Hi!
https://github.com/Whonix/onion-grater/commit/70e735dae1c15920c356b07fc6aaf4b9589b465a
Please review and merge.
The more I think about it, perhaps we could abolish DEFAULT_COOKIE_PATH
= '/run/tor/control.authcookie' altogether?
PROTOCOLINFO tells controllers (like stem) where the cookie
Hi,
could you please add this trivial fix?
https://github.com/Whonix/control-port-filter-python/commit/30c1de54f9feaa26464842241e217be6edf3b464
(fixes txtorcon compatibility)
Cheers,
Patrick
[1] https://github.com/meejah/txtorcon/issues/215#issuecomment-290277209
Hi!
Please review and merge into onion-grater.
https://github.com/adrelanos/onion-grater-remote.git
branch:
sd-notify
https://github.com/adrelanos/onion-grater-remote/tree/sd-notify
Cheers,
Patrick
___
Tails-dev mailing list
Tails-dev@boum.org
anonym:
> irykoon:
>> Currently, the Tor Launcher is shipped with the Tor Browser Bundle
>> and heavily relies on the Tor Browser for its implementation. These
>> facts cause using Tor Launcher without having the Tor Browser
>> impossible. I agree with the wh
Happy to report, that tor-controlport-filter learned sd_notify, now got
support for systemd's watchdog feature. Using python3-sdnotify from
packages.debian.org.
To be found in git master. Git commits, test results can be found here.
https://phabricator.whonix.org/T274#12423
anonym:
> Patrick Schleizer:
>> Patch by Joy. Otherwise it does not work for us. Do you think you could
>> merge this patch?
>
> No; the "match-"-prefix was intentionally dropped, so please `s/match-//g` in
> all your scripts and filter files.
>
> Chee
Patch by Joy. Otherwise it does not work for us. Do you think you could
merge this patch?
https://github.com/joysn/control-port-filter-python/commit/6f488c14980e8b5c58a42374649c4d5725c8296e#diff-7414879ce81f5586d790820540d0ca05
Best regards,
Patrick
ke:
>>
>> - #!/usr/bin/python3 -u (makes eventual python exceptions end up in
>>   journal)
>> - Use yml.safe_load and Python exceptions in journalctl
>> - add --listen_interface option
>
> These were the commits I imported.
>
Great!
anonym:
> Patrick Schleizer:
>
Hello anonym!
anonym:
> Feel free to send a PR with your other
> changes applied to tor-controlport-filter in Tails Git!
> Otherwise
> I'll do it myself later this week.
Joy rebased Whonix's changes on top of your new version.
base:
>> Noticed one incompatibility.
>>
>> https://github.com/HelloZeroNet/ZeroNet/issues/756
>>
>>
https://github.com/Whonix/control-port-filter-python/blob/master/usr/share/tor-controlport-filter/examples/40_zeronet.yml
anonym sorted that out by fixing a bug in ZeroNet.
anonym:
> Patrick Schleizer:
>> [override] will probably work for Whonix. Joy and me drafted a
>> plan.
>>
>> In one sentence: We at Whonix invent a new separate config
>> folder, parse it with a yml merger python script, and generate
>> another yml f
Hi!
[override] will probably work for Whonix. Joy and me drafted a plan.
In one sentence: We at Whonix invent a new separate config folder,
parse it with a yml merger python script, and generate another yml file
that gets passed to tor-controlport-filter by Tails.
In more detail:
- We'll at
anonym:
> Yay! Let's try to make this fork short-lived!
Yes! :)
> Note that Tails' version has changed quite a lot since you forked --
> please try to keep your fork delta minimal (i.e. only do what *must* be
> done)!
Our diff of the filter is quite mergeable, I guess. In summary:
- filters =
Noticed one incompatibility.
ZeroNet uses custom code rather than python-stem to talk to Tor control
protocol. Its line handling works with original Tor, but not with the
filter.
https://github.com/HelloZeroNet/ZeroNet/issues/756
Whonix has forked tor-controlport-filter by Tails.
https://github.com/Whonix/control-port-filter-python
Whonix is using a different configuration parser.
