Re: Unique properties and realtime entry-exit check

2006-04-05 Thread Mike Perry
Thus spake Total Privacy ([EMAIL PROTECTED]):

 Two hypothetical examples: 
 
 1. 
 I'm using the normal Firefox (without Tor) with cookies enabled 
 to log in on Yahoo email to make some stuff as my real identity. 
 Then I close the normal Firefox and start Torpark Firefox with 
 cookies enabled to log in on another Yahoo email to make some 
 stuff as a fake identity. Now the question is, are the cookies 
 capable of retrieving some unique information about my computer, 
 that later is comparable at Yahoo headquarters, to figure out 
 these two different Yahoo webmail accounts were actually run 
 from one same computer? 

That depends on your profile directory.. If torpark and firefox are
sharing the same profile, cookies will be shared. If they are sharing
profiles, extensions probably will be shared also. 

An easy way to check this without delving through arcane browser settings
is to install a cookie monitoring extension. I really like Add N' Edit
Cookies myself. You can search for yahoo via each browser and make
sure no cookies are cross-populating.

 2. 
 The same base as in example 1 above, but with the difference 
 that no cookies are enabled anywhere and the webmail account is at 
 Fastmail with a complete https connection for everything. Now the 
 question is, are there some unique properties of my computer's 
 https handling that appear the same at the Fastmail headquarters 
 to make sure the two webmail accounts were run from the one 
 same computer? 

I think that unless you have installed a client certificate, there
should be no identifying information in an SSL handshake. If you do
have a client certificate installed (you will know if you do), I think
the client only uses it if the server requests it.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Firefox through Tor

2006-04-27 Thread Mike Perry
Thus spake Michael Holstein ([EMAIL PROTECTED]):

 So the problem is that a motivated adversary can subpoena or simply
 ask DoubleClick to hand over their IP/cookie logs. If you are using
 Tor for /everything/, then what they get from DoubleClick for that
 email address is just a Tor IP, no harm no foul. However, if the user
 had set up a filter that only sends *yahoo.com through Tor, then
 DoubleClick will have their /real IP/ on file in association with
 whatever unique ID yahoo passed for that email address, even though
 yahoo's records show only the Tor IP.
 
 SwitchProxy (as well as CTRL+SHIFT+DEL) in Firefox will clear all cookies.
 
 Anytime you switch between TOR/Direct you should close down to all but 
 one blank window, clear cookies/cache one way or another, and *then* 
 proceed.

Just clearing cookies every time there is a switch is not enough if
there is an automatic Tor filter in place.

The problem is that yahoo can custom-generate its links to DoubleClick
so they encode your email address (dunno if they do do this, but I'm
sure some sites and ad partners do). Therefore identifying information
is sent independent of the cookie.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Firefox through Tor

2006-04-27 Thread Mike Perry
Thus spake Michael Holstein ([EMAIL PROTECTED]):

 The problem is that yahoo can custom-generate its links to DoubleClick
 so they encode your email address (dunno if they do do this, but I'm
 sure some sites and ad partners do). Therefore identifying information
 is sent independent of the cookie.
 
 Which is why one should have separate accounts created for anonymous 
 use, and do everything (including setup of those accounts) from an 
 anonymized connection.
 
 Once you've touched your anonymous account from a session involving 
 anything that *isn't* anonymous, it's game over.

Agreed. This is also why an automatic filter is dangerous if it is not
done properly. Just one slip-up, accidental click, etc, and you're
toast.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Firefox through Tor

2006-04-28 Thread Mike Perry
Thus spake Eric H. Jung ([EMAIL PROTECTED]):

 Hello Michaels,
 
 I apologize for the delayed reply. Please don't interpret the delay as
 a lack of interest--it surely isn't.
 
 Quoting Mike Perry:
 Just clearing cookies every time there is a switch is not enough if
 there is an automatic Tor filter in place.
 
 The problem is that yahoo can custom-generate its links to DoubleClick
 so they encode your email address (dunno if they do do this, but I'm
 sure some sites and ad partners do). Therefore identifying information
 is sent independent of the cookie.
 
 I hope you'll both agree there's nothing FoxyProxy can do about this.
 Unless you have a striking relevation which could solve the problem
 programmatically, I'm just going to add this to the FoxyProxy FAQ as a
 be careful warning in an attempt to educate.

Depending on the flexibility of XPCOM, it should be possible to solve
this problem programmatically (but it is error-prone).

I probably should summarize everything from this thread again just so
you have it all in one place:

The way to solve the problem is to make sure that all embedded object
links are in fact loaded through the active proxy for the parent
tab/page. This includes frames, iframes, css, js, images, java, flash,
and other misc plugin objects. Probably some other stuff too.

So long as the 'evil' link-object is loaded through Tor, the problem
is solved. The assumption is that the information encoded in the
link isn't compromising by itself, but that the danger is that the
browser will autoload the link in the clear and thus your real IP will
be in that server's logs associating you with your Torrified email
account.

Also, because of accidental clicks, phishing attacks, and referrer
urls, user followed links should also be protected. Pretty much
anything the user follows from a protected, proxied page should
inherit that page's proxy settings (including links followed by
opening them in a new tab/window).

Lastly, as Michael pointed out, you have to clear all cookies
every time a proxy switch is done (mega bonus points for a mechanism to
protect certain cookies from deletion a-la
http://cookieculler.mozdev.org/). If you do not do this, a cookie
accessed from an ad banner displayed while you are visiting a site in
the clear can be transmitted again when you access your email account
through Tor, thus ruining your pseudonymity against an adversary with
access to the ad server's data (assume everyone). The reverse is also
possible, so cookies have to be cleared in each direction of the
switch.

Even with all these countermeasures, the type of filter where you
specify only untrusted/Tor sites is error prone and should carry heavy
warnings for people who truly need anonymity, and needs to be tested
heavily by vigilant people with a wide variety of usage habits.

I do think that it should be possible to build such a filter though.
And it would be very very nice to have.

 I forgot to mention that if a URL doesn't match any patterns defined
 in FoxyProxy, FoxyProxy *does not* default to a direct
 connection. Instead, it defaults to whatever proxy
 (if any) has been defined in Firefox's Connection Settings.   

  
 By defining Tor as the proxy in Firefox's Connection Settings, Tor
 is used as a catch-all for non-matches.
   
 I'll shortly be adding blacklist capability to FoxyProxy (it already
 has whitelist ability). That, in conjunction, with the above
 catch-all, should provide enough ingredients to come up with some
 safe recipe for some of the problems both of you describe, no?  

Yes, inverting the filter so that you list only sites that you trust
to connect to in the clear is a much safer option (and much easier to
implement!), but my guess is that it will be much less popular than
the ability to specify the sites you only want to visit through Tor
(ie gmail/yahoo/.onion). Therein lies the dilemma.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
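The filter rules summarized in the message above, as an added worked example (this is not FoxyProxy's code and not from the post): a small Python model of the naive "Tor only for these sites" filter routing each request by its own hostname, the same filter with per-page proxy inheritance, the inverted "direct only for trusted sites" filter, and the shared-cookie-jar replay that clearing on switch prevents. The tracker hostname, the URLs and the cookie value are made up for the example.

```python
"""Model of the two proxy-filter designs discussed in the thread.

Added example; not FoxyProxy code and not from the original post.  It
drives no browser: it only decides which proxy each request of a page
load would take, so the leak described in the thread can be seen on
constructed input.  All hostnames and URLs below are made up.
"""
from urllib.parse import urlparse

TOR, DIRECT = "tor", "direct"


def host_of(url):
    return (urlparse(url).hostname or "").lower()


class PatternPolicy:
    """Route by hostname pattern: matches go to match_proxy, everything
    else to default_proxy.  'Tor only for yahoo' is
    PatternPolicy(["yahoo.com"], TOR, DIRECT); the inverted filter is
    PatternPolicy([trusted sites], DIRECT, TOR)."""

    def __init__(self, patterns, match_proxy, default_proxy):
        self.patterns = [p.lstrip(".").lower() for p in patterns]
        self.match_proxy = match_proxy
        self.default_proxy = default_proxy

    def proxy_for(self, url):
        host = host_of(url)
        for p in self.patterns:
            if host == p or host.endswith("." + p):
                return self.match_proxy
        return self.default_proxy


def route_per_request(policy, page_url, subresources):
    """Naive filter: each request (page, image, iframe, ad beacon) is
    routed by its own hostname, regardless of the page that embedded it."""
    return {u: policy.proxy_for(u) for u in (page_url, *subresources)}


def route_inherit_parent(policy, page_url, subresources):
    """Fixed filter: every sub-request inherits the proxy chosen for the
    parent page, which is what the thread asks for."""
    parent = policy.proxy_for(page_url)
    return {u: parent for u in (page_url, *subresources)}


def leaked_requests(routes, page_url):
    """Requests that left Tor while the page itself went through Tor:
    each one hands the real IP to that host alongside whatever the URL
    encodes (the email address, in the example from the thread)."""
    if routes[page_url] != TOR:
        return []
    return sorted(u for u, p in routes.items() if p != TOR)


class SingleCookieJar:
    """One shared cookie store, as in a browser without per-proxy
    isolation.  A cookie set in the clear is replayed over Tor unless the
    jar is cleared on the switch (and the same in the other direction)."""

    def __init__(self):
        self.cookies = {}   # host -> {name: value}
        self.active = DIRECT

    def switch(self, proxy, clear_on_switch):
        if proxy != self.active and clear_on_switch:
            self.cookies.clear()
        self.active = proxy

    def set_cookie(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value

    def cookies_sent_to(self, host):
        return dict(self.cookies.get(host, {}))


# constructed page load: a webmail page embedding an ad beacon whose URL
# carries the account name
AD = "http://ad.example-tracker.net/beacon?uid=alice%40yahoo.com"
PAGE = "https://mail.yahoo.com/inbox"
SUBS = [AD, "https://mail.yahoo.com/logo.png"]


def compare_filters():
    """Leaks for: naive 'Tor only for yahoo', the same with inheritance,
    and the inverted 'direct only for trusted sites' filter."""
    tor_for_listed = PatternPolicy(["yahoo.com", ".onion"], TOR, DIRECT)
    direct_for_listed = PatternPolicy(["intranet.example"], DIRECT, TOR)
    naive = leaked_requests(route_per_request(tor_for_listed, PAGE, SUBS), PAGE)
    fixed = leaked_requests(route_inherit_parent(tor_for_listed, PAGE, SUBS), PAGE)
    inverted = leaked_requests(route_per_request(direct_for_listed, PAGE, SUBS), PAGE)
    return naive, fixed, inverted


def cookie_replay(clear_on_switch):
    """Ad cookie set while browsing in the clear: is it sent over Tor?"""
    jar = SingleCookieJar()
    jar.set_cookie(host_of(AD), "id", "set-while-direct")
    jar.switch(TOR, clear_on_switch)
    return jar.cookies_sent_to(host_of(AD))
```

compare_filters() returns the leaked beacon URL for the naive filter and nothing for the other two: with the inverted filter even the naive per-request routing keeps the beacon on Tor, which is why the message calls it the safer option. Pattern matching here is suffix-on-dot only; a real extension also has to cover the other ways a page can cause a request (plugins, redirects, links opened in new tabs) that the message lists.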


Re: Firefox through Tor

2006-04-29 Thread Mike Perry
Thus spake glymr ([EMAIL PROTECTED]):

  Yes, inverting the filter so that you list only sites that you
  trust to connect to in the clear is a much safer option (and much
  easier to implement!), but my guess is that it will be much less
  popular than the ability to specify the sites you only want to
  visit through Tor (ie gmail/yahoo/.onion). Therein lies the
  dilemma.
 
 what about changing the proxy program so it always runs through
 privoxy, and having foxyproxy switch the upstream proxy to none or
 tor. this solves the problem of identifiable information from the
 beginning because it strips most of the identifiable stuff. you don't
 even see those evil spy-cookie producing ads with privoxy. if there is
 any simple way to make it possible to quickly switch privoxy to and
 from tor that would strengthen the anonymity a lot.

I regularly purge tons of cookies from doubleclick, informit,
googlesyndication, ad nauseum that have been collected even through
privoxy. Unfortunately privoxy really should only be depended upon as
a SOCKS to HTTP proxy converter. It is not a reliable privacy tool
anymore.

  I do think that it should be possible to build such a filter
  though. And it would be very very nice to have.

While I'm at it, let me strengthen this statement by saying that such
a filter for selective torrification is pretty much a necessity for
the simple reason that every Tor user *has* to do all the
countermeasures by hand anyway as-is if they ever turn Tor off (which
I imagine most of them do, esp during periods of network lag).

If an extension such as Foxyproxy can perform these tasks
automatically, and can be verified to be performing them correctly
each time, this is a vast improvement over everyone doing it by hand
(especially for Tor newbies).


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Some legal trouble with TOR in France

2006-05-14 Thread Mike Perry
Thus spake Eric H. Jung ([EMAIL PROTECTED]):

  Tony's point was that you could arrange not to have the 
 authentication
  tokens anymore. You better hope they believe you when you say you
  don't have it, though.
 
 Not having the authentication tokens counts as refusing to surrender
 them.
 
 Per US law, if a judge subpoenas you to hand them over and you refuse
 and/or remain silent, it means indefinite jail time (until you hand
 over the tokens) and/or fines.

Where is your source on this? As I understand it, there are a few
fundamental principles of the US legal system that should render this
statement completely false. One is Habeas Corpus.. You can't just
throw someone in jail indefinitely without a criminal charge and a
trial. http://en.wikipedia.org/wiki/Writ_of_habeas_corpus 

Though it seems BushCo are violating it with enemy combatant
charges, I do not think they have the political power (at least
anymore) to name an anonymity provider as an enemy combatant
(especially if they are a natural born US citizen). The same applies
to the 72 hour warrant deal, at least as far as I can tell from
http://www.fff.org/comment/com0601c.asp

Second, if it is a criminal charge, you are not under any obligation
to testify against yourself in a criminal court of law (5th
amendment). There are various exceptions to this, the main one being if
you are not the person charged with the crime (though I think you can
still claim that such testimony may incriminate you for unrelated
matters). I suppose it could also be argued that the passphrase does
not count as testimony, but it sure seems like it is.

Finally, some googling on subpoena compliance seems to indicate that
punishment for subpoena non-compliance is 'contempt of court' charge
and fines.

http://www.rcfp.org/cgi-local/privilege/item.cgi?i=questions

That page advises you not to answer any subpoenas without challenging
them first, among other things (ie one state's court cannot usually
subpoena someone from another state). Contempt of court charges for
non-compliance may be repeated, but any contempt law I can find on
the web has some form of maximum limit. The longest I've seen so far
is North Carolina, which is a max of 1yr in 90 day increments:
http://www.rosen.com/ppf/cat/statco/laws.asp


Also, dunno how accurate it is, but Wikipedia seems to claim that the
key disclosure provisions of the RIPA (Part III) are not yet in force
in the UK:

http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000




We seriously have to watch our paranoia on this one. This is one of
those situations that if we believe we have no rights, it will be very
easy to knock us over, simply by playing off our fears and demanding
keys without any legitimate basis to do so.

If any Tor operator is arrested/detained in the US, they would do well
to refuse to surrender any passphrase until they are actually in court
and ordered to do so by a Judge (and then only after voicing protest,
to allow for clear appeal to a higher court). Cops will probably just
lie to you and try to convince you that you are required on the spot.
Ask for a lawyer immediately. 

This is not just to protect the Tor network either. With computer laws
as crazy as they are, and with the IPPA coming down the road, soon
simply having something like an Open Source DVD player or archiver on
your machine will be enough to land you in jail for a while, if it's
not already...

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Speak of the Devil

2006-05-19 Thread Mike Perry
British govt just started pushing for Part III of RIPA citing
terrorism and kiddie porn as major reasons to require people to
disclose encryption keys...

http://arstechnica.com/news.ars/post/20060518-6870.html

Seems we may have a strong ally on our side on this one. International
bankers might not want the local police requiring them to hand over
keys either, though they certainly have enough political influence to
stop investigations before they start I'm sure...

The UK Crypto thread that spawned this article is here:
http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2006-May/080742.html

One can only hope that the Bill of Rights is enough to keep this
bullshit out of the US, but who knows.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Threats to anonymity set at and above the application layer; HTTP headers

2006-05-22 Thread Mike Perry
Thus spake Anothony Georgeo ([EMAIL PROTECTED]):

 IMO a needed and important feature of any
 'filtering/scrubbing' proxy application is some sort of
 'on-the-fly' decryption -> scrubbing -> encryption scheme
 for ingress/egress HTTPS traffic.
 
 [needlessly complicated stuff removed]

K.I.S.S.

This has all sorts of issues with certificate verification and so on.
Not to mention that I think that any sort of user configurable
scrubber is not going to be used effectively by more than 1% of the
population (if even that). Hell, I don't understand privoxy's
configuration to the degree I'd feel safe relying on it by itself
and I'm a programmer.

The only way to do this is via extensions to the browser. That way you
do not interfere with CRL/OCSP for true cert verification (which sadly
seems very broken in Firefox currently) and it makes it easy to switch
components on/off if something doesn't work because one of your
filters isn't quite right. And you get SSL for free, because your
extensions see the web data AFTER the browser has performed (optional)
rigorous checks to make sure the cert has not been revoked or
otherwise compromised/spoofed.

I really think that we desperately need an intelligent proxy selection
mechanism such as Eric Jung's FoxyProxy (so long as it properly
isolates cookies for each proxy and does the proxy filtering on a
per-tab basis as discussed previously). Combine this with NoScript,
Adblock, and a user agent switcher, and I really don't see any reason
for privoxy anymore (except to remove maybe a stray HTTP header here
and there, but since those aren't logged, that may not be needed).

It sucks that we lose browser independence with this mechanism, but
them's the breaks. They should all be compatible with xpi
anyways ;)


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Tor and Google Image search

2006-08-18 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 Brian C wrote:
  Hi,
 
  Shatadal wrote:

  Hi,
 
  Whenever I use google image search via tor the search page serves up
  empty pages. Without tor google image search behaves as it normally
  does. Does anybody else face this problem?
 
  Thanks.
  
 
  Just tried http://images.google.com using tor on Debian. Did two
  searches which worked great.
 
  Brian

 i've the problem on w2k with the last vidalia bundle.
 I think it's a new privoxy default config, if I use tor as a socks proxy
 i can see the thumbs images.google
 Dan

Actually, I've started noticing this even though my privoxy config
hasn't changed in a long while. I think it's something new that
images.google.com is doing that privoxy doesn't like.

If you add:


{ fragile } 
images.google.com


to your Privoxy action file, it works again. To declare everything as
fragile:


{ fragfile }
.


Perhaps the images.google.com declaration should be added to the
Privoxy that is shipped with vidalia/tor. It is likely to be pretty
frustrating to new users.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: following on from today's discussion

2006-08-18 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 It's certainly hard to pin down the exact risks here -- there are
 clearly huge risks on both sides. Somebody should write up a clear
 concise explanation, perhaps based on some statements from this thread. :)

I'd like to also add that it is possible for rogue Tor servers to go
beyond simply eavesdropping on traffic. On one occasion I received a
corrupt .exe file via Tor.. It appeared to be just noise, but it woke
me up to the possibility that it is quite feasible that Tor exit nodes
can do all sorts of things to traffic: modifying .exes, injecting
browser/media format exploits, etc etc. Since the Tor client scrubs
logs, it can be difficult to tell which exit server was in fact
responsible, especially if they only target a small percentage of
connections.

It might be nice if Vidalia had an option to retain some connection
history in-memory only for a period of time on the order of 10s of
minutes for the purposes of monitoring for malicious/censored exit
nodes. 

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Tor and Google Image search

2006-08-18 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 to your Privoxy action file, it works again. To declare everything as
 fragile:
 
 
 { fragfile }
 ..

Ouch. Two typos, one caused by me, one by mailinglist/MTA. 
This should be one period. And { fragile }, just like before.


 { fragile }
 . 

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: following on from today's discussion

2006-08-19 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 Correct. Woe is the day when a malicious Tor exit node also has a stolen
 or purchased copy of a trusted CA's key.

Eeep.

 The next thing we need to do is continue to work on interfaces and
 usability for end-user applications like Firefox. What does that
 lock mean really? If I do (or don't) see the lock, what should I
 trust?  How can we make use of the plethora of anti-phishing schemes
 currently under research?
 
 And lastly, there's the issue of advocacy for authentication,
 integrity, and confidentiality on the Internet in general.
 Translation: we need to get everybody using SSL for everything.

Time for a nice tinfoil-amplified SSL rant..

Is anyone in the world actively watching and tracking SSL certs beyond
simply verifying CA key signatures?  By looking at the OCSP RFC
(http://rfc.sunsite.dk/rfc/rfc2560.html) it appears as if you are hard
pressed to tell if a cert is a dup or not:

'The good state indicates a positive response to the status inquiry.
At a minimum, this positive response indicates that the certificate is
not revoked, but does not necessarily mean that the certificate was
ever issued or that the time at which the response was produced is
within the certificate's validity interval.'

I mean good goddess. So even if you are watching for revocations, you
are only handling half of the SSL threat model... Some form of
ssh-like fingerprint tracking really needs to be coupled with
CRL-style checks so that you only accept a different cert than normal
for citibank.com if a revocation has been actually issued by them.
Especially when we have over 100 root certs spanning multiple
countries trusted by most browsers now.

To add insult to injury, the only public OCSP server I can find seems
completely broken. Everything comes back with 'unknown' with bad
timestamps. Yes, even their demo key.

http://www.openvalidation.org/en/info/openssl.html


This client seems to be somehow issuing correct queries to verisign's
OCSP according to ethereal (even though it is configured to use
openvalidation.org), but the UI reports the same 'unknown' status as
'openssl ocsp' did:

http://www.openvalidation.org/ValWorks.html

Madness. 

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
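The "ssh-like fingerprint tracking coupled with revocation checks" idea from the rant above, as an added example (not code from the post or from any browser): a pin store that trusts a host's first certificate, accepts an unknown certificate for a known host only when every previously pinned certificate is on the revocation list, and otherwise reports a mismatch regardless of what OCSP says about the new one. Certificates are constructed byte strings standing in for DER; the hostname is made up.

```python
"""Trust-on-first-use certificate pinning, gated on revocation.

Added example; not from the original post and not any browser's logic.
Rule: a host's certificate may change only if the certificate(s) we saw
before have actually been revoked.  An OCSP 'good' for the new
certificate is deliberately not consulted, since RFC 2560 says 'good'
does not even imply the certificate was ever issued.  Inputs are
constructed byte strings in place of DER; hostnames are made up.
"""
import hashlib


def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    def __init__(self):
        self.pins = {}   # hostname -> set of accepted fingerprints

    def accept(self, host, der_bytes):
        """Operator-confirmed extra certificate for a host (for sites that
        legitimately serve several, as noted later in the thread)."""
        self.pins.setdefault(host, set()).add(fingerprint(der_bytes))

    def check(self, host, der_bytes, revoked_fingerprints):
        """Returns one of: revoked, pinned, ok, rotated, mismatch."""
        fp = fingerprint(der_bytes)
        revoked = set(revoked_fingerprints)
        if fp in revoked:
            return "revoked"
        known = self.pins.setdefault(host, set())
        if not known:
            known.add(fp)            # trust on first use
            return "pinned"
        if fp in known:
            return "ok"
        # Unseen certificate for a host we have pinned.  Only a revocation
        # of everything we pinned earlier justifies accepting the change;
        # otherwise a CA-signed duplicate would slip through.
        if known <= revoked:
            known.clear()
            known.add(fp)
            return "rotated"
        return "mismatch"


def demo():
    """Constructed sequence: first sight, repeat, swap without revocation,
    swap after revocation, and a revoked certificate presented again."""
    store = PinStore()
    c1, c2 = b"constructed-cert-one", b"constructed-cert-two"
    return [
        store.check("bank.example", c1, set()),
        store.check("bank.example", c1, set()),
        store.check("bank.example", c2, set()),
        store.check("bank.example", c2, {fingerprint(c1)}),
        store.check("bank.example", c1, {fingerprint(c1)}),
    ]
```

demo() returns ["pinned", "ok", "mismatch", "rotated", "revoked"]. The store is a plain dict here; anything used for real would persist it and still run the normal chain validation first, since pinning only adds a check, it does not replace one.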


Re: following on from today's discussion

2006-08-19 Thread Mike Perry
Thus spake Matej Kovacic ([EMAIL PROTECTED]):

 I was thinking about a solution to prevent traffic injection in 
 non-encrypted public websites. What about having TWO connections open and 
 do some kind of checking if the content is the same (maybe access the 
 content from two different locations and do some MD5 check). I know the 
 idea is hard to implement, since a website can serve different content for 
 each location or every second, and this could also mean double load of 
 the Tor network. But maybe someone will develop my idea into a usable 
 form... If not, feel free to drop it away.

So what about a stochastic solution instead:

1. Create some listing of exe files, commonly vulnerable doc formats,
   and SSL sites that changes periodically, possibly scraped off google
2. Use some perl glue to go through the Tor node list and try each exit
   to make sure they aren't modifying this data.
   a. Certs can be checked byte by byte to make sure they don't differ
      across exit nodes.
   b. Images, doc files, ppt files, exes can be verified by multiple
      sources

A handful of hosts could run this thing and publish their results,
perhaps along with some other manually created list of undesirable
exits.

I think this is doable with perl, the Tor control port, wget, md5sum,
tsocks and 'openssl s_client', and is a lot more efficient than having
everyone verify everything always. The testing can be periodic, can
manually associate streams with connections so exits are known, etc.

If I'm not distracted by something shiny in the next couple days I'll
give it a shot. I mean, we've got to get these motherfuckin snakes off
this motherfuckin plane.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
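The comparison step of the scan sketched above, as an added example (this is not soat.pl and not code from the post): given what each exit returned for one URL, find the exits that disagree with the majority and keep their payloads for later analysis. Fetching through Tor is replaced by a constructed dict of exit name to bytes so it runs offline; exit names and payloads are made up. The same function serves the byte-for-byte certificate comparison and the file digest comparison, since both reduce to "which exits returned something different from the rest".

```python
"""Cross-exit consistency check for a scanned URL.

Added example; not soat.pl.  'fetches' maps an exit name to the bytes
received through that exit for the same URL (None if the fetch failed).
Exits whose bytes differ from what most exits returned are suspects.
"""
import hashlib
from collections import Counter


def digest(data):
    return hashlib.sha256(data).hexdigest()


def find_odd_exits(fetches, min_agreeing=2):
    """Returns (baseline_digest, suspects, failed).

    The baseline is the digest the largest number of exits agree on.  If
    fewer than min_agreeing exits agree, or the top two digests tie, the
    baseline is None and nobody is accused: a site that legitimately
    varies per client or per exit country must not produce false hits."""
    failed = sorted(e for e, b in fetches.items() if b is None)
    digests = {e: digest(b) for e, b in fetches.items() if b is not None}
    if not digests:
        return None, [], failed
    ranked = Counter(digests.values()).most_common(2)
    top, n = ranked[0]
    if n < min_agreeing or (len(ranked) > 1 and ranked[1][1] == n):
        return None, [], failed
    suspects = sorted(e for e, d in digests.items() if d != top)
    return top, suspects, failed


def quarantine(fetches, suspects, store):
    """Keep each suspect's payload keyed by (exit, digest) so modified
    files can be looked at later, as the thread proposes for caught exes."""
    for e in suspects:
        store[(e, digest(fetches[e]))] = fetches[e]
    return len(store)


CLEAN = b"MZ\x90\x00" + b"\x00" * 60          # constructed stand-in for an exe
TAMPERED = CLEAN + b"\xcc\xcc\xcc\xcc"         # what a modifying exit returned


def demo():
    fetches = {                                # constructed scan results
        "exitA": CLEAN,
        "exitB": CLEAN,
        "exitC": CLEAN,
        "exitD": TAMPERED,
        "exitE": None,                          # fetch timed out
    }
    baseline, suspects, failed = find_odd_exits(fetches)
    samples = {}
    quarantine(fetches, suspects, samples)
    return baseline == digest(CLEAN), suspects, failed, sorted(samples)
```

demo() flags exitD, lists exitE as failed rather than suspect, and stores one sample. The tie and minimum-agreement rules are what keep a scan of a dynamic page from shitlisting honest exits; the price is that an exit which modifies only a fraction of connections needs repeated runs to show up, which is the "run it continuously" point made later in the thread.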


Re: following on from today's discussion

2006-08-21 Thread Mike Perry
Thus spake Matej Kovacic ([EMAIL PROTECTED]):

 Hi,
 
  A handful of hosts could run this thing and publish their results,
  perhaps along with some other manually created list of undesirable
  exits.
 
 Great, that could be an interesting research. However, if someone is
 doing this (injection/modifying) not all the time, it would be harder to
 detect him.

Yeah, thats why we need a few people running it continuously over a
long period of time. It serves as a deterrent that the network
is actually monitoring for this behavior, since nodes doing
this will eventually be noticed.

Though for botnet operators who presumably are able to sign up their
botnet hosts as tor nodes anonymously via their own relay network,
they may not care if the individual nodes are caught or not.. Scary
thought.

I've managed to keep myself sufficiently insulated from shiny things,
and have finished a script that uses Tor to md5sum a list of URLs and
also track the SSL certs of a list of https hosts. This script saves
corrupted files, so if we catch infected exes, it's possible we can
use these samples to go after botnet command and control. That ability
may also be a sufficient deterrent to keep teh snakes off teh Tor.

I also have a separate script that parses the Tor directory and chooses
nodes based on exit port policy and bandwidth. I'm working to make
this one operate with the tor control port to actually build and
attach circuits and inform the first script which exit node it is
choosing via a named pipe. This way we can experiment with different
strategies for choosing exit nodes to scan, short path lengths, and so
on easily.

I'd guesstimate about 2 days before I have a prototype that works
fully with a fixed list of URLs. Possibly end of next weekend before I
have something that picks docs & exes randomly off google.


P.S. Does anyone know a clean way to do line-buffered select()able
socket IO via perl? From looking at IO::Socket it seems like the
timeout is only used for accept/connect... I may have to resort to
multithreaded perl.. *shudder*.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Snakes On A Tor

2006-08-24 Thread Mike Perry
 be nice to
build a list of nodes that do this to either fix them or simply
shitlist them.

3. Some SSL websites (for example citibank.com) actually have a whole
collection of SSL certificates for some unknown reason. Even saving
SSL certs specific to each IP of a round-robin DNS host still isn't
good enough.  Ugh.

4. When you exit via multiple control-C's, the last couple MD5s will
show up as bogus because system() function causes the SIGINT to be
delivered to wget and not perl. The fix for this listed in the perlfaq
did not work. :(

5. SOAT is likely to not work optimally if you are using the same Tor
client for other things. In some cases this can cause the exit to
change between the time that SOAT uses it and the time that it detects
an error and asks Metatroller what exit was used. It is probably best
to run a secondary Tor client with a different control port just for
SOAT and the Metatroller. You probably want this for anonymity reasons
also, especially since the default path length used by SOAT is only 2.

Note that Tor node operators can conceivably run SOAT on their Tor
nodes with a path length of 1, since for them scanned nodes won't be
able to tell for sure if they are the originators, or just relaying
another circuit.


http://fscked.org/proj/minihax/SnakesOnATor/


I will be running this thing myself. If I notice anything interesting,
I'll post it to the list. Of course my own exit node is always clean
and never ever ever injects malicious code. So no one needs to scan it
at all. You can all trust me. Nobody else should scan. ;)


So far my Connection: close list is:

- baphomet
- err
- moulticastfrsrv
- ni
- pax

Anyone know what causes this? They don't do it all the time. Just
sometimes.

 
-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Snakes On A Tor

2006-08-24 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 Permissions for the zip file prevent downloading.
 
 
 ???

Sorry I'm an idiot. Forgot to also set grsec permissions for teh file. 

Fixed.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Snakes On A Tor

2006-08-24 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 --  BIG FAT WARNING  -
 
 Another possible giveaway is that I do not use uptime information in
 the node selection process. Nodes may be able to tell you are a
 Metatroller client if one of their neighbors for that circuit has
 extremely low uptime.

Oh, I also forgot to implement guard nodes. Whoops. Maybe I will get to
that later.

It also bothers me slightly I don't verify directory signatures, but
unless there's a perl RSA implementation that's compatible with the
one used to sign the dir, there's not much chance in me doing that
ever. I do use key names instead of node names for path specification.
So the worst that could happen is that nodes disappear/change their
exit policies. Just don't download the directory through Tor for now
and it should be fine.


P.S. Nick/Roger, where is the TorCtl.py module mentioned in
contrib/TorControl.py? Not seeing it on the SVN web portal. It's a
pity I didn't see this contrib python before I went on my mad quest.
I've been looking for a reason to learn Python. 

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Skype Call Traced

2006-08-26 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 On Sat, Aug 26, 2006 at 03:48:54PM -0400, [EMAIL PROTECTED] wrote 0.3K bytes 
 in 12 lines about:
 : I believe Skype is UDP-based, and Tor can only work with TCP  
 : connections. There are probably other issues as well.
 
   Skype works fine over Tor.  Depending upon your circuit, voice
   calls can be very laggy.

Hrmm.. According to:
http://www.secdev.org/conf/skype_BHEU06.handout.pdf

Skype does TCP if UDP attempts fail. However it appears to encode your
IP address in messages. Sort of defeats the purpose of Torifying it.
Probably the case with a lot of voice clients, unless you can find a
way to get them to not discover your IP...

I also find it unpossible that actual watermarking was used against
this fellow as opposed to simple IP tracking.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Skype Call Traced

2006-08-27 Thread Mike Perry
Thus spake Andrew Del Vecchio ([EMAIL PROTECTED]):

 Damn. Unpossible? This sounds like Double-Plus ungood newspeak man! :P

Yes, I actually am an agent of an unknown branch of an unmentionable
TLA dedicated to the slow and subtle corruption of teh english
language to suit our nefarious ends for world domination.  Snakes On A
Tor was just my cover to distract you long enough to become infected
by our neurolinguistic virus, and the Metatroller has hidden code in
its regular expressions that report your whereabouts directly to our
array of orbiting mind control lasers. ;)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Holy shit I caught 1

2006-08-27 Thread Mike Perry
Thus spake Anothony Georgeo ([EMAIL PROTECTED]):

 Hi Mike,
 
 Nice catch :-)
 
 I would like to use your Snakes on a Tor but I'm not sure how to use
 it.  I downloaded it and I have all the required apps (md5summer,
 wget and openssl) on my Windows XP Home.
 
 Could you give me a quick how-to?
 
 BTW, I have my HTTP_PROXY and HTTPS_PROXY environmental variables
 set to 127.0.0.1:8118.
 
 Thanks and sorry for the asking,

I'm guessing actually scanning is going to be WAY over your head. It's
really meant for people who run Tor servers on Linux boxen and know
what they're doing, because right now you have to manually eyeball the
SSL certs and MD5 error files to double-check everything is Ok. I'll
try to improve that in a few weeks.

But, the Metatroller is a neat toy if you just want to investigate
censorship conditions in China/Germany for a day or whatever.

For that you DO NOT actually need md5summer, wget, and openssl. You
only need those if you want to run soat.pl.

For the Metatroller to work, you need to tell Vidalia to start
Tor with an alternate torrc. Open a new 'torrc' textfile on your
Desktop somewhere and put the lines:

ControlPort 9051
__LeaveStreamsUnattached 1

in it. Tell Vidalia in its config window to use this file as an
alternate torrc location. Restart Tor.

Once you have everything in your path, ActivePerl installed and
Vidalia set up to use this Torrc, either Start-Run.. cmd.exe or
launch cygwin, and cd to the directory you unzipped SOAT into.

You should be able to type 

'metatroller.pl cached-directory country-codes'

and it should print a WARN and a NOTICE that it is ready.

Periodically you should hit up http://moria.mit.edu:9031/tor/ and save
that output to 'cached-directory' in the SOAT dir. Ditto for
http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1. Save that
to 'country-codes' in the same dir.

Once it's all set up, if you want to play with the Metatroller's
options, you can open another cmd.exe and type 'telnet 127.0.0.1 9052'
and you should be able to give it the commands it lists under 'HELP'.

You can actually watch the metatroller build circuits in the Vidalia
network status window. 

Now mind the warnings I gave about the Metatroller and anonymity,
ESPECIALLY if you fire up soat.pl also. 



If you run soat.pl, you should be running it on a separate machine
than you are using normally (or inside a vmware image or simply
another instance of Tor) because of shortened pathlengths, strange
exit selection strategy, etc etc etc.

To actually scan, you need md5summer to be renamed to md5sum.exe, and
you need all those tools to be in your path. Perhaps c:\windows if you
don't mind the clutter. Hopefully the output from md5summer is the
same as UNIX md5sum..

I'm guessing these complications probably will make it beyond your
ability to actually scan at this time.. Between these ramblings and
the README file, hopefully you can at least tinker with the
Metatroller for a bit so you can bask in the glory of some orbiting
mind control lasers. Winter is coming, maybe you can save on the
heating bill.



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Holy shit I caught 1

2006-08-27 Thread Mike Perry
Thus spake Jay Goodman Tamboli ([EMAIL PROTECTED]):

 On 2006.08.27, at 22:44, Mike Perry wrote:
 
 If you run soat.pl, you should be running it on a separate machine
 than you are using normally (or inside a vmware image or simply
 another instance of Tor) because of shortened pathlengths, strange
 exit selection strategy, etc etc etc.
 
 To clarify, is this warning because we shouldn't try to use the  
 circuits soat.pl builds, or is there some other reason? In other  
 words, would it be ok to run soat.pl as long as we're not using Tor  
 at that time on that machine?

Hrmm. Depends... Using the same Tor client as soat.pl uses is really
bad of course, because for those circuits, pathlen is only 2 and exits
are chosen in a round-robin fashion. Also it will likely confuse
soat.pl as well.

However, in the case where your internet IP is being shared by a
Metatroller/SOAT client, it essentially boils down to how dangerous it
is for entry nodes, over time, to infer that there is an abnormal Tor
client at your IP. 

I'm not sure exactly how damaging this could be. It would seem to me
that so long as your regular, important connections go through a Tor
client NOT running the Metatroller, middle and exit nodes should not
be able to tell you are running Metatroller, and should not be able to
partition/fingerprint you (which I think is the most dangerous
aspect). Maybe Roger/Nick can shed more light on this, though.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Holy shit I caught 1

2006-08-27 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 Actually, it would be smarter to add a controller interface to let
 the controller inform Tor of new opinions it should have. For example,
 this server is not running. Then we could do all the smarts in the
 controller, where they should be.
 
 The actual interface will be a bit delicate though, since we want Tor
 to do some of the thinking and the controller to do other of the thinking.
 
 As a first step though, we could make the controller changes sticky,
 meaning that Tor doesn't do any thinking for servers that the controller
 has given it an opinion on.

KO.

An interface to suck a signature-verified directory out of Tor via the
control-port or some other means would also be nice.

 Check out
 https://tor-svn.freehaven.net/svn/torctl/trunk/python/

Ok, I will consider rewriting it for this python interface. Have to
learn python first, which has been on my TODO list for some time, so
hopefully it will happen. I would guess the directory notification
interface won't appear for a while in Tor either, so I probably have
time. When 0.1.2 stabilizes?

In the meantime I will keep my rickety perl running and will keep in
contact with the list when I notice things.

 Also check out Geoff's python Tor controller (which uses the above
 scripts) at http://afs.eecs.harvard.edu/~goodell/blossom/

I actually had a look at blossom, but didn't see that it was using a 
standard torctl interface. Probably just me not grokking python tho.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Holy shit I caught 1

2006-08-27 Thread Mike Perry
Thus spake Arrakistor ([EMAIL PROTECTED]):

 Mike,
 
 My torpark mirrors are not providing pre-localized downloads. They all
 come in english flavor by default, but include the lang packs for
 chinese simp and german.
 
 Tell me more about the corrupt downloads, are they recent? From
 karotte or sectoor?

Weirdest shit in the world. Privoxy is dumping temporary failure
messages mid-stream into the binaries, yet keeping the sizes exactly
the same. Perhaps this was the source of the original mysterious
binary corruption that sent me on this quest oh so long ago.
Unfortunately then I was in a hurry and just deleted the file without
thinking :)

So even so, it's unsettling.. You download some app, iso, video, or
whatever via Privoxy and it kindly tells you there's a temporary
failure mid-binary stream. How nice of it.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Holy shit I caught 1

2006-08-28 Thread Mike Perry
Thus spake Fabian Keil ([EMAIL PROTECTED]):

  So even so, it's unsettling.. You download some app, iso, video, or
  whatever via Privoxy and it kindly tells you there's a temporary
  failure mid-binary stream. How nice of it.
 
 How nice of you to back up your claims with enough information
 to reproduce the problem. Which error message did you get and
 did you verify the problem with another client?

I assumed that anyone who actually cared to reproduce the problem
would just run the script, because that's all I did.

Running the script out of the box with the default settings
will reproduce the problem within a few hours of scanning. You will
get tons of corrupted Torpark exes in your docs dir. Seems to really
like Torpark more than anything else. Probably cause it's the biggest.

Here is the error:

  <title>503 - Connect failed ([EMAIL PROTECTED])</title>
  This is <a href="http://www.privoxy.org/">Privoxy</a> 3.0.3
on localhost.localdomain (127.0.0.1), port 8118<!-- @if-can-toggle-start -->,

It's embedded in the exe. strings won't find it, but grep will.

 Especially the keeping the size exactly the same part sounds
 more like a problem in the fetching client. Are you sure that
 your application doesn't retry failed fetch attempts without
 caring about status codes?

Client is wget. Apparently it does retry after failure. Manpage says
nothing about status codes. Maybe it doesn't know what to do with 503.
 
 Is it impossible that the download was started but the connection
 broke down, your application tried again and got a 404 no such
 domain, saved the error message in the binary stream and tried
 again with an adjusted byte range?  

Yeah, I'm thinking the connection most likely broke down, wget retried
and tried to continue the stream, but Privoxy came back with its 503
status error page instead, probably not something wget was looking
for. Wget probably tried once more after that connection closed, and
picked up the stream again.

Unfortunately my copy of curl is ignoring HTTP proxy environment
variables and --proxy command line settings, so I can't check to see
if it has the same property.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
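The corruption mechanism Mike reconstructs above, modelled as an added Python example that is not SOAT's code: the "binary" and the resuming client are constructed (the retry sequence is the thread's hypothesis, not verified wget behaviour), the 503 page follows the text quoted above, and the checks are what a scanner would run on the result.

```python
"""Added example (not SOAT code): model of how a proxy's 503 page ends up
inside a download without changing its size, plus the checks that catch it.
The retry sequence is Mike's reconstruction from the thread, not verified
wget behaviour: the transfer dies at offset k; the retry gets the proxy's 503
page and the client writes its body as if it were payload; the next retry
resumes with Range: bytes=<current length>-, so the file reaches the right
size with the error page pasted over bytes [k, k + len(page))."""
import hashlib
import random
import re

# Constructed stand-in for the Privoxy 3.0.3 page quoted in the thread.
PRIVOXY_503 = (b"<html><head><title>503 - Connect failed</title></head><body>"
               b'This is <a href="http://www.privoxy.org/">Privoxy</a> 3.0.3 on '
               b"localhost.localdomain (127.0.0.1), port 8118"
               b"<!-- @if-can-toggle-start --></body></html>")

# Markers a scanner would look for: any HTTP-style <title>NNN - text</title>,
# and the Privoxy banner to name the proxy that produced it.
TITLE_RE = re.compile(rb"<title>\s*(\d{3}) - ([^<]*?)\s*</title>")
PRIVOXY_RE = re.compile(rb'<a href="http://www\.privoxy\.org/">Privoxy</a> ([\d.]+)')


def simulate_resumed_download(original, break_at, error_page):
    """Return the bytes a naive resuming client would end up with."""
    got = bytearray(original[:break_at])   # transfer dies at break_at
    got += error_page                      # retry 1: 503 body taken as payload
    got += original[len(got):]             # retry 2: Range: bytes=<len(got)>-
    return bytes(got)


def find_embedded_errors(data, window=4096):
    """[(offset, status, title, proxy)] for every error page found in data."""
    hits = []
    for m in TITLE_RE.finditer(data):
        p = PRIVOXY_RE.search(data, m.end(), m.end() + window)
        hits.append((m.start(), int(m.group(1)), m.group(2).decode(),
                     "Privoxy " + p.group(1).decode() if p else None))
    return hits


def md5_ok(data, expected_hex):
    """SOAT-style integrity check: digest must match the direct fetch's."""
    return hashlib.md5(data).hexdigest() == expected_hex


def demo(size=64 * 1024, break_at=20_000):
    """Constructed 'binary' (seeded pseudo-random bytes, so the run repeats);
    returns what a scanner would record about the corrupted download."""
    original = bytes(random.Random(1).getrandbits(8) for _ in range(size))
    expected = hashlib.md5(original).hexdigest()
    corrupted = simulate_resumed_download(original, break_at, PRIVOXY_503)
    return {
        "same_size": len(corrupted) == len(original),   # size check passes
        "md5_ok": md5_ok(corrupted, expected),          # digest check fails
        "errors": find_embedded_errors(corrupted),      # names the cause
        "clean_errors": find_embedded_errors(original),
    }
```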


Snakes On A Tor Scanner - 0.0.3

2006-10-13 Thread Mike Perry
Over the past month or so I've been testing and improving my Tor
network scanner, and it seems to be shaping up pretty nicely.

http://fscked.org/proj/minihax/SnakesOnATor/SnakesOnATor-0.0.3.zip

As a quick refresher, the scanner consists of two parts:

The Metatroller:
   A Tor Controller that allows you to customize properties of your
   Tor routes. You can control path length, exit country, fast node
   cutoff, and lots of other neat things.

Snakes On A Tor:
   A Scanner that uses the Metatroller to scan the network for nodes
   that are unstable and/or modifying exit traffic. Docs are now
   obtained randomly from google queries.

Metatroller will work in ActivePerl on Windows without any other
dependencies, however SOAT will require curl, md5sum, and openssl. 

I think SOAT and Metatroller are in good enough shape that they
should make for good QA tools for Tor to help reduce circuit failure,
and also useful tools for people who would like to monitor the Tor
network. 

I'm also suspicious of the 7/8 node cutoff for fast nodes.  I think
that perhaps it should be raised to 65% or so, but I have no hard data
as of yet to illustrate this cutoff point. Since adoption is critical
to anonymity, and regular people won't use Tor if they think it is
slow, I believe it is far more important that we have known reliable,
fast nodes than lots of slow ones that are prone to dropping circuits.
Hopefully we can discover these cutoffs using this tool.


Here's the CHANGELOG for 0.0.3:

 Metatroller:
  - Now gets its node list directly from Tor using the control port
  - Implemented guard nodes
  - Added circuit/stream failure statistics
  - Improved reliability/recovery from circuit and stream failures
  - All commands can now take no arguments to print current value

 Soat:
  - obtains its doc list via google filetype queries
  - verifies this list contains no dynamic content
  - Saves long-term aggregate failure stats from metatroller

I've given Roger and Nick some patches to expose circuit failure
reason codes to the controller. I think part of these made it into
0.1.2.2-alpha, and hopefully the rest will be in 0.1.2.3. Metatroller
does not need these reason codes to record failures, but it is more
accurate if they are present.



Here's the current list of Metatroller commands:

214  COUNTRY CC|ALL
214   - Pick a two letter country code to select exits from, or ALL
214  COUNTRIES
214   - List countries that have tor exits
214  PERCENTFAST #
214   - What % of the network is considered 'fast' for node selection
214  BWCUTOFF #
214   - Minimum observed bandwidth (KB) that a node must have to be selected
214  UNIFORM 1|0
214   - Should selection among fast nodes be uniform (or bandwidth-biased)?
214  ORDEREXITS 1|0
214   - Should exits be chosen one after another instead of randomly?
214  FASTEXITS 1|0
214   - Should exits be chosen from 'fast' nodes or all nodes?
214  GUARDNODES 1|0
214   - Use guard nodes?
214  PATHLEN #
214   - What should the path length of circuits be?
214  NEWEXIT
214   - Throw away all circuits and choose a new exit
214  SETEXIT NAME
214   - Hardcode an exit for all future circuits
214  GETLASTEXIT
214   - Lists the last used exit
214  FAILRATES
214   - Print out the failure rates of nodes


While it is still not advisable for you to use SOAT on a machine you
wish to preserve your anonymity with, Metatroller is perhaps not as
dangerous as I thought.

I've looked into the Tor source, and it turns out that in some cases
Tor does make circuits out of low-uptime nodes. With that, and the
addition of Guard Nodes to Metatroller, it is perhaps not nearly as
dangerous as I had originally thought. The main dangers revolve around
PATHLEN and PERCENTFAST, and are explained in the README.

I believe normal usage should be comparable to Tor in safety at this
point, though there are a couple of attractive fixes in 0.1.2.x I
would like to adopt.

Plans for the future include finer-grained failure statistics,
node max/min/avg bandwidth stats, and possible integration with the
directory servers to help avoid unstable/malicious nodes (or at the
very least, an internally saved blacklist for high failure-rate
nodes).

Also, the metatroller currently does not subscribe to router info or
(non-existent) network status events, so it should be restarted
periodically. When network-status events are available in 0.1.2.x I'll
support them.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Snakes On A Tor Scanner - 0.0.3

2006-10-14 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 Over the past month or so I've been testing and improving my Tor
 network scanner, and it seems to be shaping up pretty nicely.
 
 http://fscked.org/proj/minihax/SnakesOnATor/SnakesOnATor-0.0.3.zip

Found another DNS poisoner/injector/evil upstream ISP. Exit node
Andrewgao poisoned the scanner's access of
http://linuxmafia.com/faq/Debian/installers.html

to give me instead:

http://fscked.org/proj/minihax/SnakesOnATor/linux-mafia.Andrewgao.html

Seems to be a javascript popup to set a cookie and then close the
window. Seems to be slightly broken (the window is never closed for
me), but the scary thing is if it worked, the user's experience would
be that they had accessed the page un-hindered.



Also, as an FYI, I'm exporting my scanner's failure statistics to
http://fscked.org/proj/minihax/SnakesOnATor/fail_rates

Right now it's probably difficult to do anything with that. I will
try to enhance it to be broken down by failure type RSN, then it 
should be more clear which nodes are failing circuits/streams and 
why.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Snakes On A Tor Scanner - 0.0.3

2006-10-14 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

  Lastly, the metatroller currently does not subscribe to router info or
  (non-existent) network status events, so it should be restarted
  periodically. When network-status events are available in 0.1.2.x I'll
  support them.
 
 If you could help us get moving on that, that would be great. Some sort
 of spec patch and preliminary code patch would be fabulous.

Ok, I'll try to get to this. Might be a while though. In the short
term I'm going to hack on the reason stats so we can figure out why
these circuits are failing, but perl's data structure limitations are
proving even that to be a bit too much...

  3. SOAT is not likely to work optimally if you are using the same Tor
  client for other things. In some cases this can cause the exit to change
  between the time that SOAT uses it and the time that it detects an
  error and asks Metatroller what exit was used.
 
 When you extendcircuit, you can specify purpose=controller, and
 then Tor won't ever touch those circuits on its own.

Yes, but in this case Tor doesn't close the circuits when they are
old/unused, and I would have to maintain that info myself. I'm opting
for letting Tor maintain the destruction of them for me.

However, that's not the problem with concurrent SOAT+normal usage. The
problem is mainly that if you try to connect to some port where the
current SOAT exit can't connect to, a new circuit will be built and a
new exit will be chosen. Right now there is no notion of circuits in
SOAT, so it just asks for the last exit used. Hence, if you caused
metatroller to build a new circuit while SOAT was using an old one,
and there is an MD5 error for some URL, the wrong exit will be blamed
for it.

  I'm also suspicious of the 7/8 node cutoff for fast nodes.  I think
  that perhaps it should be raised to 65% or so, but I have no hard data
  as of yet to illustrate this cutoff point. Since adoption is critical
  to anonymity, and regular people won't use Tor if they think it is
  slow, I believe it is far more important that we have known reliable,
  fast nodes than lots of slow ones that are prone to dropping circuits.
  Hopefully we can discover these cutoffs using this tool.
 
 That's an interesting question -- do the slow ones drop circuits more
 often? I'd be curious to hear some data on that.
 
 More generally, while using a fraction of the nodes (7/8 or 65%) lets
 us adapt better to whatever network we have available, it may still not
 be the right approach if our goal is to have high chances of getting a
 non-sucky circuit. On the other hand, people who sign up to be relays
 but never get used may be sad. On the third hand, so what? Hm.

Yeah, we'll need to wait for me to do stream bandwidth statistics to
best figure this out. This may be a while out, but I thought I'd throw
it out there for consideration.

 While we're at it, would it be interesting to look into adding a country
 code to the network-status list, saying our best guess based on whois
 or whatever of where the node is? As more and more tools hardcode fetch
 it from serifos, unauthenticated and with a single point of failure,
 it might be nice to offer a better option.

Yeah. If that shows up, I will make use of it. I'm a bit
over-committed to do this myself though.


Here's my task list:

1. Failure stats based on reason codes
2. Network/routerinfo status events
3. Node stats for stream bandwidth
4. Statistics on reasonable cutoff %-age
5. Not get fired from my day job 

A Rewrite in Python task may be inserted in there anywhere from 0-5,
depending on how many brick walls perl presents. #1 alone is getting
extremely annoying because of limitations on thread-shared structures.

Due to Task 5, other tasks may experience arbitrary delays ;)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Snakes On A Tor Scanner - 0.0.4

2006-10-15 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 This looks great. Here are a few responses from reading your README:
 
 The Metatroller requires two Tor config options in your torrc:
 
 ControlPort 9051
 __LeaveStreamsUnattached 1
 
 You could have your Metatroller connect to Tor and set
 __LeaveStreamsUnattached=1 itself. Then the user doesn't have to mess
 with his torrc at all (assuming he already has the controlport set). In
 fact, when the metatroller exits you could unset it, so Tor becomes a
 normal client again.

Ok, I've got a new release up with this fix and some others. No more
torrc editing needed.

http://fscked.org/proj/minihax/SnakesOnATor/SnakesOnATor-0.0.4.zip

0.0.4:
 Metatroller:
  - Failure stats based on reason codes
  - Sets __LeaveStreamsUnattached via controller. No config needed
anymore.
 
 Soat:
  - Fixed counting bug (ratios were OK, but errors+connects were
counted multiple times)
  - Saves REASON statistics from Metatroller 
  - Changed scanning node selection to be fully uniform for both exits
and other hops

Reason-based statistics are now exported to:
http://fscked.org/proj/minihax/SnakesOnATor/fail_reasons

The first number is the failcount for that type, the second one
is the total failcount, and the third is the total circuits
made via this node.

For reason statistics, it's reasontotal/totalfailed.


For http://fscked.org/proj/minihax/SnakesOnATor/fail_rates

The first number is the total failcount, and the second is
the number of circuits made via this node.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
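Roger's suggestion above (the controller sets __LeaveStreamsUnattached itself and resets it on exit), together with the torrc/telnet setup from the 27 Aug how-to, as an added Python example that is not Metatroller or torctl code: TorControl speaks the raw control protocol over anything with write()/readline(), and FakeTor is a constructed stand-in for a Tor control port so the exchange can run without Tor.

```python
"""Minimal Tor control-port client (added example, not Metatroller code).
Does what Roger suggested: SETCONF __LeaveStreamsUnattached=1 when the
controller starts, RESETCONF it on exit. Reply lines are "<status><sep><text>":
sep '-' continues a multi-line reply, ' ' ends it; '+' data blocks are rejected."""
import socket


class ControlError(Exception):
    """Tor answered with a non-2xx status, e.g. 552 Unrecognized option."""


class TorControl:
    def __init__(self, transport):
        self.t = transport  # anything with write(bytes) and readline() -> bytes

    @classmethod
    def connect(cls, host="127.0.0.1", port=9051):
        sock = socket.create_connection((host, port))
        return cls(sock.makefile("rwb", buffering=0))

    def command(self, line):
        """Send one command; return the reply's text lines, or raise."""
        self.t.write((line + "\r\n").encode())
        lines = []
        while True:
            raw = self.t.readline().decode().rstrip("\r\n")
            if len(raw) < 4 or not raw[:3].isdigit() or raw[3] not in "- ":
                raise ControlError("malformed reply line: %r" % raw)
            lines.append(raw[4:])
            if raw[3] == " ":
                break
        if not raw.startswith("2"):
            raise ControlError(raw[:3] + " " + "; ".join(lines))
        return lines

    def getconf(self, *keys):
        out = {}  # Tor answers GETCONF with one 'key=value' line per key
        for line in self.command("GETCONF " + " ".join(keys)):
            k, _, v = line.partition("=")
            out[k] = v
        return out


class LeaveStreamsUnattached:
    """While active Tor leaves new streams for the controller to ATTACHSTREAM;
    on exit the option is reset, so the user never has to edit torrc."""
    def __init__(self, ctl):
        self.ctl = ctl

    def __enter__(self):
        self.ctl.command("SETCONF __LeaveStreamsUnattached=1")
        return self.ctl

    def __exit__(self, *exc):
        self.ctl.command("RESETCONF __LeaveStreamsUnattached")
        return False


class FakeTor:
    """Constructed stand-in for a Tor control port, so this runs without Tor."""
    DEFAULTS = {"ControlPort": "9051", "__LeaveStreamsUnattached": "0"}

    def __init__(self):
        self.conf, self.sent, self.queue = dict(self.DEFAULTS), [], []

    def write(self, data):
        line = data.decode().rstrip("\r\n")
        self.sent.append(line)
        verb, _, args = line.partition(" ")
        if verb == "AUTHENTICATE":
            self.queue.append("250 OK")
        elif verb in ("SETCONF", "RESETCONF", "GETCONF"):
            items = [it.partition("=") for it in args.split()]
            bad = [k for k, _, _ in items if k not in self.DEFAULTS]
            if bad:
                self.queue.append('552 Unrecognized option "%s"' % bad[0])
                return
            for i, (k, _, v) in enumerate(items):
                if verb == "GETCONF":  # '-' on every line but the last
                    sep = "-" if i < len(items) - 1 else " "
                    self.queue.append("250%s%s=%s" % (sep, k, self.conf[k]))
                else:
                    self.conf[k] = v if verb == "SETCONF" else self.DEFAULTS[k]
            if verb != "GETCONF":
                self.queue.append("250 OK")
        else:
            self.queue.append('510 Unrecognized command "%s"' % verb)

    def readline(self):
        return (self.queue.pop(0) + "\r\n").encode()


def demo(transport=None):
    # Returns what GETCONF reports inside and after the context, and the wire log.
    t = transport or FakeTor()
    ctl = TorControl(t)
    ctl.command("AUTHENTICATE")  # bare form: no control-port auth configured
    with LeaveStreamsUnattached(ctl):
        inside = ctl.getconf("__LeaveStreamsUnattached", "ControlPort")
    after = ctl.getconf("__LeaveStreamsUnattached")
    return inside, after, getattr(t, "sent", None)
```

Against a live Tor, `TorControl.connect()` on ControlPort 9051 replaces the FakeTor transport and the same sequence applies.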


Re: hijacked SSH sessions

2006-10-16 Thread Mike Perry
Thus spake Taka Khumbartha ([EMAIL PROTECTED]):

 today i have had several attempted man in the middle attacks on my
 SSH sessions.  i am not sure which exit node(s) i was using, but the
 MD5 hash of the fingerprint of the spoofed host key is:
 
 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
 
 and it does not matter which host i connect to, the MD5 hash
 presented is always the same.

Interesting. Could be another upstream Chinese ISP, or DNS poisoning
again. Were you using SOCKS4A/SOCKS5 or did you connect direct to an
IP?

I just wrote a scanner for this for SOAT and have been scanning for an
hour or so now. Haven't seen it yet, but I'm using tsocks so if they
did it with DNS, I'm not gonna see it yet.. Or perhaps they saw your
mail and shut 'er down. I'll keep scanning though.

Anyone know a clever way to get a random sampling of ssh hosts
without brute-force IP scanning? I don't need logins, just IPs.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: hijacked SSH sessions

2006-10-17 Thread Mike Perry
Thus spake Taka Khumbartha ([EMAIL PROTECTED]):

 
 Mike Perry @ 2006/10/16 13:25:
  Thus spake Taka Khumbartha ([EMAIL PROTECTED]):
  
  today i have had several attempted man in the middle attacks on
  my SSH sessions.  i am not sure which exit node(s) i was using,
  but the MD5 hash of the fingerprint of the spoofed host key is:
 
  4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
 
  and it does not matter which host i connect to, the MD5 hash
  presented is always the same.
  
  Interesting. Could be another upstream Chinese ISP, or DNS
  poisoning again. Were you using SOCKS4A/SOCKS5 or did you connect
  direct to an IP?
  
 
 i was using socks4 protocol within my ssh application, but directly
 passed an IP address to Tor.

Hrm. Guess it wasn't random DNS redirect then.

Well either they must have been scared off, or I'm blind. Cause
I'm not seeing this now. Been through almost every exit node in the
directory a few times now..

Probably actually malicious though, since I don't think China would be
intimidated by some posts on the Tor list ;)

Please post if you notice it again.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Practical onion hacking: finding the real address of Tor clients

2006-10-18 Thread Mike Perry
Thus spake Jacob Appelbaum ([EMAIL PROTECTED]):

 Hi *,
 
 Fortconsult wrote this and it may be of some interest to people on this
 list:
 http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf

Wow. I think the most telling statement is that most of the people
they got were from China. Probably unfortunate side effect of most of
the Tor docs being in English..

Incidentally, I tried out TorPark the other day, and I must say it is
pretty magnificent. Having a well-configured browser like that for Tor
usage solves nearly every one of these problems. 

Would be nice if NoScript defaulted to All-Off instead of All-On, and
they used AdBlock Plus with some feeds instead of just AdBlock, but
otherwise excellent for casual only sometimes Tor users who are
likely to be tripped up by this sort of stuff.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Practical onion hacking: finding the real address of Tor clients

2006-10-18 Thread Mike Perry
Thus spake Chris ([EMAIL PROTECTED]):

 Can the tor directory provider run a script every now and again that
 checks the content of a site/image retrieved from outside of tor and
 through each exit node and then look into any discrepancies.  I know
 anyone can try this and make a better test but this will eventually
 have to be done and acted upon by a trusted party.

We're working on it. I'm running a multi-purpose scanner right now
(see Snakes On A Tor threads in the archives), but results still have
to be sifted through manually, no automatic directory integration yet.
It's not easy to do this automated and be right all the time,
especially in the face of changing content and dropped
connections/truncation. Probably will end up having the script email a
human/humans with results that they can verify.



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: still slow browsing

2006-11-12 Thread Mike Perry
Thus spake gabrix ([EMAIL PROTECTED]):

 I have already written about this but now it's red light ... i badly
 want to keep my tor node, otherwise i would have already removed the tor
 server, but i cannot get on like this. I recently also had from my isp a
 bandwidth upgrade to 2MB (they say ... it's TIM!) and i still suffer from
 slow browsing. I am also just using the or port and commented the dir port
 and added this in my /etc/tor/torrc
 
  BandwidthRate 20KB
  BandwidthBurst 20KB
 
 The minimum possible , isn't?
 I'm actually trying this guide
 
  http://wiki.noreply.org/noreply/TheOnionRouter/CronBandwidthLimit
 
 And i'm going to wait for a minimal iptables script that is going to
 deal with this problem. Yes you got it! i'm waiting for this script from
 you, it's 2 months i'm trying it out but i don't know how to do it properly
 and you saw my previous posts i tried it. Sorry guys i hope you
 collaborate, otherwise i will be forced to close the node ... i don't
 want to but help help help !

Well, if you're willing to sink some time into it, you can try to
follow the ADSL bandwidth shaper howto:

http://www.faqs.org/docs/Linux-HOWTO/ADSL-Bandwidth-Management-HOWTO.html
(Gentoo version: http://gentoo-wiki.com/HOWTO_Packet_Shaping)

Unfortunately it's probably hard to do if you're running an exit node
and there are lots of exit ports, unless you have spare IPs and can
use one for the Tor node and one for normal traffic. This is what I
do. My script based on this howto is attached. It works EXTREMELY well
(Tor load has NO effect on normal traffic. I don't rely on
BandwidthRate/BandwidthBurst at all). 

The key property is that you cap your total bandwidth through the box
(via the shaper) to be slightly lower than your link bandwidth so that
your box controls the queue size and thus ordering, not your uplink
provider.

I haven't posted my script anywhere cause I figured that having a
spare IP for your Tor node is probably pretty rare. However if you are
not an exit and thus only have one port for Tor traffic, it should be
readily adaptable based on port instead of IP.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


LIMIT-tor.sh
Description: Bourne shell script


Re: still slow browsing

2006-11-13 Thread Mike Perry
Thus spake gabrix ([EMAIL PROTECTED]):

 
 
  Cheers for the script i'm going to give it a try and than tell ya !
 

I assume this was supposed to be in reply to my message. If you
produce a port-based one please repost and/or post on the wiki. That
may be useful to more people than my IP based one.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: ff 1.5.0.7 2.0 (remote) dns leaks when using tor

2006-11-16 Thread Mike Perry
Thus spake lester psigal ([EMAIL PROTECTED]):

 hi there,
 i've got a setup for anonymous browsing using firefox 1.5.0.7 and
 lately ff 2 with privoxy and tor (vidalia bundle 0.0.7) on windows xp sp2.
 the ff configuration option 'network.proxy.socks_remote_dns ' is set to
 true, the setting 'network.proxy.failover_timeout' is set to 5 and
 the 'network.proxy.socks_version' is set to 5 but the ethereal logs show
 that firefox is still leaking dns requests, i.e. ff still does the
 lookups itself and does not delegate them to the proxy (which is not
 quite true: the dns requests are always delegated to the proxy and
 _sometimes_ to the local dns client too).
 to make it worse the leaks are occurring randomly (sometimes the remote
 dns works and sometimes not), so i'm guessing that it is a timeout issue.
 does ff fallback to local dns lookup when a remote lookup request is not
 answered in a timely manner or is it a failure with the os dns client or
 even a ff bug?
 what else could be done to prevent ff from dns leaking?
 
 any hints or suggestions would be very nice as it does not make any
 sense to me to operate a quite complex and complicated system for
 anonymous browsing when tracking of dns requests is all
 a profiling facility has to do...
 
 thanks
 
 p.s. i've already posted the same message to the the mozillazine ff
 general forum without getting an answer

Well, just so you don't feel that everyone is ignoring you, I'll voice
most of our reactions: *shock*, *eyes popping*. Woops, time to turn
privoxy back on (use HTTP proxy port 8118 and don't list anything in
the SOCKS line).

Were you able to determine exactly what network.proxy.failover_timeout
governed? Was it just DNS? Did it have any effect at all on the
behavior? Perhaps the units are milliseconds. Sometimes Tor takes as
long as a minute to build a new circuit...

It would be logical if either 0 or -1 meant infinite.. Did you try
those?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: ff 1.5.0.7 2.0 (remote) dns leaks when using tor

2006-11-19 Thread Mike Perry
Thus spake lester psigal ([EMAIL PROTECTED]):

 then, i've tried different settings:
 setting ff's 'network.proxy.failover_timeout' to '-1' or '0'
 - no change
 (if a timeout occurs privoxy shows up with one of its error pages)
 leaving socks proxy line blank in ff's connection setting
 - no change
 setting all proxy protocols to privoxy port
 - no change
 disabling dns client service on win xp
 - no change
 disabling 'forward socks4a requests' directive in privoxy configuration
 - no change
 
 also, i've recognized that the local dns queries are occurring when there
 is a direct user interaction with the browser like entering an url,
 selecting a bookmark, clicking a link etc. while requests from websites
 (when loading a page) seem to be resolved remotely (they do not show up
 in the ethereal logs but are requested in privoxy and logged by tor).
 unfortunately, i don't know if ff resolves dns by an own internal
 resolver thread or by delegating to the system which makes the whole
 thing worse.
 
 so, usually i'm not easily frustrated but over here i'm really missing a
 thing and i would not wonder if it's a little configuration tweak i
 forgot about...

Yeah, like others have said it is most likely some extension you are
running. Maybe google toolbar, yahoo toolbar, something of this nature
that interacts with each page? I tried watching Torbutton and
socks-only and got no DNS leaks w/ ff 1.5, no matter what my timeout
settings were. I did get a few Try Again timeout messages from
firefox, but no leaks.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: False certificates

2006-11-28 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 I noticed that, by connecting to some https domains from some exitnodes, I 
 receive a warning of a false certificate. Closing the circuit and using 
 another one (so another exit node) makes the things back to normal.
 
 I could identify only one exitnode, have still doubts for 2 others
 
 
 bach from Germany : 212.42.236.140

Confirmed (I've found an alternate machine to do dev on, so I should
be able to continuously scan now). Bach is self-signing certs still,
and not just for e-gold.  It is also likely the culprit as opposed to
an upstream ISP, since the CN name is bach.  Based on this, I'm
guessing they're not intending to stop anytime soon.

Is there any way to manually de-list this as an exit in the tor
directory servers while we develop a way to integrate this automated
scanning solution?

Having everyone add this node into their ExcludeNodes is not
practical. There should be some way for the Tor maintainers to
override supplied exit policies for misbehaving nodes. Or is the plan
going forward just to tell everyone to upgrade to alpha and have it
listen to the BadExit flag? Can this be set manually right now?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

CONNECTED(0003)
---
Certificate chain
 0 s:/O=TOR/CN=bach
   i:/O=TOR/CN=bach identity
 1 s:/O=TOR/CN=bach identity
   i:/O=TOR/CN=bach identity
---
Server certificate
subject=/O=TOR/CN=bach
issuer=/O=TOR/CN=bach identity
---
No client certificate CA names sent
---
SSL handshake has read 1446 bytes and written 344 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: EDH-RSA-DES-CBC3-SHA
Session-ID: 
Session-ID-ctx: 
Master-Key: 
52F1E4EE58BB5185C7E0F7A47F500BCB7EFC628E9EB75B18828F31970F9B5060D71DF73B2E4AC6624C793FBF5C5AA20E
Key-Arg   : None
Krb5 Principal: None
Start Time: 1164754863
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---


Re: False certificates

2006-11-28 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 On Tue, Nov 28, 2006 at 06:52:29PM -0600, Mike Perry wrote:
   bach from Germany : 212.42.236.140
  
  Confirmed (I've found an alternate machine to do dev on, so I should
  be able to continuously scan now). Bach is self-signing certs still,
  and not just for e-gold.  It is also likely the culprit as opposed to
  an upstream ISP, since the CN name is bach.  Based on this, I'm
  guessing they're not intending to stop anytime soon.
 
 Yuck. Actually, Peter Palfrader just pointed out that it's probably just
 an iptables screw-up. bach is that Tor server's nickname. It looks
 like he's redirecting all outgoing port 443 requests back into his ORPort.
 
 So, yet another instance of a non-malicious attacker. :)

Heheh, I guess this goes in the "never blame conspiracy when you can
blame incompetence" column. Damn, it's so much more exciting to find
malicious nodes ;)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Mike Perry
Thus spake Robert Hogan ([EMAIL PROTECTED]):

 On Friday 01 December 2006 20:55, Tim Warren wrote:
  On 12/1/06, Robert Hogan [EMAIL PROTECTED] wrote:
   The real danger with Tor is using sensitive information over http rather
   than
   https and mixing anonymous and non-anonymous traffic over the same
   circuit.
   Those two are the most common and most easy mistakes to make.
 
  Maybe you could answer a question for me. Should I NOT login in to a site,
  such as a bank, when using Tor? Or do I need to make sure it is https:?
 
  Appreciate any clarification.
 
  Thanks,
 
 If you use https (and your browser hasn't complained about the ssl 
 certificate) you're fine.  The exit node can see everything (if they want) 
 over http. 
 
 Everything after the exit node is just as good or bad as if you weren't using 
 tor. Tor just adds an extra guy to the chain of *reputable* carriers who 
 *could* monitor your traffic - and it is best practice to assume that at 
 least the tor exit node is doing exactly that. see http://tor.unixgu.ru

It is also wise not to log in to any form over plain http, even if the
form posts to an https url. This is true not just over Tor, but pretty
much anywhere an attacker can manage to position themselves to rewrite
your traffic, which is pretty much anywhere.

Many, many, many banking sites completely disregard this attack vector
in favor of ease of use. Even if the target action of a form is https,
if you have retrieved the form via plain http, that post can be
rewritten to go anywhere. An http redirect later and you're logged in
to your banking site, no harm no foul. Except to your account balance,
of course :)

If your bank is braindamaged in this way, usually giving it a bullshit
login until you can verify you are actually connected via https to it
is probably the easiest way to deal with this.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
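
One way to check a login page for exactly this mistake, as an added example
that is not part of the original post (stdlib Python; the bank hostnames, the
sample page and the harvest URL are all made up for the example):

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed login page: served over plain http, but the login form posts
# to an https URL, the pattern described above.
SAMPLE_LOGIN_HTML = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="https://secure.bank.example/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


class LoginFormFinder(HTMLParser):
    """Collect the resolved action URL of every form that has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, attrs.get("action", "")),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if attrs.get("type", "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.actions.append(self._form["action"])
            self._form = None


def audit_login_page(page_url, html):
    """One (action, verdict) per login form; only https page AND https action is ok."""
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    verdicts = []
    for action in finder.actions:
        if not page_https:
            # An https action does not help: the form itself arrived in the
            # clear, so anyone on the path (an exit, say) can rewrite it.
            verdicts.append((action, "form served over http"))
        elif urlsplit(action).scheme != "https":
            verdicts.append((action, "credentials posted over http"))
        else:
            verdicts.append((action, "ok"))
    return verdicts


def rewrite_form_actions(html, harvest_url):
    """What a hostile exit can do to an http page: point every form at itself."""
    return re.sub(r'action="[^"]*"', 'action="%s"' % harvest_url, html)
```

The verdict is keyed on the scheme the page itself arrived over, not on the
form's action, which is why the rewritten page is still caught: once the
page is http the action is whatever the attacker wants it to be.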


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Mike Perry
Thus spake Martin Toron ([EMAIL PROTECTED]):

 Hi.
 
 I have read in the Tor documentation that the number of Tor routers
 in a path is hard-coded at 3.  And I understand that the path
 changes every 10 minutes (except for active connections).
 
 As a client not running a server, how am I sure that at least one of
 the nodes in the path can be trusted?
 
 A little math:  assume there are 200 Tor routers, some of which have
 been compromised and owned by the same attacker.  If the number
 compromised is small, I can be somewhat confident that at least one
 router is trusted.  However, suppose the attacker massed a global
 attack on the Tor network:  all at once the attacker introduces
 10,000 new routers into the network, all of which he has control of.
 Now, when I choose 3 routers for my path, I only have a few that may
 be trusted, which are in the original 200.
 
 Has this problem been addressed elsewhere?

So I'm guessing you're thinking something like someone heading over to
Amazon's Elastic Computing Cloud and setting up 10,000 tor servers?

I believe tor servers have to be manually approved by tor-ops before
they begin to be used for normal traffic. This used to be the case at
least. Perhaps it has been abandoned due to scaling issues?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Bootstraping Tor manually to get past the Great Firewall

2006-12-04 Thread Mike Perry
Thus spake Nick Mathewson ([EMAIL PROTECTED]):

 The long-term problem is dealing with the fact that the censors can
 access the directories too, and that IP-based blocks are the bread and
 butter of firewalls.

Can't find the article now, but I once read that it is more difficult for
China to add IP-based blocks than keyword/URL ones. It takes them
longer to add IP blocks as opposed to new keywords. Couple this with
the fact that there is probably a lot of churn among the Tor nodes
towards the middle-bottom, and a way to get this directory information
across might be enough for a while...


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Tor DNS lookups failing

2006-12-04 Thread Mike Perry
Thus spake Jay Goodman Tamboli ([EMAIL PROTECTED]):

 A few months ago I modified Snakes on a Tor to do DNS lookups through  
 various nodes and compare the results. At the time there was a node  
 that was intermittently giving users an ad page instead of a real  
 page. I found then that the only node that was returning an IP  
 address that was incorrect was whistlersmother, but I didn't report  
 that here because I was a little unsure about my methodology.
 
 Last week I started scanning again with a better idea of what I was  
 doing. Notably, the latest Tor alpha resets the DNS cache on NEWNYM,  
 so I didn't have to muck with the Tor source to stop it from caching  
 the lookups. After a couple of days of scanning, I haven't found any  
 nodes returning incorrect information, but I have seen more lookup  
 failures than I remember seeing last time. This jibes with my  
 personal experience, where I feel like I've seen more DNS lookup  
 failures than previously.
 
 I was wondering, first, if other people are seeing fairly frequent  
 erroneous DNS failures. Secondly, is there anything Tor can do to  
 improve the situation, like requesting a second lookup via another  
 circuit if one reports a failure, or maybe not caching failures? I'm  
 not sure either of those is a good solution, but right now when I get  
 a failure I have to either wait for the circuit to time out or send  
 Tor NEWNYM. Otherwise the result seems to be cached, so a reload in  
 my web browser just gives me the Privoxy error page again.

Yeah, I just started noticing a lot of DNS failures on my most recent
batch of scanning as well. I've got a fair amount of work to do before
SoaT 0.0.5 is ready (I think I've just about hit the limit of
maintainable complexity in a perl script :), but when it's done it
should be able to help us figure out which servers this is happening
at, as well as a shitload of other interesting info as well.

I'm hoping to make the release next weekend.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Nodes frequently changing keys...

2006-12-06 Thread Mike Perry
Several nodes seem to be rapidly rotating keys.. Over the past 24
hours or so the following nodes have changed keys:

Unnamed - 11 changes, 7 keys
ididedittheconfig - 6 changes, 3 keys
waldi - 5 changes, 2 keys
iddbadfpi2 - 3 changes, 2 keys
oinc - 3 changes, 2 keys
anonymous - 2 changes, 2 keys

Is there any reason why these nodes are doing this? It's been going on
for a while (month or more?), finally got around to recording it.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: how to prevent Tor from auto-building circle?

2006-12-07 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 Hi, guys. I'm working on my own Tor controller recently. I want to 
 do full controlling on circle and stream, but I found that Tor keeps 
 auto-building circles. How to prevent Tor from doing it?

Unfortunately I think there is no tor option for this. In my case I
ignore the circuit extends I didn't cause. You can build a table/list
by watching for 250 EXTENDED ([\d]+) right after you send the
EXTEND.. Any events for other circuit IDs you can then ignore. 

However, I'm guessing you want to completely avoid touching nodes that
are known to be unreachable from your location? Is it bad if you
try to connect to firewalled nodes?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
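
The bookkeeping described above, as an added example rather than code from
the thread or from any real controller: remember the circuit IDs that come
back in "250 EXTENDED" replies to your own EXTENDCIRCUIT commands and drop
CIRC events for every other circuit. The transcript is constructed for the
example (fingerprints and relay names are made up) and follows the v1
control protocol's "650 CIRC <id> <status> [<path>]" shape.

```python
import re

# Constructed control-port transcript. 250 lines are replies to the
# controller's own commands; 650 lines are asynchronous events, including
# circuits Tor launched on its own (circuit 42 here).
SAMPLE_TRANSCRIPT = """\
250 EXTENDED 17
650 CIRC 17 LAUNCHED
650 CIRC 42 LAUNCHED
650 CIRC 17 EXTENDED $A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2=relay1
650 CIRC 42 EXTENDED $0102030405060708090A0B0C0D0E0F1011121314=relay9
650 CIRC 17 BUILT $A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2=relay1,$FFEEDDCCBBAA99887766554433221100FFEEDDCC=relay2
650 CIRC 42 BUILT $0102030405060708090A0B0C0D0E0F1011121314=relay9
650 STREAM 5 NEW 0 www.example.com:80
650 CIRC 42 CLOSED
"""

EXTENDED_REPLY = re.compile(r"^250 EXTENDED (\d+)$")
CIRC_EVENT = re.compile(r"^650 CIRC (\d+) (\w+)(?: (\S+))?")


class CircuitTracker:
    """Remember which circuits this controller created; ignore events for the rest."""

    def __init__(self):
        self.owned = {}        # circuit id -> {"status": ..., "path": [...]}
        self.ignored = 0       # CIRC events for circuits Tor built on its own

    def feed(self, line):
        line = line.rstrip("\r\n")
        m = EXTENDED_REPLY.match(line)
        if m:                                   # our EXTENDCIRCUIT was accepted
            self.owned[int(m.group(1))] = {"status": "LAUNCHED", "path": []}
            return "owned"
        m = CIRC_EVENT.match(line)
        if not m:
            return "other"                      # STREAM, ORCONN, ... not handled here
        circ_id, status, path = int(m.group(1)), m.group(2), m.group(3)
        if circ_id not in self.owned:
            self.ignored += 1
            return "ignored"
        entry = self.owned[circ_id]
        entry["status"] = status
        if path:
            entry["path"] = path.split(",")
        return "owned"

    def built(self):
        """IDs of our circuits that are ready for ATTACHSTREAM."""
        return sorted(c for c, e in self.owned.items() if e["status"] == "BUILT")


def replay(transcript):
    tracker = CircuitTracker()
    for line in transcript.splitlines():
        tracker.feed(line)
    return tracker
```

One caveat worth keeping in mind: the LAUNCHED event for a circuit can race
the 250 reply that names it, so a controller that reads events and replies
on the same socket should be prepared to see an event for an ID it has not
yet been told is its own.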


Re: Nodes frequently changing keys...

2006-12-07 Thread Mike Perry
Thus spake Nick Mathewson ([EMAIL PROTECTED]):

 On Thu, Dec 07, 2006 at 01:46:39AM -0600, Mike Perry wrote:
  Several nodes seem to be rapidly rotating keys.. Over the past 24
  hours or so the following nodes have changed keys:
 
 Actually, from the look of things, these are actually multiple nodes
 with the same nickname.  This is completely kosher according to the
 spec.  If you want to tell nodes apart, you're supposed to look at the
 identity key, not just at the nickname.  Unless the Named flag is
 set in the network status docs, the nickname is not a canonical
 identifier.

Ah. I thought the purpose of using keys was to get the same nodes
after name changes. I thought names were enforced to be unique.

 In some cases, this is probably intentional.  Unnamed is currently
 the default nickname used when no nickname is set.
 ididedittheconfig seems like an obvious riff on the line in the
 default torrc.  anonymous seems like an obvious I didn't want to
 name this name.  I'm not so sure about waldi, iddbadfpi2, and oinc.

You're right, I should have just looked at the directory. All those
but waldi and oinc actually have different IP addresses. I will try to
be more thorough next time.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
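
Nick's point, turned into the check the scan should have made in the first
place, as an added example that is not code from the thread: group
observations by identity fingerprint rather than nickname, and only call a
nickname "rotating keys" when different keys show up behind the same address.
The observations are constructed to mirror the cases above (several unrelated
"Unnamed" relays versus waldi changing keys at one address); fingerprints and
addresses are made up.

```python
from collections import defaultdict

# Constructed observations from repeated directory fetches:
# (fetch, nickname, identity fingerprint, IP address). All values are made up.
OBSERVATIONS = [
    (1, "Unnamed", "FP-A1", "10.0.0.1"),
    (1, "Unnamed", "FP-A2", "10.0.0.2"),
    (2, "Unnamed", "FP-A3", "10.0.0.3"),
    (1, "waldi", "FP-B1", "10.0.1.1"),
    (2, "waldi", "FP-B2", "10.0.1.1"),
    (1, "steady", "FP-C1", "10.0.2.1"),
    (2, "steady", "FP-C1", "10.0.2.9"),   # same relay moved address: still one relay
]


def relays_by_identity(observations):
    """Group by identity key, the only stable handle a relay has."""
    seen = defaultdict(lambda: {"nicks": set(), "ips": set()})
    for _, nick, fp, ip in observations:
        seen[fp]["nicks"].add(nick)
        seen[fp]["ips"].add(ip)
    return dict(seen)


def classify_nicknames(observations):
    """Per nickname: one relay, several relays, or a key that changes under one address."""
    keys_by_nick = defaultdict(set)
    keys_by_addr = defaultdict(set)
    for _, nick, fp, ip in observations:
        keys_by_nick[nick].add(fp)
        keys_by_addr[(nick, ip)].add(fp)
    verdicts = {}
    for nick, fps in keys_by_nick.items():
        if len(fps) == 1:
            verdicts[nick] = "one relay"
        elif any(len(v) > 1 for (n, _), v in keys_by_addr.items() if n == nick):
            verdicts[nick] = "identity key changed at the same address"
        else:
            verdicts[nick] = "several relays sharing a nickname"
    return verdicts
```

Without the Named flag a nickname is just a label, so a scanner that keys its
history on nicknames will report "key changes" every time two operators pick
the same default name.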


A Brief Study on Circuit Construction Speed and Reliability

2006-12-16 Thread Mike Perry
nodes - the last successful hop and the first unsuccesful one. So in
effect, the STREAMDETACHED reason really is 2x more common than in
those lists. On the other hand, it is mostly alleviated by making
compute_socks_timeout() always return 15 (this was not done for this
study, however).


Well that's about all the detail I have time to go into right now. The
complete results are up at
http://fscked.org/proj/minihax/SnakesOnATor/speedrace.zip

As soon as I finish polishing up my README and change log, I will put
up the new release of SoaT itself up. Should be by sometime today.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Snakes on a Tor 0.0.5

2006-12-16 Thread Mike Perry
I've finished off another release of my scanner and wrote another perl
script to perform the timing/reliability measurements in the previous
post.


Release is at:
http://fscked.org/proj/minihax/SnakesOnATor/SnakesOnATor-0.0.5.zip


ChangeLog:


0.0.5:
 Metatroller:
  - suspicious vs naive failure rate information
  - New commands to support exporting these stats to SpeedRacer+SoaT
  - Subscribes to Network status events to get new router information
from Tor
  - Now better able to handle concurrent streams at once

 SoaT:
  - Now scans SSH hosts present in ./known_hosts for key changes
  - Attributes DNS resolution to proper exit, even if different than 
actual data circuit
  - Checks for content changes outside of Tor to eliminate false
positives
  - Filters out dynamic content ahead of time before scanning stats
  - Allows wildcard filetype all

 SpeedRacer:
  - Implemented. 


This is the last release that will be written in perl (unless some
huge bug is discovered). I'm going to rewrite it in Python so I can
get some decent OO support to implement some more advanced features.
There might not be another release for a few months.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: A Brief Study on Circuit Construction Speed and Reliability

2006-12-17 Thread Mike Perry
Thus spake Ringo Kamens ([EMAIL PROTECTED]):

 Thanks for that. It's interesting to have that data visualized.

Yeah, it's not quite as immediately relevant as exit scanning, but it
is a little more interesting with respect to studying the network as a
whole I think. What I'm really looking forward to is gathering some
statistics on most common peers during failure. I'm curious if those
OR_CONN_CLOSED are happening because certain nodes are
unreachable or partitioned from one another somehow, or if it is
something else. But I need better structure & object support for that
than perl can provide sanely, unfortunately.

I've gone back to scanning exits in the meantime. If anyone wants to
join me with a different wordlist.txt, set of filetypes and other ssh
hosts, it might be nice.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Exit ports 465 and 587 [was: Tor and Thunderbird]

2007-01-02 Thread Mike Perry
Thus spake Michael Holstein ([EMAIL PROTECTED]):

 Here's another idea ... gmail allows SMTP via SSL (smtps on tcp/465).
 
 You've got to authenticate for in/out (meaning google account) but you 
 can get one of those anonymously. They do POP via SSL as well (pop3s on 
 tcp/995). Combine the two and you've got a functional client.
 
 This should help you out .. (applies to Outlook, but Thunderbird would 
 use same settings in different places) :
 
 http://mail.google.com/support/bin/answer.py?answer=13278&query=smtp&topic=&type=f&ctx=search

For the Tor nodes that allow 465 and 587, have any of you seen abuse
complaints or problems with SORBS and other vigilante spam crusader
overlords? If these ports are almost always authenticated I will allow
it in my exit policy without bothering with the IP list.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


SSH key spoofing

2007-01-02 Thread Mike Perry
Deliberately breaking threading so this doesn't fall through the
cracks. 

Thus spake Robert Hogan ([EMAIL PROTECTED]):

 
 Got this when testing an ssh connection:
 
 WARNING: DSA key found for host shell.sf.net
 in /home/robert/.ssh/known_hosts:8
 DSA key fingerprint 4c:68:03:d4:5c:58:a6:1d:9d:17:13:24:14:48:ba:99.
 The authenticity of host 'shell.sf.net (66.35.250.208)' can't be established
 but keys of different type are already known for this host.
 RSA key fingerprint is cf:9b:db:c4:53:c3:f0:0d:e8:c4:15:33:61:71:01:ca.
 Are you sure you want to continue connecting (yes/no)? no
 
 
 Tor first attempted to attach a circuit with toxischnet as its exit. This 
 didn't work, so it then used tormentor. I then got the above.
 
 I subsequently used both toxischnet and tormentor to connect without any key 
 authentication issues. The RSA fingerprint is not listed by sourceforge. 
 
 http://sourceforge.net/docs/G04/en/#fingerprintlist
 
 Malice? Misconfiguration of some sort? Anyone care to test either of these 
 exits?

Hrmm.. My scanner seems to be getting hung on some bug (possibly one
that I'm tickling in Tor or possibly my own), so I haven't seen this
during automatic scanning yet, but I can confirm manually that
tormentor IS in fact regularly changing ssh keys. It should be
delisted as an exit ASAP.

toxischnet is currently hibernating, so its hard to say on that one.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
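
The comparison a scanner makes for an entry in ./known_hosts, as an added
example that is not SoaT code: parse the plain known_hosts format, render
the MD5 colon fingerprint ssh printed in the warning above, and classify what
an exit handed back, including the sourceforge case where the host is known
but the exit offers a key of a different type. The key blobs are constructed
wire-format blobs with made-up key material, not real SSH keys.

```python
import base64
import hashlib


def make_blob(keytype, material):
    """Wire-format public key blob: string(keytype) followed by opaque material.
    Used only to build test data; real blobs carry the key's mpints here."""
    return base64.b64encode(
        len(keytype).to_bytes(4, "big") + keytype.encode() + material).decode()


# Constructed keys: the reference DSA key, a rogue DSA key, a rogue RSA key.
GOOD_DSS = make_blob("ssh-dss", b"\x01" * 40)
ROGUE_DSS = make_blob("ssh-dss", b"\x02" * 40)
ROGUE_RSA = make_blob("ssh-rsa", b"\x03" * 40)

# Reference known_hosts, fetched outside Tor. The |1| line is a hashed entry
# (HashKnownHosts), which this parser skips.
KNOWN_HOSTS = (
    "# reference copy, collected without Tor\n"
    "shell.sf.net,66.35.250.208 ssh-dss " + GOOD_DSS + "\n"
    "|1|c2FsdA==|aGFzaA== ssh-rsa " + ROGUE_RSA + "\n"
)


def parse_known_hosts(text):
    """{(hostname, keytype): blob} for every plain entry; hashed entries are skipped."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts, keytype, blob = line.split()[:3]
        for host in hosts.split(","):        # "host,ip" aliases share one key
            known[(host, keytype)] = blob
    return known


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form ssh printed in the warning above."""
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def check_host_key(known, host, keytype, observed_blob):
    """Compare the key an exit handed us with the reference copy."""
    expected = known.get((host, keytype))
    if expected is not None:
        same = base64.b64decode(expected) == base64.b64decode(observed_blob)
        return "match" if same else "MISMATCH"
    if any(h == host for h, _ in known):
        # Host is known, but under another key type: the shell.sf.net case above.
        return "new key type for known host"
    return "unknown host"
```

A "new key type for known host" result is not proof of tampering on its own
(the server may genuinely have both keys), but an exit that produces it for a
host whose RSA fingerprint the site does not publish is exactly what the
report above describes, and it should be treated like a mismatch until the
key is confirmed out of band.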


Re: Block directory authorities, is it possible?

2007-01-12 Thread Mike Perry
Thus spake Pei Hanru ([EMAIL PROTECTED]):

 Hi all,
 
 I live in China and was/am having difficulties in using Tor, the problem
 is: it takes quite a long time to build a circuit for the first time I
 start Tor on my Windows machine.

 Am I understanding correctly? Are there any actions Tor can take? After
 all, we cannot simply assume this will not happen in the future.

If the problem right now is just IP blocking you can try the tor
option HttpProxy which will route your dirserver traffic through an
http proxy you specify. Unfortunately, certain areas have begun
blocking by the /tor/ url postfix that dirservers use, independent of
IP. There is an option in 1.2.x/SVN to tunnel this traffic via other
tor nodes (via SSL), but I believe it is prone to exploding at this
point in time.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: tor and p2p

2007-01-25 Thread Mike Perry
Thus spake Robert Hogan ([EMAIL PROTECTED]):

  There's lots of work left before Tor is in a position for most users
  to be servers.
 
  http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#EverybodyAServer
 
  Hope that helps,
  --Roger
 
 My hosting provider blackholed my mail for a 24 hour period so I've had to 
 read all the replies on the archive.
 
 Thanks for the links and input, though I did get one or two responses which 
 misinterpreted me as suggesting the current tor network be used for anon p2p. 
 Perish the thought!

Yeah, I'm going to say that I2P is much better suited to this than
Tor, especially when you're talking about creating a new network
anyway. For as much bashing as poor jrandom takes on this list and the
wiki, I think he deserves a bit of praise for the fabulous job of
software engineering he has done with I2P. The code is clean,
flexible, and elegant bordering on sexy. It also exports Java Socket
compatible interfaces that Java apps can readily use to be ported over
(and there are python and I think C bindings as well). This has
enabled the pretty straight-forward port of the Phex gnutella client,
the Azureus plugin, and a native I2P bittorrent client I2PSnark.

Not to mention the vast bulk of I2P performance tuning and development
effort is focused on making their hidden service-like features work
well, where as Tor only devotes minimal effort to this component,
focusing instead on relaying to the external Internet. Plus I2P has
configurable path lengths built into the GUI allowing you to sacrifice
anonymity in certain applications to boost performance (either as a
client or server).

However, as was pointed out by enigma, any P2P mix network is going to
suffer a lot more at the lack of residential upstream than normal P2P.
In fact, if you use the standard pathlen of 3, any hidden
service-style system is going to only have 1/6 of the total bandwidth
a normal P2P system would have :(

(I fear that this residential limit will likely continue to the point
where the ratio is only sufficient to get ACKS back for the downstream
channel... Doesn't anyone ever have to email/upload large files to
work or email vids to friends? Maybe there will eventually be demand 
for this not to take aeons...)

 One final dumb question. The torify-ing wiki says:
 
 BitTorrent is already using a mechanism similiar to Tor to communicate with 
 other peers. 
 
 Is this referring to DHT? Is it really that similar?

Yes, this is absolutely correct... In the degenerate case where there
is only 1 tor network per torrent, and you were sufficiently
inebriated enough to handwave cells into the same abstract concept as
file segments, they are the same!

Oh, and also sometimes bittorrent encrypts traffic. Plus they both
use the Internets to communicate between peers! So really there is no
difference. (Who wrote this garbage? ;)


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Removing 1 modular exponentiation

2007-02-19 Thread Mike Perry
Thus spake Watson Ladd ([EMAIL PROTECTED]):

 Hello!
 Tor currently uses RSA encrypted DH exchanges. This requires that the
 server and client both make 3 exponentiations: Two for DH, One for RSA.
 But we can reduce this significantly. I've already presented this
 before, but now I think I can justify security. Sanity checks are assumed.
 
 Cryptographic Personae: Anonymous Alice and Ricky the Onion Router.
 Protocol Paramaters: A group with a generator g that takes on m
 values. DDH is hard in the group. I put generator in quotes because a
 lot of the time it's not a mathematical generator. The group is written
 multiplicatively.
 Setup: Ricky picks a random positive integer k less then m. Let y be
 Ricky's public key. Then y=g^k.
 Protocol round 1: Alice picks a random positive integer a. Let f=y^a.
 Alice sends f to Ricky.
 Protocol round 2: Ricky picks a random positive integer b. Let h=g^b.
 Key calculation: Ricky computes the key as f^(b/k) where
 (g^(k))^(1/k)=g. Alice computes the key as h^a. Note that both Ricky and
 Alice perform 2 group exponentiations.

Well, one immediate problem is that b/k has to be an integer.. So b=rk
for some random r and b is thus not completely random.. To clarify the
effects of this, you should rewrite your protocol as follows from
Round 2 on:

Round 2: Ricky picks positive integer b=rk. Let h=g^b = g^rk = y^r
Key calculation: Ricky computes the session key as s = f^r = y^ar = g^kar.
Alice computes the session key as s = h^a = g^ba = g^rka

All is well and good until Echelon Eve drops in for a spell. Having
recently upgraded her interception points to both eavesdrop AND inject
traffic, Eve has her way with Ricky and Alice in the following racy
3-way scenario (hide the kids):


Alice and Eve:
R1: Alice picks her f=y^a
Alice sends to Ricky, intercepted by Eve.
R2: Eve picks a random number e. Let h_e=y^e. Sends to Alice
Key calculation: Eve computes the session key as s=f^e=y^ae
Alice computes the key as h_e^a=y^ea


Eve and Ricky:
R1: Eve picks her f_e=y^v
Eve sends to Ricky.
R2: Ricky picks his random number r. Let h=y^r=g^rk. Sends to Alice (Eve)
Key calculation: Ricky computes the session key as s=f_e^r=y^vr
Eve computes the session key as h^v=y^rv

Eve then happily relays traffic for Alice and Ricky. 


The fundamental problem is that all you've done is created a new (yet
equivalent) generator y for the exact same group G (since the group is
finite, cyclic and of prime order). Thus the same MITM authentication
problems with DH still exist, our demonic overlords win, begin reading 
your improved Tor traffic, and start executing whistleblowers
for exposing their satanic sex rings again. :(

Plus a few kittens probably die too.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs



Re: Security concerning Tor, BitTorrent and Firewall

2007-02-19 Thread Mike Perry
Thus spake a a ([EMAIL PROTECTED]):

 Oh, excuses. I do not (at least not after the distinct replies) intend 
 to use this either to leech torrents or to leech Tor. Anyways, after 
 testing this for approximately three minutes, my ol' pa went totally 
 nutters on the realisation that this might circumvent the firewall (and 
 yes, he's usually nutters for a reason).
 
 A more accurate question on my behalf would therefore be: Can Tor (if 
 you use it without (or with, for that matter) port forwarding the 
 firewall, create holes in the firewall by allowing incoming 
 connections through the Tor proxy. The ?Torrent case kinda implies this 
 (riiight...?) as the other peers seemed to be able to connect to me at a 
 higher rate...

This is extremely unlikely. Most firewalls create holes for outgoing
TCP connections based on tuples of (IP dest, IP src, TCP dest, TCP
source). Unless your firewall is braindamaged, Tor should not open
incoming holes for bittorrent, since Tor only connects to Tor IPs and
ports for that first hop (which is all your firewall will see). 

(UDP is a different story, but neither Tor nor bittorrent use UDP).

One way to verify if your firewall is braindamaged is to download the
utility wireshark (http://www.wireshark.org) and start it up.

Once it's running, the following filter will show you all INCOMING TCP
connections to the machine running bittorrent:

(tcp.flags == 2) && (ip.dst == 192.168.0.XXX)

Replace 192.168.0.XXX with your bittorrent machine's IP.

You should see no packets other than for other holes opened in your
firewall.

One alternate way your firewall could be broken is that it is allowing
UPNP (or Apple's equivalent.. forget its name). UPNP is used by client
applications to negotiate ports to open on the firewall. If your
bittorrent client supports UPNP and has it enabled, and your firewall
has it enabled, holes will open automatically independent of Tor.

You can also tell your dad that you are probably just as vulnerable
with just a single fixed (non-UPNP) port open for bittorrent as you
are running bittorrent with outgoing connections. So long as nothing
other than bittorrent listens on that port, the only thing exploitable
via that port should be bittorrent, and bittorrent is already
exploitable via traffic travelling over the outbound connections it
made (though outbound connections aren't visible to people scanning
your IP for exploitable clients).

 Or am I completely off the rails?

It's likely, see above ; ) 

It certainly should have nothing to do with Tor unless your firewall
manufacturer is really really dumb (not very likely).

 Or should this be put to rest because it is simply exploration of 
 exploitation ?

Very few sane people shoot down public discussion exploring
exploitation. The only way systems can hope to remain secure is if the
net IQ of people securing them exceeds that of those attempting to
break them. The only way for this to happen is public oversight and
discussion (ESPECIALLY of exploits involving closed-source systems -
closed-source companies have finite and small IQ compared to the rest
of the world). 

Unfortunately, fewer and fewer people in control of systems and law
are sane these days. So the world is about to get mighty interesting ;)


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Removing 1 modular exponentiation

2007-02-19 Thread Mike Perry
Thus spake James Muir ([EMAIL PROTECTED]):

 Mike Perry wrote:
 Thus spake Watson Ladd ([EMAIL PROTECTED]):
 Well, one immediate problem is that b/k has to be an integer.. So b=rk
 for some random r and b is thus not completely random.. To clarify the
 effects of this, you should rewrite your protocol as follows from
 Round 2 on:
 
 that's not really a problem.  all computations are done in the group 
 ZZ_p. 1/k really means the inverse of k modulo the order of g in ZZ_p. 
 So b/k does not have to be an integer.

My abstract algebra is a bit rusty, but isn't finding this value as
hard as the DLP?

Problem is: (g^X)^k = g for some given k. Find X equivalent to 1/k.

Rewrite as (g^k)^X = g

Seems like you need to take the Discrete Log of both sides to get your
X=1/k value. This is hard.

Perhaps you are thinking that g^(b/k)=g^b*g^(1/k).  But it doesn't, it
is (g^b)^(1/k).

If I'm wrong, please enlighten.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Removing 1 modular exponentiation

2007-02-19 Thread Mike Perry
Thus spake Watson Ladd ([EMAIL PROTECTED]):

 James Muir wrote:
  
  You may already know that the current scheme has a security reduction
  (Goldberg, PET 2006), so I imagine there would have to be a comparable
  argument before the powers that be would consider a new scheme.
  
  Out of curiosity, what is it about your scheme that makes you say it is
  insecure?
  
  -James
 Mike Perry had an MITM attack. It wasn't due to a problem with my proof
 but a problem in that what I proved wasn't sufficient to insure
 security. Basically Alice was performing DH with y the generator. So Eve
 could easily perform an MITM attack. And Eve can connect to Ricky
 easily. Still, a more efficient and still *secure* protocol would be a win.

Ah, right. My proof should still apply because even though b/k is not
an integer, it can still be written as b = r*k mod p. r is the
exponent of g you get when you do (g^b)^(1/k) after finding (1/k) mod
p using the Euclidean Algorithm as James pointed out. Right?

It's all coming back to me now (maybe). ;)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
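
A worked version of the whole thread: Watson's protocol as written, the
MITM from the first reply, and James's point that 1/k means the inverse of
k modulo the group order (so b/k is a perfectly good exponent and the
"b must be a multiple of k" objection goes away). This is an added example,
not code from the thread or from Tor; the group is a toy safe prime chosen
so the arithmetic is readable, not anything a real deployment would use.

```python
import secrets

# Toy group (assumed for this example, not Tor's parameters): P = 2*Q + 1 is a
# safe prime and G = 2^2 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)


def router_keygen(k=None):
    """Ricky's long-term key k and public value y = g^k."""
    k = k or rand_exp()
    return k, pow(G, k, P)


def client_round1(y, a=None):
    """Alice picks a and sends f = y^a (she exponentiates y, not g)."""
    a = a or rand_exp()
    return a, pow(y, a, P)


def router_round2(k, f, b=None):
    """Ricky picks b, publishes h = g^b and derives f^(b/k)."""
    b = b or rand_exp()
    k_inv = pow(k, -1, Q)                 # 1/k is the inverse of k modulo the group order
    h = pow(G, b, P)
    return h, pow(f, (b * k_inv) % Q, P)  # (g^(ka))^(b/k) = g^(ab)


def client_finish(a, h):
    return pow(h, a, P)                   # (g^b)^a = g^(ab)


def honest_run(k=None, a=None, b=None):
    """Alice and Ricky alone: both sides end with g^(ab)."""
    k, y = router_keygen(k)
    a, f = client_round1(y, a)
    h, key_ricky = router_round2(k, f, b)
    return client_finish(a, h), key_ricky


def mitm_run(k=None, a=None, b=None, e=None, v=None):
    """Eve between Alice and Ricky. y is public, so she can play Ricky to
    Alice (answering y^e) and Alice to Ricky (sending y^v), and ends up with
    a key shared with each side without ever learning k."""
    k, y = router_keygen(k)
    a, f = client_round1(y, a)            # Alice -> Ricky, intercepted by Eve
    e = e or rand_exp()
    h_e = pow(y, e, P)                    # Eve answers Alice exactly as Ricky would
    key_alice = client_finish(a, h_e)     # = y^(ea)
    key_eve_alice = pow(f, e, P)          # = y^(ae)
    v = v or rand_exp()
    f_e = pow(y, v, P)                    # Eve's own round 1 towards Ricky
    h, key_ricky = router_round2(k, f_e, b)
    key_eve_ricky = pow(h, v, P)          # = g^(bv) = Ricky's f_e^(b/k)
    return {"alice": key_alice, "eve_alice": key_eve_alice,
            "ricky": key_ricky, "eve_ricky": key_eve_ricky}
```

The honest run confirms that the inverse-mod-Q reading of b/k makes the
protocol work with a random b; the MITM run shows that nothing in it binds
Ricky's private k to the session, so y = g^k is just another generator of
the same group and Eve can complete the exchange on both sides.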


Re: Running Tor on a v-server with limited number of TCP sockets

2007-02-21 Thread Mike Perry
Thus spake Stephan Walter ([EMAIL PROTECTED]):

 On 2007-02-21 21:25, Alexander W. Janssen wrote:
  From a pragmatic point of view that would also mean that you wouldn't
  be able to log in from remote if TOR gobbles up all sockets.
 
 It's not as bad as that, as the ssh daemon is listening all the time and
 therefore already has its socket.

Actually, it probably is as bad as that. Each time accept() is called
on this server socket to handle a new SSH connection a new socket is
formed.. Unless their limit has a special exemption that they coded
themselves for accept().. But most likely its some garbage usermode
Linux thingy with ulimit -n set on the usermode linux process.

On the plus side, if they did code this exception for accept(), it
should apply to Tor as well, at least for incoming connections to the
OR port.  Eventually most routers should connect to you, and Tor will
just use those OR connections (though they may get closed if no
circuits are on them.. not sure about how long Tor keeps idle OR
connections open).

However, my scanner (if it ever works :) probably will end up flagging
your node as unreliable.. But you've got a while before that actually
means anything.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: pop3 and smtp over ssl [was: ssh]

2007-03-05 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 Kees,
 
 I connect to various safe-mail accounts through secure POP (over
 SSL, port 995) to read my mail and have never problems. Or better to say that 
 when the tor exit node doesn't connect to safe-mail, I just try again a few 
 minutes later and usually it is ok. My mail program (Thebat) even does it all 
 alone, it checks email every xx minutes, as I wish.
 
 Sending mail is another story :) It is quite impossible in SMTP on 25 as in 
 secure SMTP on 465, as most tor exit nodes block traffic to these ports. So, 
 to send email, better is to connect to a web
 interface (in https of course), safe-mail is fine for this too.

This is interesting.. According to running
http://tor.eff.org/svn/trunk/contrib/exitlist, there should be about
20 nodes that exit to port 465.. The problem might be that these nodes
are slower overall, and tend to drop more circuits. If either of you
try setting CircuitBuildTimeout to like 10 in your .torrc, does it
help?

It would be nice if there was a way to specify an additional portlist
Tor uses to prebuild a couple extra circuits for. Circuit construction
can take a really long time and maybe this option would help people
who use apps on ports other than 80 and 443. Roger/Nick,
agree/disagree? Did I just volunteer? ;)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Building tracking system to nab Tor pedophiles

2007-03-06 Thread Mike Perry
Thus spake Fergie ([EMAIL PROTECTED]):

 Hmmm.
 
  http://blogs.zdnet.com/security/?p=114
 
 Comments?

Will they write a ZDnet article about me when my node scanner starts
to delist his compromised exit nodes? ;)

There's of course no way that these nodes can be allowed to continue
to be exits if discovered. Any of them can be retooled into targeting
a lot more than just pedophiles, for fun, profit, or via subpoena.
He's also putting himself in an interesting position here wrt federal
wiretap law as well (as mentioned on the Tor legal faq). Though of
course, he picked a good target to pick on. The anonymous typically
have little legal recourse. Especially when you claim they all just
want child porn.

Of course, anyone utilizing common Tor best practices will not be
affected by this. (Though the one gripe I have is that NoScript allows
Java if you allow scripts.. But there are also extensions that block
Java globally - like QuickJava).

At any rate, I welcome a good open source implementation of this. If
nothing else, it will be nice to pit it against my scanner on a test
network to make sure this sort of thing can be reliably detected.


As an aside, it's recently become clear that a lot of people are using
these Internets things to transmit child pornography. Perhaps we
should just shut 'er down? 

Sure would be easier than actually finding the PRODUCERS of such
content...


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Building tracking system to nab Tor pedophiles

2007-03-06 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 At any rate, I welcome a good open source implementation of this. If
 nothing else, it will be nice to pit it against my scanner on a test
 network to make sure this sort of thing can be reliably detected.

Oh, and we can also use this as an opportunity to definitively settle
once and for all the age old question of which is the superior
language, python, or ruby? He does have to waste an awful lot of lines
on end statements... ;)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Building tracking system to nab Tor pedophiles

2007-03-07 Thread Mike Perry
Thus spake Freemor ([EMAIL PROTECTED]):

 I think what needs to be done here is to create a FAQ or other standard
 document that will 1.) inform the vastly misinformed public. 2.) list
 places and ways they can make a difference.

Excellent post, even if slightly off-topic. As suggested on IRC, I think
the Tor documentation strategy needs to be rethought. Most people
barely read the download page, let alone the reams of FAQ questions.

We've had two attacks now on Tor that rely on unmasking users who
use Tor incorrectly. One of them actually published a paper and had
decent results at unmasking this way (mostly Asian users who probably
can't read our english mailinglist or english FAQ), and the media
still doesn't seem to understand that these attacks are well
documented.

The Tor download page should have a concise Things to know before
downloading section that lists a few key points about the most easy
ways your identity can be revealed through Tor. Something like

Things to know before you download Tor:
 - Browser plugins can be made to reveal your IP.
 - This includes Flash, Java, ActiveX and others.
   - It is recommended that you use FireFox and install the extensions
     NoScript, QuickJava, and FlashBlock to control this behavior if
     you must have these plugins installed for non-Tor usage.
 - Make sure your browser settings have a proxy listed for ALL
   protocols (including Gopher and FTP).
 - For further details, please consult the Tor FAQ.

Maybe this will stop the same attack from hitting the blogosphere
every 2 months. Even better, maybe it will stop that attack from
actually working..

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Building tracking system to nab Tor pedophiles

2007-03-07 Thread Mike Perry
Thus spake Paul Syverson ([EMAIL PROTECTED]):

 I don't think it was off topic. To repeat what I already said in
 an individual response.
 
   I think it was not OT since your post addressed the reality of a
   situation for which people were designing Tor modifications and
   deployments and you evaluated their applicability to intended
   application.

Good. Solid post all around then.

 I had advocated something similar some time ago. Actually what I proposed
 was that some sort of test server be set up. I know there are already
 many of them, but I was thinking that there could be testing stages
 in an install wizard (or a post-install testing wizard)
 that takes the user through various tests and what to do in response
 to results. I know a lot of work, maybe another suggestion to be
 listed on the volunteer page or a candidate for summer of code?
 
 You dream big (not sure which is the bigger dream ;)

Heheh, well speaking of dreaming big, while both what you and Jason
Edwards said are great goals to have, I think we shouldn't get
distracted from stopping the bleeding now with a few sentences right
up front while something more elaborate is devised (or a volunteer
steps up).

The problem is if it isn't right on the download page and translated
into most languages, people will just assume they are good to go
without bothering to read the FAQ until something breaks (as Jason
pointed out). I also fall into this category with most software (even
stuff I develop for ;).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake sy16 ([EMAIL PROTECTED]):

 My suggestions as a no-tech user:
 
 Perhaps the Warning should be put on top of the page, before the
 download links - sometimes people don't go further than the download
 links.
 
 Also, might I suggest NoScript to be used in conjunction with
 QuickJava? And please add a line reminding users to reload the page
 if they use QuickJava. NoScript reloads automatically but not
 QuickJava.

The problem with NoScript is that it is incredibly complex, and unless
you configure it properly (which is NOT the default), it is really no
protection against an attack like Moore's. The default whitelist is
enough for him to abuse. A bad tor node can fake any host it wants.

Even worse, it is possible to THINK you are configuring NoScript
properly and make yourself even more insecure. For example, the
addons.mozilla.org people got the brilliant idea to transmit
extensions over http (even though the site itself is https). They
verify MD5s using javascript that runs on the https connection.. If
you disable javascript for them, you are downloading extensions
without any verification :(.

Unfortunately, QuickJava by itself is not enough to disable java
launched from a moore-style attack.
http://metasploit.com/research/misc/decloak/ actually builds the
applet html in a hidden div using javascript. QuickJava lets it
through.. On the plus side, Sun Java 5.0r10 seems to obey SOCKS for
his datagramsocket test, which is a huge surprise... Who knows if the
same can be said for MS Java.

This last point puts us in a catch-22. Personally, I think even if we
could describe to people how to use NoScript, it is going to be waay
too much of a hassle and too error prone to work reliably for the
average user, especially as more and more sites go AJAX with no other
option. On the plus side, the author of QuickJava has also authored an
anonymity extension for Anonymouse. Perhaps he would be amenable to
fixing his extension against moore's on-the-fly HTML generation.
However his email address is not listed on the author page :(



 About the evil exit nodes, these extensions might help detect false
 pages: HostIP.Geolocation plugin, netcrafttoolbar, FormFox, and
 Shazou. FormFox is somewhat paranoid and not always accurate, but it
 serves as a reminder of thinking before clicking submit.
 
 About mail client: I configure my Thunderbird 995 and 465, same
 server name for pop and smtp, with Torbutton. So far I have had no
 problem retrieving and sending. There have been mentions in this
 list about problems with smtp, so maybe I am missing something. Am I
 blithely assuming my getting and sending mail  through tor and SSL?
 
 About Windows (sorry guys) security, set up a normal user account
 for browsing, like they do in Linux. Change Administrator to some
 other moniker and set a password. And disable remote administration
 if you don't need this enabled.

Yea, these are good ideas for a second page. But on the front page we
just want a few paragraphs that covers all the bases.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page (Re: QuickJava update req)

2007-03-08 Thread Mike Perry
Thus spake light zoo ([EMAIL PROTECTED]):

 
 --- Mike Perry [EMAIL PROTECTED] wrote:
 
  Perhaps he would be amenable to fixing his
  extension against moore's on-the-fly HTML
  generation.  However his email address is not
  listed on the author page :(
 
 Well it looks like Mr. Greene prefers to receive
 feature requests on his blog, not email.  He seems
 very open to feature requests and suggestions:
 
 Quote Mr. Green:
 --
 Please leave comments for feature requests here to be
 considered.
 --
 
 Mr. Green's blog entry page:
 http://www.blogger.com/comment.g?blogID=17969172&postID=112982970672088922

Yeah, I left a feature request for him. 
http://quickjavaplugin.blogspot.com/2006/12/features-requested.html

On further investigation his plugin seems to rely on the Firefox
setting 'security.enable_java', so perhaps he would have direct
ability in fixing this bug.. But on the plus side, maybe the fact that
this setting is under 'security' and can still be bypassed will
warrant prompt response from the Firefox team.. I'm probably occupied
for today.. If anyone wants to test this option for firefox 1.5 and
2.0 latest with moore's page please do so and post here. Note it's
hard to tell if the applet is running. You probably have to use
wireshark and filter on udp while hitting the page with tor disabled.
The udp packet is to red.metasploit.com. It is easy to see with a
filter of 'udp'.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page (Re: QuickJava update req)

2007-03-08 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 Thus spake light zoo ([EMAIL PROTECTED]):
 
  
  --- Mike Perry [EMAIL PROTECTED] wrote:
  
   Perhaps he would be amenable to fixing his
   extension against moore's on-the-fly HTML
   generation.  However his email address is not
   listed on the author page :(
  
  Well it looks like Mr. Greene prefers to receive
  feature requests on his blog, not email.  He seems
  very open to feature requests and suggestions:
  
  Quote Mr. Green:
  --
  Please leave comments for feature requests here to be
  considered.
  --
  
  Mr. Green's blog entry page:
  http://www.blogger.com/comment.g?blogID=17969172&postID=112982970672088922
 
 Yeah, I left a feature request for him. 
 http://quickjavaplugin.blogspot.com/2006/12/features-requested.html
 
 On further investigation his plugin seems to rely on the Firefox
 setting 'security.enable_java', so perhaps he would have direct
 ability in fixing this bug.. But on the plus side, maybe the fact that

Err. rather he probably has NO direct ability to fix it.

 this setting is under 'security' and can still be bypassed will
 warrant prompt response from the Firefox team.. I'm probably occupied
 for today.. If anyone wants to test this option for firefox 1.5 and
 2.0 latest with moore's page please do so and post here. Note it's
 hard to tell if the applet is running. You probably have to use
 wireshark and filter on udp while hitting the page with tor disabled.
 The udp packet is to red.metasploit.com. It is easy to see with a
 filter of 'udp'.

http://metasploit.com/research/misc/decloak/ is his url (mentioned in
a previous post). Hit that with JS enabled but java disabled to test.
The more platforms + JVM combos we have the better our odds are of
someone at firefox listening to us and fixing it promptly and
correctly. It's possible the behavior of this 'security.enable_java'
flag is OS+JVM dependent. I will do what I can, but I'm probably
going to be pretty occupied for the next few days with other things.

Also, as much as we have given him shit, HD Moore does deserve some
thanks about providing an open example of all this for us to test.
That is much better than the others who have studied this have done.
(Though I do suspect he may in fact simply hate Tor, at least his
security and research ethics are intact).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake H D Moore ([EMAIL PROTECTED]):

 Thanks for the feedback! Keep in mind this is the first applet I have ever 
 written :-) Any information about the new API would be appreciated. Do 
 you happen to know what versions it is compatible with? Bizarre that they 
 would explicitly allow non-proxied connections. I used the DatagramSocket 
 so that I could send requests directly to the DNS server and not have 
 to do any extra processing on the server side. 

Actually, I'm also curious about your on-the-fly applet tag
generation. Were you aware that it would bypass that
security.enable_java setting or was it just a general evasive thing
you did for filtering? Do you have any information if this is specific
to certain versions/JVMs or if it is a universal hack?

Have you contacted the Firefox people?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 On Thu, Mar 08, 2007 at 04:12:10PM -0600, H D Moore wrote:
  I am in the process of updating the decloak 
  demonstration to explain each of the tests and provide source code for 
  the components. What may not be obvious (especially from the ZDNet 
  article), is that I believe in the Tor project's goals and am not 
  developing these types of tests to damage the project. 
 
 Hi HD,
 
 Thanks for joining the discussion, and welcome. We (the Tor developers)
 have been working mostly on making Tor itself work, and hoping that
 other people would step up to help us figure out how to safely configure
 the supporting applications (web browsers, etc). We could sure use some
 help. :)
 
 The current simplest advice I can give people is to remove all plugins:
 http://tor.eff.org/download.html.en#Warning
 Do you have any suggestions on safe ways to back off from that?

I have a couple more points - the second browser phrase should link to
http://portableapps.com/apps/internet/firefox_portable because
otherwise it's not really easy to have a second firefox installed.
 
I think we should also mention that we do scan the exits to try to
verify they are behaving well, but we may miss some. 

While developing the next generation of my scanner I still do scan for
matching MD5s inside/outside Tor from time to time, and the next
generation scanning script itself will examine script+embedded tags to
handle odd content/URLs in dynamic pages, but the main danger is
in people targeting small segments of the population that I do not
speak the language of to issue queries for..  Tibetan sympathizers in
China come to mind..  Well, pretty much everyone in China comes to
mind, and I'm sure there are plenty of other marginal groups this
applies to as well (other than child porn viewers).

Scanning doesn't help Moore's point 3, but hopefully some statement of
vigilance on our part will help Tor seem a little less like a
perpetual connection through the wireless net at Defcon.. Though
unfortunately that is the level of precaution Tor users should
probably be ready to take.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 Thus spake Roger Dingledine ([EMAIL PROTECTED]):
 
  On Thu, Mar 08, 2007 at 04:12:10PM -0600, H D Moore wrote:
   I am in the process of updating the decloak 
   demonstration to explain each of the tests and provide source code for 
   the components. What may not be obvious (especially from the ZDNet 
   article), is that I believe in the Tor project's goals and am not 
   developing these types of tests to damage the project. 
  
  Hi HD,
  
  Thanks for joining the discussion, and welcome. We (the Tor developers)
  have been working mostly on making Tor itself work, and hoping that
  other people would step up to help us figure out how to safely configure
  the supporting applications (web browsers, etc). We could sure use some
  help. :)
  
  The current simplest advice I can give people is to remove all plugins:
  http://tor.eff.org/download.html.en#Warning
  Do you have any suggestions on safe ways to back off from that?
 
 I have a couple more points - the second browser phrase should link to
 http://portableapps.com/apps/internet/firefox_portable because
 otherwise it's not really easy to have a second firefox installed.

Actually, negative on this. Cookies, extensions, and bookmarks are not
transferred over, but existing plugins from other firefox installs are
still detected. We just can't seem to catch a break here.. There
doesn't seem to be any way to disable plugins once you have installed
them... The 'about:plugins' chart does have an Enabled column..
maybe buried somewhere is a way to disable them with extensions..

Does anyone know anything about writing firefox extensions? How do I go
about finding these plugin enabled properties, if they even exist
outside the compiled code?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page

2007-03-09 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 Also, isn't Portable Firefox Windows-only? Or am I confused?

True, just going for what I assume is the majority of our
userbase first. Especially people who are going to have difficulty
with this stuff. Was also in a rush and didn't check out the plugin
thing right away, sorry.
 
  I think we should also mention that we do scan the exits to try to
  verify they are behaving well, but we may miss some.
 
 How often are you doing this scanning at this point?

Couple times a week for overnight runs. Pretty much whenever I add new
functionality to the stats gathering system I do an SSL + http scan
with the old perl scanner controlling the new python core before
checkin.

The problem is the http scanner itself is MD5 based, and it does
nothing to find nodes that deliberately target dynamic content.. So
maybe I'm doing nothing of substance at this point.

 Speaking of which, a frequently asked question that isn't answered on
 the FAQ is: I'm pretty sure my exit node is screwing with me. How do
 I figure out which exit node it is? My answers so far have been
   - Run at loglevel info and go look through all the stuff that
 makes no sense to you. Not so easy.
   - Use Vidalia's Network Map window and watch which circuit your
 stream is connecting to. Easy -- if you use Vidalia.
   - Connect to the control port manually and ask for stream and
 circuit events and then let it scroll. When something goes
 wrong, look at the output and piece it back together.
 
 Any ideas on a more foolproof approach? :)

Heh. I haven't had much luck with 'foolproof' anything lately. It
definitely shouldn't be anything other than in-memory. It would be
nice if Vidalia had a list of recently used exits and a list of IPs
visited for each (with some expiration time of like 5 min?)

Even with Vidalia it is hard to open the network window while the
stream is still attached to your circuit. Usually by the time you
notice, it's long closed.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Work on Tor this summer, get paid by Google

2007-03-20 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 The deadline for students submitting applications is _MARCH 24_.
 
 I've put up a page with more details here:
 http://wiki.noreply.org/noreply/TheOnionRouter/SummerOfCode
 and there's a big list of potential projects here:
 http://tor.eff.org/volunteer.html.en#Coding

I just whipped up a TODO and a README file for the TorFlow library, so
if you scanned this list and either didn't see anything interesting,
or just went TorFlow, buh? at my item and moved on, maybe it's worth
seeing if any of the stuff in http://tor.eff.org/svn/torflow/README
and http://tor.eff.org/svn/torflow/TODO catches your eye. The stuff
marked not GSoC isn't forbidden, it's just less likely that it will
involve enough pure coding to make Google happy.

But if you did see an interesting item on the list, don't let me
distract you from it. Particularly any Windows coding. The Windows
select bug, Polipo port, and the USB drive are all very important and
less likely to get done by the main Tor devs who are mostly
Linux-focused.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Securing teh Intarwebs (Ultimate Solution ;)

2007-03-31 Thread Mike Perry
So I've spent the last week buried in javascript, xml, xbl, and
something pronounced Zool. I seem to have survived, but it is quite
possible I may turn into a fire breathing demondog at any moment. Hail
Gozer.

The result of this mad vision quest is a new and improved Torbutton.
Based off of TorButton 1.0.4, it has the following additional features:

1. It turns off browser plugins when you click a button in the statusbar,
   and also whenever Tor is on.

2. It clears your cookies whenever you toggle tor.

3. It hooks dangerous javascript functions, including:
   A. The Date() object, which can reveal your timezone
   B. document.getElement* which can be used to probe CSS attributes
      to see if you have visited certain sites or issued certain
      google queries: http://gemal.dk/browserspy/css.html
   C. navigator.oscpu and navigator.platform, two OS revealing strings
      not managed by UserAgentSwitcher.

4. It can optionally clear history whenever tor is toggled
   (unfortunately saving non-tor history is not possible yet. Firefox
   DOES have an API to do this, but it is not implemented).


http://fscked.org/proj/minihax/TorButton/TorButton-1.1.0-alpha-dev.xpi

The goal of this extension is to make javascript as safe as it can be
to use over Tor, modulo browser vulnerabilities (which the FF people
will actually fix.. They seem to enjoy arbitrary sites being able to
query their history and search keywords, however.. That is a feature).


ALPHA WARNING:

This is ALPHA software. It desperately needs someone to review it and
to try to break it. Especially the Date hooks. Those are complicated,
and feeding Date various malformed strings to parse may cause it to
generate a time with an offset from the actual time that reveals your
timezone, among other issues. I tried my best to guard against these
types of issues, but it could really use another pair of eyes. Or
several.

Additionally, it would be nice if someone could verify that popups,
iframes, frames, and other crazy gimpy windows properly hook Date()
and disable plugins. I tested iframes and frames briefly, but I did
not test popups.


ABANDONWARE WARNING:

I am not terribly interested in maintaining this extension. Especially
not for the next month or so. However, I will consider fixing serious
bugs involving my hooks of Date(), but likely not in any timely
fashion. If absolutely nothing happens with this after a month, I will
add it to my pile of responsibilities. But I should probably find the
time to pay my utilities first. I'm really hoping Scott will pick up my
changes and continue maintaining this extension.


KNOWN ISSUES (AKA HELP PLZ!):

This extension has been tested to work on FF2.0 and FF1.5. FF1.5
unfortunately lacks a sane TabOpen event, so plugins are not properly
disabled for new tabs when they open. FF2.0 seems ok.

I tried the code snippets for FF1.5 for this from
http://developer.mozilla.org/en/docs/Code_snippets:Tabbed_browser
but I was unable to get it to deliver events just for a tab, and I
eventually gave up. I am not planning on supporting FF1.5 ever. If you
like FF1.5, please submit a patch. It's possible I was just doing
something dumb. I did only learn javascript 5 days ago :)

It might also be nice if someone changed that J graphic to a P for
plugins, and also made a button for toggling the javascript.enabled
pref (and hooked it up so it actually worked).


BRIEF EXPLANATION OF SOURCE:

XPIs are zips of jar files that contain javascript and xml. The jar
files themselves are also zips. The javascript hooking magic is done
in jshooks.js. The plugin toggling and events for javascript are in
torbutton.js.


Good luck!


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: My ISP block Tor Servers

2007-04-18 Thread Mike Perry
Thus spake Koh Choon Lin ([EMAIL PROTECTED]):

  If you can't or don't want to switch ISP you could
  rent a server with uncensored net access and use
  it as proxy.
 
 I am working in Singapore and the government branded Tor as criminal
 skills. Thus, I have to go through a proxy even to get the Tor
 client!

Heh. This reminds me of a lawfirm one of my friends used to work at.
They told me when they tried to visit my website the content filter
denied them with that same message: Criminal skills. Never did get a
copy of the censor page though. This was in the USA.

Content filters are awesome.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Using a Proxy with Tor

2007-04-20 Thread Mike Perry
Thus spake Tarek Tag ([EMAIL PROTECTED]):

 1) When setting a proxy, via the HttpProxy/HttpProxyAuthenticator commands,
 does anything else need to be set, or are these the minimum set of commands
 needed? Currently, my torrc file simply contains the following (which
 doesn't seem to be working as expected):
 
 HttpProxy myproxy.com:port
 
 HttpProxyAuthenticator myusername:password
 
 2) Do both the HttpProxy AND HttpsProxy commands need be set in order to get
 the proxy to work (along with the authenticator information if applicable),
 or do I choose only one depending on the address of my proxy? 

Yes, you need to set both. HttpProxy only proxies directory traffic.
HttpsProxy proxies Tor node traffic. Also, if your proxy only allows
connections to limited ports, you must specify FascistFirewall and
FirewallPorts for those ports, or the more recent (and slightly more
complicated) ReachableAddresses config.

 When I put the HttpProxy/HttpProxyAuthenticator commands in my torrc file,
 and took a look at the traffic through a network analyzer, it doesn't show
 the behaviour that I expected: That is, it shows that all traffic is still
 going from my local computer to the Tor nodes directly, rather then via the
 proxy.

Regrettably the proxy behavior with Tor is not all that good. For
example, if for some reason the proxy is unreachable, it fails
silently and reverts to non-proxied connections. If the proxy refuses
to allow you to connect to a particular IP/port (for example, if you
do not specify FascistFirewall), it prints out a warn, and then
reconnects without using the proxy.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
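The two answers above (set both HttpProxy and HttpsProxy, and tell Tor which ports the proxy allows) can be checked mechanically. The following is an added example, not Tor's own code: a small torrc lint that parses the file and flags the weak configuration the poster described beside the corrected one. The option names are real torrc options named in the thread (HttpProxy, HttpsProxy, HttpProxyAuthenticator, FascistFirewall, FirewallPorts, ReachableAddresses); HttpsProxyAuthenticator is not mentioned in the thread but exists in Tor's manual; the proxy host, port and credentials in the samples are constructed.

```python
"""Lint a torrc for the HttpProxy/HttpsProxy pitfalls discussed above.

Added example, not Tor project code. Option names are real torrc options;
the sample host, port and credentials are constructed.
"""
from typing import Dict, List

# Constructed sample in the shape the poster described: only HttpProxy is
# set, so directory fetches are proxied but OR connections still go direct.
WEAK_TORRC = """
HttpProxy myproxy.com:3128
HttpProxyAuthenticator myusername:password
"""

# Corrected sample: both proxies, plus the ports the proxy will CONNECT to.
FIXED_TORRC = """
HttpProxy myproxy.com:3128
HttpProxyAuthenticator myusername:password
HttpsProxy myproxy.com:3128
HttpsProxyAuthenticator myusername:password
FascistFirewall 1
FirewallPorts 80,443
"""


def parse_torrc(text: str) -> Dict[str, List[str]]:
    """Map lower-cased option name -> list of values.

    torrc allows an option to repeat, '#' starts a comment and blank lines
    are ignored; option names are matched case-insensitively.
    """
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def lint_proxy_config(text: str) -> List[str]:
    """Return human-readable findings; empty list means the proxy setup
    matches the advice given in the thread."""
    opts = parse_torrc(text)
    findings: List[str] = []
    has_http, has_https = "httpproxy" in opts, "httpsproxy" in opts
    if has_http and not has_https:
        findings.append("HttpProxy without HttpsProxy: only directory traffic is proxied, "
                        "OR connections to Tor nodes bypass the proxy")
    if has_https and not has_http:
        findings.append("HttpsProxy without HttpProxy: directory fetches bypass the proxy")
    if (has_http or has_https) and not ({"fascistfirewall", "reachableaddresses"} & opts.keys()):
        findings.append("proxy set but no FascistFirewall/ReachableAddresses: Tor will try "
                        "ports the proxy refuses, warn, and fall back to direct connections")
    # Authenticator values must be username:password or Tor cannot send them.
    for name in ("httpproxyauthenticator", "httpsproxyauthenticator"):
        for value in opts.get(name, []):
            if ":" not in value:
                findings.append(f"{name} is not in username:password form")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_TORRC), ("fixed", FIXED_TORRC)):
        print(label, lint_proxy_config(cfg) or ["ok"])
```

Run it against your own torrc by reading the file into `lint_proxy_config`; a network analyzer showing Tor node connections leaving the host directly, as the question describes, is exactly the symptom the first finding points at.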


Re: Using a Proxy with Tor

2007-04-23 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 On Fri, Apr 20, 2007 at 06:41:43PM -0700, Mike Perry wrote:
  Regrettably the proxy behavior with Tor is not all that good. For
  example, if for some reason the proxy is unreachable, it fails
  silently and reverts to non-proxied connections. If the proxy refuses
  to allow you to connect to a particular IP/port (for example, if you
  do not specify FascistFirewall), it prints out a warn, and then
  reconnects without using the proxy.
 
 Can you clarify this bug report? I was under the impression that Tor's
 proxy behavior was perfect, at least in 0.1.1.10-alpha and later.

The above was what I noticed while briefly testing SETCONF HttpsProxy
via the control port for different proxies, some unreachable, some
that gave me 403 errors. It seemed that after the proxy failed once,
it was ignored. Sometimes it failed silently and then was ignored.

I suppose I could have been doing something strange accidentally. Or
maybe the control port setting wasn't properly being propagated. I can
retest sometime next week if you need me to.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Sampled Traffic Analysis by Internet-Exchange-Level Adversaries

2007-05-30 Thread Mike Perry
Thus spake Paul Syverson ([EMAIL PROTECTED]):

 Anyway, the main reason I'm writing is that my objection was not just
 that the GPA was too strong but that it was too weak. Thinking you
 could have an adversary powerful enough to monitor all the links
 necessary to watch your whole large network but not able to do any
 active traffic shaping at all anywhere seems obviously nuts. This is
 one reason why padding on an open low-latency (lossless) network is
 problematic: an adversary with any active capability at all can induce
 a timing channel easily.

Actually, I'm going to disagree slightly because I don't feel like
sleeping yet :). It would take far less resources to passively tap the
traffic and filter out say Tor IPs and do analysis on just that data
offline. Trying to actively do that filter in-path PLUS arbitrarily
delay (ie queue in memory) that traffic in real time, all without
significantly affecting pass-through traffic seems like it would be a
lot more expensive.

Also, not to mention there is a limited number of bits that can be
reliably encoded in this manner, and the perturbations of padding that
shares the same TLS connection will lower this effectiveness. The
adversary needs enough bits to get through to be able to track all the
parties it is interested in. If padding is in place, it will have to
spend considerable effort in redundancy to make sure that the
timestamp remains present in the exit stream.. Which again means more
queueing and more expense. 

Of course, it also means more expense on the part of the anonymity
network in wasted bandwidth.. If padding slows down the network to the
point where users start to leave, other, more dangerous effects take
over.

Finally, going on what has been disclosed so far in the EFF v ATT case,
it would seem that global adversary-style mass surveillance is in fact
occurring passively, out of path. At least the illegal domestic stuff,
anyways. I suppose it's anyone's guess what they do when it's less
blatantly illegal.. Maybe Echelon is the reason my bbc is so slow! :)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: What will happen to Tor after the new German data retention law takes effect?

2007-06-14 Thread Mike Perry
Thus spake Freemor ([EMAIL PROTECTED]):

 anyways just thoughts in the wind.. I'm sure the Tor Devs are
 probably gnashing teeth and pulling hair as a hundred reasons why it's a
 bad idea stream through their minds.

Code moves faster than law. No need to panic, or speculate on
technical solutions before a law is even passed. If the powers that be
are this intent on exemplifying their stupidity and pointlessly
wasting their resources on excuses to justify flawed totalitarianism
instead of addressing real problems, we should let them. We will have
plenty of time to adapt once the law is passed.

Right now, the proper avenue is well-articulated political opposition.
On a technical perspective we should be lazy with this one. It will
work to our advantage. Plus, I can't believe such measures don't run
against basic human rights and constitutional protections revolving
around search & seizure and presumed innocence. But I am constantly
surprised by the willingness of my own country to shred the spirit if
not the letter of its own constitution as soon as technology comes
into consideration.. and even before that point.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Cisco firewall filtering Tor?

2007-06-14 Thread Mike Perry
Hey Jay!

Thus spake Jay Goodman Tamboli ([EMAIL PROTECTED]):

 I'm stuck behind a FascistFirewall part of the day, and I've been
 trying to get Tor to work as a client. I've added a line to my torrc:
 
 ReachableAddresses *:443
 
 Oddly, I can see that Skype is using TCP connections on port 443. I
 can't tell if they're working, but Skype is keeping them up (and Skype
 as a whole seems to be working).
 
 Tor, on the other hand, is not working. netstat shows established
 connections on port 443, but Tor doesn't seem to be accepting them as
 usable. I have debug logging on, but I'm not sure what to look for,
 since it seems to be trying to create circuits in parallel. Is there a
 message printed when a OR connection fails, giving a reason?

If you are running Tor 0.1.2.x or later, you can add ControlPort
9051 to your .torrc, and telnet localhost 9051. You can then do 

AUTHENTICATE
SETEVENTS EXTENDED CIRC ORCONN

to get some info that is sometimes not reported in logs, in a
well-formed format. You can also try jacking up your log to debug
level. It then should dump a bunch of info about TLS connections
there, but that is harder to sift through.

Might also be a good idea to kill tor, fire up wireshark
(www.wireshark.org), start a network capture, start tor, and let it
try to make some circuits for a bit. Then save the capture, and post
it and the control port info and possibly logs somewhere so we can
look at the results.

 Is it possible the firewall is looking at the :443 connections and
 somehow telling that it's Tor rather than HTTPS?

I believe at some point, tor changed its TLS certificate format to be
less-torlike.. But maybe this is only in SVN and not widely deployed
at the tor nodes. Roger or Nick will need to answer this question most
likely.

If they are doing content-based filtering like this, it is likely they
are also blocking directory connections too..


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




New Torbutton (1.1.4-alpha)

2007-07-09 Thread Mike Perry
As some of you know, I've been working on a security-enhanced version
of Torbutton to handle all sorts of anonymity vulnerabilities present
in a standard Firefox configuration (see the big fat warning on
http://tor.eff.org/download.html.en - the goal is to make all that
text irrelevant). I will be presenting this plugin as a part of my
talk Securing the Tor Network for Black Hat and Defcon.

The goal of the extension is to make it possible to use modern
websites via Tor without the risk of something reducing your anonymity
set or bypassing proxy settings.

The major features are: 
 * Disabling plugins while Tor is enabled
 * Isolating dynamic content to the Tor state at document load
 * Cookie jars/cookie clearing
 * Cache management
 * History Management
 * User agent spoofing
 * Timezone spoofing

The extension itself, and more information on the individual
features/options are available at the horrifyingly stoic homepage:
http://torbutton.torproject.org/dev/

Currently, only Firefox 2.0 is supported. Kind-hearted souls are
sought to help port to Seamonkey and Thunderbird.

Feedback, suggestions, and comments are welcome. Especially if someone
could point out what I'm doing wrong with the OpenSearch Google search
plugin installations (which are somewhat unrelated, but I figured were
worth putting up there, since a major usability complaint is "Why do I
get the damn German/Chinese/etc Google with Tor?").


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: New Torbutton (1.1.4-alpha)

2007-07-10 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 Hi,
 
  Looks like great progress. One question though
 
 My question: How does the new Torbutton interfere with other
 extensions for the same or similar purposes:

 
 - Adblock Plus
 - CookieCuller

I run these two. No conflicts so far.

 - User Agent Switcher

I briefly tested this. It seems to play nice. I would advise against
setting a different user agent during Tor usage though, because of
anonymity set reduction. Torbutton already masks your user agent to a
popular recent windows firefox build (and does a better job of it
too).

 - SafeCache
 - SafeHistory

These two are superseded/assimilated by Torbutton in one form or another.

 - Flashblock

Might be useful for Non-Tor usage, but Tor usage will have all
plugins disabled. Would be interesting to know if flashblock can
somehow re-enable it, but I doubt it.

 - NoScript

No idea. I don't really like this thing. Also note that Tor nodes can
inject script from the default whitelist, so it doesn't really protect
you there.

 - RefControl

Hopefully this functionality will be assimilated into Torbutton.
Actually, are you aware of sites that their "Forge" functionality
still breaks? That is what I was considering implementing for all
sites with Torbutton. 

 - JavaScript Options

Looks relatively benign.

 - CookieSafe
 - CustomizeGoogle
 - Layerblock

Dunno about these guys. Please report any issues.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: New Torbutton (1.1.4-alpha)

2007-07-11 Thread Mike Perry
Thus spake Ryan Wagner ([EMAIL PROTECTED]):

 
 I'm very pleased with the new Torbutton version so far. The only thing
 that's bothering me is automatically disabling 'Remember passwords for
 sites' when tor is toggled on. I'd prefer a way to disable this feature.
 Even if logging into sites over tor can be dangerous for anonymity and
 the security of the account itself, it's still nice to prevent one's ISP
 from retaining a record of goings on. It's possible to manually
 re-enable remembering passwords after tor has been toggled on, so it's a
 minor inconvenience, really.

This is tied in with the history writing setting. The idea was that if
you are OK with tor writing out these things, then you are ok with it
saving your history and vice-versa. 

However, this idea may be slightly flawed since you could be concerned
about history disclosure attacks from regular websites you visit.. So
maybe it should be a separate option..



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: New Torbutton (1.1.4-alpha)

2007-07-11 Thread Mike Perry
Thus spake Robert Hogan ([EMAIL PROTECTED]):

 On Monday 09 July 2007 10:16:55 Mike Perry wrote:
  Feedback, suggestions, and comments are welcome. Especially if someone
  could point out what I'm doing wrong with the OpenSearch Google search
  plugin installations (which are somewhat unrelated, but I figured were
  worth putting up there, since a major usability complaint is Why do I
  get the damn German/Chinese/etc Google with Tor?).
 
 Stop me if this has been suggested before, but would it be worth introducing 
 an unofficial URI for hidden services that would make them recognisable to 
 the likes of torbutton? The idea being that the user could 'enable tor' 
 simply by clicking on a hidden service link rather than the usual jig of 
 click-servernotfound-back-scratchhead-enabletor-clickagain.
 
 Is this possible with a firefox plugin or would it be necessary to get the 
 firefox developers on board?

Actually, this is possible a few different ways.. You can create your
own protocol handlers, but it might not be necessary. Torbutton
already listens to the LocationChange event.. It may be possible just
to look to see if the new location has a .onion/ in it, and enable tor
if so. But this probably should be pondered for a while.. Changing tor
state automatically makes me a little nervous, even if it is only in
the Tor Enabled direction..

And creating a new protocol prefix for onion sites seems a little
sketchy also.. All sorts of compatibility issues are probably hiding
in there (not just the obvious problem of adoption).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: New Torbutton (1.1.4-alpha)

2007-07-12 Thread Mike Perry
Thus spake Jens Kubieziel ([EMAIL PROTECTED]):

 * Mike Perry wrote on 2007-07-11 at 10:55:
  Thus spake Jens Kubieziel ([EMAIL PROTECTED]):
   * Mike Perry wrote on 2007-07-09 at 11:16:
 * Cache management
   IMHO there should be check box for managing the cache by yourself. Like
   it is at privacy and cookie settings.
  
  Is there a good reason behind this wish? The cache can store unique
 
 It's about choice. Assume that I want to manage FF's cache by myself.
 Then I'll have no option to do it unless I stop using Torbutton.

But why? I can actually create a lot more options if you just want
choices. There are a couple things torbutton just does automatically
(like making sure you never query google's safesearch for every url on
the fly), and some actions (like the web history+form history+login
history option) come bundled together as a single option.

Torbutton is already bordering on an obscene number of knobs.. There is
room for this one, I guess.. But if I do this, and split the history
options out into separate settings, we're talking about at least 10
more options (6 more history, 1 more cache.. plus at least 3-4 more
others if you want *everything* to be an option). That is getting a
little ridiculous, and I'm running out of space for knobs. Is all this
really needed?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Torbutton 1.1.5-alpha

2007-07-18 Thread Mike Perry
Torbutton 1.1.5 has been released at http://torbutton.torproject.org/dev/

The changes are small, but significant:
 * bugfix: Reset shutdown option if user wants to manually manage cookies
 * misc: Add code to detect date hooking failures to zero in on Bug #460
 * new: Pref to disable DOM Storage during Tor usage

Bug #460 is a potentially nasty issue where in some cases the
Date/timezone hooks aren't properly applied. The 1.1.5 code should pop
up an alert now when this is the case. The alert will say either
"False [win/doc] hooking. Please report bug+website!" or "Error,
double js-hook." Please report either of these occurrences plus the
website plus what else you may have been doing either here or in the
bug:

http://bugs.noreply.org/flyspray/index.php?do=details&id=460

In the meantime, you should be safe from timezone disclosure so long
as those alerts are not present, but please be vigilant.


There also is an unconfirmed bug that in some cases cookies may not be
cleared during Tor toggle (and probably only when you are using
certain options also). Please keep an eye out for this one.

http://bugs.noreply.org/flyspray/index.php?do=details&id=457


P.S. Thanks go to Steve Topletz of Xerobank for the DOM Storage tip.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: On the performance scalability of Tor

2007-07-18 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 On Wed, Jul 18, 2007 at 07:52:14PM -0700, Mike Perry wrote:
  Thus spake Mike Perry ([EMAIL PROTECTED]):
  
   RELAY_EXTEND is the way this is done. I believe clients can and do
   send multiple RELAY_EXTENDs in a row, so it's not like it's a
  
  Sorry, I'm a moron. I meant to say RELAY_BEGIN. Also, Roger/Nick,
  please correct me if these can't be issued concurrently.
 
 They can be issued concurrently. Tor doesn't care.
 
 Also, with HTTP/1.1 pipelining to the actual website, we just need to
 open a single TCP stream (one RELAY_BEGIN) and we can then fetch many
 pages in a row.
 
 I'm not sure if this is better or worse than fetching them in parallel. I
 suspect Juliusz (the polipo developer) has opinions :), and I'll defer
 to him.

Yeah, cause it's not like optimizing high latency networks and chatty
protocols for speed is my day job or anything. Probably should wait
for the expert to weigh in to really be sure ;)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Tor takes too much RAM

2007-07-22 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 On Sun, Jul 22, 2007 at 10:35:56AM +0200, Olaf Selke wrote:
   Yes, my directory authorities are using way too much ram too. It appears
   that we introduced something bad in 0.1.2.x that wasn't present in
   0.1.1.x.
   
  today I noticed that according to the FAQ tor needs 768 MB ram each 10 Mbps
  bandwidth :-)
 
 No, this is not true. At least, it wasn't true for 0.1.1.x. Some kind
 soul appears to have modified the FAQ to report the current situation,
 rather than bugging anybody about the problems. :)
 
 A few months ago we had plenty of people running at 30Mbps+ using 200M
 or 300M of memory, back when 0.1.1.x was the recommended stable.
 
 You might try downgrading to 0.1.1.26 briefly, and see how it compares
 to the current situation.

I have done this, and have been running 0.1.1.26 for about a couple
weeks. It appears to be leaking at about the same rate as
0.1.2.14 did.

Since this problem suddenly showed up, yet 0.1.1.26 has been out for
ages, perhaps it is a client problem? There is that issue where
clients can send too many SENDMEs and fill up server buffers.. Maybe
there is a SENDME leak?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Torbutton 1.1.6-alpha

2007-08-01 Thread Mike Perry
Thus spake Kees Vonk ([EMAIL PROTECTED]):

 I just installed torbutton 1.1.6, restarted firefox (2.0.0.5 on
 Kubuntu). Clicked on 'Tor Disabled', which changed to 'Tor Enabled'.
 Then went to janusvm.peertech.org (which told me I was not using Tor),
 then hit the back button and got a dialogue box which said: "False doc
 hooking. Please report bug+website!" (my initial page was:
 file:///usr/share/ubuntu-artwork/home/index.html). After that I seem to
 get that error on every page, even when just switching tabs (just opened
 the above URL in a second tab).
 Just closed firefox and clicked on the above URL to restart firefox, it
 restarts with 'Tor Enabled', but no error. Then opened a new empty tab,
 and then switch back to the initial one and straight away get the error
 again. (Toggling Tor to disabled stops this behaviour, enabling it again
 starts it again.)

Is this bug reproducible? Does it happen every time for this website
even after successive restarts of the browser? I am having
difficulties reproducing this...

 Also when I look at my extensions they don't seem to be disabled. I am
 using the following extensions:
 
 Adblock Filterset.G Updater - 0.3.1.0
 Adblock Plus - 0.7.5.1
 CookieSafe - 2.0.6
 Fasterfox - 2.0.0
 Forecastfox - 0.9.5.2
 FoxyProxy - 2.5.3
 Konquefox - 1.3
 NoScript - 1.1.5
 Tab Mix Plus - 0.3.6
 Torbutton - 1.1.6-alpha
 View Cookies CS - 1.0.7

At a glance, I would suspect NoScript may be the culprit. If you
disable that thing, does the issue persist?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Linux Tor node prioritization script

2007-08-20 Thread Mike Perry
So I've posted this script before, but that was over a year ago,
probably should re-announce it.

I've created a Linux 'tc'-based tor prioritization script, ideal for
running Tor nodes on Linux machines that have multiple IPs with
non-Tor traffic on them that you would like to take priority over Tor
traffic. 

Using this script, it is possible to set a minimum guaranteed
bandwidth for your Tor node, and to allow it to take up all unused
bandwidth up to another maximum value you specify. I use it on a few
different types of links, and it is very nice. You can allow Tor to
take up essentially an entire link, but still have that link usable
for ssh, web, etc. I don't even feel the impact of Tor traffic on
nodes that use this script.

It is in svn at http://tor.eff.org/svn/trunk/contrib/linux-tor-prio.sh
and soon to be in the various source tarballs.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Want a faster Tor? Upgrade, inform others

2007-09-01 Thread Mike Perry
For those of you who are not subscribed to or-announce and/or have
friends who use Tor, the latest Tor stable should provide significant
performance/capacity increase once most clients upgrade. According to
my measurements with TorFlow, there should be roughly four times as
much capacity once the network rebalances. 

In addition, many users should experience noticeable improvement in
performance just based on the fact that we are choosing guards 
in proportion to their bandwidth and expiring guards that were
selected with the buggy uniform algorithm.

Also, once the network is balanced, we can begin to investigate both
reliability scanning options and Johannes Renner can finish his
Master's Thesis on performance enhanced path selection. :)

http://archives.seul.org/or/announce/Aug-2007/msg1.html

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Torbutton 1.1.7 Released

2007-09-21 Thread Mike Perry
The 1.1.7 alpha release of the security-enhanced Tor Firefox extension
is out. http://torbutton.torproject.org/dev

Changes in this version:

  * bugfix: bug 495: couple of memory leaks found and fixed by arno
  * bugfix: bug 497: uninstall exception found and fixed by arno
  * bugfix: bug 460: No more alerts should happen. But does that mean
its fixed? Outlook not so good...
  * bugfix: bugs 461+489: verbosity+macos logging issues resolved
  * bugfix: if javascript is disabled, the hooking code no longer complains
  * misc: Update spoofed Firefox version to 2.0.0.6
  * new: Restore Defaults button added to the preferences window


Please report bugs at 

http://bugs.noreply.org/flyspray/index.php?tasks=all&project=5

Enjoy! 

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

 I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap
 :(

Thanks for the bug report. Even though it is a bit immaturely
delivered with lots of whining instead of actual helpful content, I
will do my best to fix the issues you have encountered.
 
 I used to manage my cookies, javascript and history, MYSELF. Now
 torbutton wants to do all by itself, and the result is that:

 1- My history isn't cleared when I close Firefox, even when this
 option is selected in the Firefox options.

This is a bug. It will be fixed in 1.1.8. Thanks for reporting!

In the meantime, the workaround is to go into the Torbutton
preferences, go to the Shutdown tab, and click "Allow me to manage
my own Private Data Settings".

 2- Some websites that use javascript do not work with Tor. It is
 possible that I TRUST the CONTENT of a website, including scripts,
 BUT I want to use TOR to hide my IP. With torbutton this is a real
 hassle now.

Is it possible for you to give me a list of websites torbutton breaks?
or describe how it breaks them? It works for me and I have received no
reports of breakage so far from others.

 Will try to go back to an older version if it is still available
 online :( Torbutton is a GREAT extension but WHY hell does the
 author want to care of all together??? Maybe he should also include
 Firefox in the extension, and why not, Windows or a unix
 distribution??? really BAD now :

You can hate on me all day long, but the fact of the matter is that
every other Firefox extension combo (including self management up to
the point of a Tor-only firewall) leaves you vulnerable to numerous
attacks to reveal your IP address and other location information. So
people can either help me fix Torbutton so it is usable for them, or
they can choose to remain vulnerable.

You may want to read over http://torbutton.torproject.org/dev/ to see
what sort of things you are vulnerable to without torbutton. If that
documentation is unclear, again, please notify me.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread Mike Perry
Thus spake Scott Bennett ([EMAIL PROTECTED]):

  On Sun, 23 Sep 2007 06:47:17 -0400 [EMAIL PROTECTED] wrote:
 I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap :(
 
 I used to manage my cookies, javascript and history, MYSELF. Now torbutton 
 wants to do all by itself, and the result is that:
 
 1- My history isn't cleared when I close Firefox, even when this option is 
 selected in the Firefox options.
 
 2- Some websites that use javascript do not work with Tor. It is possible 
 that I TRUST the CONTENT of a website, including scripts, BUT I want to use 
 TOR to hide my IP. With torbutton this is a real hassle now.
 
  That kind of thing is only one of the reasons I do not use TorButton and
 most likely never will.

Can you give me a list of websites torbutton breaks for you? And how
does it break them? Toggling torbutton will kill javascript in
websites that are currently open, but you want that, unless you like
random javascript timers going off and sending your real IP to the
website.

 Will try to go back to an older version if it is still available online 
 :( Torbutton is a GREAT extension but WHY hell does the author want to 
 care of all together??? Maybe he should also include Firefox in the 
 extension, and why not, Windows or a unix distribution??? really BAD now 
 :
 
  (You have a bad case of linewrap there, friend. :-)
  You could also try FoxyProxy, which I have used in the past, or
 SwitchProxy, which I prefer to use now.  (I used FoxyProxy for a while at a time
 when SwitchProxy stopped working.  But then FoxyProxy came out with a version
 that didn't work, and I was afraid I might have to go with TorButton.  But
 SwitchProxy returned to the rescue with a newer, working version.:-)  These
 two are both more versatile than TorButton in the sense that they allow you
 to configure as many different proxies as you like and to switch between them
 at will.  Each proxy can, of course, be configured with addresses that bypass
 proxies entirely, too.

SwitchProxy should be usable with Torbutton. If you configure your Tor
proxy settings as one of the proxies, Torbutton should detect when it
is enabled and turn on its security features for you without your
needing to actually hit the torbutton itself. If it does not, it is a
bug. Please report it.

Again, Torbutton protects against numerous web exploits that can
reveal your IP address when you use vanilla proxy changers. Please
read over http://torbutton.torproject.org/dev/ before you go
recommending insecure solutions to people, or simply hate on Torbutton
without providing any bug reports to the maintainer as to why.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Torbutton 1.1.8-alpha (Usability improvements)

2007-10-02 Thread Mike Perry
This is the 1.1.8 alpha release of the Torbutton Firefox extension. It
features significant usability and compatibility enhancements. However,
it is still alpha software, so it may have some rough edges. If you
notice issues or have usability complaints, now is the time to speak up
while things are still easy to change. Please be specific. 

I have made a good effort to anticipate common usability complaints for
this release from the feedback I have so far received, but I am not
omniscient. Eventually, this Torbutton will be backported to the stable
Tor release, so if you do not speak up soon, you will be perpetually
suffering in silence and will be stuck uninstalling the extension every
time you upgrade Tor (and leaving yourself vulnerable to numerous
anonymity-compromising vulnerabilities in the process).

See http://torbutton.torproject.org/dev for more information.

Changes in 1.1.8
  * bugfix: bug 510: Decouple cookie clearing from Clear Private Data settings
  * bugfix: bug 474: Decouple password+form saving from history writing
  * bugfix: bug 460: Rework handling of hooking based on global events+window lookup
  * bugfix: Hooking fixes for pages with nested frames/iframes
  * bugfix: Cookies are now properly synced before storing into a jar
  * misc: Tightened up the alerts a bit more for the javascript hooking
  * misc: Changed defaults to be less intrusive to non-tor usage
  * new: Added options to start in Tor and reload cookies after browser crash
  * new: Added ability to have both Tor and Non-Tor cookie jars

http://torbutton.torproject.org/dev/releases/torbutton-1.1.8-alpha.xpi
MD5: 39ce0dc3f6b20f79042aad2397baafb4

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Torbutton 1.1.8-alpha (Usability improvements)

2007-10-02 Thread Mike Perry
Thus spake jeffery statin ([EMAIL PROTECTED]):

 I do not have issues or complaints but I do have a
 question and a possible feature request.
 
 a) Why is JavaScript not disabled by TorButton?  Does
 "hook dangerous javascript" make using JavaScript safe
 with Tor?

The combination of "hook dangerous javascript" and "isolate dynamic
content" makes javascript safe, modulo browser exploits. The main
problems with javascript revolve around the ability to get timezone+OS
info, and to install event handlers/timers to load content after you
toggle Tor. These two issues are handled by those options
respectively.

For some Java plugin+OS combos, the "Disable Plugins during Tor Usage"
is also required. http://ha.ckers.org/weird/tor.cgi claims that they
are able to get Firefox 2.0 to call java functions from javascript.
When I tested with the Sun JRE 5.0 on Windows, this was only possible
up to and including Firefox 1.5, but not Firefox 2.0.  However it
appears that the new Sun JRE 6.0 has fixed this problem, and again
allows you full access to Java from javascript. Brilliant work,
impressive even for a company that has managed to give the same
product 5 different version numbers at the same time.

Note that allowing plugins is a lot more dangerous than just Java
anyways, so you should not have this setting unchecked for normal
usage unless you have some other type of upstream Tor-only firewall.

 b) Would it be possible to have TorButton
 automatically clear the cache, unprotected Tor
 cookies, etc when a NewNym signal is sent (for example
 by Vidalia)?

This is logistically difficult. The easier route is to add a New Nym
option to torbutton itself, and have it somehow communicate to either
vidalia or the control port directly. Allegedly raw TCP is possible
from privileged Firefox javascript, but it is likely less than pretty.
I will look into it to see if it is technically possible before the
1.2 stable release. 

Usability complications also arise though. If the user says they want
to keep their Tor cookies in a jar (or left alone entirely), should
new nym still clear them? I think so, esp since cookies can be
injected and stolen by exit nodes (even many https ones). But other
people may disagree.  Some people really like cookies. I wouldn't
expect those people to also like Tor, but I'm sure they're out there.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
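The timezone and hooking discussion here and the Bug #460 alerts in the 1.1.5 announcement above concern the same mechanism; what follows is an added example of such a Date hook with the integrity checks those alerts correspond to. It is not Torbutton's code: the marker property, the sandbox window and the exact UTC renderings are this example's own choices.

```javascript
'use strict';
// Added example, not Torbutton's code: the kind of Date hook the "hook
// dangerous javascript" option installs in a content window, plus checks for
// the two failure modes the 1.1.5 alerts report (hooks missing from a
// window/document, and a hook installed twice). The marker name and the
// sandbox window are this example's own inventions.
const HOOK_MARK = '__example_tz_hook';   // hypothetical marker property
const SAVED = Symbol('saved originals');

// Every Date method that exposes the local time zone, replaced by UTC renderings.
const HOOKED_METHODS = {
  getTimezoneOffset() { return 0; },                          // claim to be UTC
  toString() { return this.toUTCString(); },                  // "Wed, 18 Jul 2007 14:02:11 GMT"
  toTimeString() { return this.toUTCString().slice(17); },    // "14:02:11 GMT"
  toDateString() { return this.toUTCString().slice(0, 16); }, // "Wed, 18 Jul 2007"
  toLocaleString() { return this.toISOString(); },
  toLocaleTimeString() { return this.toISOString().slice(11, 19); },
  toLocaleDateString() { return this.toISOString().slice(0, 10); },
};
const METHOD_NAMES = Object.keys(HOOKED_METHODS);

// Install on win.Date.prototype. Returns 'installed', or 'double hook' when
// this window was already hooked (the "Error, double js-hook" case).
function installDateHooks(win) {
  const proto = win.Date.prototype;
  if (proto.getTimezoneOffset && proto.getTimezoneOffset[HOOK_MARK]) return 'double hook';
  const saved = {};
  for (const name of METHOD_NAMES) {
    saved[name] = Object.getOwnPropertyDescriptor(proto, name); // undefined if inherited
    const hook = HOOKED_METHODS[name];
    hook[HOOK_MARK] = true;
    Object.defineProperty(proto, name, { value: hook, writable: true, configurable: true });
  }
  proto[SAVED] = saved;
  return 'installed';
}

// 'ok' when every method is hooked, 'missing' when none is (the "False
// [win/doc] hooking" case), 'partial' when something replaced some of them.
function checkDateHooks(win) {
  const proto = win.Date.prototype;
  const hooked = METHOD_NAMES.filter((n) => proto[n] && proto[n][HOOK_MARK]).length;
  if (hooked === 0) return 'missing';
  return hooked === METHOD_NAMES.length ? 'ok' : 'partial';
}

// Undo installDateHooks (toggling Tor off); returns false if nothing was installed.
function removeDateHooks(win) {
  const proto = win.Date.prototype;
  const saved = proto[SAVED];
  if (!saved) return false;
  for (const name of METHOD_NAMES) {
    if (saved[name]) Object.defineProperty(proto, name, saved[name]);
    else delete proto[name];
  }
  delete proto[SAVED];
  return true;
}

// Stand-in for a content window: its Date is a subclass, so hooking it leaves
// this process's global Date untouched (a real window would hand over its own Date).
function makeSandboxWindow() {
  return { Date: class SandboxDate extends Date {} };
}

// What a page script would see for a given instant, before and after hooking.
function renderings(win, epochMs) {
  const d = new win.Date(epochMs);
  const out = {};
  for (const n of METHOD_NAMES) out[n] = d[n]();
  return out;
}

const win = makeSandboxWindow();
console.log('before:', renderings(win, Date.UTC(2007, 6, 18, 14, 2, 11)));
console.log(installDateHooks(win), checkDateHooks(win));
console.log('after: ', renderings(win, Date.UTC(2007, 6, 18, 14, 2, 11)));
console.log(installDateHooks(win)); // second install is reported, not repeated
removeDateHooks(win);
```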




Re: Torbutton 1.1.8-alpha (Usability improvements)

2007-10-02 Thread Mike Perry
Thus spake MB ([EMAIL PROTECTED]):

 Could you please also make it compatible with Thunderbird ?
 
 Torbutton 1.4 installs (and works) fine with Thunderbird after editing 
 the config file in the xpi package to allow Thunderbird to install it.
 
 I suppose it should work as well with the new version ?

Hrmm, unlikely. Most of the stuff the new Torbutton does is very
tightly coupled to Firefox 2.0 behavior and recently created
unfrozen interfaces and events. Even just supporting
Mozilla/Seamonkey properly would probably require a lot of rewriting,
and a lot of luck wrt specific behaviors being the same, or even being
possible.

However, the one good thing we have going for us is that I would think
email clients would be much more careful about running random
code/plugins that are sent to them. If the thunderbird folks are
actually careful about what they allow html email to do, it should be
fine to continue running the standard Torbutton, and we probably
should create a separate stripped down Thunderbutton extension or
something like this specifically for thunderbird (ie something not too
much different than torbutton 1.0.4).

What sort of security does thunderbird employ for html mail by
default? Does it allow html mail to run javascript, post forms to
random websites, run java applets, and/or arbitrary plugins (flash,
quicktime, etc)? If it allows any of these things, 1.0.4 may not be
enough.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Advanced traffic shaping with iptables?

2007-10-03 Thread Mike Perry
Thus spake Marco Bonetti ([EMAIL PROTECTED]):

 On Wed, September 26, 2007 02:41, [EMAIL PROTECTED] wrote:
  It looks like the script needs Tor to run on a virtual address.
  This could be done by adding another address to your default interface
 Yesterday night (CEST) I've modified the script to use only one ip, packet
 matching is done via uid. Unfortunately the uid/gid/pid/ matching is
 broken on smp machines (according to man iptables). I'll make it
 available this evening, as soon as I get back home.

Wow, nice work! I didn't see this option. Completely didn't expect it
to exist either.

Actually, my iptables manpage only says that pid, sid and command
matching are broken on SMP.  Perhaps UID is actually safe?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Torbutton 1.1.8-alpha (Usability improvements)

2007-10-03 Thread Mike Perry
Thus spake Michael_google gmail_Gersten ([EMAIL PROTECTED]):

 I think that's the real issue I have with cookies. The idea that a
 cookie can be permanent without my approval. I have no problem with
 login cookies. I have every problem with third party cookies being
 accepted at all (the only place where IE is better than firefox --
 those can be disabled in IE). I hate visitor tracking cookies that
 seem to get stuffed out by every website hoster now-a-days.

So what does this mean to you with respect to cookie clearing? Should
a newnym signal always clear cookies? Should it sometimes clear
cookies? Should its behavior be tied to an existing torbutton cookie
preference? I'm still of the mind it's kind of silly to put it in
torbutton if it doesn't clear cache+cookies...
 
 Now, how do httpS: streams get their cookies stolen or modified?

http://seclists.org/bugtraq/2007/Aug/0070.html

Gmail and many other sites are still vulnerable.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
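The https cookie theft asked about here, and the "cookies can be injected and stolen by exit nodes" point in the NewNym discussion above, as an added example not taken from the original messages or from Torbutton. It assumes the weakness the linked bugtraq post concerns is a cookie set by an https site without the Secure attribute, which browsers also attach to plain-http requests to the same host; the header values are constructed.

```javascript
'use strict';
// Added example, not from the original messages or from Torbutton. Assumes the
// linked bugtraq post concerns cookies an https site sets without the Secure
// attribute: browsers attach them to plain-http requests to the same host too,
// where an exit relay can read or replace them. Header values are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }; attribute
// names are lower-cased, flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const part of attrParts) {
    const [k, ...v] = part.trim().split('=');
    if (!k) continue;                       // tolerate a trailing ';'
    cookie.attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return cookie;
}

// Would a browser attach this cookie to a request made over `scheme`?
// Only the Secure attribute keeps a cookie off plaintext connections.
function sentOnRequest(cookie, scheme) {
  return !(cookie.attrs.secure && scheme !== 'https');
}

// Audit the cookies an https response sets; one finding per cookie that an
// on-path observer could obtain or an injected script could read.
function auditSetCookies(responseScheme, setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    const problems = [];
    if (responseScheme === 'https' && sentOnRequest(c, 'http'))
      problems.push('no Secure attribute: also sent over plain http');
    if (!c.attrs.httponly)
      problems.push('no HttpOnly attribute: readable by injected script');
    if (problems.length) findings.push({ name: c.name, problems });
  }
  return findings;
}

// Constructed sample of an https login response (names and values are made up).
const SAMPLE_SET_COOKIE = [
  'SID=c0ffee; Path=/; HttpOnly',                                 // session cookie, not Secure
  'PREF=lang=en; Expires=Thu, 01 Jan 2009 00:00:00 GMT; Path=/',
  'SSID=decaf; Path=/; Secure; HttpOnly',                         // as it should be
];

for (const f of auditSetCookies('https', SAMPLE_SET_COOKIE)) {
  console.log(f.name + ': ' + f.problems.join('; '));
}
```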




Re: Firefox IPv6 Anonymity bypass

2007-10-25 Thread Mike Perry
Thus spake Nick 'Zaf' Clifford ([EMAIL PROTECTED]):

 Hey ya,
 
 Just noticed one small problem with Tor + Firefox + IPv6.
 I'm aware that Tor doesn't yet support IPv6, but I found an interesting
 development with respect to a system that has IPv6 configured and working.
 
 If you are using Tor (and have Firefox configured to use the HTTP
 proxy), Firefox will not use the proxy for IPv6 traffic. This means that
 if you visit a website using Tor, and it has a img, href, etc to a ipv6
 hostname, Firefox will happily connect with your native IPv6 connection
 (bypassing Tor).
 
 The workaround for this is to disable IPv6 (about:config,
 network.dns.disableIPv6 = true)

Nice. Thanks for reporting this, I will add it to the next release of
the dev torbutton. 

One thing concerns me though: Since this setting is under network.dns,
does this mean it disables using IPv6 only for DNS replies? Did you
verify this actually works to block numerical IPv6 links as well?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Firefox IPv6 Anonymity bypass

2007-10-26 Thread Mike Perry
Thus spake Arrakis ([EMAIL PROTECTED]):

 Greetings and welcome to 2006!

 Excerpt from How To Create Torpark

Heh, what's happened in 2007 then? Does this document still exist? A
couple of google searches fail to turn it up.
 
 Step 31. set as follows:
 noscript.notify.hideDelay = 30
 noscript.statusIcon = false
 network.dns.disableIPv6 = true ; ipv6 addresses fail through tor.

Does this in fact block ipv6 if no DNS is involved and image links are
numerical only? I am living in the dark ages of ipv4. Can someone who
has ipv6 verify this for us? From reading:

http://kb.mozillazine.org/Network.dns.disableIPv6

it looks like this setting is not enough by itself.

 network.proxy.socks_remote_dns = true
 browser.sessionstore.enabled = false
 browser.sessionhistory.max_entries = 1
 network.cookie.lifetime.days = 0
 dom.storage.enabled = false
 dom.max_script_run_time = 60 ;script running time
 dom.max_chrome_script_run_time = 60;
 network.proxy.failover_timeout = 0 ;always retry the proxy, never
 revert.
 plugin.scan.plid.all = false ;Do not allow plugin scanning.
 security.xpconnect.plugin.unrestricted = false; do not allow
 unlimited access to XPConnect

Do we know exactly what this does? It seems somewhat vague and
undocumented. Do we know any extensions it breaks?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
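On the question raised above about numeric IPv6 links: a bracketed IPv6 literal in a URL needs no DNS lookup at all, so a DNS-level preference such as network.dns.disableIPv6 cannot influence how the browser reaches it; only a proxy-level rule can keep it off the native stack. The script below is an added example (not code from this thread, from Firefox or from torbutton) that audits a fetched page body for link targets and sorts them by how the browser would obtain the peer address; the sample HTML and every host in it are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample page: a mix of link targets a Tor-proxied browser might meet.
SAMPLE_HTML = """
<html><body>
<img src="http://[2001:db8::1]/pixel.gif">
<img src="http://192.0.2.7/banner.png">
<a href="https://example.com/page">hostname link</a>
<a href="http://ipv6.example.net/">hostname that may resolve to AAAA</a>
<link href="/style.css" rel="stylesheet">
</body></html>
"""

# Pull every src= / href= value; adequate for auditing a page body you fetched.
ATTR_RE = re.compile(r'''\b(?:src|href)\s*=\s*["']([^"']+)["']''', re.IGNORECASE)


def extract_urls(html):
    """Return all src/href targets in document order."""
    return ATTR_RE.findall(html)


def classify_host(url):
    """Say how the browser would obtain the peer address for this URL.

    'ipv6-literal' and 'ipv4-literal' need no DNS lookup, so a DNS-level
    preference cannot affect them; 'hostname' goes through DNS (A and/or
    AAAA records) and is what network.dns.disableIPv6 acts on.
    """
    host = urlsplit(url).hostname  # strips the [] around an IPv6 literal
    if host is None:
        return "relative"          # same host the page itself came from
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "ipv6-literal" if addr.version == 6 else "ipv4-literal"


def audit_page(html):
    """Group the page's link targets by how their address is obtained."""
    groups = {"ipv6-literal": [], "ipv4-literal": [], "hostname": [], "relative": []}
    for url in extract_urls(html):
        groups[classify_host(url)].append(url)
    return groups


def dns_setting_blind_spots(html):
    """Targets a DNS-only IPv6 switch leaves untouched: the bracketed literals."""
    return audit_page(html)["ipv6-literal"]


if __name__ == "__main__":
    for kind, urls in audit_page(SAMPLE_HTML).items():
        print(f"{kind:13s} {urls}")
    print("blind spots:", dns_setting_blind_spots(SAMPLE_HTML))
```

Anything reported under `ipv6-literal` is exactly the case the thread is asking about: a link the browser can follow over native IPv6 without ever consulting DNS, so verifying the preference against such a page is the test that answers the question.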




Re: 20090101

2007-11-14 Thread Mike Perry
Thus spake Smuggler ([EMAIL PROTECTED]):

 Olaf Selke wrote:
  Eugen Leitl wrote:
  On Sat, Nov 10, 2007 at 08:14:34PM +0100, Olaf Selke wrote:
 
  nothing will change for German tor operators due to this law. It defines
  how to store and how to hand over stored data to the authorities. Data
  not collected at all can't be stored, right? But this law does not
  enforce tor operators to collect any data.
  Oh, really? So ISPs, VoIP and mobile phone providers have nothing to fear,
  right?
  
  right!
 
 Wrong. I read the law. My lawyers read the law. It doesn't say: Store the
 data you have. It says: Store these specific datasets, no matter if you
 have them or not. The comments in the Regierungsentwurf are very telling.
 So, I am sorry. Tor nodes will have to log. ISPs will have to log.
 Everyone doing public telco services will have to log.

Actually, out of curiosity do your lawyers believe that
upstream/backbone/IX ISPs will also be required to log (and to log the
same type of data)? That would seem to be a lot of data. Not to
mention that upstream ISPs will not have customer information for IP
addresses. It would seem to me that Tor nodes are much more similar to
backbone routers than consumer ISPs.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: 20090101

2007-11-14 Thread Mike Perry
Thus spake Smuggler ([EMAIL PROTECTED]):

 Olaf Selke wrote:
  Eugen Leitl wrote:
  On Sat, Nov 10, 2007 at 08:14:34PM +0100, Olaf Selke wrote:
 
  nothing will change for German tor operators due to this law. It defines
  how to store and how to hand over stored data to the authorities. Data
  not collected at all can't be stored, right? But this law does not
  enforce tor operators to collect any data.
  Oh, really? So ISPs, VoIP and mobile phone providers have nothing to fear,
  right?
  
  right!
 
 Wrong. I read the law. My lawyers read the law. It doesn't say: Store the
 data you have. It says: Store these specific datasets, no matter if you
 have them or not. The comments in the Regierungsentwurf are very telling.
 So, I am sorry. Tor nodes will have to log. ISPs will have to log.
 Everyone doing public telco services will have to log.

Oh, and I'm also wondering about redundancy. If I run a Tor node in
Germany is it the case that I have to log, AND my ISP has to log, AND
their colo provider has to log, AND the upstream ISP has to log, AND the
IX has to log all the same data? Is there any division of
responsibility? Or will there be like 5-10 copies of the same
connection data floating around everywhere?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs



