain. I could offer more information if you like.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
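
Mirimir's 2019-04-17 reply earlier on this page spells out the design hinted at here: run OpenVPN in TCP mode through a Tor SocksPort, inside a gateway VM locked down with iptables so nothing can bypass the tunnel. As an added example, not configuration from either message, the shell functions below print such an OpenVPN client config and the gateway ruleset. Everything named is a placeholder I assume: the Debian layout (Tor SocksPort on 127.0.0.1:9050, running as user debian-tor), external interface eth0, internal interface eth1 facing the Android VM, tunnel interface tun0, and a VPN server reachable on a TCP port at an IP literal.

```shell
#!/bin/sh
# Added example, not from the tor-talk thread: OpenVPN through a Tor
# SocksPort, plus iptables rules for the gateway VM that runs both.
# Placeholders (assumptions): Tor SocksPort 127.0.0.1:9050 run as user
# debian-tor, external interface eth0, internal interface eth1 (the
# Android VM's side), tunnel interface tun0.

TOR_SOCKS_HOST=127.0.0.1
TOR_SOCKS_PORT=9050
EXT_IF=eth0
INT_IF=eth1
TUN_IF=tun0
TOR_USER=debian-tor

# openvpn_via_tor_conf VPN_IP VPN_TCP_PORT -> prints an OpenVPN client
# config that reaches the VPN server only through the Tor SocksPort.
# Tor carries TCP only, so the tunnel must be TCP; the server is given as
# an IP literal so its name is never resolved outside Tor.
openvpn_via_tor_conf() {
    vpn_ip=$1; vpn_port=$2
    case $vpn_ip in
        *[!0-9.]*|'') echo "remote must be an IPv4 literal, got '$vpn_ip'" >&2; return 2 ;;
    esac
    cat <<EOF
client
dev $TUN_IF
proto tcp-client
remote $vpn_ip $vpn_port
socks-proxy $TOR_SOCKS_HOST $TOR_SOCKS_PORT
nobind
persist-key
persist-tun
remote-cert-tls server
# ca, cert, key (or auth-user-pass) as issued by the VPN service go here
verb 3
EOF
}

# gateway_rules -> prints the iptables commands for the gateway VM.
# Policy: only the Tor process may talk to the outside directly; OpenVPN
# reaches Tor over loopback; everything else, including all traffic
# forwarded from the internal interface, may leave only via the tunnel.
gateway_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $TUN_IF -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
EOF
}

# ext_if_unowned_accepts -> number of rules that let packets out of $EXT_IF
# without an owner match; must be 0 or the lockdown has a hole.
ext_if_unowned_accepts() {
    gateway_rules | grep -- "-o $EXT_IF" | grep -v -- '--uid-owner' | grep -c ACCEPT || true
}

# apply_gateway_rules -> run the rules (root only) and enable forwarding
apply_gateway_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_rules | sh -e
}
```

Once the tunnel is up, `tcpdump -ni eth0 ip and not tcp` on the gateway should stay silent; any packet it shows left the VM outside Tor and is a leak to chase down.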


Re: [tor-talk] Onion website on "usual" server

2019-04-13 Thread Mirimir
On 04/13/2019 01:28 AM, xxx wrote:
> Hello,
> 
> I am running a dedicated box (Centos 7-64) with a few usual domains and
> websites.
> 
> Is it possible to host an .onion website there? If so, how to setup, is
> it safe (so that the .onion site IP won't be disclosed)?
> 
> Thank you!

Read the stuff that Cyaniventer linked, for sure.

But here's the problem. You run some web server, hosting (I gather)
multiple websites. That implies that you understand how to do that.

If you do, you just add another site to the config, which binds only to
127.0.0.1 using a different port (say 8000). Then you setup an onion
service that points to 127.0.0.1:8000. Also, you make sure that none of
your clearnet sites bind to 127.0.0.1 (just in case).

Even so, that's a little fragile. Mistakes happen. And there's the issue
of web server error messages from the onion site going to clearnet.
That's one of the mistakes that got DPR pwned.

The safest bet is running KVM on your server, and using a VM for the
onion site. And if that's too heavy, even Docker would help.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
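
As an added example, not configuration from the post, here is what "another site bound only to 127.0.0.1 on a different port, with the onion service pointed at it" looks like for nginx and tor, plus a shell check that reads `ss -ltn` output and flags the two binding mistakes the post warns about: the onion backend listening anywhere but loopback, and a clearnet site bound to a wildcard address, which makes it answer on 127.0.0.1 as well. nginx, port 8000, the clearnet IP 203.0.113.10 and the path /var/lib/tor/onion_site are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own config: an onion service fronting a
# loopback-only vhost on a server that also hosts clearnet sites, and a
# check for the two binding mistakes the post warns about.
# Assumed values: nginx, backend port 8000, clearnet IP 203.0.113.10,
# HiddenServiceDir /var/lib/tor/onion_site.

ONION_PORT=8000
CLEARNET_IP=203.0.113.10

# onion_vhost_conf -> nginx server block for the onion site: loopback only,
# no version banner, no absolute redirects that could name the real host.
onion_vhost_conf() {
    cat <<EOF
server {
    listen 127.0.0.1:$ONION_PORT;
    server_name _;
    server_tokens off;
    absolute_redirect off;
    root /srv/onion_site;
}
EOF
}

# clearnet_vhost_conf NAME -> a clearnet site bound to the public IP only,
# never 0.0.0.0, so it cannot also answer on 127.0.0.1.
clearnet_vhost_conf() {
    cat <<EOF
server {
    listen $CLEARNET_IP:80;
    server_name $1;
    root /srv/$1;
}
EOF
}

# torrc_fragment -> the onion service definition pointing at the backend
torrc_fragment() {
    cat <<EOF
HiddenServiceDir /var/lib/tor/onion_site/
HiddenServicePort 80 127.0.0.1:$ONION_PORT
EOF
}

# audit_listeners ONION_PORT < ss-output -> reads "ss -ltn" output on stdin,
# prints one finding per listener, returns 1 if anything is wrong.
# Wrong: the onion backend port on any address but 127.0.0.1, and any
# listener on a wildcard address (0.0.0.0, *, [::]), which includes loopback.
audit_listeners() {
    awk -v onion="$1" '
        $1 == "State" { next }                  # skip the ss header line
        NF < 4 { next }
        {
            laddr = $4
            port = laddr; sub(/.*:/, "", port)
            addr = laddr; sub(/:[^:]*$/, "", addr)
            if (port == onion && addr != "127.0.0.1") {
                print "FAIL onion backend port " onion " bound to " addr
                bad = 1
            } else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                print "FAIL wildcard listener " laddr " also answers on 127.0.0.1"
                bad = 1
            } else {
                print "ok   " laddr
            }
        }
        END { if (bad) exit 1; exit 0 }'
}
```

On the server itself, `ss -ltn | audit_listeners 8000` is the check to run after every config change; it is cheap insurance against exactly the kind of slip the post describes.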


Re: [tor-talk] What is the weirdest/creepiest thing you have found on the dark web?

2019-04-07 Thread Mirimir
On 04/07/2019 06:19 PM, Seth Caldwell wrote:
> I know the dark web can be a terrible place, with content not suitable for
> anyone, basically. Like illegal drug cartel, fake passports/IDs,creepy
> websites, and generally all around messed up stuff. If you feel comfortable
> talking about your experiences. Then, please reply to this Message.

Trolling tor-talk like this is in poor taste.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Is there a way to use internet in a sandbox environment? (Linux)

2019-04-04 Thread Mirimir


On 04/03/2019 05:40 PM, Jim wrote:
> Mirimir wrote:
>> On 04/03/2019 08:03 AM, Ben Tasker wrote:
>>> When the system boots from the disk, it loads the OS into memory, so
>>> things
>>> like your browser cache files are written into memory (and so lost
>>> when the
>>> DIMMs lose charge).  If you want persistence then most live CDs will
>>> allow
>>> you to provide a writeable media (normally a USB drive) for that
>>> purpose,
>>> but then you get back into the risks associated with having writeable
>>> media
>>> available.
> 
> As I stated in an earlier email I am out of date on this but in the "old
> days" this was certainly not true.  In the original Knoppix (which is
> the grandfather of all live systems TMK) if you had the memory there was
> a mode where you could load the image into memory, but this was not
> necessary.  If you did load the image into memory things ran a lot
> faster.  But the only files that *had to* reside in memory were those
> that were writable.  Over the years there have been at least two
> different methods allowing writable files that reside in memory to
> dynamically and transparently be used in place of the read-only files on
> the original image.
> 
> I have certainly run live CDs on computers that had much less RAM than
> the size of the CD.

I don't recall ever trying that with "normal" LiveCDs. And even "normal"
LiveDVDs are rarely much over 1GB. But I was talking about a custom
LiveDVD that I built. Which had a Debian system plus VirtualBox and
another ~3GB of virtual machine data. I do recall trying to boot that in
a machine with 4GB RAM, with no joy. Maybe I wasn't patient enough. And
it did take some minutes to come up in the 8GB machine.

Wild guess: maybe you need to design LiveCDs so they'll boot quickly in
low-RAM systems.

>> True. And there are some limitations. As far as I know, all live
>> read-only systems allocate half of the physical RAM to the system, and
>> half to working memory. So if your machine has 4GB RAM, you can load at
>> most a 2GB system image.
>>
>> But DVDs can hold ~4.7GB. So if your machine has 8GB RAM, you can load
>> 4GB from the DVD. Years ago, I built a live ISO with Debian, VirtualBox,
>> a pfSense VPN gateway VM, and stripped-down Whonix gateway and
>> workstation VMs. The workstation VM had just a simple openbox GUI. It
>> took several minutes to boot, but was very responsive afterward.
> 
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Is there a way to use internet in a sandbox environment? (Linux)

2019-04-03 Thread Mirimir
On 04/03/2019 08:03 AM, Ben Tasker wrote:
> On Wed, Apr 3, 2019 at 3:17 PM npdflr  wrote:
> 
>> Thanks a lot Jim for the information.
>>
>>
>>
>> If I am running a live system on a DVD for internet access and booting
>> from that DVD then the DVD should be able to write some data on itself
>> (Example: if I am using a browser then the browser needs to write some data
>> on the DVD to function). So, I would need a DVD-RW (DVD rewritable) not
>> DVD-R (one-time recordable disc)
>>
> 
> No, one time recordable is fine (preferable, even).

Yes. That's the point. Although it's possible to write to "one time
recordable" DVDs, that requires custom software and a cooperative DVD drive.

> When the system boots from the disk, it loads the OS into memory, so things
> like your browser cache files are written into memory (and so lost when the
> DIMMs lose charge).  If you want persistence then most live CDs will allow
> you to provide a writeable media (normally a USB drive) for that purpose,
> but then you get back into the risks associated with having writeable media
> available.

True. And there are some limitations. As far as I know, all live
read-only systems allocate half of the physical RAM to the system, and
half to working memory. So if your machine has 4GB RAM, you can load at
most a 2GB system image.

But DVDs can hold ~4.7GB. So if your machine has 8GB RAM, you can load
4GB from the DVD. Years ago, I built a live ISO with Debian, VirtualBox,
a pfSense VPN gateway VM, and stripped-down Whonix gateway and
workstation VMs. The workstation VM had just a simple openbox GUI. It
took several minutes to boot, but was very responsive afterward.

>> Running a live system on a USB would still have some risk as the USB could
>> read/write data to the attached Hard Disk of the PC or Laptop.
>>
>> A DVD-RW can't read/write to the attached Hard Disk on its own, am I right?
>>
>>
>>
> It can just as easily as the same ISO running off the USB could. If you
> need that level of security, then you're going to want to remove the
> harddrive from the system.

Or just unplug the data and power cables.

> Alternatively make sure whatever system you've got installed on the
> harddrive is using software Full Disk Encryption. At which point the ISO
> cannot read any data from it, and write attempts will (at most) corrupt
> your filesystem.
> 
> 
> 
> 
> 
> 
> 
>>
>>
>>
>>  On Tue, 02 Apr 2019 23:12:00 -0700 Jim  wrote 
>>
>> npdflr wrote:
>>
>>> Can you elaborate or give example on how to run a live CD/DVD for
>>> internet access.
>>
>> It has been a while since I have done this so I am a bit out of date,
>> but presumably the procedure hasn't changed.  You need to find and
>> download an .iso image from the internet or obtain it from another
>> source.  Hopefully the creators of the image provide a way to verify
>> that the image you get is correct and unaltered (PGP signature, a signed
>> list of secure hashes, etc).  You should verify your image.  Then you
>> need to burn the image to a CD or DVD (as appropriate) *as an image*.
>> You can find instructions on the Internet about how to do this.  Do
>> *not* just write it to the optical disk as a file.  Put the disk in
>> your computer and boot to it.  You will then be running from the optical
>> disk and there should be no hard drive access unless you specifically
>> request it.
>>
>> There are multiple live systems to choose from.  Probably all will give
>> you Internet access but some/many may not include Tor.  Tails does
>> include Tor and is specifically set up to direct all Internet traffic
>> through Tor.  There may be others.  You should be able to find any
>> additional information you need through searching the Internet.
>>
>> My impression is these days it is more common to run live systems from
>> thumb drives than optical disks.  But I specifically mentioned CD/DVDs
>> because they are read-only media and therefore can't get infected
>> (assuming your original image is clean).
>>
>>> One has to install an OS on the CD/DVD and there needs to be some means
>>> for CD/DVD to access a network-specific firmware etc for using the
>>> internet, am I right?
>>
>> Live systems auto-detect hardware and will usually "just work" with the
>> hardware you have.  If it doesn't you need to either find a different
>> live system or different hardware.  But if your hardware works with
>> standard Linux I wouldn't expect a problem.
>>
>> HTH
>>
>> Jim
>>
>> --
>> tor-talk mailing list - mailto:tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>> --
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
> 
-- 
tor-talk mailing list - 
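
Jim's advice quoted in the message above (verify the image's PGP signature or signed hash list, then write it to the disc as an image rather than as a file) as added shell functions; this is not code from anyone in the thread. The tool names are assumptions about the host doing the verifying and burning: sha256sum or the Perl shasum, gpgv with a keyring you fetched and checked beforehand, growisofs for DVD and dd for USB. The vendor file names SHA256SUMS and *.sig are placeholders too.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded live image
# before booting it, then write it to a DVD or USB stick *as an image*.
# Tool names (sha256sum/shasum, gpgv, growisofs, dd) and the file names
# SHA256SUMS / *.sig are assumptions; adjust to what the vendor ships.

# sha256_of FILE -> the hex digest only (coreutils or the Perl shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_image_hash IMAGE SUMSFILE -> 0 if IMAGE's digest matches the entry
# for its basename in SUMSFILE ("hash  name" lines, "*name" also accepted),
# 1 on mismatch, 2 if SUMSFILE has no entry for it.
verify_image_hash() {
    image=$1; sums=$2
    expected=$(awk -v f="$(basename "$image")" '
        { n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $image in $sums" >&2; return 2; }
    actual=$(sha256_of "$image")
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH for $image: do not boot it" >&2
        return 1
    fi
}

# verify_signature SIGNEDFILE SIGFILE KEYRING -> 0 only if the detached
# signature verifies against KEYRING. Build KEYRING from the vendor's key
# after checking its fingerprint against a second source; a bare keyserver
# fetch proves nothing. Works for a signed hash list or for the image itself.
verify_signature() {
    gpgv --keyring "$3" "$2" "$1"
}

# verify_image IMAGE SUMSFILE SUMSSIG KEYRING -> the whole chain: signature
# on the hash list first, then the image against the verified list.
verify_image() {
    verify_signature "$2" "$3" "$4" || return 1
    verify_image_hash "$1" "$2"
}

# write_dvd IMAGE DEVICE -> burn as an image, not as a file on a filesystem
write_dvd() {
    growisofs -dvd-compat -Z "$2=$1"
}

# write_usb IMAGE DEVICE -> raw copy onto the whole device; refuses if
# DEVICE is not a block device or any of its partitions is mounted, because
# dd will not ask.
write_usb() {
    image=$1; dev=$2
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 2; }
    if grep -q "^$dev" /proc/mounts 2>/dev/null; then
        echo "$dev is mounted; unmount it first" >&2; return 2
    fi
    dd if="$image" of="$dev" bs=4M conv=fsync status=progress && sync
}
```

Typical sequence: `verify_image live.iso SHA256SUMS SHA256SUMS.sig vendor-keyring.gpg && write_dvd live.iso /dev/sr0`. The order matters: the signature is what ties the hash list to the vendor, the hash is what ties the image to the list.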

Re: [tor-talk] Syncing bookmarks

2019-03-31 Thread Mirimir
On 03/31/2019 05:37 PM, anan wrote:
> 
> 
>> ‐‐‐ Original Message ‐‐‐
>> On Saturday, March 30, 2019 5:55 PM, anan  wrote:
>>
>>> Anyone syncs Torbrowsers' bookmarks?
>>> How do you do it?
>>> Maybe with your self-hosted server?

In the old browser, look in .../foo.default/bookmarkbackups. You'll see
a bunch of bookmarks-...jsonlz4 files. Copy the latest one somewhere. In
the new browser, go to Library / Import and Backup / Restore, and select
the file that you saved. Done.

>> Bookmarks I need to store I keep in a private Shaarli 
>> (https://github.com/shaarli/Shaarli) instance.
> 
> Wow, Shaarli seems just what I need. Thank you!
> 
> 
>> I'd rather not fight with questionable synchronization protocols if I can 
>> help it.
>>
> 
> Are you talking about Nextcloud? If so, please let me know your
> thoughts. I just know the android client is bad, they did a very
> complicated thing instead of letting the user choose per folder 2 way
> sync or one-way upload or download sync.
> 
> But thought the rest was ok...
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] tor project website change

2019-03-29 Thread Mirimir
On 03/29/2019 08:36 AM, dns1...@riseup.net wrote:
> Excuse my bad English, probably I'm not writing correctly.
> 
> In the mail of 28 March 2019 11:06:07 CET, from grarpamp, I read:
> 
> "...
> 
> "
> a 501(c)3 US nonprofit.
> "
> With rather curious amounts of potentially highly
> user adversarial funding sources.
> ..."

He means the US government, I think.

> On 29/03/19 14:36, Mirimir wrote:
>> On 03/29/2019 06:07 AM, dns1...@riseup.net wrote:
>>> I'm not in the position to talk about the architecture or other
>>> technical aspects because I'm not expert enough. I don't say that the
>>> network doesn't have problems.
>>>
>>> But i think that some things you said are a bit of stretch; for example,
>>> why adversaries should finance tor project and publicly it if they have
>>> a malicious intent?
>> Where do you see that? I've reread his post several times, and see
>> nothing about "adversaries should finance tor project". It is true that
>> some criticize Tor because it was originally a US Navy project, and
>> still gets funding from US governmental entities. But that's not an
>> argument that I recall grarpamp ever making. Unless he's juan, anyway.
>>
>>> It would be interesting to me to know what other people think about what
>>> you said.
>> The main thrust of his criticism, as I interpret it, is that Tor
>> explicitly doesn't protect against global passive adversaries. Let alone
>> global _active_ adversaries, such as the NSA. As I understand it, that
>> reflected both "it would be too hard to do that, without unacceptable
>> latency and traffic overhead" and "they don't likely exist, or if they
>> do, they're our friends".
>>
>> Some systems have been proposed that use padding and chaff to make
>> traffic analysis harder. But as grarpamp says, it'd be hard for the Tor
>> Project to implement stuff like that in the existing Tor network. Much
>> harder than the v3 onion upgrade, anyway. And the other side of it is
>> that Tor works well enough that implementing one of the newer designs
>> seems unlikely. Given that potential volunteers are working on Tor.
>>
>>> On 29/03/19 03:08, grarpamp wrote:
>>>> On 3/28/19, dns1...@riseup.net wrote:
>>>>> I think you are affected by cognitive bias.
>>>> Tor is affected by lack of external thought.
>>>>
>>>>> You are blindly looking only for bad things.
>>>> Your adversaries are assuredly looking at those things and more.
>>>> If you are not looking at them, you're done in mate.
>>>>
>>>>> Of course the network is not perfect, but is the best we have
>>>> That's apologist talk to avoid clean slate researching
>>>> and creating better architectures, even to the
>>>> then at that point possibly legit point of being
>>>> able to actually make that declaration.
>>>>
>>>>> and we should make our best to improve it.
>>>> Tor is and will always be 20 year old architecture
>>>> from time before current adversary models were
>>>> say matured if not known. Tor's relatively
>>>> simple and effectively static with only marginal
>>>> improvements left. And has outright traded off
>>>> and/or discarded design models that others
>>>> might not today.  (And obviously Tor arch cannot
>>>> be substantially changed while still calling itself Tor.)
>>>>
>>>> Before declaring Tor sufficient against today threats
>>>> you need to analyse it against today threats
>>>> vs new networks being research and deploy
>>>> against today threats.
>>>>
>>>>> trying to delegitimate everything.
>>>> Those concerned with messengers vs
>>>> messages are prone to miss some dead canaries.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] tor project website change

2019-03-29 Thread Mirimir
On 03/29/2019 06:07 AM, dns1...@riseup.net wrote:
> I'm not in the position to talk about the architecture or other
> technical aspects because I'm not expert enough. I don't say that the
> network doesn't have problems.
> 
> But i think that some things you said are a bit of stretch; for example,
> why adversaries should finance tor project and publicly it if they have
> a malicious intent?

Where do you see that? I've reread his post several times, and see
nothing about "adversaries should finance tor project". It is true that
some criticize Tor because it was originally a US Navy project, and
still gets funding from US governmental entities. But that's not an
argument that I recall grarpamp ever making. Unless he's juan, anyway.

> It would be interesting to me to know what other people think about what
> you said.

The main thrust of his criticism, as I interpret it, is that Tor
explicitly doesn't protect against global passive adversaries. Let alone
global _active_ adversaries, such as the NSA. As I understand it, that
reflected both "it would be too hard to do that, without unacceptable
latency and traffic overhead" and "they don't likely exist, or if they
do, they're our friends".

Some systems have been proposed that use padding and chaff to make
traffic analysis harder. But as grarpamp says, it'd be hard for the Tor
Project to implement stuff like that in the existing Tor network. Much
harder than the v3 onion upgrade, anyway. And the other side of it is
that Tor works well enough that implementing one of the newer designs
seems unlikely. Given that potential volunteers are working on Tor.

> Il 29/03/19 03:08, grarpamp ha scritto:
>> On 3/28/19, dns1...@riseup.net wrote:
>>> I think you are affected by cognitive bias.
>> Tor is affected by lack of external thought.
>>
>>> You are blindly looking only for bad things.
>> Your adversaries are assuredly looking at those things and more.
>> If you are not looking at them, you're done in mate.
>>
>>> Of course the network is not perfect, but is the best we have
>> That's apologist talk to avoid clean slate researching
>> and creating better architectures, even to the
>> then at that point possibly legit point of being
>> able to actually make that declaration.
>>
>>> and we should make our best to improve it.
>> Tor is and will always be 20 year old architecture
>> from time before current adversary models were
>> say matured if not known. Tor's relatively
>> simple and effectively static with only marginal
>> improvements left. And has outright traded off
>> and/or discarded design models that others
>> might not today.  (And obviously Tor arch cannot
>> be substantially changed while still calling itself Tor.)
>>
>> Before declaring Tor sufficient against today threats
>> you need to analyse it against today threats
>> vs new networks being research and deploy
>> against today threats.
>>
>>> trying to delegitimate everything.
>> Those concerned with messengers vs
>> messages are prone to miss some dead canaries.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] tor project website change

2019-03-28 Thread Mirimir
On 03/28/2019 02:27 AM, Nicolas Vigier wrote:
> On Wed, 27 Mar 2019, Mirimir wrote:
> 
>> On 03/27/2019 08:01 AM, Udo van den Heuvel wrote:
>>> Hello,
>>>
>>> Who changed the web content at https://www.torproject.org/download/ ?
>>> Previously I could relatively easily check for the latest tor version
>>> but now I get only a number of tor browser options in a page that is way
>>> too big for what it offers. (and I use a 4K screen)
>>> Why was this done? What purpose does it serve for tor? (not the browser)
>>> And where is one supposed to find the tor download page from that (now)
>>> tor browser page?
>>>
>>> Udo
>>
>> Yes, the Tor Project site has increasingly focused on Tor browser.
> 
> And the blog post is saying:
> https://blog.torproject.org/meet-new-torprojectorg
> 
> In addition to this update, we are also better organizing all the
> other content into different portals. For instance, last year we
> launched our support portal to host all the content related to user
> support. Coming next will be our community.torproject.org portal
> that will feature content related to the different ways you can join
> our community and spread the word about Tor. The portal for all of
> our free software projects will soon be dev.torproject.org.
> 
> So there are plans to add the information that is currently missing
> from the new website to those new portals. And in the meantime the old
> website is still available at https://2019.www.torproject.org/.

Is there a link to that on the new version? I didn't see one on the
first page.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] tor project website change

2019-03-28 Thread Mirimir
On 03/27/2019 11:19 PM, Shreyas Zare wrote:
> Tor (Expert Bundle) for Windows link is also missing in new download page.
> I hope it gets added on the advance install option page.
> 
> *Shreyas Zare*
> Technitium <https://technitium.com>

The Tor Project has been discouraging standalone use of Tor in Windows
for some years. And so has gradually buried links to anything but Tor
Browser.

> On Thu, Mar 28, 2019 at 11:23 AM Udo van den Heuvel 
> wrote:
> 
>> On 27-03-19 18:46, Mirimir wrote:
>>> Yes, the Tor Project site has increasingly focused on Tor browser.
>>
>> I see.
>> Is that helping tor?
>> It looks like the website maintainers do not understand tor well enough.
>>
>> Udo
>>
>> --
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] tor project website change

2019-03-27 Thread Mirimir
On 03/27/2019 08:01 AM, Udo van den Heuvel wrote:
> Hello,
> 
> Who changed the web content at https://www.torproject.org/download/ ?
> Previously I could relatively easily check for the latest tor version
> but now I get only a number of tor browser options in a page that is way
> too big for what it offers. (and I use a 4K screen)
> Why was this done? What purpose does it serve for tor? (not the browser)
> And where is one supposed to find the tor download page from that (now)
> tor browser page?
> 
> Udo

Yes, the Tor Project site has increasingly focused on Tor browser.

I find https://www.torservers.net/wiki/setup/server far more useful.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address

2019-01-25 Thread Mirimir
On 01/25/2019 04:32 AM, Alec Muffett wrote:
> On Fri, 25 Jan 2019, 10:43 Mirimir  
>>
>> I don't do audio on this box.
> 
> 
> I'll wait; most questions about "what do [I] mean?" are answered in that
> video.

OK. Hopefully you point to some resources for learning that stuff.

> Let's say that I have a bunch of VPS, running Tor and OnionCat. Each has
>> the others' OnionCat IPv6 addresses in its /etc/hosts. Now I can use any
>> app that talks TCP/IP, without customization (except re latency).
>>
> 
> How are you going to inhibit leaks and connections to "promiscuous" service
> listener-sockets over the LAN interface? Perhaps firewalls? Yet more /
> additional server misconfiguration opportunities?

Yes, with OnionCat, you're on an open LAN. So I use restrictive iptables
rules for IPv6. Just as I do for IPv4. I drop all packets by default,
and allow only required addresses and ports.

> Safer, instead, for the client to be clear and explicit about what manner
> of network address it wishes to connect to.

I suppose. But way back when, one could have used the same argument
against development of TCP/IP. Perhaps you do. But damn, it'd be a very
different Internet. And perhaps you would have preferred that. Yes?

> I'm sure that one could write code that did all the same stuff, using
>> actual v3 onion hostnames.
> 
> 
> 
> I've done similar hacks using /etc/hosts:
> 
> https://github.com/alecmuffett/the-onion-diaries/blob/master/basic-production-onion-server.md
> 
> ... but that is mostly a server-side convenience, and not strictly
> necessary.

OK, thanks.

> .What do you mean by "services"?
> 
> 
> As above.
> 
> 
> If all you have is SOCKS5, you're pretty
>> limited.
> 
> 
> My experience suggests otherwise, and I am calling for expansion in this
> space.
> 
> 
> you use shims like AF_X25. I never had to use that, but I'm sure that
>> OnionCat is far less hassle.
>>
> 
> How many systems do you have using it?
> 
> -a

My friends and I use OnionCat quite heavily. We're interested in
reliable private networking for mutually anonymous servers. Primarily as
a capability, and not for any particular application. But for example,
say that one must transfer filesystem images or VMs, for backup or
sharing. We've found that bbcp (using the MPTCP kernel, with multiple
OnionCat interfaces) works very well for that.

Stuff that requires UDP transport is especially problematic with Tor.
Private Docker registries, for example. We've tested a few VPNs in TCP
mode, but nothing has proved as reliable as OnionCat. It is necessary to
use custom wrappers, I admit, because the stock systemd service is quite
fragile. Or maybe it's just that OnionCat is no longer maintained.

In recent years, my friends and I have played with various P2P networks
(such as Freenet, BitTorrent and various VoIP apps) and distributed
filesystems (such as LizardFS, QFS and Tahoe-LAFS). The P2P stuff tends
to work well enough with Tor+OnionCat. But high latency tends to be
problematic for distributed filesystems (albeit less so for Tahoe-LAFS).

I appreciate concerns about overloading the Tor network. However, it's
arguable that increased traffic among onions, as chaff, would actually
improve anonymity for other users. And it's my understanding that it's
exit bandwidth that's most limited. But OnionCat puts no explicit load
on exit-only relays.

From https://metrics.torproject.org/bandwidth-flags.html I get that
relays without the exit flag (middle relays and most guards) are
underutilized. Currently, 110 Gbit/s out of 240 Gbit/s is consumed.
That's less than 50%, on average. Also, it's my impression that, given
Tor's relay-selection logic, only the fastest non-exit relays get much
use at all. And based on a recent thread on tor-relays, even some
high-speed non-exit relays see only ~20% utilization.

Anyway, that's why I value OnionCat. If I had to, I could learn to use
v3 onion sockets. But I fear that it would be painful.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address

2019-01-25 Thread Mirimir
On 01/25/2019 02:40 AM, Alec Muffett wrote:
> On Fri, 25 Jan 2019 at 08:54, Mirimir  wrote:
> 
> I've not heard of "Tor v3 Onion Networking". Does it exist? Or if not, are
>> there plans? Or do you mean just using v3 onion-onion sockets? That would
>> be painful.
>>
> 
> Yes, I mean almost precisely that.

I was afraid that you were going to say that.

> Explanatory video: https://www.youtube.com/watch?v=qcPfJj7CY1A

I don't do audio on this box. I do a pretty good job of keeping cameras
out of my workspace, but don't have sound-proofing :( And Youtube CC is
painful. But hey, I'll watch it all later :)

> All this talk about making Onions pretend to be TCP/IP is ... not
> maximising the value proposition of Onion Networking, in pursuit of some
> result where I cannot see a clear benefit. (Adoption of a substandard[*]
> solution, for adoption's sake?)

Let's say that I have a bunch of VPS, running Tor and OnionCat. Each has
the others' OnionCat IPv6 addresses in its /etc/hosts. Now I can use any
app that talks TCP/IP, without customization (except re latency).

I'm sure that one could write code that did all the same stuff, using
actual v3 onion hostnames. There are probably Python (or whatever)
libraries for that. And maybe that's the best approach. But whatever it
was, it'd be cool if tools like ping, bbcp, etc could interface with it.

> Tor's "presentation layer" is SOCKS5, which is okay ; perhaps eventually we
> will have AF_ONION in the same way that AF_X25 exists:
> 
> http://man7.org/linux/man-pages/man7/x25.7.html

Yeah, something like that :)

> ...and like I had to use for sending/receiving email at X.25-based UK
> universities in the early 1990s.
> 
> But we don't need AF_ONION and a socket stack yet; what I think we need
> right now is people making more services available on v3 onion addresses,
> because it's faster and more secure.

What do you mean by "services"? If all you have is SOCKS5, you're pretty
limited. Unless you use shims like AF_X25. I never had to use that, but
I'm sure that OnionCat is far less hassle.

> Easing client connectivity by any means, does not provide benefit when
> there are no servers/peers to talk to (see video).
> 
> [*]Simply: I am happier to see the end clients knowing that they are
> talking directly to Tor rather than relying upon some per-operating-system
> "shim" to make Tor available to them; aside from any other reason, shims
> tend to get pushed upstream (NAT-boxes, anyone?) and further break the
> end-to-end principle.
> 
> - alec
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] [Cryptography] Implementing full Internet IPv6 end-to-end encryption based on Cryptographically Generated Address

2019-01-25 Thread Mirimir
On 01/24/2019 12:44 PM, Alec Muffett wrote:
> On Thu, 24 Jan 2019 at 19:33, grarpamp  wrote:
> 
>> As readers may be aware,
>> Tor has an interesting capability via OnionCat and OnionVPN
>> ...
> 
> There's an open project for anyone who wants it...
>> To bring IPv6 over v3 onions to Tor.
>>
> 
> Hi Grarpamp,
> 
> I'm aware of this.  I've seen you mention it, several times recently.
> 
> I'm wondering: could you please expand upon how this compares in importance
> to simply promoting the native adoption of Tor v3 Onion Networking, amongst
> the community of tool-developers and tool-users whom you envision the above
> solution (OnionCat/OnionVPN/IP-routing) benefitting?
> 
> Thanks!
> 
> -alec

I've not heard of "Tor v3 Onion Networking". Does it exist? Or if not,
are there plans?

Or do you mean just using v3 onion-onion sockets? That would be painful.

If there were native overlay networking among v3 onions, which handled
UDP as well as TCP, that would arguably be a better solution. But you
can't just invent an addressing scheme, because none of the existing
tools and apps could use it. For compatibility, isn't IPv6 the only
workable approach? The IPv4 space is way too small.

Indeed, as discussed in other threads, v3 onion mapping would take a
large chunk of IPv6. And that would mean stepping on assigned public
IPv6 ranges. Or just using a restricted v3 address space.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] WTF? [was Re: Why do you use Tor?]

2018-12-11 Thread Mirimir
On 12/11/2018 12:13 AM, Masayuki Hatta wrote:
> HI,
> 
>> Mirimir wrote:
>>> So hey, I just got this. Anyone else?
> 
> I got this too.  Seems a list member (allmyjenks at gmail.com?) uses
> this service and reply to the author of the mail.  Very annoying.

Yes, that's him/her/it.

I get maybe 1-2 sex spam now. Lately all from gmail accounts. And I
can't really drop everything from gmail. But whatever. It's the price of
freedom, I guess.


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Why do you use Tor?

2018-12-10 Thread Mirimir
On 12/10/2018 10:05 AM, Nathaniel Suchy wrote:
> Hi,
> 
> I'm curious to learn the reasons that various people on the lists, for those 
> who are comfortable sharing, why they use Tor. I'm also curious as to whether 
> users on this list only use Tor or if there are times they use a normal 
> browser (if so what tasks).
> 
> I use Tor mainly as an incognito browser probably once or twice a day 
> depending on my needs. Often there's things I don't want to leave in a 
> browser history or my home ISP to know about. It's also nice if I want to 
> watch a specific video or resource on a website and don't want it in my 
> recommendations later on. That said there are some things I just look at in 
> Safari (please don't judge me for using a WebKit Browser :P    )
> 
> What about people on this list? Look forward to hearing from you all :)
> Cordially,
> Nathaniel Suchy

It's a lot like that for me. But I do formalize, considering that I have
various online personas, and compartmentalize them. So for example, as
my meatspace persona, I never use Tor. Just a mainstream VPN service,
usually one of the ones that consumer sites recommend. Maybe even HMA ;)

That's so I blend in. Where I am, it's quite common to use VPN services
for torrenting, streaming, etc. So my family and I do all that, and I
just chain additional VPN services for other personas. But Tor, that
would be unusual, and the less of that the better.

Mirimir uses nested VPN chains. But never Tor. Some of my other personas
use other nested VPN chains. But most of them add Tor to the mix. Also,
I lease (as anonymously as possible) servers and VPS, for various
projects. I hit those with SSH via Tor (sometimes via exits, and
sometimes via .onion SSH. And then, from them, I lease and manage other
stuff.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] What happens when an .onion site is compromised?

2018-12-06 Thread Mirimir
On 12/06/2018 01:51 PM, Nathaniel Suchy wrote:
> If an onion site is compromised, you can serve the user malicious content and 
> with a Tor Browser Vulnerability can harm its users.
> 
> If your private key is compromised, your only recourse is to go create a new 
> onion address.
> 
> We don't know what vulnerabilities exist in the current version of Tor 
> Browser. If IP Leaks and zero day vulnerabilities put you in physical danger, 
> consider Tor Tails. It uses firewall rules to try and block non-tor traffic. 
> It's not bulletproof but simple proxy bypasses are mitigated.

Whonix is arguably more bulletproof, in that the tor daemon and Tor
browser (along with many other apps) are on separate virtual machines,
which can be running in VirtualBox (easiest), KVM (harder) or Qubes
(arguably hardest).

So Tor browser and other userland apps can not reach the Internet except
via Tor. And for malware dropped in the Whonix workstation VM to mess
with the tor daemon, or reach the Internet, guest-to-host breakout is
required.

Also, Whonix gateway and workstation can be separate physical machines.
That makes breakout even harder. Not impossible, of course, but harder.

> Regarding the "CP Site" that you mentioned, the thing is that if the 
> pedophiles had been using an up to date version of Tor Browser or you know, 
> not looking at child pornography on Windows (macOS / Linux builds were not 
> targeted as far as we know), they would not have been caught and would have 
> remained free.

Yeah, that was all Windows malware.

> Some lessons learned...
> 1) Keep Tor Browser up to date
> 2) Don't do illegal things on Windows, it has 
> more users and is easier to mass target the most criminals by focusing on 
> Windows hosts
> 3) Maybe, just maybe, don't look at child pornography in the first place
> 
> Cordially,
> Nathaniel Suchy
> 
> 
> 
> Dec 6, 2018, 3:33 PM by jiggytwi...@danwin1210.me:
> 
>> Imagine that an .onion site is compromised. This could be by the owner who
>> wishes to expose visitors or by the police who want to target the
>> clientele.
>>
>> (I remember, in the latter case, reading something on Deep Dot Web about
>> when the FBI took over a CP site and installed malware).
>>
>> The goal is to acquire users' real IP addresses.
>>
>> What would happen to a visitor if they visited a booby trapped .onion
>> site? The visitor would be using the current version of TBB. How would it
>> be possible for a visitor to be in danger?
>>
>>
>> -- 
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tor official list of new .onion addresses?

2018-12-04 Thread Mirimir
On 12/04/2018 08:41 AM, Aaron Johnson wrote:
> If you want to keep your onion address hidden, you should run a v3 onion 
> service. An improvement of v3 over v2 is that Hidden Service Directories can 
> no longer identify the onion address of the onion-service descriptors they 
> store. As a result, there is no point in any Tor protocol at which a v3 onion 
> address is leaked to any relay. As long as you keep the address to yourself, 
> noone will be able to find it. For more information about v3 onion services, 
> see <https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames 
> <https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames>>.
> 
> Aaron

That is very cool. But the problem for me is that v3 breaks OnionCat.
There was that sweet matchup between v2 onions and an IPv6 /48.

So is there an efficient way to specify a v2-sized subset of v4 onions?

>> On Dec 3, 2018, at 10:28 PM, Mirimir  wrote:
>>
>> On 12/03/2018 10:42 PM, Nathaniel Suchy wrote:
>>
>> 
>>
>>> You mentioned "HiddenServiceAuthorizeClient", a feature I did not know 
>>> about. I'm going to figure out if this is possible to implement on the SSH 
>>> System as that would solve some concerns about a leaked onion address. 
>>> Could you elaborate a bit more on this functionality?
>>
>> 
>>
>> I've just used basic authentication.
>>
>> In the .onion server torrc:
>>
>> $ sudo nano /etc/tor/torrc
>> ...
>> HiddenServiceDir /var/lib/tor/foo
>> HiddenServiceAuthorizeClient basic [16-character-string]
>> HiddenServicePort 22 127.0.0.1:22
>> ...
>>
>> $ sudo cat /var/lib/tor/foo/hostname
>> [v2-hostname].onion [22-character-string] # client: [16-character-string]
>>
>> The client ID must be 16 alphanumeric characters. Then you use the 22
>> character string in the client torrc.
>>
>> In the client:
>>
>> $ sudo nano /etc/tor/torrc
>> ...
>> HidServAuth [v2-hostname].onion [22-character-string]
>> ...
>> -- 
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tor official list of new .onion addresses?

2018-12-03 Thread Mirimir
On 12/03/2018 10:42 PM, Nathaniel Suchy wrote:



> You mentioned "HiddenServiceAuthorizeClient", a feature I did not know about. 
> I'm going to figure out if this is possible to implement on the SSH System as 
> that would solve some concerns about a leaked onion address. Could you 
> elaborate a bit more on this functionality?



I've just used basic authentication.

In the .onion server torrc:

$ sudo nano /etc/tor/torrc
...
HiddenServiceDir /var/lib/tor/foo
HiddenServiceAuthorizeClient basic [16-character-string]
HiddenServicePort 22 127.0.0.1:22
...

$ sudo cat /var/lib/tor/foo/hostname
[v2-hostname].onion [22-character-string] # client: [16-character-string]

The client ID must be 16 alphanumeric characters. Then you use the 22
character string in the client torrc.

In the client:

$ sudo nano /etc/tor/torrc
...
HidServAuth [v2-hostname].onion [22-character-string]
...
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
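An added example, not code from the post or from tor: a Python script that reads a v2 onion service's hostname file in the layout shown above (a constructed sample stands in for /var/lib/tor/foo/hostname) and derives the HidServAuth line each client needs, checking the 16-character v2 hostname and 22-character cookie shapes before anything is pasted into a client torrc; it also covers the quoted copy of these same instructions in the 2018-12-04 message above. The client-name check follows the tor manual's rule (1 to 16 characters from [A-Za-z0-9+-_]), a superset of the 16-character form in the post.

```python
"""Parse a v2 onion service's `hostname` file and emit the matching client-side
torrc line for each authorized client (HiddenServiceAuthorizeClient basic)."""
import re

# Constructed sample (not from the post): what /var/lib/tor/foo/hostname looks
# like once HiddenServiceAuthorizeClient lists two clients. The onion address
# and cookies are placeholders with the right shape, not real values.
SAMPLE_HOSTNAME_FILE = "\n".join([
    "abcdefghijklmnop.onion " + "A" * 22 + " # client: alice",
    "abcdefghijklmnop.onion " + "B" * 22 + " # client: build-box_01",
]) + "\n"

# A v2 onion address is 16 base32 characters; the auth cookie is the 16-byte
# descriptor cookie in base64 with its "==" padding dropped, hence 22 chars.
V2_ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")
COOKIE_RE = re.compile(r"^[A-Za-z0-9+/]{22}$")
# Client names: tor's manual allows 1 to 16 characters from [A-Za-z0-9+-_].
CLIENT_RE = re.compile(r"^[A-Za-z0-9+_-]{1,16}$")
# One hostname-file line: "<onion> <cookie> # client: <name>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+#\s*client:\s*(\S+)\s*$")


def parse_hostname_file(text):
    """Return [(client_name, onion, cookie), ...], rejecting malformed lines.

    Rejecting rather than guessing matters here: a cookie one character short
    or a mistyped onion address silently leaves the client unable to connect,
    and the symptom (descriptor fetch failures) is far from the cause.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an authorized-client line: {line!r}")
        onion, cookie, client = m.groups()
        if not V2_ONION_RE.match(onion):
            raise ValueError(f"line {lineno}: {onion!r} is not a v2 onion address")
        if not COOKIE_RE.match(cookie):
            raise ValueError(f"line {lineno}: auth cookie must be 22 base64 characters")
        if not CLIENT_RE.match(client):
            raise ValueError(f"line {lineno}: invalid client name {client!r}")
        entries.append((client, onion, cookie))
    return entries


def client_torrc_lines(entries):
    """Map client name -> the one torrc line that client needs.

    Each client gets only its own cookie, so a leaked client torrc exposes a
    single cookie, and the operator can revoke it by dropping that name from
    HiddenServiceAuthorizeClient and reloading tor's configuration.
    """
    return {client: f"HidServAuth {onion} {cookie}" for client, onion, cookie in entries}


if __name__ == "__main__":
    for name, line in client_torrc_lines(parse_hostname_file(SAMPLE_HOSTNAME_FILE)).items():
        print(f"# torrc line for client {name}:\n{line}\n")
```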


Re: [tor-talk] Tor official list of new .onion addresses?

2018-12-03 Thread Mirimir
On 12/03/2018 02:35 PM, s7r wrote:



> There are other techniques lower at little-t-tor protocol level that
> suite your concerns, like HiddenServiceAuthorizeClient - you should
> better look into those if you are concerned about someone trying to
> connect to your onion address.



I use that, sometimes. But how secure is it?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] tor-talk@lists.torproject.org

2018-11-21 Thread Mirimir
On 11/21/2018 06:56 PM, mi...@secmail.pro wrote:
>> https://www.dan.me.uk/tornodes
> 
> No.
> 
> Forbidden - TOR Node / Anonymous Proxy
> I'm sorry, but I really don't see why anyone would need to use a TOR node
> or Anonymous Proxy server to look at my site.
> So i'm afraid you can't look. Stop running TOR / using an anonymous proxy
> and you can view my site.
> 
> 
> 
> Alternative, anyone!?

Damn. The StartPage proxy used to work, but they've changed to
"Anonymous View", and that no longer works.

I can see it through a VPN.

>> On 11/19/2018 05:33 PM, mi...@secmail.pro wrote:
>>> now the torstatus.blutmagie.de is going down, I need an alternative.
>>>
>>> I need a list of "Tor nodes IPv4".
>>> The IP list of (All Tor nodes) - (Tor Exit nodes) if possible.
>>>
>>> Can't Tor Project host one PHP script for this?
>>> I really need it for my server.
>>>
>>> e.g.
>>> Firewall:
>>> Allow only outgoing IF destination is Tor Nodes
>>> Deny all
>>
>> https://www.dan.me.uk/tornodes
>>
>> --
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] tor-talk@lists.torproject.org

2018-11-19 Thread Mirimir
On 11/19/2018 05:33 PM, mi...@secmail.pro wrote:
> now the torstatus.blutmagie.de is going down, I need an alternative.
> 
> I need a list of "Tor nodes IPv4".
> The IP list of (All Tor nodes) - (Tor Exit nodes) if possible.
> 
> Can't Tor Project host one PHP script for this?
> I really need it for my server.
> 
> e.g.
> Firewall:
> Allow only outgoing IF destination is Tor Nodes
> Deny all

https://www.dan.me.uk/tornodes

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Yet another Tor failure - DanWin1210.me Hosting hacked

2018-11-17 Thread Mirimir
On 11/16/2018 05:31 PM, bo0od wrote:
> or use Qubes OS, it's useful with some knowledge about it to make it
> great OS for hosting (i didn't test that for web hosting, but
> theoretically possible). And more secure than docker or plain debian or
> bsd ...etc.

Yes, Qubes would be another good choice. But, I suspect, harder to
implement. Especially interesting are recent developments that allow
Qubes system components to be distributed across multiple servers. With
secure connections, of course.

I've been meaning to play with it, off and on, for some years. Who
knows, maybe I'll give it a shot. If I can find suitable hardware for
anonymous lease, anyway :)

> Mirimir:
>> On 11/15/2018 10:23 PM, Daniel Winzen wrote:
>>> Hello,
>>>
>>> yes my server got hacked. How - I do not know yet and I will need to do
>>> an extensive analysis. I did indeed not maintain backups, partly for the
>>> reason that users should have the right to be forgotten immediately when
>>> deleting their accounts. Around 1TB of data is gone.
>>
>> Hey, sorry about that :( And I do get your point about backups.
>> Although, in retrospect, a backup setup with relatively fast rotation,
>> and thorough deletion of old backups, would be prudent.
>>
>>> The scripts are open source and anyone who would like to build something
>>> similar is welcome to do so. However you should note there might be a
>>> risk of getting hacked too in case the vulnerability is hidden in those
>>> scripts. I will re-instantiate my hosting only after the vulnerability
>>> is found and fixed. https://github.com/DanWin/hosting/
>>
>> As I said, shared hosting is a security nightmare. As I understand it,
>> you're depending on not much more than permissions to protect users from
>> each other. And in that situation, it's not _that_ hard for a skilled
>> hacker to get root, and do what they like.
>>
>> If I were going to attempt such an .onion hosting setup, I'd use a
>> couple levels of isolation between users. But first, I'd use LUKS with
>> dropbear for server FDE. It ain't perfect, but an attacker would need to
>> take some care while impounding the server.
>>
>> Basically, I'd set up several KVM domains, to help limit damage from a
>> compromise. Within each domain, I'd put each website in a Docker
>> container. Given a custom Docker-optimized kernel for the host, and XFS
>> storage, it's possible to set hard limits on CPU, RAM and storage for
>> each Docker container.
>>
>> Docker containers rely on kernel namespaces and cgroups. That's not as
>> secure as using full VMs, but _far_ lighter. And _far_ more secure than
>> chroot, which many shared-hosting setups still rely on. Alternatively,
>> one could use FreeBSD jails, and maybe that can also work with Docker.
>>
>> Anyway, if you're interested, I'd be happy to help. I'm just a hobbyist,
>> and totally self-taught. I mostly just use shell scripts. And I lack the
>> patience and organization to actually operate a shared-hosting site.
>>
>>> Any updates will be posted on my front page: https://danwin1210.me/
>>>
>>> Regards,
>>> Daniel
>>>
>>> On 16/11/2018 06:13, Mirimir wrote:
>>>> On 11/15/2018 09:52 PM, tor...@secmail.pro wrote:
>>>>> DanWin1210.me hosting service was hacked.
>>>>> https://danwin1210.me/
>>>>>
>>>>> All Tor Onions are dead.
>>>>
>>>> I guess that he didn't maintain backups :(
>>>>
>>>> Maybe some of those .onion owners did, though.
>>>>
>>>>> FH1: Unknown
>>>>> FH2: Taken down by FBI
>>>>> FH3: Unknown
>>>>> Danwin1210: Ripped by Anonymous
>>>>>
>>>>> Now where is "Freedom Hosting IV"?
>>>>
>>>> Shared hosting is a security nightmare. Just sayin'.
>>>>
>>>>> And why so hate on Tor Onion service?
>>>>
>>>> This was just for lulz, no?
>>>>
>>>
>>>
>>>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Yet another Tor failure - DanWin1210.me Hosting hacked

2018-11-16 Thread Mirimir
On 11/15/2018 10:23 PM, Daniel Winzen wrote:
> Hello,
> 
> yes my server got hacked. How - I do not know yet and I will need to do
> an extensive analysis. I did indeed not maintain backups, partly for the
> reason that users should have the right to be forgotten immediately when
> deleting their accounts. Around 1TB of data is gone.

Hey, sorry about that :( And I do get your point about backups.
Although, in retrospect, a backup setup with relatively fast rotation,
and thorough deletion of old backups, would be prudent.

> The scripts are open source and anyone who would like to build something
> similar is welcome to do so. However you should note there might be a
> risk of getting hacked too in case the vulnerability is hidden in those
> scripts. I will re-instantiate my hosting only after the vulnerability
> is found and fixed. https://github.com/DanWin/hosting/

As I said, shared hosting is a security nightmare. As I understand it,
you're depending on not much more than permissions to protect users from
each other. And in that situation, it's not _that_ hard for a skilled
hacker to get root, and do what they like.

If I were going to attempt such an .onion hosting setup, I'd use a
couple levels of isolation between users. But first, I'd use LUKS with
dropbear for server FDE. It ain't perfect, but an attacker would need to
take some care while impounding the server.

Basically, I'd set up several KVM domains, to help limit damage from a
compromise. Within each domain, I'd put each website in a Docker
container. Given a custom Docker-optimized kernel for the host, and XFS
storage, it's possible to set hard limits on CPU, RAM and storage for
each Docker container.

Docker containers rely on kernel namespaces and cgroups. That's not as
secure as using full VMs, but _far_ lighter. And _far_ more secure than
chroot, which many shared-hosting setups still rely on. Alternatively,
one could use FreeBSD jails, and maybe that can also work with Docker.

Anyway, if you're interested, I'd be happy to help. I'm just a hobbyist,
and totally self-taught. I mostly just use shell scripts. And I lack the
patience and organization to actually operate a shared-hosting site.

> Any updates will be posted on my front page: https://danwin1210.me/
> 
> Regards,
> Daniel
> 
> On 16/11/2018 06:13, Mirimir wrote:
>> On 11/15/2018 09:52 PM, tor...@secmail.pro wrote:
>>> DanWin1210.me hosting service was hacked.
>>> https://danwin1210.me/
>>>
>>> All Tor Onions are dead.
>>
>> I guess that he didn't maintain backups :(
>>
>> Maybe some of those .onion owners did, though.
>>
>>> FH1: Unknown
>>> FH2: Took down by FBI
>>> FH3: Unknown
>>> Danwin1210: Ripped by Anonymous
>>>
>>> Now where is "Freedom Hosting IV"?
>>
>> Shared hosting is a security nightmare. Just sayin'.
>>
>>> And why so hate on Tor Onion service?
>>
>> This was just for lulz, no?
>>
> 
> 
> 


Re: [tor-talk] Yet another Tor failure - DanWin1210.me Hosting hacked

2018-11-15 Thread Mirimir
On 11/15/2018 09:52 PM, tor...@secmail.pro wrote:
> DanWin1210.me hosting service was hacked.
> https://danwin1210.me/
> 
> All Tor Onions are dead.

I guess that he didn't maintain backups :(

Maybe some of those .onion owners did, though.

> FH1: Unknown
> FH2: Took down by FBI
> FH3: Unknown
> Danwin1210: Ripped by Anonymous
> 
> Now where is "Freedom Hosting IV"?

Shared hosting is a security nightmare. Just sayin'.

> And why so hate on Tor Onion service?

This was just for lulz, no?


Re: [tor-talk] (no subject)

2018-10-25 Thread Mirimir
On 10/24/2018 06:23 AM, Nathaniel Suchy wrote:
> I thought this wasn't sent to the list server. Reporting the archive link
> on IRC. They can get this handled :)

From the message source, it surely seems that it was ...

...
Received: from eugeni.torproject.org (eugeni.torproject.org\
  [94.130.28.202])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
  (Client CN "clientcerts/eugeni.torproject.org", Issuer\
  "auto-ca.torproject.org" (not verified))
  by mx1.riseup.net (Postfix) with ESMTPS id 394DD1A04F4;
  Wed, 24 Oct 2018 02:34:35 -0700 (PDT)
Authentication-Results: mx1.riseup.net; dkim=fail
  reason="verification failed; unprotected key"
  header.d=gmail.com header.i=@gmail.com header.b=m91qVvbr;
  dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from eugeni.torproject.org (localhost [127.0.0.1])
  by eugeni.torproject.org (Postfix) with ESMTP id 68AB1E161F;
  Wed, 24 Oct 2018 09:34:32 + (UTC)
Received: from localhost (localhost [127.0.0.1])
  by eugeni.torproject.org (Postfix) with ESMTP id 60A2BE161F
  for ; Wed, 24 Oct 2018 09:34:28\
  + (UTC)
...
Received: from eugeni.torproject.org ([127.0.0.1])
  by localhost (eugeni.torproject.org [127.0.0.1])\
  (amavisd-new, port 10024)
  with ESMTP id BX0svQDLp3CT for ;
  Wed, 24 Oct 2018 09:34:28 + (UTC)
Received: from mail-lf1-x141.google.com (mail-lf1-x141.google.com
  [IPv6:2a00:1450:4864:20::141])
  (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
  (Client CN "smtp.gmail.com",
  Issuer "Google Internet Authority G3" (not verified))
  by eugeni.torproject.org (Postfix) with ESMTPS id 3C7D4E15C0
  for ; Wed, 24 Oct 2018 09:34:28\
  + (UTC)
Received: by mail-lf1-x141.google.com with SMTP id n26-v6so3434767lfl.1
  for ; Wed, 24 Oct 2018 02:34:28\
  -0700 (PDT)
...

Unless they did a good job at spoofing. My email skills are iffy :(

> On Wed, Oct 24, 2018 at 9:10 AM Mirimir  wrote:
> 
>> On 10/24/2018 02:34 AM, Today's Yug wrote:
>>> Contact to me in case of girlfriend trace
>>
>> So is this grounds for unsubscribing this address from the list, and
>> blocking it and its IP address from resubscribing?
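Reading a Received: chain the way the message above does, as an added example (not code from the original post or the list): this script unfolds the headers, lists the hops in transit order and reports whether the list server eugeni.torproject.org handled the message. The sample headers are constructed from the quoted source; the stripped recipient addresses and Client CN clauses are omitted, one internal hand-off is left out, and the timezone offsets the archive mangled to "+" are assumed to have been +0000.

```python
"""Reconstruct an e-mail's relay path from its Received: headers.

Each MTA prepends its own Received: header, so reading them bottom-up gives
transit order.  A hop can forge the headers below its own but not those that
trusted servers add above it, so only hops recorded by trusted MTAs count.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample based on the message source quoted above: stripped
# recipient addresses and Client CN clauses are omitted, one internal hop is
# left out, and offsets the archive mangled to "+" are assumed to be +0000.
SAMPLE_HEADERS = """\
Received: from eugeni.torproject.org (eugeni.torproject.org [94.130.28.202])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
  by mx1.riseup.net (Postfix) with ESMTPS id 394DD1A04F4;
  Wed, 24 Oct 2018 02:34:35 -0700 (PDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
  by eugeni.torproject.org (Postfix) with ESMTP id 68AB1E161F;
  Wed, 24 Oct 2018 09:34:32 +0000 (UTC)
Received: from eugeni.torproject.org ([127.0.0.1])
  by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id BX0svQDLp3CT; Wed, 24 Oct 2018 09:34:28 +0000 (UTC)
Received: from mail-lf1-x141.google.com (mail-lf1-x141.google.com
  [IPv6:2a00:1450:4864:20::141])
  (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
  by eugeni.torproject.org (Postfix) with ESMTPS id 3C7D4E15C0;
  Wed, 24 Oct 2018 09:34:28 +0000 (UTC)
Received: by mail-lf1-x141.google.com with SMTP id n26-v6so3434767lfl.1;
  Wed, 24 Oct 2018 02:34:28 -0700 (PDT)
"""

FROM_RE = re.compile(r"^from\s+(?P<host>\S+)(?:\s+\((?P<info>[^()]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<host>\S+)", re.I)
TLS_RE = re.compile(r"\(using\s+\S+\s+with\s+cipher\s+(?P<cipher>\S+)")
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")


@dataclass
class Hop:
    from_host: Optional[str]  # name the sender announced; None for the origin
    from_ip: Optional[str]    # address the receiving MTA actually saw
    by_host: str              # MTA that added this header
    cipher: Optional[str]     # TLS cipher, or None if the hop was cleartext
    timestamp: str            # receiving MTA's clock, as written


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 folded continuation lines into (name, value) pairs."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:  # continuation of the previous header
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value: str) -> Hop:
    """Pull the from/by/TLS/timestamp clauses out of one Received: value."""
    value = re.sub(r"\s+", " ", value)
    frm = FROM_RE.match(value)  # absent on the originating hop
    ip = IP_RE.search(frm.group("info") or "") if frm else None
    by = BY_RE.search(value)
    if not by:
        raise ValueError("Received header without a 'by' clause: " + value)
    tls = TLS_RE.search(value)
    return Hop(
        from_host=frm.group("host") if frm else None,
        from_ip=ip.group("ip") if ip else None,
        by_host=by.group("host"),
        cipher=tls.group("cipher") if tls else None,
        timestamp=value.rsplit(";", 1)[-1].strip() if ";" in value else "",
    )


def hop_chain(raw: str) -> List[Hop]:
    """Hops in transit order: the bottom Received: header is the first hop."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [parse_received(v) for v in reversed(received)]


def external_path(raw: str) -> List[str]:
    """Distinct MTAs the message crossed, with loopback hand-offs collapsed."""
    path: List[str] = []
    for hop in hop_chain(raw):
        if hop.from_ip == "127.0.0.1" or hop.from_host == "localhost":
            continue  # internal hand-off (queue, content filter)
        for host in (hop.from_host, hop.by_host):
            if host and (not path or path[-1] != host):
                path.append(host)
    return path


def transited_via(raw: str, host: str) -> bool:
    """True if `host` received the message at some hop (e.g. the list server)."""
    return any(h.by_host.lower() == host.lower() for h in hop_chain(raw))
```

Only the hops added by servers you trust (here the receiving side, mx1.riseup.net, and the list server) are evidence; everything below them could have been written by the sender.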


Re: [tor-talk] (no subject)

2018-10-24 Thread Mirimir
On 10/24/2018 02:34 AM, Today's Yug wrote:
> Contact to me in case of girlfriend trace

So is this grounds for unsubscribing this address from the list, and
blocking it and its IP address from resubscribing?


Re: [tor-talk] Does Facebook .onion work?

2018-10-15 Thread Mirimir
On 10/15/2018 02:35 PM, bobby...@danwin1210.me wrote:
> Facebook https://www.facebookcorewwwi.onion/ has existed since 2014.
> However, I am unconvinced that it works.
> 
> I go to the URL, register, get a confirmation email, click it, then have
> to enter my phone and receive a code. Fair enough.
> 
> When I login I get:
> 
> Upload a Photo of Yourself
> To get back on Facebook, upload a photo that clearly shows your face. Make
> sure the photo is well-lit and isn't blurry. Don't include other people in
> the shot.
> We use this photo to help us check that this account belongs to you. We'll
> delete the photo once we've done this, and it will never appear on your
> profile.
> 
> This is a new account - I've just created it.
> 
> I upload a random photo and apparently this will be manually checked to
> ensure it's me. I've no idea how they will do that since it's a new
> account. Until then, I can't use the account.
> 
> Has anyone successfully created an account using the .onion address?

I created one a few months ago. I wasn't asked for a phone number, or a
photo. I just logged in, and all seems cool.

I did all that with Whonix, for what it's worth.


Re: [tor-talk] Media Write Protection / Crypto Devices / BadUSB - #OpenFabs #OpenHW

2018-10-13 Thread Mirimir
On 10/12/2018 11:56 PM, grarpamp wrote:
>>>> This is the use case for Tails. . . . [T]here are no writes to storage,
>>>> unless users configure [otherwise] . . . .
> 
>> Sure, but this isn't a _Tor_ issue. It's just about Tor browser, which
>> is just (heavily) modified Firefox. And although I'm no software expert,
>> I'm guessing that it's impossible to guarantee what some code will or
>> won't leave behind when it crashes. Even if you tweaked the browser to
>> never write temp files to disk, and keep everything in RAM, you couldn't
>> guarantee that the OS won't write stuff to disk.
> 
>> That is, unless there _is_ no disk, as in Tails. Even with Whonix,
>> traces likely remain in the virtual disk.
> 
> There is never "no" disk, just a matter of which ones
> are plugged into the box, physically, or remotely.

OK, I should have said "unless there _is_ no disk, as there _can be_ in
Tails". I've run Tails (and my own LiveCDs) on diskless machines. And
yes, using USB for live systems is iffy. But write-once CDs are pretty
safe, I think. No?




Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-12 Thread Mirimir
On 10/12/2018 01:47 PM, Nick Levinson wrote:
>> This is the use case for Tails. . . . [T]here are no writes to storage, 
>> unless users configure [otherwise] . . . .
> 
> One need not use Tails to use Tor (I used to sometimes use Tor and never used 
> Tails), so, while Tails may be a good idea, the question remains for Tor and 
> its security architecture when not using Tails.

Sure, but this isn't a _Tor_ issue. It's just about Tor browser, which
is just (heavily) modified Firefox. And although I'm no software expert,
I'm guessing that it's impossible to guarantee what some code will or
won't leave behind when it crashes. Even if you tweaked the browser to
never write temp files to disk, and keep everything in RAM, you couldn't
guarantee that the OS won't write stuff to disk.

That is, unless there _is_ no disk, as in Tails. Even with Whonix,
traces likely remain in the virtual disk. And sure, you can run Whonix
with virtual disks, which don't persist changes. But even then, who's to
say what might get left on the host. I'm less familiar with other
sandboxing options, but I suspect that there are similar issues.


Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-05 Thread Mirimir
On 10/05/2018 05:19 PM, Nick Levinson wrote:
> This replies to a September 26 post with the same title.

> It took some effort to find the bug in FF, it took some more effort
> to convince people at FF that data is persistently stored, and a FF
> derivative is being used in Tor, so I would not be surprised if no
> one reported the bug at Tor before my question last month. The
> discussion at FF was going on for years. So the open question for Tor is not
> whether it's unreported but whether Tor behaves
> differently, and you and I have narrowed it down to the difference
> between design and behavior at shutdown time and similar times. If
> you or someone else knows the answer to that question, please post
> accordingly.

This is the use case for Tails. It's a Debian live system with Tor
browser etc. So everything runs in RAM. And there are no writes to
storage, unless users configure encrypted USB storage. If you like, you
can run in a diskless machine. At shutdown, it explicitly wipes RAM, so
no traces remain. In case of a hard shutdown, data would remain in RAM
for a while, but would be gone within hours at most.

I'm not qualified to have opinions about other issues that you raise.




Re: [tor-talk] ascertain trustworthyness of entry-nodes and obfs4 bridges?

2018-10-04 Thread Mirimir
On 10/03/2018 04:36 AM, ithor wrote:
> Ok, so basically I have to stick with trust... kinda dangerous really in my 
> geographical location.
> 
> I know there's a lot of talk about the pro and contra of using some kind of 
> VPN before entering the Tor network, how it can deanonymize you and how you 
> basically still have to trust someone.
> 
> But still, in order to defeat the possibility of a malicious entry-node or to
> avoid having my IP broadcast that I'm connecting to blacklisted obfs4 bridges,
> wouldn't a "trustworthy" VPN tackle that issue? I'm thinking of providers
> that employ a mix of obfuscating servers, like PSIPHON. It obfuscates a SSL 
> layer with an http one and is conceived especially for activists living under 
> censorship.
> 
> So ok, one could state: maybe most of the IPs of those servers (even being
> over 6000 worldwide) are known to the gvt trolls and they're just letting you
> through in order to get information about you. That's right, but then one
> should add another security layer by connecting over public wifi and not a home
> router and f.ex. spoofing MAC addresses at every connection.
> 
> It would still be a protecting layer before connecting to the entry-node,
> even over an obfs4 bridge.

From devices that are identifiably mine, and not some ~anonymous VPS, I
only connect to Tor via nested VPN chains, typically three deep. Some
VPN providers, such as IVPN, even offer obfs4 tunneling. Others, such as
AirVPN, offer SSH and TLS.

It's not prudent to trust VPN services, any more (or less, really) than
it is to trust any particular Tor relay. Or any particular ISP, for that
matter. But with three VPN services in a nested chain, adversaries would
need data from at least two of them. And they'd need to work through the
chain, from one end or the other. Or do traffic analysis.




Re: [tor-talk] Tor browser and VPN or web proxy

2018-09-30 Thread Mirimir
On 09/29/2018 08:35 PM, Paul Syverson wrote:
> On Sat, Sep 29, 2018 at 04:28:46PM -0700, Mirimir wrote:
>> On 09/29/2018 09:29 AM, panoramix.druida wrote:
>>>
>>> ‐‐‐ Original Message ‐‐‐
>>> El sábado, 29 de septiembre de 2018 11:58, J B  
>>> escribió:
>>>
>>>> Hi,
>>>> Could you please explain in what sequence the two should be activated and
>>>> why
>>>> (which setup is secure) ?
>>>> TB -- VPN or web proxy
>>>> or
>>>> VPN or web proxy -- TB
>>>
>>> I am playing with Qubes OS and I'm trying Tor -> VPN (with Bitmask) and I found
>>> this useful for not having captchas everywhere as happens with Tor
>>> alone. I tried this thanks to this talk:
>>> https://www.youtube.com/watch?v=f4U8YbXKwog
>>
>> True. But this is the most dangerous way to combine Tor and VPNs.
>>
>> If you connect first through a VPN (yours or a commercial service) and
>> then to Tor, the VPN becomes like your ISP. It encrypts and obscures
>> your traffic. So your ISP can't easily tell that you connect with Tor,
>> or what you otherwise connect with directly.
>>
>> But your VPN provider _does_ know all that. Also, some argue that VPN
>> services are more likely malicious than ISPs, and so potentially
>> compromise your Tor use. But others (including Mirimir) argue that ISPs
>> are more readily compromised by local adversaries, so using VPN services
>> increases security and privacy for Tor use.
>>
>> Also, if you connect to Tor through a VPN, entry guards can't easily
>> know your ISP-assigned IP address. So malicious entry guards (or those
>> who had compromised them) would need to get that information from your
>> VPN provider. That would have provided some protection against CMU's
>> relay-early exploit, which pwned many .onion services and users.
>>
>> However, connecting first to Tor, and then through Tor circuits to a
>> VPN, is _far_ more dangerous. Bottom line, you throw away all of the
>> anonymity that Tor can provide. That's because your VPN provider may
>> know who you are. Perhaps because you paid them in some traceable way.
>> Or perhaps because you accidentally connected directly, and not through
>> Tor, revealing your ISP-assigned IP address to them.
> 
> While that is all roughly on-average correct, it depends entirely on your
> adversary and intended activity. (You might not be average.)  If, as
> one example, you need to connect to a corporate VPN and you don't
> want a local adversary (such as the ISP) to know your affiliation with
> that corporation, then this is the order to do things.
> 
> aloha,
> Paul

Right. Didn't think of that. And yes, that _is_ a safe use case. Because
you don't need/want to be anonymous to that corporation. Or for anything
you do through that VPN connection.

Even so, for that you might as well use a VPN service, instead of Tor.
Because performance will be much better. Unless it's important to hide
corporate affiliation from more than just local adversaries.

>> However, if you're careful, you can use VPNs through Tor to 1) avoid
>> Tor-specific CAPTCHAs, 2) route UDP traffic, and 3) use online services
>> that generally don't work well with Tor alone.
>>
>> 


Re: [tor-talk] Tor browser and VPN or web proxy

2018-09-29 Thread Mirimir
On 09/29/2018 09:29 AM, panoramix.druida wrote:
> 
> ‐‐‐ Original Message ‐‐‐
> El sábado, 29 de septiembre de 2018 11:58, J B  
> escribió:
> 
>> Hi,
>> Could you please explain in what sequence the two should be activated and
>> why
>> (which setup is secure) ?
>> TB -- VPN or web proxy
>> or
>> VPN or web proxy -- TB
> 
> I am playing with Qubes OS and I'm trying Tor -> VPN (with Bitmask) and I found this
> useful for not having captchas everywhere as happens with Tor alone.
> I tried this thanks to this talk: https://www.youtube.com/watch?v=f4U8YbXKwog

True. But this is the most dangerous way to combine Tor and VPNs.

If you connect first through a VPN (yours or a commercial service) and
then to Tor, the VPN becomes like your ISP. It encrypts and obscures
your traffic. So your ISP can't easily tell that you connect with Tor,
or what you otherwise connect with directly.

But your VPN provider _does_ know all that. Also, some argue that VPN
services are more likely malicious than ISPs, and so potentially
compromise your Tor use. But others (including Mirimir) argue that ISPs
are more readily compromised by local adversaries, so using VPN services
increases security and privacy for Tor use.

Also, if you connect to Tor through a VPN, entry guards can't easily
know your ISP-assigned IP address. So malicious entry guards (or those
who had compromised them) would need to get that information from your
VPN provider. That would have provided some protection against CMU's
relay-early exploit, which pwned many .onion services and users.

However, connecting first to Tor, and then through Tor circuits to a
VPN, is _far_ more dangerous. Bottom line, you throw away all of the
anonymity that Tor can provide. That's because your VPN provider may
know who you are. Perhaps because you paid them in some traceable way.
Or perhaps because you accidentally connected directly, and not through
Tor, revealing your ISP-assigned IP address to them.

However, if you're careful, you can use VPNs through Tor to 1) avoid
Tor-specific CAPTCHAs, 2) route UDP traffic, and 3) use online services
that generally don't work well with Tor alone.




Re: [tor-talk] Bridge and Hidden service

2018-09-27 Thread Mirimir
On 09/27/2018 12:45 PM, MegaBrutal wrote:
> Hi,
> 
> If I'm about to run a Hidden service, can I run it on a bridge node,
> or at least on the same IP as a bridge node without uncovering the
> bridge node?

I'm not sure what you mean by this.

> Maybe it boils down to the question whether a node that serves a
> Hidden service has to be a public Tor node. If it has to be public, it
> spoils the IP.

Does "node that serves a Hidden service" mean the machine that's running
the web server or whatever, or the machine that's serving as its Tor
guard? Normally, machines running .onion web servers _never_ reveal
their public IP addresses, and indeed, shouldn't even have them.

Guards for .onion server are typically public guards. However, you can
use your own bridge, and not publish it.

> Moreover, can I make a Tor node to only serve the Hidden service and
> not to relay regular Tor traffic? I mean, my node should only serve
> incoming traffic to the Hidden service.

If we're talking about a private bridge, yes. You can just not tell
anyone about it, and so it will only serve as a guard for your .onion.

Also, just to be clear, it's a bad idea to run an .onion web server on
the same machine as a Tor relay, even a private guard.

> Thanks for your help in advance,
> MegaBrutal
> 


Re: [tor-talk] TBB 8 GUI changes

2018-09-12 Thread Mirimir
In Whonix 13 (Debian jessie with KDE) TBB 8 seems to ignore themes.

On 09/12/2018 12:00 PM, Joe wrote:
> Can anyone in Torland confirm whether any Linux TBB version - or latest
> v8, ever uses any UI colors from the active Linux theme, that usually
> affects all Linux apps?
> 
> On 09/08/2018 02:00 AM, Joe wrote:
>> In Tor Browser 8 - Linux, I guess Tor Browser never uses the selected
>> theme's colors (in Linux Preferences - Themes), modifying scrollbars and
>> sliders (or thumbs, in Windows)?
>>
> 


Re: [tor-talk] Measuring on-line anonymity

2018-08-15 Thread Mirimir
On 08/15/2018 06:34 AM, Nathaniel Suchy wrote:
> Someone recommended that email was a more "anonymous" protocol. That really
> depends. Most email servers, by default, forward the client IP Address in
> headers. Make sure you are using Tor Browser with webmail or TorBirdy in
> Thunderbird if you want to use email "anonymously". Going to add at best
> email is a pseudonymous protocol. At some point there is an identity,
> ideally it's not linkable to you in real life but...

Yes, of course. And yes, pseudonymity <> anonymity. But pseudonymity is
useful sometimes, when you need to tell plausible lies. Not that Mirimir
is all that plausible, of course. But that's intentional.

> Gmail for example
> almost always requires you register from a residential IP Address and
> verify a phone number - I won't even call Gmail pseudonymous, it's directly
> linkable to you. The prepaid burner phone argument is silly - anyone
> remember: https://muckrock.s3.amazonaws.com/foia_files/7-3-14_MR6608_RES.pdf
> ?

Sure, but why would anyone use Gmail? There's CounterMail, Tutanota,
ProtonMail and ScryptMail. Even VFEmail and cock.li have .onion servers.

I do agree that the burner phone stuff is silly. I mean, surveillance
video. License plate tracking. Phone tracking. Plus the need to travel
long distances before using, to fuzz geolocation.

The hosted SIM approach seems far better. Region-scale blacklisting is
possible, of course, to mitigate bot abuse. But it's a large planet.

> On Tue, Aug 14, 2018 at 8:28 PM, Mirimir  wrote:
> 
>> On 08/14/2018 04:48 PM, panoramix.druida wrote:
>>> ‐‐‐ Original Message ‐‐‐
>>> El 14 de agosto de 2018 8:17 PM, Mirimir  escribió:
>>>
>>>> On 08/13/2018 07:52 PM, panoramix.druida wrote:
>>>>
>>>>> Hi, is there a way to measure the level of anonymity on a system?
>>>>
>>>> Sure. There's some literature. Check out
>>>> https://www.freehaven.net/papers.html.
>>>
>>> Thanks, lots of good stuff!!!
>>
>> Yeah, it's a _great_ resource.
>>
>>>>> Ricochet is way better to protect anonymity. I don't need a phone
>>>>> number, not even a name, I just use the onion service hostname. With
>>>>> Ricochet I am anonymous all the time unless I identify myself.
>>>>> Email may not be as good as Signal for end to end encryption (even
>>>>> with PGP), but it can be way better for anonymity. For instance, this email
>>>>> account was created using Tor in Protonmail, and there are other mail
>>>>> providers that allow me to do this. If I always use Protonmail with Tor, it is
>>>>> very hard for Protonmail to learn who I am and where I live; doing that
>>>>> with Signal is harder. However, with Ricochet it is way easier.
>>>>
>>>> Well, there's a huge metadata issue with email. Using .onion webmail
>>>> mitigates much of it. But everyone needs to watch their OPSEC, to avoid
>>>> deanonymization.
>>>>
>>>> And why do you say that deanonymization is way easier with Ricochet?
>>>> It's all via .onion instances. But I gather that Tor Project no longer
>>>> actively supports the work.
>>>
>>> What I meant is that it is easier to stay anonymous on a system like
>>> Ricochet.
>>
>> OK, got it.


Re: [tor-talk] Measuring on-line anonymity

2018-08-14 Thread Mirimir
On 08/14/2018 04:48 PM, panoramix.druida wrote:
> ‐‐‐ Original Message ‐‐‐
> El 14 de agosto de 2018 8:17 PM, Mirimir  escribió:
> 
>> On 08/13/2018 07:52 PM, panoramix.druida wrote:
>>
>>> Hi, is there a way to measure the level of anonymity on a system?
>>
>> Sure. There's some literature. Check out
>> https://www.freehaven.net/papers.html.
> 
> Thanks, lots of good stuff!!!

Yeah, it's a _great_ resource.

>>> Ricochet is way better to protect anonymity. I don't need a phone number,
>>> not even a name, I just use the onion service hostname. With Ricochet I am
>>> anonymous all the time unless I identify myself.
>>> Email may not be as good as Signal for end to end encryption (even with
>>> PGP), but it can be way better for anonymity. For instance, this email
>>> account was created using Tor in Protonmail, and there are other mail
>>> providers that allow me to do this. If I always use Protonmail with Tor, it is
>>> very hard for Protonmail to learn who I am and where I live; doing that
>>> with Signal is harder. However, with Ricochet it is way easier.
>>
>> Well, there's a huge metadata issue with email. Using .onion webmail
>> mitigates much of it. But everyone needs to watch their OPSEC, to avoid
>> deanonymization.
>>
>> And why do you say that deanonymization is way easier with Ricochet?
>> It's all via .onion instances. But I gather that Tor Project no longer
>> actively supports the work.
> 
> What I meant is that it is easier to stay anonymous on a system like Ricochet.

OK, got it.


Re: [tor-talk] Measuring on-line anonymity

2018-08-14 Thread Mirimir
On 08/13/2018 07:52 PM, panoramix.druida wrote:
> Hi, is there a way to measure the level of anonymity on a system?

Sure. There's some literature. Check out
.

> For example Signal is very good at keeping communications secret, but is
> very bad for anonymity as it needs a real phone number to work. Using a real
> phone number to communicate makes an association of all your chats with your
> real identity. In many countries in Latin America you need to give your
> document ID to get a phone number.[1] It is also a centralized service so
> that the sysadmins and the people behind Signal can have a look at the
> metadata if they want.

Micah Lee's article has some good suggestions. And you can also use
hosted SIMs. For example, https://speedyverify.com/. Before creating
your messaging, social media, etc account, you login at SpeedyVerify,
and start a chat with support. You tell them which SIM / mobile number
you'll be using. Then you create the account, with mobile
authentication. SpeedyVerify support will give you the authentication code.

There's also an API, which can handle bulk authentication. I suspect
that services like this facilitate bot networks and scamming on Twitter,
Facebook, and so on.

It's true that the SIM host sees your activation code. But that process
isn't really secure, in any case. And I don't believe that it lets them
hack your account, because it's a one-time code. And they don't know
your password.

It's also true that you must provide email and contact information to
SpeedyVerify, including a telephone number. But they don't seem to
verify that stuff, and they accept Bitcoin.

> Ricochet is way better to protect anonymity. I don't need a phone number, not
> even a name, I just use the onion service hostname. With Ricochet I am
> anonymous all the time unless I identify myself.
> 
> Email may not be as good as Signal for end to end encryption (even with PGP),
> but it can be way better for anonymity. For instance, this email account was
> created using Tor in Protonmail, and there are other mail providers that
> allow me to do this. If I always use Protonmail with Tor, it is very hard for
> Protonmail to learn who I am and where I live; doing that with Signal is
> harder. However, with Ricochet it is way easier.

Well, there's a huge metadata issue with email. Using .onion webmail
mitigates much of it. But everyone needs to watch their OPSEC, to avoid
deanonymization.

And why do you say that deanonymization is way easier with Ricochet?
It's all via .onion instances. But I gather that Tor Project no longer
actively supports the work.

> Is there a way to measure the "level of anonymity"? I am very interested in
> comparing email, chat and VoIP tools to find out which tool is better for
> anonymity. For instance, in email it is hard to be anonymous to the service
> provider, and in Signal it is even harder; however, in Ricochet it is very
> simple as there is no service provider.
> 
> [1] Actually you don't need to use your real phone number; advanced users can
> do tricks. That is not for everyone.
> https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/
> 


Re: [tor-talk] ProxAllium - A Tor frontend for Windows

2018-08-04 Thread Mirimir
On 08/04/2018 10:17 AM, Damon (TheDcoder) wrote:
> Hello everyone!
> 
> I would like to first say that [ProxAllium](https://proxallium.org/) is in no
> way affiliated with the Tor
> Project and it is developed independently by me at the moment.
> 
> Introduction: ProxAllium is a simple GUI frontend for Tor which works in
> Windows, the main goal of this program is to allow the user to get Tor up and
> running without the need of using Tor Browser Bundle (TBB) and configuring
> it.
> 
> ProxAllium makes the process easy by automatically generating a safe
> configuration for Tor without any user interaction on the first launch!
> 
> Its GUI displays useful information like the port, proxy type, PID etc of Tor
> in a single place so that this information is very accessible.

Hey, I get where you're coming from. The Tor Project wiki isn't all that
helpful about standalone Tor setup in Windows. However, although I have
zero affiliation with the Tor Project, it's my impression that this
hasn't entirely been an oversight. In particular, I get that running
relays in Windows is discouraged, in light of security concerns. That
is, they're arguably more likely pwned by adversaries, and used to
attack the network. And I suspect also that there are concerns about
torrenting, which stresses the system.

Perhaps more fundamentally, there are concerns about surveillance by
Microsoft. I mean, using Tor arguably secures network traffic from
adversaries, but what secures the system from Microsoft? In particular,
unless users take extreme effort, Microsoft knows their identities. And
if Microsoft is logging browsing and other network traffic, and file
operations, it arguably knows what users are doing, notwithstanding Tor.

So anyway, how does ProxAllium address those concerns?


Re: [tor-talk] torjail - run programs in tor network namespace

2018-07-27 Thread Mirimir
On 07/27/2018 05:34 AM, Udo van den Heuvel wrote:
> On 24-07-18 16:58, lesion wrote:
>> On Tue, Jul 24, 2018 at 02:51:36PM +0200, Udo van den Heuvel wrote:
>>> On 23-07-18 09:51, bic wrote:
>>>> I want to share a project made in _to hacklab.
>>>>
>>>> https://github.com/torjail/torjail
>>>
>>> Very interesting!!
>>> Would it make sense to run tor itself also in such an environment?
>>> If so: any examples?
>>
>> You cannot run tor inside torjail.
> 
> Sure!
> But can we use a network namespace to separate it a bit more?
> 
> Kind regards,
> Udo

Well, you could run tor inside "vpnjail" ;)


Re: [tor-talk] torjail - run programs in tor network namespace

2018-07-25 Thread Mirimir
On 07/25/2018 01:26 AM, Roman Mamedov wrote:
> On Wed, 25 Jul 2018 01:14:12 -0700
> Mirimir  wrote:
> 
>> True. But I'd rather use the Whonix approach. It's doable using two VPS.
>> That is, if the provider will cooperate. One VPS runs the web server,
>> and it has no Internet connectivity or public IP, just a private IP on a
>> local network. The other VPS runs the Tor client, and it has two
>> interfaces. One with Internet connectivity and a public IP. And the
>> other on the same local network as the server VPS.
> 
> And all your traffic before even entering Tor goes across the provider's
> "local" network, where it can be captured in the clear and analyzed.

Well, sure. But you're pretty much at providers' mercy whenever you use
VPS. Even dedicated servers can be easily compromised.

And OK, I should have recommended encrypting local traffic with
WireGuard or whatever.

Alternatively, you could use a dedicated server, and run your own VPS.
Or you could use a KVM VPS that can run VMs. It's sluggish, but it works.


Re: [tor-talk] torjail - run programs in tor network namespace

2018-07-25 Thread Mirimir
On 07/24/2018 07:58 AM, lesion wrote:



> the whole point of torjail is to force all traffic via a virtual network
> interface that's routed into tor's socks5 (tor is started by torjail
> itself).
> 
> a use case could be a hidden service:
> let's say you're running a website as a hidden service and your website got
> hacked. without torjail an attacker could find the real ip of your
> website easily.

True. But I'd rather use the Whonix approach. It's doable using two VPS.
That is, if the provider will cooperate. One VPS runs the web server,
and it has no Internet connectivity or public IP, just a private IP on a
local network. The other VPS runs the Tor client, and it has two
interfaces. One with Internet connectivity and a public IP. And the
other on the same local network as the server VPS. There's no routing on
the local network, just HiddenServicePort forwarding.

> thunderbird is another use case: if you got hacked, it's easier to
> deanonymize you without torjail.

I'd rather just use Whonix. But this is for sure a lot lighter.

> I hope this clarifies.
> 
> https://torjail.github.io/
> 
> ps. 
> if you think the project's name is a real issue, suggestions are welcome :)

As others suggest, maybe OrJail, as with OrBot. I gather that TorBirdy
is OK, because it's a Tor Project app.


Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

2018-07-11 Thread Mirimir
On 07/11/2018 02:04 AM, Alec Muffett wrote:
> On Wed, 11 Jul 2018 at 09:33, Roger Dingledine  wrote:
> 
>> They did some internal measurements and realized that the number of
>> people connecting to Facebook over Tor was growing and had become huge:
>>
> 
> I wrote this process of realisation up at some length:
> 
> 
> https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962/
> 
> ...or here, if you prefer onion networking:
> 
> 
> https://www.facebookcorewwwi.onion/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962/
> 
> I should really put a copy of this essay somewhere that it will get more
> traction.
> 
> - alec

That's very cool!

And I am _very_ impressed. Using https://www.facebookcorewwwi.onion/, I
created an account, and didn't need to supply a mobile number. Just an
email address.


Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

2018-07-10 Thread Mirimir
On 07/10/2018 06:59 AM, Lara wrote:
> On Tue, 10 Jul 2018, at 12:12, David Niklas wrote:
>> grarpamp  wrote:
>>> One email, and ticket opened, and tweet complaint, per each
>>> captcha click, from each affected tor user... that should do the
>>> trick ;-)
>>
>> I think I'll try that.
> 
> Hence proving to the world that the Tor community is tiny, yet a
> major pain in the rear and as most generate only negative income
> they should be blocked for ever.

You have a point. For example, how did Facebook come around to have an
onion? Was it just that Alec Muffett championed it? Did complaints from
excluded users play a role? Positive or negative?

Me, I've never been much into complaining. If there's something in my
way, I just work around it. For example, some time ago, I decided to
have a Twitter account. And it had to be via Tor. But Twitter didn't
like that. So via Tor, I leased a VPS with well-mixed Bitcoin, installed
Debian with a light Openbox desktop, and setup an RDP onion. And Twitter
was cool with that.


Re: [tor-talk] Digital IDs needed to end 'mob rule' online, says UK security minister Ben Wallace - Digital IDs should be brought in to end online anoymity that permits "mob rule" and lawlessness onli

2018-06-11 Thread Mirimir
On 06/10/2018 09:13 PM, Kevin Burress wrote:
> It is like they are saying they want the apocalypse without saying it by
> really saying it (anonymous) that's their way of asking, and christians who
> are good christians and israel says "yes come Lord"

But hey, some Islamic fundamentalists also want it. And they think that
God and Christ will be on _their_ side.

> On Mon, Jun 11, 2018, 2:28 AM Kevin Burress  wrote:
> 
>> I mean for example historically the people of Canaan worshipped God but
>> Canaan was cursed. And it was about the place of the Hittites and
>> Canaanites who were slaughtered. But they worshipped the same God.
>>
>> On Mon, Jun 11, 2018, 2:23 AM Kevin Burress 
>> wrote:
>>
>>> In fact I would imagine given the content and staining and such it would
>>> make it more sure that He wants to do it.
>>>
>>> On Mon, Jun 11, 2018, 2:21 AM Kevin Burress 
>>> wrote:
>>>
 Well I just want to bring up that should it be the end Yahweh may want
 to use anonymity to not reveal Himself to the masses.

 On Mon, Jun 11, 2018, 2:19 AM grarpamp  wrote:

> On Sun, Jun 10, 2018 at 12:08 PM, Ben Tasker 
> wrote:
>>>
> https://www.independent.co.uk/news/uk/politics/online-digital-identification-mob-rule-online-security-minister-ben-wallace-a8390841.html
>
>> As I see it, there are two complimentary ways to fight it
> .
>> Firstly, explain (again) why it's a stupid and flawed idea.
>
> History shows that method always loses long term.
>
>> Second, keep building and supporting systems that help protect
> privacy and
>> anonymity online. That means running more tor relays as well as
> developing
>> new privacy friendly services etc. Essentially, make sure there are
>> alternatives that cannot be affected by whatever half-baked
> implementation
>> they try to foist on us.
>
> Tools themselves will not stop the continual foisting that always wins
> long term.
>
> Note this UK US scam has been spooling up for a wider G7 drop for a
> while now...
> https://lists.cpunks.org/pipermail/cypherpunks/2017-May/037851.html
> https://lists.cpunks.org/pipermail/cypherpunks/2017-March/036940.html
> https://lists.cpunks.org/pipermail/cypherpunks/2017-May/037948.html
>
> The subject problem is that government is now redundant to your own
> better
> capabilities as human beings, now evolved and connected to the wealth of
> instant global knowledge and comms. There's no longer a need for such a
> central store of knowledge, action, and programming that, among other
> things,
> says that murder and theft are good, since now you can go online and see
> that it is plainly bad, and contribute to better together, directly.
> The solution is thus to go further this time and finally discontinue
> that old redundant system.
>
> That connectedness is a "mob rule" they speak of... more properly a
> "decentralized" mode, with voluntarist, anarchist, libertarian
> flavors, coordinated
> under realtime feedback for good... an unexpected result (to their
> geriatric
> selves and their decades expired models and thinking) of the true power
> of the Internet now arrived... a curiously interesting process taking
> shape
> globally... a discussion.. an exploration of alternative models, of
> local
> and self governance, an elimination of redundancy and inefficiency,
> reclamation and redeployment of all things ceded.
>
> So of course they want to "Digital ID" that, to censor it, balkanize,
> shape,
> track, control, criminalize, and shut it down before they
> themselves are.
>
> The fact that they've resorted to deploying worldwide surveillance,
> the Four Horsemen of the Infocalypse FUD and more, spinning
> it out 24x365 nonstop now in survival mode, shows they know their
> own end is coming.
>
> Make, keep and use tools... "systems that help protect privacy and
> anonymity online... develop new privacy friendly services etc"...
> not just to hide and shield from the foisting, but to fix and learn
> new thinking, thus ending it for good.
>
> The math is simpler than crypto...
> https://www.youtube.com/watch?v=H6b70TUbdfs
> https://www.youtube.com/watch?v=DVEzdh4PMDI



Re: [tor-talk] Digital IDs needed to end 'mob rule' online, says UK security minister Ben Wallace - Digital IDs should be brought in to end online anoymity that permits "mob rule" and lawlessness onli

2018-06-11 Thread Mirimir
On 06/10/2018 08:28 PM, Kevin Burress wrote:
> I mean for example historically the people of Canaan worshipped God but
> Canaan was cursed. And it was about the place of the Hittites and
> Canaanites who were slaughtered. But they worshipped the same God.

They worshiped a bunch of gods. Including El and his consort, Asherah.
Although El later became conflated with Yahweh, that was arguably just
Israelite propaganda.

If you're interested in that stuff, I highly recommend Stover's first
two novels, _Iron Dawn_ and _Jericho Moon_. He portrays the early Habiru
as basically demon worshipers. Yahweh has a variety of aspects, which
can be invoked by particular rituals.



Re: [tor-talk] Anonymity and Voip

2018-05-10 Thread Mirimir
On 05/10/2018 01:35 PM, panoramix.druida wrote:
> 
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On 10 May 2018 7:41 PM, Mirimir <miri...@riseup.net> wrote:
> [] 
>> However, keep in mind that VoIP is fundamentally inconsistent with
>> anonymity. Because voice analysis is so effective. And because it's very
>> hard to obfuscate voice enough to frustrate analysis. You basically need
>> to do voice-to-text conversion, and then text-to-voice conversion. And
>> once you've done voice-to-text, why bother with text-to-voice?
> 
> I don't want to hide who I am to the other end. I want to hide the fact that I 
> am calling someone and that the conversation actually took place.
> 
> So Alice wants to talk to Bob but neither of them wants anybody to know that 
> the conversation happened. If the conversation is end to end encrypted no one 
> should know that they were talking and that the conversation happened. So from 
> my understanding there is anonymity in the fact that they are separating from 
> the act of having a conversation. Am I right?
> 
> Please if you want to be philosophical about it go ahead. I really want to 
> improve my understanding of anonymity and privacy.
> 
> Thanks!

OK, then voice analysis isn't an issue. Everything's encrypted. And with
Tor, there's no linkable metadata. Barring such exceptional
circumstances as Tor 0day, anyway.


Re: [tor-talk] Anonymity and Voip

2018-05-10 Thread Mirimir
On 05/10/2018 01:43 AM, panoramix.druida wrote:
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On 9 May 2018 5:22 PM, grarpamp wrote:
> 
>> On Wed, May 9, 2018 at 10:57 AM, Nathan Freitas nat...@freitas.net wrote:
>>
>>> In general, the issue with VoIP over Tor, is that Tor only supports TCP,
>>> and not UDP, which most voice and video services require.
>>
>> And until tor supports UDP, or even more generally over
>> say IPv6 transport internally, you can do exactly that with...
>>
>> https://www.onioncat.org/
>> https://github.com/david415/onionvpn
>>
>> So now all other cool UDP and IPv6 applications work fine inside tor.
>> VoIP, bittorrent, CJDNS, mosh, ping, DNS, etc...
>>
>> Have fun :)
> 
> So my understanding is that I could use any IP protocol and communicate with 
> each other as if we were in a LAN. Is that right? If so is there any FLOSS 
> VoIP program that allows me to communicate directly to other IP without the 
> need of a server?

It's very easy to run your own Mumble server locally as an onion
service. So that's effectively P2P, in that you need not trust any
third-party server.

However, keep in mind that VoIP is fundamentally inconsistent with
anonymity. Because voice analysis is so effective. And because it's very
hard to obfuscate voice enough to frustrate analysis. You basically need
to do voice-to-text conversion, and then text-to-voice conversion. And
once you've done voice-to-text, why bother with text-to-voice?


Re: [tor-talk] Fwd: TOR

2018-04-21 Thread Mirimir
On 04/21/2018 09:33 AM, RONALD DOMINIC wrote:
> i get the same results. "Your Tor Browser profile cannot be loaded. It may
> be missing or
>  inaccessible."

Wow. That's bizarre.

What OS are you using?

Did "torbrowser-install-7.5.3_en-US.exe" run without errors?

Do you see the Tor browser unpacked on the desktop?

Or wherever you put it?



Re: [tor-talk] Fwd: TOR

2018-04-20 Thread Mirimir
On 04/20/2018 04:46 PM, RONALD DOMINIC wrote:
> CAN YOU HELP ME?

Caps don't help ;)

So hey, Tor browser has _nothing_ to do with your system's browser (such
as Firefox) or what search service you use there (such as DDG).

And it's really _very_ simple. As Jacki M wrote, you download and
install Tor browser. For Windows, that's
https://www.torproject.org/download/download-easy.html.en#windows. That
gives you "torbrowser-install-7.5.3_en-US.exe". Which is a
self-extracting archive file. Just double click to run it, and it will
unpack Tor browser, by default to the desktop. And it runs a setup
wizard. Detailed instructions are at
https://www.torproject.org/projects/torbrowser.html.en

OK?

> On Mon, Apr 16, 2018 at 1:03 AM, Jacki M  wrote:
> 
>> Install TorBrowser and set the default search engine to Duckduckgo
>> TorBrowser download <https://www.torproject.org/download/download-easy.html.en>
>>
>>
>>> On Apr 15, 2018, at 10:00 PM, RONALD DOMINIC 
>> wrote:
>>>
>>> -- Forwarded message --
>>> From: RONALD DOMINIC 
>>> Date: Sat, Feb 3, 2018 at 3:14 PM
>>> Subject: Re: [tor-talk] TOR
>>> To: tor-talk@lists.torproject.org
>>>
>>>
>>> I am still lost, I have Mozilla Firefox and I use DuckDuckGo. What
>>> should I do with each one? Don't forget I am a "LAYMAN". Please explain.
>>> Thank You again Ron
>>>
>>>
>>>
  Original Message 
 On February 2, 2018 2:52 AM, CANNON 
>> wrote:

> On 01/30/2018 04:32 AM, RONALD DOMINIC wrote:
>> Your Tor Browser profile cannot be loaded. It may be missing or
>> inaccessible.
>> I have been trying to open tor for weeks, no luck.
>> Can anyone help me???
>> RON
>> expired4...@gmail.com
>>
>
> What OS are you using?
>
> Have you tried re-install?
>
>


>>
>>


Re: [tor-talk] What is the name of the project that maps onion addresses to IPv6 addresses?

2018-03-26 Thread Mirimir
On 03/26/2018 05:46 PM, Griffin Boyce wrote:
> Try it and report back =)

Sure, I could do that.

But the v3 onion address space is vastly larger than the IPv6 address
space (256-bit addresses vs 128-bit addresses). So I don't see how a 1:1
mapping is possible.

What am I missing?

> On March 27, 2018 12:41:13 AM EDT, Mirimir <miri...@riseup.net> wrote:
>> On 03/26/2018 12:05 PM, grarpamp wrote:
>>> On Mon, Mar 26, 2018 at 6:22 PM, Yuri <y...@rawbw.com> wrote:
>>>> I remember seeing this project. It creates a virtual IPv6 network by
>> such
>>>> onion->IPV6 mapping.
>>>
>>> There are two of them, the first being more well known,
>>> they interoperate, useful for UDP apps, mosh, the torrent
>>> communities, etc...
>>>
>>> https://www.onioncat.org/
>>> https://github.com/david415/onionvpn
>>
>> Neither works for next-generation (v3) onion services, right?
> 


Re: [tor-talk] What is the name of the project that maps onion addresses to IPv6 addresses?

2018-03-26 Thread Mirimir
On 03/26/2018 12:05 PM, grarpamp wrote:
> On Mon, Mar 26, 2018 at 6:22 PM, Yuri  wrote:
>> I remember seeing this project. It creates a virtual IPv6 network by such
>> onion->IPV6 mapping.
> 
> There are two of them, the first being more well known,
> they interoperate, useful for UDP apps, mosh, the torrent
> communities, etc...
> 
> https://www.onioncat.org/
> https://github.com/david415/onionvpn

Neither works for next-generation (v3) onion services, right?


Re: [tor-talk] Tor and TBB Issues Needing Good Advice

2018-01-24 Thread Mirimir
On 01/24/2018 06:20 AM, Wanderingnet wrote:

You rather hijacked the thread, but hey ;)

> I'm afraid you miss the point.
> 1. To operate TBB with an attendant IPTables setup, including for reasons of 
> potential leaks, admittedly more of a risk in Torification of other apps. DNS 
> leaks are regarded as a widespread issue, quite apparent in looking into tor 
> configurations, though I personally agree (?) that this smacks of bad 
> programming, perhaps in OS design (though again, this tends to be regarded as 
> more of an issue with diverse proxying). Isolating TBB in iptables has proven 
> problematic, since it lacks a native UID, etc.

It's not that hard to reconfigure Tor browser to work with standalone
Tor. In Debian, debian-tor typically has uid 108, as I recall. Then you
can allow only debian-tor process to access eth0 or wlan0.

> 2. To operate Tor with the full range of transports: I have started looking 
> at the possibility of operating debian-tor with the transports included in 
> TBB, ie. pointing tor at the pluggable transports and libs in the TBB data 
> and Tor folders, but would love some help with this. This would give the best 
> of both.

That's an excellent idea.

> 3. Further isolating tor or TBB behind a user account, and ultimately a 
> network namespace, which is touted as a light weight container option, but I 
> have not seen documented for this purpose.

Yes, isolation by network namespace would be even better than iptables,
I think. But still less secure than isolation by VMs. Or using Qubes. Or
better, hardware isolation.

> Sent from [ProtonMail](https://protonmail.com), Swiss-based encrypted email.


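
The uid-based egress firewall described in the reply above (let only the Tor daemon's user out of the uplink, reject everything else) is simple to state but easy to get subtly wrong, and nothing in Tor Browser checks it for you. What follows is an added example, not code from this thread or from the Tor Project: the ruleset in iptables-save syntax, plus a small audit function you can run against `iptables-save` output before trusting it. It assumes Debian's `debian-tor` user (matched by name rather than a hard-coded uid, since the uid differs between installs), an uplink named `eth0`, and the two sample rulesets are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the Tor Project.  A Tor-only egress
# ruleset (iptables-save syntax) and an audit function that checks a
# ruleset for the properties that make it leak-proof.  Assumptions: Tor
# runs as Debian's "debian-tor" user, the uplink is eth0, and the ruleset
# text is what `iptables-save -t filter` prints.  Both rulesets below are
# constructed samples.

# Desired ruleset: loopback open, only the Tor daemon's uid may leave via
# eth0, everything else is logged and rejected.  OUTPUT's default policy is
# DROP, so a rule that fails to load cannot fail open.
TOR_ONLY_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j LOG --log-prefix "tor-leak: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed leaky variant: a blanket DNS allow, so any process (a NIT,
# a misconfigured app) can resolve names outside Tor and the resolver
# sees every lookup.
LEAKY_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner debian-tor -j ACCEPT
COMMIT'

# check_tor_only RULESET TOR_USER
# Exit 0 only if the OUTPUT chain (a) drops by default, (b) has an ACCEPT
# for traffic owned by TOR_USER, and (c) has no other ACCEPT except on lo.
check_tor_only() {
    rules=$1
    tor_user=$2
    # (a) default policy
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
    # (b) explicit allow for Tor's uid
    printf '%s\n' "$rules" \
        | grep -q -- "^-A OUTPUT .*--uid-owner $tor_user .*-j ACCEPT" || return 1
    # (c) every remaining OUTPUT ACCEPT must be restricted to loopback
    leaks=$(printf '%s\n' "$rules" \
        | grep -- '^-A OUTPUT ' \
        | grep -- '-j ACCEPT' \
        | grep -v -- "--uid-owner $tor_user" \
        | grep -v -- '-o lo ') || true
    [ -z "$leaks" ]
}

# apply_tor_only: install the desired ruleset atomically (root required).
# Refuses to install a ruleset that fails its own audit.
apply_tor_only() {
    check_tor_only "$TOR_ONLY_RULES" debian-tor || return 1
    printf '%s\n' "$TOR_ONLY_RULES" | iptables-restore
}
```

To audit a running box rather than the sample, call `check_tor_only "$(iptables-save -t filter)" debian-tor`. Two caveats the audit does not cover: the same ruleset has to go into ip6tables, or everything above is bypassable over IPv6; and it only constrains what leaves the host, so it does nothing against malware that manages to run as the debian-tor user itself. Name resolution for everything except Tor is rejected by design here, so applications must resolve through Tor's SOCKS or DNSPort.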


Re: [tor-talk] Tor and TBB Issues Needing Good Advice

2018-01-22 Thread Mirimir
On 01/21/2018 10:06 PM, Andreas Krey wrote:
> On Sun, 21 Jan 2018 11:05:01 +0000, Mirimir wrote:
>> On 01/21/2018 04:52 AM, Andreas Krey wrote:
> ...
>>> TBB works right out of the box. Dear casual reader, please don't be alarmed 
>>> by this post.
>>
>> It does indeed. But it's a fragile thing, in that there's no protection
>> against malware that bypasses Tor. FBI's NIT is a clear demonstration.
>> There's no firewall, unless the user configures one.
> 
> Ok, s/alarmed/overly alarmed/. :-)

Hey :)

I do get the benefit of making Tor browser dead simple to use. And I get
that it's secure enough for most Tor users, who likely aren't at risk
from Tor-bypassing malware.

But it would be very cool if its vulnerabilities were clearly disclosed.
On the download page. There's already disclosure (but maybe not explicit
enough) that Tor isn't secure against global adversaries. So why not
disclosure that Tor browser isn't secure against Tor-bypassing malware?

> The problem, even with the FBI's NIT, is not that tor needs to run
> firewalled, but rather that firefox needs to be denied anything but the
> SOCKS port (and X11, on unix).

As I understand it, FBI's NIT gets dropped through Firefox, but it
phones home through a standalone process. So restricting Firefox to Tor
wouldn't be enough. But even if I'm wrong about existing malware, what I
describe is doable. It's already a risk when opening downloaded files.

> ...
>> Documentation for using Tor as a standalone service is rather iffy and
>> poorly maintained, is it not? Especially for Windows.
> 
> Windows services are iffy as they are. :-( And otherwise this
> is too much distro-dependent (and too much dependent on the
> wishes of the operator) to provide a click-through installer.
> 
> I.e. to some extend you need to know what you are doing there.

I can't deny that :) But OP does have a point about the difficulty in
learning how "to know what you are doing".

>> Not that I'd
>> encourage anyone to use Tor in Windows.
> 
> I have to 'admit' that I have a TBB instance running
> partially so I can use putty to reach hidden services.

Why not standalone Tor?

> ...
>>> have a good tor there is nothing to protect against, and if you somehow
>>> got a subverted tor, it will not be as stupid as to use separate outbound
>>> TCP connections for phoning home, but instead do that through tor.
>>
>> Maybe "a subverted tor" wouldn't be stupid enough to do that, but that's
>> what FBI's NIT does. And that's how many Tor users got pwned by it.
> 
> Yes, but it wasn't tor that was subverted, it was the browser. And
> the subversion was needed to locate the victim, not to phone home
> the result of the location.

What I said above.

> Basically, what we'd want to do is to isolate firefox, by iptables
> or by putting it (but not tor) into a container without network
> access - but either of these may not be available to a normal
> user installing TBB - and then there is windows.

That would be cool. But yeah, Windows :(

> ...
>>> https://hub.docker.com/r/hkjn/tor-browser/
>>> https://blog.jessfraz.com/post/running-a-tor-relay-with-docker/
>>
>> This _is_ good stuff.
> 
> Interesting, but not quite right. It isolates the browser
> from the system, but not from the network.

Good point.

> - Andreas
> 


Re: [tor-talk] Tor and TBB Issues Needing Good Advice

2018-01-21 Thread Mirimir
On 01/21/2018 04:52 AM, Andreas Krey wrote:
> On Sun, 21 Jan 2018 09:13:29 +, Wanderingnet wrote:
>> So far I have been unable to gain a working torrc and iptables setup for 
>> either tor, or, particularly, Tor Browser Bundle.
> 
> TBB works right out of the box. Dear casual reader, please don't be alarmed 
> by this post.

It does indeed. But it's a fragile thing, in that there's no protection
against malware that bypasses Tor. FBI's NIT is a clear demonstration.
There's no firewall, unless the user configures one.

>> And believe me, I've read, searched and tried - a lot. Funnily, many of the
>> security advantages of using Tor are defeated by the need for heavy research
> 
> You fail to indicate what research is needed, and for that matter why.

Documentation for using Tor as a standalone service is rather iffy and
poorly maintained, is it not? Especially for Windows. Not that I'd
encourage anyone to use Tor in Windows.

> ...
>> For examples, TBB does not run as a service as tor does,
> 
> Well yes, that is the point. TBB is something a user starts.
> 
> How do you want to run a browser in a service (and for that matter,
> what even is a 'service' under unix)?

Agreed.

> ...
>> 1. A clear explanation of how Linux solicits and maintains network 
>> connections, particularly with regard to public wifi negotiation.
> 
> How is that specific to tor?
> 
>> 3. A clear explanation of all required allowances in iptables, of Tor, 
>> including by port if possible, and including of addresses like those for LAN 
>> et al. NAT table routing has proven particularly challenging.
> 
> Wat? The only thing tor connects to are either some guards, or some
> bridges, and at least for the former there is no way to predict what IP
> addresses or ports they have.
> 
> The question is what you want to achieve with iptable rules regarding
> tor. tor does only do outbound connections, and those are to unpredictable
> addr/ports, and the question is what you want iptables to prevent. If you
> have a good tor there is nothing to protect against, and if you somehow
> got a subverted tor, it will not be as stupid as to use separate outbound
> TCP connections for phoning home, but instead do that through tor.

Maybe "a subverted tor" wouldn't be stupid enough to do that, but that's
what FBI's NIT does. And that's how many Tor users got pwned by it.

> So basically, while you could go on and download the consensus to find
> out what addresses tor should be able to connect to, you can just as well
> trust it do to exactly that.

Yes, it doesn't work to secure Tor using iptables rules that are based
on IPs and ports. What does work is only allowing outbound traffic from
the Tor process. Or better yet, running Tor in a separate gateway
machine/VM, and allowing the workspace machine/VM to connect only to Tor
in the gateway. Which is what Whonix does, right out of the box.

>> 4. A method for running TBB with custom torrc, observing the failure of 
>> default port specification (which is part of port securing in custom hashed 
>> passwords, etc.)
> 
> What do you mean with 'failure of default port specification'?
> 
>> 6. A walkthrough for advanced isolation methods like dedicated user 
>> accounts, which have so far proven impossible to run with TBB from a 
>> separate account,
> 
> Huh? Create separate account, run tbb there via 'ssh -X account 
> .../tor-browser-me/Browser/start-tor-browser'?
> 
>> and network namespaces, which appear to be a potentially powerful isolation 
>> solution but which I have not seen adapted to this purpose yet, despite 
>> being considerably lighter than complete OS virtualisation/containers.
> 
> https://hub.docker.com/r/hkjn/tor-browser/
> 
> https://blog.jessfraz.com/post/running-a-tor-relay-with-docker/

This _is_ good stuff.

> ...
>> Any helpful advice would be appreciated.
> 
> It would also help to state in more detail what you want to achieve,
> and what you want to guard against.
> 
> - Andreas
> 
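An added example, not code from either poster, of the policy Mirimir describes in this message (only the Tor process may open outbound connections) and of the per-process isolation Andreas suggests in the later reply (keeping the browser off the network by iptables). It assumes a system tor running as the Debian default user debian-tor (override with TOR_USER); it does not cover Tor Browser's bundled tor, which runs as the desktop user, so an owner match on that user would let the whole desktop session out.

```shell
#!/bin/sh
# Added example, not code from the thread: a host firewall in which only the
# system Tor daemon may open outbound connections. A browser, a helper that
# some dropped payload spawns, or a stray DNS lookup from any other process
# is rejected and logged with its uid. Assumes a system tor running as the
# Debian default user "debian-tor" (override with TOR_USER=...). It does not
# cover Tor Browser's bundled tor, which runs as the desktop user, so an
# owner match on that user would let the whole desktop session out.

TOR_USER="${TOR_USER:-debian-tor}"

# Emit an iptables-restore ruleset for IPv4 ("4", default) or IPv6 ("6").
build_rules() {
    family="${1:-4}"
    if [ "$family" = "6" ]; then
        reject="icmp6-port-unreachable"
    else
        reject="icmp-port-unreachable"
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $TOR_USER -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "tor-bypass: " --log-uid
-A OUTPUT -j REJECT --reject-with $reject
COMMIT
EOF
}

# Number of rules in the generated ruleset that jump to a given target.
# Self-check: five ACCEPTs (loopback both ways, established both ways, and
# the single NEW exception for the tor uid) and exactly one REJECT.
count_target() {
    build_rules "${2:-4}" | grep -c -- "-j $1"
}

# Load both rulesets. Requires root; nothing is applied unless asked.
apply_rules() {
    build_rules 4 | iptables-restore
    build_rules 6 | ip6tables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  build_rules 4; build_rules 6 ;;
esac
```

Run `sh tor-only-fw.sh show` to inspect the rules and `sh tor-only-fw.sh apply` as root to load them. Because the default-deny is on NEW connections and no inbound connection is accepted, the later ESTABLISHED rule cannot be used by a process that never got a connection through. Anything that tries to bypass tor shows up in the kernel log with the prefix `tor-bypass:` and the offending uid, which is the detection half of the setup. Pluggable transports that use UDP (snowflake, for instance) need an additional owner rule for UDP from the same user.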


Re: [tor-talk] hidden service - for dummies ?

2017-09-28 Thread Mirimir
On 09/27/2017 11:52 PM, Franps wrote:
> Hi, Whonix is other free distro that forces all Internet connection through 
> Tor Network. However, if your friend search a good tutorial, it is not 
> difficult to install Tails (you need 30 minutes and 2 USB )

Yes, it's not hard to run an onion in a Whonix workstation VM.

> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 
>>  Original Message 
>> Subject: [tor-talk] hidden service - for dummies ?
>> Local Time: September 26, 2017 9:21 PM
>> UTC Time: September 26, 2017 9:21 PM
>> From: muppe...@protonmail.com
>> To: tor-talk@lists.torproject.org 
>>
>> Hi,
>>
>> today my colleague told me that he would like to start writing some kind of
>> blog and publish it in the tor network. Because I'm not used to telling people
>> that I'm using the TOR Network, I answered that I simply do not know how it
>> works or who can help him.
>>
>> My colleague is a very good journalist but he doesn't have any IT experience.
>> Every day at work he uses some kind of CMS system where he is able to start
>> publishing new articles and so on and so on. Unfortunately, as a real normal
>> user (as far as I know) without IT knowledge, he will not be able to
>> publish his articles in the tor network on his own hidden service. Please
>> correct me if I am wrong...
>>
>> I know many people with little IT experience who are running relay nodes.
>> Building a new relay is quite an easy process. Unfortunately, building a
>> hidden service portal seems to be the part of the knowledge reserved for
>> the masters of IT.
>>
>> Is there any free distro (like Tails) with the possibility to build a TOR Hidden
>> Service in minutes, to start publishing html pages? A distro which can be
>> easily installed/booted by a user with low IT skills? A distro which will
>> have a properly compiled secure HTTP server with some kind of CMS system?
>>
>> Could anyone support / advise here?
>>
>> Greetz
>>
>> Muppet96
>>
>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>> --
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] hidden service - for dummies ?

2017-09-27 Thread Mirimir
On 09/26/2017 10:21 AM, Muppet96 wrote:
> Hi,
> 
> today my colleague told me that he would like to start writing some kind of
> blog and publish it in the tor network. Because I'm not used to telling people
> that I'm using the TOR Network, I answered that I simply do not know how it
> works or who can help him.
> 
> My colleague is a very good journalist but he doesn't have any IT experience.
> Every day at work he uses some kind of CMS system where he is able to start
> publishing new articles and so on and so on. Unfortunately, as a real normal
> user (as far as I know) without IT knowledge, he will not be able to
> publish his articles in the tor network on his own hidden service. Please
> correct me if I am wrong...
> 
> I know many people with little IT experience who are running relay nodes.
> Building a new relay is quite an easy process. Unfortunately, building a
> hidden service portal seems to be the part of the knowledge reserved for
> the masters of IT.
> 
> Is there any free distro (like Tails) with the possibility to build a TOR Hidden
> Service in minutes, to start publishing html pages? A distro which can be
> easily installed/booted by a user with low IT skills? A distro which will
> have a properly compiled secure HTTP server with some kind of CMS system?
> 
> Could anyone support / advise here?

Using Micah Lee's OnionShare, one can easily create Tor onion sites.[0]
They can be transient (for file-sharing) or persistent. It's based on
his txtorcon library,[1] specifically TCPHiddenServiceEndpoint.[2]

0) https://onionshare.org/

1) https://github.com/meejah/txtorcon

2)
https://txtorcon.readthedocs.io/en/latest/txtorcon-endpoints.html#txtorcon.TCPHiddenServiceEndpoint

> Greetz
> 
> Muppet96
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 
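As an added example (not code from the thread, from OnionShare or from txtorcon), here is the torrc fragment behind the "onion in minutes" case Muppet96 asks about, a static blog served by a local web server, together with two checks for the mistake that most often links an onion to its host: a backend that also listens on a non-loopback address and so answers the same content on the clearnet. The directory, the ports and the `ss -ltn` samples are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OnionShare: a v3 onion
# service torrc fragment for a blog served by a local web server, plus checks
# for the mistake that most often links an onion to its host, namely a backend
# that also listens on a non-loopback address. Directory, ports and the
# constructed "ss -ltn" samples are assumptions.

# Print torrc lines forwarding onion virtual port $2 to local target $3, with
# keys and the hostname file kept under $1 (must be owned by the tor user).
onion_torrc() {
    printf 'HiddenServiceDir %s\nHiddenServiceVersion 3\nHiddenServicePort %s %s\n' \
        "$1" "$2" "$3"
}

# Return 0 if a HiddenServicePort target is reachable only from this host:
# a loopback IP, or a unix socket. Anything else (0.0.0.0, a LAN or public IP)
# means the same content is served on the clearnet too.
target_is_loopback() {
    host="${1%:*}"
    case "$host" in
        127.*|localhost|\[::1\]|unix) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "ss -ltn" output on stdin and print every socket on port $1 that is
# bound to a non-loopback address; exit status 1 if any was found.
listeners_bound_wide() {
    awk -v p="$1" '
        NR > 1 {
            lport = $4; sub(/.*:/, "", lport)
            addr  = $4; sub(/:[^:]*$/, "", addr)
            if (lport == p && addr !~ /^127\./ && addr != "[::1]") { print $4; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# Constructed samples of "ss -ltn" output: a correctly bound backend, and one
# that also answers on every interface.
SS_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SS_LEAK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:8080           [::]:*'

case "${1:-}" in
    torrc) onion_torrc /var/lib/tor/blog 80 127.0.0.1:8080 ;;
    demo)  printf '%s\n' "$SS_LEAK" | listeners_bound_wide 8080 \
               || echo "leak: the blog is reachable outside the onion" ;;
    live)  ss -ltn | listeners_bound_wide 8080 \
               && echo "ok: port 8080 listens on loopback only" ;;
esac
```

`sh onion-check.sh torrc` prints the three lines to append to torrc; after a restart, tor writes the .onion name to the hostname file in the service directory. `sh onion-check.sh live` runs the listener check against the real socket table, which is the thing to do once for any web server behind an onion: the torrc target being 127.0.0.1 is necessary but not sufficient, since the server may be listening on 0.0.0.0 as well.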


Re: [tor-talk] can't connect data bases and scientific journals

2017-09-15 Thread Mirimir
On 09/15/2017 07:36 AM, Franps wrote:
> Dears, I am Fran.
> I am a new member of this list. I would like to ask you a question that is
> important for me:
> Using TAILS OS (which forces all Internet connections through the Tor Network), I
> need to get access to databases related to academic and scientific journals,
> but connections through the Tor Network are refused by those servers, so I must
> use another OS or another web browser, but I would prefer not to do that.
> Is it possible to manage Tor browser settings in order to get into those
> databases using Tails?
> Sorry for the annoyance and thank you very much for your attention.
> Kind regards,
> Fran

You could route a VPN through Tor. If those resources accept the VPN
exit IPs, it should work. AirVPN has instructions for routing their
client Eddie through Tor.[0] But with Tails, you'd need to install and
configure Eddie at each boot. You can also do it in Whonix, and the
setup will persist. But for both, you'd need to tweak Tor browser so it
doesn't connect directly via Tor, but through AirVPN which is routed
through Tor.

0) https://airvpn.org/topic/15253-using-airvpn-with-tor/

> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 


Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?

2017-07-28 Thread Mirimir
On 07/27/2017 06:36 PM, Random User wrote:
>> On 07/24/2017 11:07 PM, Random User wrote:
> 
>>> My impression was that all of the major free email providers required a
>>> valid phone number in order to sign-up. I would find it quite
>>> interesting if Yandex does not.
> 
> On Tue, Jul 25, 2017, at 07:35 PM, Mirimir wrote:
>  
>> Neither VFEmail.net nor Cock.li require phone numbers.
> 
> Thanks, I appreciate that info. and I'm sure that it can be useful to
> others as well.
> 
> I think you would agree, though, that as much as those two email
> providers may have to offer in their own right, neither could be
> considered "major".  One consideration, I believe, with lesser-known
> email providers is that mail sent from them and/or mail from addresses
> with their domain are more likely than mail sent from one of the "Big
> Guys" to get  caught in spam filters.

I don't recall messages from either being rejected.

> As always, a trade-off.

As always ;)


Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?

2017-07-25 Thread Mirimir
On 07/24/2017 11:07 PM, Random User wrote:
> On Sat, Jul 22, 2017, at 06:03 PM, Katya Titov wrote:
>> Yandex has a light version that works without JS. The others require it.
> 
> Thanks. 
> 
> Come to think of it, what about a valid phone number? Did you have to
> provide one? 
> 
> My impression was that all of the major free email providers required a
> valid phone number in order to sign-up. I would find it quite
> interesting if Yandex does not.

Neither VFEmail.net nor Cock.li require phone numbers.

>> You now owe me 5 minutes of internet.
> 
> I appreciate it but you certainly didn't have to.
> 


Re: [tor-talk] Alec Muffet "Tor is a very attractive proposition for secure networking"

2017-06-01 Thread Mirimir
On 06/01/2017 10:45 AM, grarpamp wrote:

> And many application protocols are incompatible with onion addressing.
> 
> So you'll need OnionCat to do those and other cool things... :)
> 
> https://www.onioncat.org/
> https://cypherpunk.at/onioncat_trac/

Requisite reminder about how well MPTCP works with OnionCat:

https://ipfs.io/ipfs/QmUDV2KHrAgs84oUc7z9zQmZ3whx1NB6YDPv8ZRuf4dutN/
https://ipfs.io/ipfs/QmSp8p6d3Gxxq1mCVG85jFHMax8pSBzdAyBL2jZxCcCLBL

You can get 50 Mbps with bbcp between onions.

> And you'll need to find some users and developers interested
> in continuing / new development of such enabling tools / layers.
> Because OnionCat is both unmaintained, and Tor is killing
> it off with prop224 in a few years.

Yes, that will be sad :(

I wonder if something like OnionCat could be readily implemented in Python.


Re: [tor-talk] TBB users, please give 1 minute of your time for science

2017-04-25 Thread Mirimir
On 04/25/2017 04:26 PM, krishna e bera wrote:
> On 25/04/17 05:37 AM, c...@browserprint.info wrote:
>> I'm a PhD student.
>> I have no employer other than my university.
>> All my work is done with the intention of publishing it in academic
>> journals, conferences, my blog, and my thesis.
> 
> Going to the site we can see this project purports to be run by
> Lachlan Kang of University of Adelaide and funded by ACEMS.org.au
> with code available on https://github.com/qqTYXn7/browserprint
> MIT licence and website CC-by 4.0.
> Including all that info in the original call for our time might have
> reduced the number of raised hackles - or at least mine.
> 
> Now using iceweasel plus RequestPolicy-Continued add-on, clicking on the
> fingerprint me button i fill the captcha and see "Please wait..."
> followed by "An error has occurred."
> 
> My TBB results are like others reported here.

Just to be clear, I am not at all opposed to research that helps Tor.
Finding vulnerabilities is a key part of that. What annoyed me was op's
statement: "The aim of this is to detect and defeat browser spoofing."
As if spoofing is a bad thing, that ought to be defeated. An aim like
"identifying bugs in browser spoofing" would have been more diplomatic.

Also, it would perhaps have been more useful to first contact Tor
Project privately, after reading  and
.


Re: [tor-talk] TBB users, please give 1 minute of your time for science

2017-04-25 Thread Mirimir
On 04/24/2017 07:00 PM, c...@browserprint.info wrote:
> Hello, Tor community!
> 
> Could you please do me (and science) a favor and go to my site (
> https://browserprint.info ) using the Tor Browser Bundle and submit a
> fingerprint, making sure to fill in the optional questionnaire?
> 
> At the moment I'm working on detecting a person's underlying
> operating system and browser family using their browser fingerprint. 
> The aim of this is to detect and defeat browser spoofing. The number
> of Tor Browser Bundle users who have gone to my site and done this is
> extremely low, so I'm not able to properly train my detector to
> defeat the TBB, nor am I able to gauge how effective my detector is
> against the TBB.
> 
> Rest assured that I will not use your data for anything malicious,
> nor will I attempt to deanonymise you in any way.
> 
> Thank you!

Not malicious, you say? Browser spoofing is a key feature of Tor
browser. Defeating that sounds rather malicious.


Re: [tor-talk] Suspicious rise in direct users connection from Israel (from ~9k to >100k)

2017-04-13 Thread Mirimir
On 04/13/2017 08:52 AM, Lolint wrote:
>> This can mean that something is forcing rapid reconnection, right?
> 
> Yes, as with the Turkey block (see Annex A):
> 
> https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-vpn-ban/

Right, that's what I was thinking (vaguely) of.

https://metrics.torproject.org/userstats-relay-country.html?start=2016-11-01=2017-04-13=tr=off


Re: [tor-talk] tbb (disable network is set)

2017-04-05 Thread Mirimir
On 04/05/2017 07:01 AM, 0xdog wrote:
> 2017-04-04 12:30 GMT-04:00, Mirimir <miri...@riseup.net>:
>> Is there another uplink that you could test on? Alternatively, you could
>> try connecting through a VPN. If either eliminates the problem, you know
>> that your normal uplink is at fault.
> 
> I do not have another uplink to test. I can try using a VPN, yes. Can
> you point out the best way to configure TBB using a VPN, if you
> have used one before?
> Thanks in advance.

What OS?

https://securitykiss.com/ has a free tier, and is reputable.

Are you comfortable using command line?


Re: [tor-talk] tbb (disable network is set)

2017-04-04 Thread Mirimir
On 04/04/2017 10:01 AM, 0xdog wrote:
> 2017-04-03 21:46 GMT-04:00, Mirimir <miri...@riseup.net>:
>> Tor browser may do this if your uplink gets interrupted at a particular
>> stage in getting the network consensus. I believe that it's a defense
>> against attempts to force use of malicious relays. The simplest fix is
>> to delete and reinstall Tor browser, after saving bookmarks if desired.
>> Or you could manually reset the flag.
> 
> I have deleted/reinstalled TBB many times and even updated the TBB version
> any time there is a new one. I have edited the torrc file, but when I
> start TBB again the DisableNetwork 0 line is deleted. Could you please
> explain to me the correct way to do this? I have the same results using
> Custom Bridges for obfs4. Here are the whole logs:

Yes, adding "DisableNetwork 0" to torrc doesn't seem to work. I just
nuked the state file. But if the problem reoccurs after reinstalling Tor
browser, there must be something else causing it. If obfs4 bridges don't
help, I'm rather at a loss.

Is there another uplink that you could test on? Alternatively, you could
try connecting through a VPN. If either eliminates the problem, you know
that your normal uplink is at fault.


Re: [tor-talk] tbb (disable network is set)

2017-04-03 Thread Mirimir
On 04/03/2017 09:13 AM, 0xdog wrote:
> Hello.
> I don't know if this is the correct mailing list to post this
> question, so in that case my apologies in advance.
> 
> Last year I was using TBB (on a Windows Server 2003 32-bit PC) for a
> while and it was working perfectly; suddenly it stopped working and the
> logs said "DisableNetwork is set. Tor will not make or accept
> non-control network connections. Shutting down all existing
> connections...". At that time I just stopped using TBB and I checked
> TBB frequently; one day, suddenly again, apparently with no change on
> my computer or my network, it started working again for a while, but
> right now I have the same problem as before: it stopped working again
> and the logs say "DisableNetwork is set. Tor will not make or
> accept...".
> 
> Now I have made a firm decision to find where the problem is:

Tor browser may do this if your uplink gets interrupted at a particular
stage in getting the network consensus. I believe that it's a defense
against attempts to force use of malicious relays. The simplest fix is
to delete and reinstall Tor browser, after saving bookmarks if desired.
Or you could manually reset the flag.

> 1. I have spent a lot of hours surfing the web looking for a solution.
> Many, many people have the same problem, but only a few have found a
> solution.
> 
> 2. The rules and firewall of my antivirus are fine; even with the
> antivirus totally deactivated it does not work.
> 
> 3. I have normal access to torproject.org through the Firefox browser, so
> I don't think my ISP is blocking the tor network or doing DPI.
> 
> 4. I have checked my timezone against an internet service and the time
> of my system seems to be incorrect, but since I am behind a proxy
> server that is far from my hands, my timezone is that of the proxy
> server and I cannot fix it. Do you think this is the cause of the
> problem? In this case, is there a workaround for this?
> 
> 5. I have been viewing the tor source code trying to figure out under
> which conditions the DisableNetwork flag is set to 1, without much progress.
> Can someone point out which source file is the one I'm looking for?
> 
> I can post the whole logs if someone is interested.
> 
> Thanks. Best regards.
> 


Re: [tor-talk] This video has been censored by YouTube many times

2017-04-01 Thread Mirimir
On 04/01/2017 06:17 PM, Kevin wrote:
> Maybe youtube doesn't know about this vid yet.  By the way that
> was...interesting.

That was fucking evil. And totally off-topic. Just sayin'.

> On 4/1/2017 5:32 PM, John Pinkman wrote:
>> it explains problems that the world faces today
>> https://w1r3.net/yBQEEe.webm
> 
> 
> ---
> This email has been checked for viruses by Avast antivirus software.
> https://www.avast.com/antivirus
> 


Re: [tor-talk] BitPay seems to be rejecting payments via Tor

2017-03-18 Thread Mirimir
On 03/18/2017 12:38 AM, grarpamp wrote:
> On Fri, Mar 17, 2017 at 5:49 PM, Mirimir <miri...@riseup.net> wrote:
>> it arguably ought to be a private VPN.
> 
> Run by relay operators was the general idea, a bit more spine,
> and more flexible setup. But certainly not restricted to that.

Right.

>> Problematic is limited IPv4 resource. I wonder if there's some way to do
>> ephemeral routable IPv6. I mean, why do proxies need addresses that last
>> more than a day? Why not give every circuit a different IPv6?
> 
> Some streams last more than a day, some apps are resumable,
> but breaking the tuple and forcing a reneg or getexitbridges
> more than once a day will seriously piss users off.

OK, some streams do last more than a day. But then they must pin the
exit relay, right? So in that case, you'd keep the IPv6 until the stream
ended, even if there were circuit changes with different middle relays.

I don't get why changing exit IPv6 would break resuming by client-side
apps. They don't (and shouldn't, obviously) manage exit IPs. Tor daemon
handles that. So they'd be oblivious as long as exit IPv6 persisted as
long as relevant streams, right?

> Millions of circuits worth of v6 a day also happen.
> But yes you could get and SWIP a v6 /whatever worth
> and throw them once a week or whatever your get and use
> model for users rationally permits. Once a week is 52.
> One per requestor, spread across all exits, probably possible.
> v6 are unlimited but hosters probably still charge like gold for them.
> Some operators should try it and see.

Well, I got a couple /64 for free from GigaTux for a low-end VPS. For
the VPN-testing project. And they do run a Tor relay, if I recall
correctly. A /64 gives you 1.8 x 10^19 IPv6. With ~2 x 10^6 daily users,
that's ~10^13 circuit days per user. So hey, I'll ask.

But how would Tor Project's relay monitoring work for exits with no
stable IPv6 address? Wouldn't they lose the exit flag?


Re: [tor-talk] BitPay seems to be rejecting payments via Tor

2017-03-17 Thread Mirimir
On 03/17/2017 02:40 PM, grarpamp wrote:
> An 'exit bridge' in this sense could just be requesting
> 'getexitbridges' to send you connection details to
> such an OpenVPN termination point.
> Operators and others could run this without TPI
> involvement and perhaps resist what accurates TorDNSEL.

Well, I recall complaints from AirVPN about people routing Tor exits
through it. Which was adding to their abuse and block-list problems. So
it arguably ought to be a private VPN.

> Or simply run a parallel network with other exit IP until such
> a time as it becomes heavily blocked too, then repeat :)
> Having only one exit overlay network is an easy target.

Problematic is limited IPv4 resource. I wonder if there's some way to do
ephemeral routable IPv6. I mean, why do proxies need addresses that last
more than a day? Why not give every circuit a different IPv6?

> Defense in depth.

Always good :)


Re: [tor-talk] BitPay seems to be rejecting payments via Tor

2017-03-17 Thread Mirimir
On 03/17/2017 04:01 AM, Mirimir wrote:
> I've checked a few VPN and VPS providers that use BitPay, and payments
> are being rejected. No CAPTCHA, just a message to check with the
> provider. I've heard similar reports from others.
> 
> What to do? If anyone has contacts at BitPay, please use them. And what
> are possible workarounds? Maybe specify exits with unlisted IPs. It's
> too bad that Tor doesn't have exit bridges ;) I'll probably end up
> routing a free VPN service through Tor.
> 
> Longer term, what Tor-friendly Bitcoin/altcoin payment processors can we
> recommend to service providers?

I get that it was a Cloudflare problem:[0]

| In this case, Cloudflare is intercepting a BitPay invoice request
| (what's happening when you go to pay with bitcoin at a BitPay
| merchant) and is requiring a captcha to prove that the user is
| a person and not a robot.
|
| Cloudflare tends to do this with requests made over Tor at a much
| higher rate. The way this captcha is delivered by Cloudflare to
| the Tor browser is taking users to an archived invoice page and
| not allowing them to proceed with a payment. The captcha itself
| may not be displayed depending on how risky/trustworthy Cloudflare
| considers a particular IP address.

Just think about that. Cloudflare is requiring a CAPTCHA, _but is not
showing the CAPTCHA to the user_. That is fucking insane.

But it's fixed now. Users now see a link to a BitPay no-script invoice,
which works perfectly.

0)
https://www.reddit.com/r/Bitcoin/comments/5zy2al/boycott_bitpay_bitpay_used_by_majority_of/?ref=share_source=link