This is now documented in detail here:
https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy/tor-controlport-filter/config
Best
Happy to report, that a few profiles have been successfully written.
That are using Whonix forked config parsing code.
They are now living here:
-
https://github.com/Whonix/control-port-filter-python/tree/master/usr/share/tor-controlport-filter/examples
There is one for onionshare, one for
Hi,
XPCOM / XUL based add-ons will be deprecated in Firefox. [1]
I've searched trac, mailing list, irc logs... I know you are aware of
that, but haven't found your plan forward. Is there already one?
What are your plans regarding tor-launcher? Will tor-launcher be ported
over as Firefox
Patrick Schleizer:
> anonym:
>> Patrick Schleizer:
>>> anonym:
>>> About the packaging. If you like the genmkfile way to package things, I
>>> could also do the packaging. Only disadvantage would be an extra
>>> dependency on genmkfile.
>>>
>
Hi,
it's now packaged and lintian pedantic clean. The package should be
generic (work in Whonix and Tails at the same time) for the most part.
The missing part is Tails' config files. Since I don't know if you want
to actually use that package, I skipped Tails' config files and just
dropped
Forwarded Message
Subject: [tbb-dev] Tor Browser and Targeted RAM Bit-Flips
Date: Fri, 18 Nov 2016 10:16:47 +1100
From: teor
Reply-To: discussion regarding Tor Browser Bundle development
To: tbb-...@lists.torproject.org
Hi Mike
anonym:
> Patrick Schleizer:
>> anonym:
>>> Patrick Schleizer:
>>>> Where I need to correct myself. The injected IP is probably difficult to
>>>> add to a config file since IPs in Qubes will remain dynamic for some
>>>> qui
anonym:
> Patrick Schleizer:
>> Where I need to correct myself. The injected IP is probably difficult to
>> add to a config file since IPs in Qubes will remain dynamic for some
>> quite some time until Qubes 4.0. We'd need something like this.
>>
>> ADD_ONI
anonym:
> Patrick Schleizer:
>> That crashes the filter for me.
>
> Argh, I meant:
>
> GETINFO:
>   - pattern: 'net/listeners/socks'
>     response:
>     - pattern: '250-net/listeners/socks=".*"'
>       replacemen
anonym:
> Patrick Schleizer:
>>>> - https://phabricator.whonix.org/T564
>>>
>>> I'd need more details of what the idea is here.
>>
>> Prevent (in case of some bug or compromise) that more than X hidden
>> services are created. The number of
anonym:
> Patrick Schleizer:
>> Hi there,
>>
>> sorry for the delay, I got side tracked with other stuff.
>>
>> My first and summary impression is, that this is looking excellent!
>
> \o/
>
>> ./tor-controlport-filter --listen-address 9052
>>
anonym:
> Patrick Schleizer:
>>>>>> - https://phabricator.whonix.org/T564
>>>>
>>>> Protecting cpfpy from DDOS from client applications. Not sure that
>>>> matters for Tails?
>>>
>>> We do not do much specific here. Wha
anonym:
> https://tails.boum.org/news/report_2016_09/#index2h1
>
> and look at the documentation at the top of the script, and the filter
> rules we ship to get an idea of what it can do.
> As you can see, in Tails we use match-exe-paths and match-users a lot,
> but since you won't have
> [...]
>> In conclusion, I think the truth is that Whonix switching to our filter
>> will require some work to reach feature-parity with your current filter,
>> and you will not really gain anything by doing so except code sharing.
>> YMMV. That said, I'd happily implement match-hosts and the two
Hi there,
sorry for the delay, I got side tracked with other stuff.
My first and summary impression is, that this is looking excellent!
./tor-controlport-filter --listen-address 9052
Tor control port filter started, listening on 9052:9051
Do you see any reason in Whonix not to use the
> https://git.tails.boum.org/tails/tree/config/chroot_local-includes/usr/local/lib/tor-controlport-filter?h=feature/7870-include_onionshare
When I visit that link, I cannot proceed.
