Re: [tor-talk] Addon toolbar icons missing after TBB 9.0.2 update [was: Question for Roger (or someone): what is going on with TBB and NoScript?]

2019-12-05 Thread Joe

I just updated to TBB 9.0.2 Linux & saw what I guess mimble9 saw -
missing toolbar icons for NoScript.
I'm not sure I can recall the exact way I got the icon back.

Note: after TBB 9.0.2 update, the icons for HTTPS Everywhere & NoScript
were missing in addons manager screen.

Starting TBB in safe mode (w/o addons);
also disabling any addons, then restart normally, then enable addons &
another normal restart.

I believe those were the steps that made addon toolbar icon reappear,
but I'm not positive of the order.

Just disabling addon, restarting TBB & re-enabling addons didn't work
for me.

I assume this is a bug in TBB 9.0.2 installer, as I've not had this
issue in a long time, if ever.

On 12/1/19 1:49 AM, Joe wrote:

On 11/29/19 8:50 AM, mimb...@danwin1210.me wrote:

I am using the latest version of TBB and for a while now I've noticed that
NoScript no longer appears on the TBB interface. I've got two icons for
"security level" and "new identity" but that's it. No NoScript.

Sometimes NoScript toolbar / navbar icon is on the far left end - you
can move it in "customize mode."
Sometimes it's in the extra icons - shown when you open customize mode.
It could be under the "hidden icons" (the 2 chevrons, pointing right).
If those don't work, try removing the addon & reinstalling.

When I check in Add-Ons I see NoScript (and HTTPS-Everywhere). Checking
the "Preferences" for NoScript reveals that, in "Default" mode, everything
- script, object, media, webgl, etc - is ticked under "allow" (i.e. is
on). I remember one used to have to allow these for all new sites.

Why the change? Why are the NoScript defaults allowing scripts and media
as standard?

Scripts were always allowed.  Maybe not WebGl.  The official reason, way
back (I believe) was many sites wouldn't work & new users or less
concerned users might stop using TBB.  Another statement was the more
users alter anything in TBB, the more different they look.

It is true that other changes have been made in Firefox esr / TBB
version that counteract other settings.
You might want to read The Design and Implementation of the Tor Browser
[DRAFT] <https://www.torproject.org/projects/torbrowser/design/#privacy>


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Question for Roger (or someone): what is going on with TBB and NoScript?

2019-12-02 Thread Joe

On 11/29/19 8:50 AM, mimb...@danwin1210.me wrote:

I am using the latest version of TBB and for a while now I've noticed that
NoScript no longer appears on the TBB interface. I've got two icons for
"security level" and "new identity" but that's it. No NoScript.

Sometimes NoScript toolbar / navbar icon is on the far left end - you
can move it in "customize mode."
Sometimes it's in the extra icons - shown when you open customize mode.
It could be under the "hidden icons" (the 2 chevrons, pointing right).
If those don't work, try removing the addon & reinstalling.


When I check in Add-Ons I see NoScript (and HTTPS-Everywhere). Checking
the "Preferences" for NoScript reveals that, in "Default" mode, everything
- script, object, media, webgl, etc - is ticked under "allow" (i.e. is
on). I remember one used to have to allow these for all new sites.

Why the change? Why are the NoScript defaults allowing scripts and media
as standard?

Scripts were always allowed.  Maybe not WebGl.  The official reason, way
back (I believe) was many sites wouldn't work & new users or less
concerned users might stop using TBB.  Another statement was the more
users alter anything in TBB, the more different they look.

It is true that other changes have been made in Firefox esr / TBB
version that counteract other settings.
You might want to read The Design and Implementation of the Tor Browser
[DRAFT] 


Re: [tor-talk] loading some content changes Tor Browser 9.0 to full screen

2019-11-20 Thread Joe

On 11/19/19 2:53 PM, Matthew Finkel wrote:

Hi!

Sorry for the delay, thanks for your questions.

On Tue, Nov 5, 2019 at 9:16 AM Joe  wrote:

In TBB 9.0, should about:config "full-screen-api.enabled" be "true?"
It is =true by default, in my auto-updated TBB 9.0, in Linux Mint.

Yes.

No problem.  Thanks for the info.

I haven't yet checked what screen size is reported, e.g.,
to EFF or browserspy.dk, etc., when a site (or content on it) requests
full screen.  Of course, I had to force full screen, then reload the
sites.  I'm not sure that gives same result as a site / content causing
full screen?

**What all prefs need changing to prevent ever going full screen?

Info Matthew pasted:

"Note that requests for fullscreen inside a web app's origin are exempt
from this restriction", and "Only grant fullscreen requests if this is called
from inside a trusted event handler (i.e. inside an event handler for a
*user initiated* event)"

In this context, what does "inside a web app's origin" mean?

