Re: [tor-relays] [tor-talk] TOR problems - seriously PLEASE HELP ME!

2017-04-25 Thread Duncan Guthrie

On 24.04.2017 12:30, Jonathan Marquardt wrote:
> On Mon, Apr 24, 2017 at 12:16:23PM +0200, unpublished wrote:
>> 3. How to change the end node of the country (eg country from which I am
>> POLAND)?
>
> Here's a simple guide on how to do that:
> http://www.wikihow.com/Set-a-Specific-Country-in-a-Tor-Browser


You should attach a severe warning with this advice - this is in general 
quite a bad idea. Setting Tor to exit from only one IP address, or a 
specific set of IP addresses - in this case, by geographical location 
(assuming that GeoIP is always accurate, which is not the case) - will 
single you out. This makes it easier to combine with other information, 
and fingerprint you. In the worst case scenario, this might result in 
removal of anonymity.


-D
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
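
An added example, not part of the thread: a small audit that reports where a torrc pins exit or entry relays to chosen countries or relays, the kind of restriction the reply above warns about. It reads the `ExitNodes` and `EntryNodes` options with a simplified parser; the sample file, the relay nickname and the address range are constructed.

```python
import re
from dataclasses import dataclass, field

# torrc options that pin a circuit position to a hand-picked set of relays.
PINNING_OPTIONS = {"exitnodes": "ExitNodes", "entrynodes": "EntryNodes"}
COUNTRY = re.compile(r"\{([A-Za-z]{2})\}")

# Constructed sample, not taken from any real installation.
SAMPLE_TORRC = """\
# Constructed sample torrc
SocksPort 9150
exitnodes {pl}, \\
          {de}      # country pinning as in the linked guide
EntryNodes ExampleGuard, 192.0.2.0/24
#ExitNodes {us}
"""


@dataclass
class Finding:
    option: str       # canonical option name
    line_no: int      # first line of the (possibly continued) entry
    countries: list = field(default_factory=list)  # GeoIP country codes
    relays: list = field(default_factory=list)     # fingerprints, nicknames, address patterns


def logical_lines(text):
    """Yield (line_no, entry) with '#' comments removed and trailing-backslash
    continuations joined. Simplified compared with Tor's own parser."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def audit_torrc(text):
    """Return one Finding per pinning option; a later entry replaces an earlier one."""
    found = {}
    for no, entry in logical_lines(text):
        parts = entry.split(None, 1)
        option = PINNING_OPTIONS.get(parts[0].lower())  # option names are case-insensitive
        if option is None or len(parts) < 2:
            continue
        finding = Finding(option, no)
        for item in (v.strip() for v in parts[1].split(",")):
            if not item:
                continue
            match = COUNTRY.fullmatch(item)
            if match:
                finding.countries.append(match.group(1).lower())
            else:
                finding.relays.append(item)
        found[option] = finding
    return sorted(found.values(), key=lambda f: f.line_no)


def describe(finding):
    """One-line report for a finding."""
    parts = []
    if finding.countries:
        # Country selection depends on GeoIP data, which the thread notes is not always accurate.
        parts.append("countries " + ",".join(finding.countries) + " (GeoIP-based)")
    if finding.relays:
        parts.append(f"{len(finding.relays)} named relay(s) or address pattern(s)")
    return f"line {finding.line_no}: {finding.option} restricted to " + " and ".join(parts)


if __name__ == "__main__":
    for f in audit_torrc(SAMPLE_TORRC):
        print(describe(f))
```

An empty result means the file leaves exit and entry selection to Tor's default path selection.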


[tor-relays] Atlas - location of relay changed

2016-12-10 Thread Duncan Guthrie

Hi folks,

My Tor exit, ecntor, recently changed from being listed in the UK to 
being listed in Canada, without any input on our part.


On the IRC channel, I was reassured that this was not a bad thing, that 
GeoIP is inaccurate, for example.


However, I am interested in what might have caused the relay to change 
location listing like this?


Thanks,

Duncan



Re: [tor-relays] All I want for Chrismas is a bloody t-shirt

2016-12-08 Thread Duncan Guthrie

Indeed.

In every Tor user there is a seething anarcho-capitalist.


On 09/12/16 01:58, niftybunny wrote:
> Are there any “special” t-shirts for the 1%?
>
> markus
>
>> Hi,
>>
>> Jon is distributing t-shirts and Christmas cheer this year.
>>
>> Have you been naughty or nice?
>>
>> And by the way, it's SanTor, not SanTOR (or SANTOR).
>> (And our trademark lawyers prefer onion jokes.)
>>
>> :-)
>>
>> T
>>
>> --
>> Tim Wilson-Brown (teor)
>>
>> teor2345 at gmail dot com
>> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
>> ricochet:ekmygaiu4rzgsk6n
>> xmpp: teor at torproject dot org


Re: [tor-relays] Exit Node Geographical Location

2016-12-08 Thread Duncan Guthrie
Hi folks,

I think it would be interesting to run relays in Africa and Asia. Especially 
Africa, as this area has growing internet usage, and censorship of the internet 
in some countries is not widespread, e.g. Liberia.

Another argument is that even if there is censorship, having more relays in 
these countries is still important to help protect people in other countries. 
For example, you are going to want your traffic to exit in somewhere like 
Russia if you are in the US or UK since Russia is unlikely to hand over data it 
is collecting to the US or UK governments.

Thus, running relays in Africa and Asia should be a priority right now.

Duncan

On 8 December 2016 9:53:11 am GMT+00:00, Chris Adams wrote:
>Hello,
>
>I want to start up another exit node. I have a few choices for which
>country it's in. I currently live in a country with quite a high exit
>node/population density.
>
>Are there any advantages to distributing nodes around the globe in
>terms of performance/privacy?
>
>Are there some countries where you definitely shouldn't run exit nodes?
>(Censored internet is an obvious example)
>
>C


Re: [tor-relays] Is there a reason for all exit nodes being public?

2016-12-08 Thread Duncan Guthrie
Well, apart from using Facebook...

On 8 December 2016 7:51:09 am GMT+00:00, Dave Warren <da...@hireahit.com> wrote:
>I agree 100%. And yet, it's still useful for those who don't have
>anything to fear from using Tor, but still want the privacy and
>security from the last mile.
>
>On Wed, Dec 7, 2016, at 23:45, Duncan Guthrie wrote:
>
>> The problem with Facebook is that their policies on real names
>> somewhat goes against hiding from a repressive regime. Their terms and
>> conditions mandate that they kick people who use pseudonyms, and make
>> fellow Facebook users rat on each other.
>> If I was an activist I would be wary of using it on or off Tor at
>> all. If I am going to be harassed for using Facebook, it's probably
>> unsafe to use Tor altogether. It isn't worth the risk, except in a
>> very limited manner.
>> I think the hidden service in this case is just gesture politics.
>> It's not really for citizens in repressive regimes, but people who
>> have little to fear from using Tor.
>>
>> Duncan
>>
>> On 7 December 2016 3:20:05 pm GMT+00:00, Rana
>> <ranaventu...@gmail.com> wrote:
>>>
>>> -Original Message-
>>>> From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org]
>>>> On Behalf Of heartsucker
>>>> Sent: Wednesday, December 07, 2016 5:11 PM
>>>> : tor-relays@lists.torproject.org
>>>> Subject: Re: [tor-relays] Is there a reason for all exit nodes
>>>> being public?
>>>>
>>>> As one of the Tor users who connects to services where I have to
>>>> use my real name (e.g., my banks), I think it's not helpful to make
>>>> assumptions about everyone's use case. Part of why I use Tor is to
>>>> keep my ISPs from snooping on what I'm doing, and it's possible
>>>> some of these millions of facebook users are doing the same.
>>>
>>> We will never know the breakdown of the Facebook users by the reason
>>> why they use Tor. However, surely many of them are under repressive
>>> regimes and do not want their ass kicked for what they write on
>>> Facebook. Protecting them is fine purpose and anyhow, Tor has no
>>> control over how people use the network and certainly not over why
>>> they use it.
>>>
>>> Rana


Re: [tor-relays] Is there a reason for all exit nodes being public?

2016-12-07 Thread Duncan Guthrie
The problem with Facebook is that their policies on real names somewhat goes 
against hiding from a repressive regime. Their terms and conditions mandate 
that they kick people who use pseudonyms, and make fellow Facebook users rat on 
each other.
If I was an activist I would be wary of using it on or off Tor at all. If I am 
going to be harassed for using Facebook, it's probably unsafe to use Tor 
altogether. It isn't worth the risk, except in a very limited manner.
I think the hidden service in this case is just gesture politics. It's not 
really for citizens in repressive regimes, but people who have little to fear 
from using Tor.

Duncan

On 7 December 2016 3:20:05 pm GMT+00:00, Rana wrote:
>
>-Original Message-
>> From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf Of heartsucker
>> Sent: Wednesday, December 07, 2016 5:11 PM
>> : tor-relays@lists.torproject.org
>> Subject: Re: [tor-relays] Is there a reason for all exit nodes being public?
>>
>> As one of the Tor users who connects to services where I have to use
>> my real name (e.g., my banks), I think it's not helpful to make
>> assumptions about everyone's use case. Part of why I use Tor is to
>> keep my ISPs from snooping on what I'm doing, and it's possible some
>> of these millions of facebook users are doing the same.
>
>We will never know the breakdown of the Facebook users by the reason
>why they use Tor. However, surely many of them are under repressive
>regimes and do not want their ass kicked for what they write on
>Facebook. Protecting them is fine purpose and anyhow, Tor has no
>control over how people use the network and certainly not over why they
>use it.
>
>Rana


Re: [tor-relays] Exploiting firmware

2016-12-07 Thread Duncan Guthrie
What I was originally getting at was that the parts of the Raspberry Pi 
that are completely proprietary - while there is a free software 
implementation of the GPU blob, most people don't use that, as they are 
on stock Raspbian, which includes all the nasty "other parts" - are a 
great possibility for hijacking, perhaps through malicious code running 
on the GPU, which controls the CPU in several ways. The problem with 
this isn't that this is unique (Intel computers having so much more 
attack surface) but that a flaw in lots of these small computers that 
power a portion of the network means that an exploit in them due to lack 
of diversity would be much more serious.


The management engine blob is also very serious. One possible mitigation 
might be to run the relays in VMs with good isolation, e.g. Xen on 
recent hardware which has good IOMMU. This makes it much harder to 
exploit the actual software that runs on the ME since the VMs would, in 
theory, have no access to hardware.


It should be of concern on any hardware that is being used for related 
purposes, I think. However, whether it works out in practice as a 
backdoor that is worth exploiting vs other methods is debatable.


Regardless, diversity is good.

On 07/12/16 20:35, Gumby wrote:
> Subject seems to have changed a bit, so not hijacking it.
> When thinking of any exploitation of firmware - should there be
> concerns of Intel's Management Engine in the CPU of any relays
> running on "home hardware" in any common unused pc or laptop?
> Should that be a concern on ANY newer Intel hardware?
>
> Gumby


Re: [tor-relays] Unwarranted discrimination of relays with dynamic IP

2016-12-07 Thread Duncan Guthrie

On 07/12/16 05:32, Rana wrote:
> I can just imagine someone panting while dragging a sub-$35 old desktop
> computer up the stairs after physically searching for it in a nearby junkyard.
> A considerable level of destitution and a commendable commitment to the cause
> of Tor would be required.

This is hardly the case. Computers are so widespread that an old desktop 
system with even twice the power of the Pi can be had for buttons.
There is no need to be rude about the suggestions that people on this 
list make.


Duncan


Re: [tor-relays] Unwarranted discrimination of relays with dynamic IP

2016-12-06 Thread Duncan Guthrie

On 06/12/16 21:10, SuperSluether wrote:
> I don't know the actual numbers for the Raspberry Pi 1, I was just
> quoting from Duncan:
> https://lists.torproject.org/pipermail/tor-relays/2016-December/011182.html


I was told this figure by a friend who tried networking "stuff" on a Pi. 
From personal experience also, I have found they are just a bit rubbish, 
other than for using a probe for OONI, and for a short time using it to 
try out NetBSD and various other operating systems.


My original figure may have been... somewhat off. With different models 
they may have updated the network hardware. Certainly on the new ones 
they are better, but there are deeper flaws with the Raspberry Pi's 
hardware, e.g. the omnipotent GPU blob and various other proprietary 
parts that make supporting it non-trivial compared to say, the 
BeagleBone Black.


A more general point is that old desktop computers still offer better 
performance than a Raspberry Pi. You can easily get one for considerably 
less than the cost of a Pi, and there are also issues of network 
diversity with the Raspberry Pi - if some flaw was exploited in the 
various nasty proprietary bits that make up the Pi, much of the network 
might be compromised - due to large similarities across the different 
models, this would affect considerable numbers of devices. So using many 
different computer models with a large variety of operating systems is 
ideal for the network as a whole.


Duncan


Re: [tor-relays] Unwarranted discrimination of relays with dynamic IP

2016-12-05 Thread Duncan Guthrie

On 04.12.2016 22:35, Tristan wrote:
> Perhaps this IS in fact normal. I ran a Tor relay on a Raspberry Pi
> for a while. My speed was about 1Mbps max, similar to your 1.5Mbps. I
> saw minimal traffic, and the consensus weight never went above 20.
>
> I'm not running a relay at home anymore because of the slow speeds.
> The configuration guide mentions having at least 250KBytes or 2Mbps,
> and even relays that have 2Mbps probably won't see much traffic since
> there's plenty of faster middle relays.

Keep in mind also that the Raspberry Pi (at least the first one anyway) 
can only push around 1MB/s tops. The ethernet port is basically held on 
by the equivalent of a piece of string! They're suitable for a small 
mail or web server, or some sort of network probe, but not really for 
any large application.


Duncan


Re: [tor-relays] 33C3 Ticket

2016-11-22 Thread Duncan Guthrie
All the information is on that page. 
You will get the quickest and most relevant support from the IRC channel.

On 22 November 2016 00:25:24 GMT+00:00, Kevin Zvilt wrote:
>I apologize for hijacking the thread. I just need to know how to contact
>the support team.
>
>On Tue, Nov 22, 2016 at 2:04 AM, D wrote:
>
>> Hi Kevin,
>>
>> Please don't hijack the thread.
>>
>> I'd like to direct you to other lines of help, especially the IRC channel
>> - #tor on OFTC.
>>
>> See also https://www.torproject.org/about/contact.html.en#support
>>
>> With proxies, perhaps you need to set up a bridge. When you start TBB,
>> select "my ISP is refusing connections to Tor" (or something similar), and
>> then it will guide you through the process.
>>
>> You are encouraged to read the documentation and ask questions on the IRC
>> channel. Don't worry, we don't bite!
>>
>> D
>>
>> On 22.11.2016 00:28, Kevin Zvilt wrote:
>>
>>> Seems my proxy is refusing all connections.
>>>
>>> On Tue, Nov 22, 2016 at 1:35 AM, Mirimir wrote:
>>>
>>>> On 11/21/2016 04:21 PM, Kevin Zvilt wrote:
>>>>> Kevin from Cairo, still trying to set up Tor as a functioning browser.
>>>>
>>>> What's the problem?
>>>>
>>>>> On Tue, Nov 22, 2016 at 1:19 AM,  wrote:
>>>>>> I am in the same position.
>>>>>>
>>>>>> 2016-11-21 23:17 GMT+01:00 pa011 :
>>>>>>> Looking to meet other Exits in Hamburg - just need a ticket :-)
>>>>>>>
>>>>>>> Paul


Re: [tor-relays] Bug Log

2016-11-20 Thread Duncan Guthrie
Hi Kevin,

If you need some support, there are lots of friendly and intelligent people on 
IRC - #tor on OFTC - who might be able to help you. You shouldn't have to wait 
too long for a response.

--
Duncan


On 18 November 2016 23:46:41 GMT+00:00, Kevin Zvilt wrote:
>Oh, sorry. I'm new to this whole ordeal. Ok, Tim. Have a good one.
>
>On Sat, Nov 19, 2016 at 1:35 AM, teor wrote:
>
>> > On 19 Nov. 2016, at 10:32, Kevin Zvilt wrote:
>> >
>> > Hello! Thank you for replying, I had little hope to be answered.
>> > The proxy server is refusing connections. Tor quits every few seconds of
>> > launching. I think it stays running but the connection gets lost.
>> > What I'm getting now is 'The proxy server is refusing connections'. Can
>> > you please help me? And also, can you take me through setting up an onion
>> > server? I'm trying to reach a .onion website.
>>
>> I'm sorry, this list is not for Tor client technical support.
>> Maybe try the Tor Browser user manual?
>>
>> https://blog.torproject.org/blog/announcing-tor-browser-user-manual
>>
>> To get started:
>> https://tb-manual.torproject.org/windows/en-US/first-time.html
>> https://tb-manual.torproject.org/windows/en-US/troubleshooting.html
>>
>> And for onion services:
>> https://tb-manual.torproject.org/windows/en-US/onion-services.html
>>
>> Tim
>>
>> > On Sat, Nov 19, 2016 at 1:21 AM, teor wrote:
>> >
>> > > On 19 Nov. 2016, at 09:52, Kevin Zvilt wrote:
>> > >
>> > > 11/18/2016 17:28:08 PM.600 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
>> > > 11/18/2016 17:28:08 PM.900 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
>> > > 11/18/2016 17:28:10 PM.300 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
>> > > 11/18/2016 17:28:10 PM.300 [NOTICE] Bootstrapped 100%: Done
>> > > 11/18/2016 17:28:11 PM.700 [NOTICE] New control connection opened from 127.0.0.1.
>> > > 11/18/2016 17:28:11 PM.700 [NOTICE] New control connection opened from 127.0.0.1.
>> > > 11/18/2016 17:32:25 PM.200 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
>> > > 11/18/2016 17:32:25 PM.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
>> > > 11/18/2016 17:32:25 PM.200 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
>> > > 11/18/2016 17:32:25 PM.200 [NOTICE] Delaying directory fetches: DisableNetwork is set.
>> > > 11/18/2016 22:38:05 PM.400 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
>> > > 11/18/2016 22:38:06 PM.400 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
>> > > 11/18/2016 22:38:06 PM.600 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
>> > > 11/18/2016 22:38:06 PM.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
>> > > 11/18/2016 22:38:06 PM.600 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
>> > > 11/18/2016 22:38:07 PM.200 [NOTICE] Delaying directory fetches: DisableNetwork is set.
>> >
>> > Hi,
>> >
>> > Can you help us understand what the problem is?
>> >
>> > You might need to use "Log info file info.log" or
>> > "Log debug file debug.log" to get enough detail for us to help you.
>> >
>> > T
>> >
>> > --
>> > Tim Wilson-Brown (teor)
>> >
>> > teor2345 at gmail dot com
>> > PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
>> > ricochet:ekmygaiu4rzgsk6n
>> > xmpp: teor at torproject dot org
>>
>> T
>>
>> --
>> Tim Wilson-Brown (teor)
>>
>> teor2345 at gmail dot com
>> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
>> ricochet:ekmygaiu4rzgsk6n
>> xmpp: teor at torproject dot org

Re: [tor-relays] cryptsetup some folders

2016-10-25 Thread Duncan Guthrie
Hi folks, 

I am not sure it is more secure. What are we trying to protect here? As long as 
the relay is running, it is unencrypted. Disk encryption only prevents physical 
access - are you at risk of this? At any rate, the relay shouldn't be storing 
personal data. 

Having it encrypted also makes remote management an absolute pain.
 
Can someone clarify this?
-- D

On 24 October 2016 08:53:14 BST, Petrusko wrote:
>Hey all,
>
>I'm planning to customise a RPi with Raspbian already running, and using
>cryptsetup (LUKS) to have a partition more secure for some reasons...
>So the goal is to move some existing sensitive folders to this new
>encrypted partition.
>Some sym-links will be used for those directories.
>
>About Tor, if I'm not wrong, those directories can be moved to this
>encrypted partition :
>/var/lib/tor : so I'm planning to move /var...
>
>So at final, planning to move :
>/home
>/var
>/tmp
>(why not swap file ?)
>
>Any suggestions and master's thoughts are welcome :)
>
>-- 
>Petrusko
>EBE23AE5


Re: [tor-relays] Research project - comparing abuse complaints on Tor exits to those of regular ISPs

2016-10-24 Thread Duncan Guthrie
Um, did you mean to reply to this thread?

On 24 October 2016 15:32:08 BST, tor admin wrote:
>On Mon, Oct 24, 2016 at 02:20:06PM +0200, Volker Mink wrote:
>> Mine is running for close to two years now and i got 2 regular complaints
>> with specific accusation (torrent...) from known german lawyers.
>> And one really common from my ISP - "we detected illegal activities.
>> please perform a virus scan on your computers...".
>>
>> Thats all :)
>
>cool, I'm about to move a relay to exit node, I'm a bit scared do.
>Do you run the "standard" [1] restricted exit policy? do you run an
>even more reduced exit policy? could you shared it?
>
>thanks!
>
>[1] https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
>
>--
>1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333


Re: [tor-relays] Linux kernel vulnerability

2016-10-23 Thread Duncan Guthrie
Hi folks,

I think this is a very extreme and unnecessary solution. While it is good to 
keep relays up, this may be unreliable. It is good to perform maintenance 
regularly, and reboots are often best.
Also, it appears to be proprietary technology. I would not advise proprietary 
technology on a Tor relay as it opens up a whole other can of worms, who 
controls the software etc.
Can people really not afford to reboot once a month or similar? Uptime is good 
but the only reliable way to apply kernel updates has always been reboots. 
Restarting also can apply updates to certain system services as well, if I am 
correct.

-- D

On 23 October 2016 09:42:38 BST, Jonathan Baker-Bates wrote:
>I know some people using this for applying kernel updates without
>rebooting, but don't know how good it is:
>
>https://www.cloudlinux.com/all-products/product-overview/kernelcare
>
>On 23 October 2016 at 09:16, nusenu wrote:
>
>> > Second, you will reduce the uptime and stability of
>> > your relay, thus it will lose consensus weight if you reboot the machine
>> > once a day.
>>
>> Unattended-Upgrade::Automatic-Reboot "true";
>>
>> Does not reboot your machine "once a day", it reboots when a new kernel
>> requires a reboot. Which on Debian stable / Ubuntu LTS is far from being
>> a daily event.
>> And the frequency of reboots actually should not differ compared to
>> manual reboots.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
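
An added example, not code from the thread: a check a relay operator can run after kernel updates to see whether the host still runs the old kernel, which is the situation the reboot discussion above is about. It assumes kernel images live at `/boot/vmlinuz-<release>` and that the distribution may leave a `/var/run/reboot-required` marker, as Debian and Ubuntu do; the release strings and times in the usage are constructed.

```python
import os
import re


def version_key(release):
    """Sort key that compares numeric parts as numbers, so that
    '3.16.0-10-amd64' ranks above '3.16.0-4-amd64'."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", release)]


def reboot_reasons(running, images, boot_time, flag_present=False):
    """Return the reasons why the host is still running an outdated kernel.

    running:      release string of the running kernel (uname -r)
    images:       {release: change time of /boot/vmlinuz-<release>}
    boot_time:    time the running kernel was booted, in epoch seconds
    flag_present: True if the distribution left a reboot-required marker
    An empty list means no reboot is pending as far as these checks can tell.
    """
    reasons = []
    if flag_present:
        reasons.append("reboot-required marker present")
    newer = [r for r in images if version_key(r) > version_key(running)]
    if newer:
        reasons.append("newer kernel installed: " + max(newer, key=version_key))
    # A security update can keep the same release string and replace the image
    # in place; the file then changed after the machine booted. This is a
    # heuristic: anything else that touches the file also triggers it.
    if images.get(running, 0) > boot_time:
        reasons.append("image for running kernel replaced since boot")
    return reasons


def collect(boot_dir="/boot", marker="/var/run/reboot-required"):
    """Gather the inputs for reboot_reasons() from a live Linux host."""
    images = {}
    for name in os.listdir(boot_dir):
        if name.startswith("vmlinuz-"):
            # ctime rather than mtime: a package manager may keep the mtime
            # recorded in the package archive.
            path = os.path.join(boot_dir, name)
            images[name[len("vmlinuz-"):]] = os.stat(path).st_ctime
    with open("/proc/stat") as fh:
        boot_time = next(int(line.split()[1]) for line in fh
                         if line.startswith("btime"))
    return os.uname().release, images, boot_time, os.path.exists(marker)


if __name__ == "__main__":
    for reason in reboot_reasons(*collect()) or ["running kernel is current"]:
        print(reason)
```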


Re: [tor-relays] Recommendation for DUMB COMPUTING devices for Tor Relays

2016-10-21 Thread Duncan Guthrie
Hi there,

More likely, they just compromise your relay in runtime. 

Reflashing the boot firmware is theoretical, but due to the huge variation in 
the hardware running Tor, I am not convinced using such an exploit on vast 
numbers of computers is entirely practical. Since relays are up for months at a 
time in some cases, just a more subtle exploit is probably more successful, if 
I understand the capabilities of known attacks. This also reduces the 
likelihood of security researchers (who are naturally more accustomed to 
running and analysing Tor relays) discovering that an exploit has occurred and 
reverse engineering it to see how it works.

Besides, the Raspberry Pi runs various proprietary firmwares, with drivers 
naturally running in kernel space (the highest privilege level of the operating 
system). These are a backdoor. If we work from the various assumptions that you 
are making, it is probably better to run a VM of Debian without the nonfree 
repos, removing ssh access and closing as many ports as possible. 

If you want a stateless computer, currently a good option might be a laptop 
supported in Coreboot (*without the management engine blob etc*), write 
protecting the flash chip, and running Tails or Tor ramdisk from a CD. I own an 
old Lenovo X200 and it works well.

A better way to increase diversity is to run VMs that have different operating 
systems on them. More BSD relays are good. OpenBSD is a good choice since they 
have reasonably up-to-date packages, if I remember correctly.

Long story short, moving everyone to vulnerable embedded systems (which are 
even more proprietary than Intel systems) is not the answer. I am not convinced 
it would benefit the Tor network. It may indeed reduce diversity, not to 
mention performance. Of course, more relays are good, but only in addition to 
the current network.

Hope this helps,
D

On 21 October 2016 13:08:24 BST, Dan Michaels wrote:
>The Tor Project website recommends various security setups for people
>running Tor relays.
>
>Such as, don't run a web browser on the same machine as your Tor relay,
>otherwise the browser could get hacked, and then if Tor relays are hacked,
>it compromises the entire concept of Tor.
>
>In the age of FBI mass hacking, the FBI will attempt to hack all Tor
>relays, and thus, they can trace traffic throughout the entire proxy chain.
>
>According to NSA documents, all it takes is "one page load" to infect a
>browser, because they re-direct you to a fake website that hosts browser
>exploits, known as QUANTUM INSERT. The FBI will use this to take over all
>Tor relays that are running web browsers.
>
>So, I have a suggestion that I would like Tor Project to recommend.
>
>Tor Project needs to tell people.. use DUMB COMPUTING devices for running
>Tor relays.
>
>If your computer gets hacked, it can be deeply exploited in the firmware,
>such as BIOS, GPU, WiFi chip, etc.
>
>There are devices on the market, such as Raspberry Pi, or similar, which
>have NO WRITABLE FIRMWARE.
>
>This is known as being "stateless".
>
>It does not "hold state" across reboots.
>
>All firmware/drivers are stored on the SD card on the Raspberry Pi, and
>only loaded in on boot time. No component on the entire Pi holds state.
>NONE. There will likely be other similar devices.
>
>Therefore, it is truly possible to wipe a dumb computing device completely
>clean.
>
>If you try to wipe a regular laptop or desktop, you may have all this
>deeply infected firmware, such as BIOS, so you keep getting re-infected
>upon startup.
>
>Some people say, once deeply infected, it's near-impossible to clean it
>out, and you should just throw away your entire laptop and start again.
>
>Everyone running a Tor relay should be told to use a DUMB COMPUTING DEVICE.
>
>Another advantage is that these devices are often very cheap. Raspberry Pi
>is very cheap to buy. Other devices may be even cheaper.
>
>The instructions should be as follows...
>
>(1) Wipe your device clean, i.e. wipe clean the SD card which holds the OS
>+ all firmware/drivers.
>
>(2) Then, re-install the OS clean, install Tor, and set up the relay.
>
>(3) Tor should be installed from the command line or from a
>previously-downloaded version on USB stick. Do not install Tor using the
>web browser, otherwise you could get infected.
>
>(4) Do not run anything else on the machine, other than the Tor relay.
>Using other programs, especially the web browser, could compromise the
>entire machine.
>
>And that's it.
>
>Tor Project should send out a message telling all people running Tor relays
>to follow these instructions.
>
>Let me know what you think.

Re: [tor-relays] Tor and Diplomatic Immunity

2016-09-06 Thread Duncan Guthrie
Couldn't they run a regular relay node instead? This would help them blend in 
their traffic so to speak while also not having to put themselves at risk of 
being cut off.

On 6 September 2016 04:47:41 BST, Dave Warren wrote:
>On Mon, Sep 5, 2016, at 11:24, Kenneth Freeman wrote:
>> On 09/04/2016 07:31 PM, Mirimir wrote:
>> > On 09/04/2016 09:11 AM, Kenneth Freeman wrote:
>> >> Do embassies and consulates run Tor nodes? AFAIK no studies have been
>> >> done on this, but diplomatic immunity and Tor would seem to be a match
>> >> made in Heaven.
>> >
>> > Well, they need uplinks, right? I doubt that diplomatic immunity forces
>> > ISPs to serve them. Private routing is possible, of course, but is
>> > probably too expensive for most.
>>
>> Whatever their budgetary considerations, embassies and consulates afford
>> diplomatic safe spaces for Tor nodes.
>
>At best, they provide a *legal* safe space, but it would only take an
>embassy having their local internet access terminated once or twice
>before they'd re-consider, absent any agreements which block service
>providers from doing such. I'd be surprised if such exist, although, it's
>certainly possible.
>
>Assuming we're talking exit nodes, anyway.