> Your connection is not secure
>
> The owner of git.tails.boum.org has configured their website improperly. To
Hi,
as discussed elsewhere, yes, it would be great if we could share code bases!
Does it support simultaneous connections? (Such as two applications
using ephemeral Tor hidden services plus Tor Browser at once.)
Does Tails control port filter proxy support events? I mean, can a
client
sajolida:
> I just wanted to let you know that people from Qubes started a ticket
> about having a Tails template for Qubes. I never used Qubes myself and
> barely understand what this means but I'll follow the ticket and maybe
> others interested in Qubes should do too: DrWhax, anonym?
>
>
intrigeri:
> Hi,
>
> I've just stumbled upon an issue [1] open by Jake on Subgraph OS bug
> tracker, about this topic, so I thought I would close this thread
> that's still lying in my inbox, and sum up the process that led us to
> a (not implemented) conclusion.
>
> Last time we discussed it
Network Manager etc.
3) Now, Tails would remember FreeWifi358235892435 and assign entry guard B.
intrigeri:
> Hi,
>
> Patrick Schleizer wrote (09 Feb 2016 23:42:22 GMT) :
>> intrigeri:
>>> [can you please decide what mailing-list this discussion should happen
>>>
Patrick Schleizer:
> intrigeri wrote:
>>> I can't think of another area in which asking a hostile for advice is a
>>> good idea. Maybe "if friend and foe both agree, you can be confident
>>> that they're right; if they disagree, look further" - but th
[quoting you in full since this mail was eaten by the whonix-devel list
for some reason even though I manually allowed it]
intrigeri:
> Hi,
>
> [can you please decide what mailing-list this discussion should happen
> on, and then we can stop cross-posting over 4 mailing-list?]
sajolida:
> https://tails.boum.org/blueprint/persistent_Tor_state/
Persistent Tor state would be a good improvement. Could be the first
iteration. It would make Tails less fingerprintable and more secure for
people staying in the same location and/or not caring about
AdvGoalTracking.
But
Tails does verify, that randomly chosen MAC does not equal the real MAC
by chance.
From tails-spoof-mac [1] (code: [A])
> # There is a 1/2^24 chance macchanger will randomly pick the real MAC
> # address. We try to making it really unlikely repeating it up to
> # three times. Theoretically
Tails' current implementation...
only spoof the NIC part: yes [1]
OUI part unchanged: yes [2]
quu9ohch [1]:
> [...] It is not possible to "blend into the crowd" with a
> "typical-looking" mac address when so many users allow themselves to be
> uniquely fingerprinted and tracked. The tradeoff of
Active probe fingerprinting
https://tails.boum.org/contribute/design/MAC_address/#index6h1
says, No - "No protection against this is implemented yet".
but https://labs.riseup.net/code/issues/6453 says "yes", 100 % done.
Please confirm, which one it is.
What happened to
intrigeri:
> If you really tried Tails 1.6, then I suggest you retry with
> a Jessie-based experimental build:
>
> http://nightly.tails.boum.org/build_Tails_ISO_feature-jessie/lastSuccessful/archive/
Tried.
- It's not affected by the X issue. Boots up without `vga=`.
- Mouse does not work in
intrigeri:
> It would be good to know what version of Tails you tried, because the
> bug report is self-contradicting ("I've downloaded Tails 1.6.
> Stored in my iso-download (debian-8 based) AppVM").
Really was Tails 1.6.
Austin English:
> I don't think it's self contradicting. debian-8 based
u:
> Hi Patrick,
>
> Patrick Schleizer:
>> When I go to https://labs.riseup.net/code/issues/5606 and press 'watch',
>> it redirects to
>> https://labs.riseup.net/code/watchers/watch?object_id=5606_type=issue
>> and I am getting the following erro
Hi!
When I go to https://labs.riseup.net/code/issues/5606 and press 'watch',
it redirects to
https://labs.riseup.net/code/watchers/watch?object_id=5606_type=issue
and I am getting the following error message.
> Page not found
>
> The page you were trying to access doesn't exist or has been
Hi!
For some reason I cannot answer to any Tails redmine tickets. So here is
my test report of Tails inside Qubes OS.