Instances of going full screen weren't common - but were random.
As far as "grant fullscreen...for a user initiated event," yes, I
clicked on links, but not 3rd party links or showed in status bar it was
from a different domain.  That's a strange way of putting it - "user
initiated."

Without examining the page source in detail (most won't understand it)
users don't know or expect that clicking a random object on a site they
trust, might go full screen.  If I knew that ahead of time, I wouldn't
click such objects.  "User initiated" - when you ring a doorbell, you
don't expect it to spray toxic gas, though you initiated contact. I'm
not knowingly "giving consent" to anything to force full screen - it's
not the norm.

Testing TBB 9.0.1, when I force full screen (F11), then reverse it, TBB
goes back to the initial "screen size" - at least on Browserspy.dk.  It
displays blank white space / bands around the screen (NOT the same width
on L, R & bottom).  It also uses UP some of the available screen size -
with black bars on L & R of the screen.

The overall screen width detected, INCLUDING wide black bands is a
multiple of 200px, but I'm guessing an interested site could detect the
size that will display content.
After exiting full screen, the width that actually displays content is
an odd w=909 x h=900px, where 2 seconds before going full screen, the
detected size displaying content was 1000px W x 900px H.

So it's not just a matter of detecting real screen size.  It gives them
an odd value in a specific case.

If they can back calculate the vertical scrollbar width by using given
sized images, I don't see why they couldn't calculate the "usable"
screen width (screen width minus black bands).


Disabling fullscreen is not a good solution.

It might be if users were simply asked / warned *before* screen size change.
It is if you don't want random sites or content - unexpectedly - causing
full screen & on exiting full screen, the usable display area is no
longer even multiples of 200 x 100.

They warn on accidentally changing the screen by 2px, but don't prevent
or warn BEFORE a change happens.  The warning process needs to prevent
size change, until users confirm the change.
My screen size changes are all accidental or from not being warned that
some content is asking for full screen mode.



We have another ticket, where the user is prompted before fullscreen is 
allowed, for that:
https://trac.torproject.org/projects/tor/ticket/12979

That ticket's 5+ yrs old.  It's not helping.  Maybe there are much more
important issues (who runs entry / exit nodes).  I will probably disable
"full-screen-api.enabled" and others.

For now, why not add a button / setting in preferences or in... so users
can disable all screen changes (allowed by prefs), until progress is
made on ticket #12979? Users not that worried about fingerprinting can
use default settings.


"full-screen-api.allow-trusted-requests-only" - there are no generally
"trusted requests" to go full screen, if you don't want to give up more
browser info.  Maybe OK for checking function of your own website or such.



Re: [tor-talk] Node Selection Parameters [re: YouTube Censored Tor]

2019-11-08 Thread Joe

On 11/8/19 1:24 AM, grarpamp wrote:

On 11/7/19, Joe  wrote:

Often the new exit circuits countries are the same as the one they
complained about
getting a lot of requests from certain exits

Well tor tends to focus weight on some exits,
so NEWNYM circuit not always work to avoid
"Too Many Requests" type of braindead censoring.

Exit country restriction still subject to weighting
within that, so might not often help.

Users can search and MAPADDRESS to an exit,
but they are then parked the service to that one exit.

So tor needs MAPADDRESS function to handle across
multiple specified exits, in order to maintain tor's
auto hopping around exits every so often.

Tor doesn't make it easy for users to manage their exits.
Tor doesn't know best for all.

There are no configurable parameters to make general
algorithm choices, such as true random, optional recycling,
subscriptions API, etc as needed.

Pentesters cannot even mapaddress their own CIDR blocks yet.
And nobody has even made Sybil hunting and or
whitelist node projects yet.


lot of requests at a given time

Anyway, YouTube downloaders exist, and they have options
to reduce the downloads to useful and exit friendly sizes :)

@grarpamp, as I, you've been using Tor before there was a "bundle."
I'm sure it's a moving target trying to figure out what some sites are
doing wrt Tor.
Google changes its yt coding constantly so "youtube browsers /
downloaders" don't work.

I assume they get most of the content free, then try to serve ads or
grab as much data about users' browsers.
It's nice when a company gets its raw materials or wholesale products
for free.
That way, they have more money left to continually develop tracking
methods & personal data accumulation. :)
Of course now, more & more people are using VPNs; even some non-tech
people I know that really surprised me.