I've downloaded Tails 1.6. Stored in my iso-download (debian-8 based)
AppVM. Then followed the https://www.qubes-os.org/en/doc/hvm-create/
instructions.
Initially Tails boots.
Hi!
Is it possible to derive and/or estimate the system clock by observing
TCP sequence numbers?
Jacob Appelbaum [1]:
In the Linux kernel, TCP Sequence numbers embed the system clock and
then hash it. Yet another way to leak the system clock to the network.
As I understand the paper 'An
Hi David!
Could you follow up intrigeri's questions on this ticket please?
https://labs.riseup.net/code/issues/5650
Cheers,
Patrick
Dear Tails developers,
I would like to inform you about the existence of
control-port-filter-python, a fork of tor-controlport-filter by Tails.
Improvements:
* Supports parallel connections.
* Configurable by dropping .d-style configuration snippets into
/etc/cpfpy.d. I.e. whitelist can be
Hi!
intrigeri wrote:
Hi,
Patrick Schleizer wrote (21 Nov 2014 15:17:08 GMT) :
intrigeri wrote:
Patrick Schleizer wrote (15 Nov 2014 15:38:09 GMT) :
Unless I'm mistaken, the server-side of these PTs needs to be in
Debian anyway, so that people running Debian-based distros can
actually
Hi!
intrigeri wrote:
Hi,
Patrick Schleizer wrote (15 Nov 2014 15:38:09 GMT) :
Idea:
- Come with a recent release of original TBB from TPO installed by
default with every new release of Tails/Whonix.
- Use the TBB, tor-launcher add-on and pluggable transports from TBB as
the new
intrigeri wrote:
I can't think of another area in which asking a hostile for advice is a
good idea. Maybe if friend and foe both agree, you can be confident
that they're right; if they disagree, look further - but that's not
what Tails htpdate is doing.
Indeed, it should probably discard
Hi!
intrigeri wrote:
[...]
Still, the landscape of pluggable transports is quickly evolving, and
indeed we have a hard time staying on top of things in this area.
[...]
I think it will be simply impossible to keep up with pluggable
transports. We at Whonix are facing the same issue.
Idea:
boyska wrote: On Sat, Nov 01, 2014 at 08:07:04AM +, Patrick
Schleizer wrote:
By chance I found https://github.com/boyska/git-verify repo.
hey, that's me :P
That's why I explicitly added you to cc. :)
At Whonix we're currently discussing various aspects of git security.
Especially since
Hi!
By chance I found https://github.com/boyska/git-verify repo.
At Whonix we're currently discussing various aspects of git security.
Especially since git still uses SHA-1 and if git (submodule)
verification is safe against adversaries, that can produce SHA-1 collisions.
I was wondering, if
Hi,
you might be interested in this:
https://twitter.com/ioerror/status/509159304323416064
Why could it be relevant?
Tor Browser (and other applications?) leak the system clock in default
settings [1]. At the same time, the system clock leaks to ISP level
observers through TCP sequence numbers.
I2P-browser
===
I got a bit of work done for the separate browser for use with I2P,
based upon the unsafe-browser script. I haven't pushed it anywhere yet,
but will do once I do a bit more testing with it. (ticket #7725)
Great! Note that this code probably depends on what browser
Hi,
as you may already know, meek [1] is a pluggable transport. Quite a
convenient one for TBB users. They don't even have to obtain bridges and
it just works out of the box.
I've recently posted a feature request for packaging it for Debian. [2]
Unfortunately it won't be that simple because it
Hi!
intrigeri:
[sorry for the late reply. any reason to drop most addresses from the
Cc list?]
Sorry, mistake.
Patrick Schleizer wrote (03 Jul 2014 14:55:57 GMT) :
I am currently working on splitting Whonix into multiple packages.
Having ability to be used by other privacy distributions
Hi!
u:
I'd be glad to help with some packaging.
Cool! Please also look through the one or two lines package summaries.
Then we may discuss packages that are of interest to you. :)
Some of the stuff i see in that list could probably be integrated into
existing packages (AppArmor profiles)
Hi!
I've got a question for Tails' design regarding to HTP source pools [1].
[...] The HTP pools used by Tails are based on stable and reliable
webservers that get great amounts of traffic. They are categorized into
three different pools according to their members' relationship to the
members
Hi!
sajol...@pimienta.org:
Note that in the case of Tails, we recommend our users against doing
this. Which is mix different identities in a same working session:
https://tails.boum.org/doc/about/warning/#index8h1
Whonix has a similar warning:
ban...@openmailbox.org:
Here is what Bernhard says about authentication:
https://www.whonix.org/w/index.php?title=OnionCatstable=0shownotice=1fromsection=Security#Security
Alternative links:
- https://www.whonix.org/wiki/OnionCat#Security
- http://www.webcitation.org/6Rv71smMB
Hi!
intrigeri:
I'm coming back on the shared username/hostname thing, that was
rediscussed a bit lately, with input from Freepto and pointers to
Subgraph OS code, on a Tails ticket:
https://labs.riseup.net/code/issues/5655
As you can see in my comment #6 there, it's unclear to me
intrigeri:
Patrick Schleizer wrote (05 Aug 2014 02:04:30 GMT) :
Mumble has a TCP mode. Why involve OnionCat?
Without involving Tor Hidden Services,
Well, with OnionCat you must involve Tor Hidden Services as well?
how do you initiate
a peer-to-peer conversation between two Tails users
coderman:
tls-tor-random to torproject
What do you mean by that?
Hi!
Quote https://tails.boum.org/blueprint/VoIP_support/ :
Preliminary testing showed OnionCat + Mumble to be a working and
relatively easy to setup Tor-enabled VoIP solution; the 1/2s - 1s delay
is only slightly annoying.
Why OnionCat + Mumble - why not just Mumble?
Mumble has a TCP mode.
intrigeri:
2. drop the publicly known value = urandom is seeded by date +%s.%N
only
If you are going that route, would it make sense to drop the dot in date
+%s%N as well to remove another publicly known value?
Hi,
I haven't found the commit where you actually added
/etc/sysctl.d/tcp_timestamps.conf.
Does this implementation involve anything besides
/etc/sysctl.d/tcp_timestamps.conf?
http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux
either way.
The feature Share username and hostname amongst all anonymity has been
implemented as a Debian package:
https://github.com/Whonix/anon-base-files
All the best,
Patrick Schleizer
(a maintainer of the Whonix privacy distribution)
While you're at it, would it be a lot more effort to make it a generic
download extension? I certainly enjoyed to have this issue that many
software projects suffer from solved in a generic way.
Otherwise it might get forked some day to have a download extension for
gpg, TBB, Whonix, etc.? :)
intrigeri:
@Patrick: why is the build-dep on config-package-dev versioned to
0.5.1? Isn't Wheezy's 4.13 good enough for our needs? (Worst case, we
can fetch 0.5.1 from wheezy-backports, but still :)
Even though it has been obsoleted by now, I like answering it, maybe for the future.
wheezy:
Hi!
= news =
Did some work on this... Link:
https://github.com/adrelanos/wiperamFreepto
Package builds fine. ./build script produces deterministic
wiperam_0.1.orig.tar.gz, wiperam_0.1-1_all.deb and
wiperam_0.1-1.debian.tar.gz.
Package installation and actual functionality untested.
=
Hi!
Terrific! I also would like to see this getting packaged and ideally
even entering Debian. Maybe I can help a bit packaging it.
I advise against directly using dpkg-divert for config file diversions.
That may cause issues later when attempting to upgrade the package. In
my opinion
Hi!
Quick one..
Here:
https://tails.boum.org/contribute/design/#index42h3
Is:
https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/lib/live/config/201-pidgin
Should be:
https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/lib/live/config/2010-pidgin
Cheers,
Hi,
TCP timestamps are created using the system's clock, is that correct?
Would it make sense to,
- when Tails starts: save system clock
- before Tor starts: randomize system clock (+/- a random amount of
milliseconds [and seconds?])
- when Tails is shut down: undo system clock randomization
?