I wonder what the average person signing up for Google acct & giving
their real phone #, just because "they asked for it?"  Unless they're
using burner phones.  I'm fairly certain people have no idea how far or
fast their phone #  can travel & all the personal data that will be tied
to it, when they give the phone # to (many) companies like Google.

Like Radio Shack used to ask for your phone # when buying a $1.50 pack
of batteries - may still.  I just give the nosy businesses the same
number (like for warranty purposes) w/ an area code that doesn't exist. 
They're as happy as little clams.



Re: [tor-talk] YouTube Censored Tor

2019-11-07 Thread Joe

On 11/6/19 11:48 PM, grarpamp wrote:

WARNING: unable to download video info webpage: HTTP Error 429: Too
Many Requests
"Sorry for the interruption. We have been receiving a large volume of
requests from your network.
To continue with your YouTube experience, please fill out...

I've actually seen that for a while.  Fortunately, it usually only takes
me 1 or 2 new circuits to get going.
Often the new exit circuits countries are the same as the one they
complained about (but obviously not same IPa).
So maybe they are getting a lot of requests from certain exits, at a
given time.

Some days recently, I've stayed on YT for quite a while & they never
complained, so it's certainly not the Tor network.  But I excluded some
countries in torrc that have a worse than avg reputation as bad actors -
in general, not just using TBB.


[tor-talk] loading some content changes Tor Browser 9.0 to full screen

2019-11-05 Thread Joe

In TBB 9.0, should about:config "full-screen-api.enabled" be "true?"
It is =true by default, in my auto-updated TBB 9.0, in Linux Mint.

I also see similar (default value) prefs, that may / may not be involved
here:
full-screen-api.allow-trusted-requests-only = true
(does that refer to "trusted requests" from sites, or something else?)

full-screen-api.transition-duration.enter = 0 0 (zeros separated by a
space)
full-screen-api.unprefix.enabled = true

TBB 9.0 is the first version I remember that loading anything caused TBB
to go full screen - links, images, videos [non-flash, but played using
TBB HTML5 player].  Though apparently some things caused problems years
ago - see old bug.

Found a several-year-old trac.torproject bug where some things caused
window resizing.
https://trac.torproject.org/projects/tor/ticket/9881


So what is your proposed patch for this bug then just doing a
|browser.link.open_newwindow.restriction = 0|?



Yes.

Plus |full-screen-api.enabled = false| to fix #12609
[note:
#12609 is closed]


Is that pref's default value now back to true?

My security level is Safer and java script in NS is disabled.
But even to load text on some sites, at least the first party scripts
must be allowed.

Maybe js being enabled plus changes in Firefox allow scripts for some
content to force the (real) detected full screen size, when js is enabled?

But, I've not seen this problem (since TBB screen size was spoofed)
until upgrading to TBB 9.0.

For several reasons, like accidentally hitting the maximize window
button vs. close browser button, seems like there should be a pref ? or
setting that disables the maximize window icon.  That won't fix the
issue of some content making TBB go full screen.




[tor-talk] ExcludeExitNodes not working consistently?

2019-06-02 Thread Joe

TBB 8.5 Linux.
In torrc I have: ExcludeExitNodes {xx},{xx},{xx},{xx},{us}  ...[in
actual file, {xx}  are valid codes]

I also have a long list of countries under: ExitNodes {xx},... to choose
from / use.
I doubt it's having a problem creating a circuit with 33 other ExitNodes
to use (but maybe that's wrong).
But {us} is used quite often as ExitNode.

Q1: what type file should torrc be designated?  none, config or...?

Q2: Does there need to be a BLANK line between the default line in torrc:
GeoIPv6File
/home/chuck/.torbrowser/torbrowser-8.5/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6
and the next "ExitNodes" line?

Q3: AFAIK, there doesn't need to be a blank line between ExitNodes
line(s) and ExcludeExitNodes line.
Having a blank line between them doesn't affect {us} being used as an exit.

The only spaces used are between: ExcludeExitNodes and the 1st country:
ExcludeExitNodes {aa},{us}  [i.e., only commas - no spaces - separating
each country code]

I'm pretty sure this worked to exclude the US as exitnode in TBB
versions before 8.5.  Any time I looked, anyway.



[tor-talk] ExcludeExitNodes not working consistently?

2019-06-02 Thread Joe

TBB 8.5 Linux.
In torrc I have: ExcludeExitNodes {xx},{xx},{xx},{xx},{us}  ...[xx are
examples - in actual file they are valid codes]

I also have a long list of countries under: ExitNodes {xx},... to choose
from / use.
I doubt it's having a problem creating a circuit with 33 other ExitNodes
to use (but maybe that's wrong).
But {us} is used quite often as ExitNode.

Q1: what type file should torrc be designated?  none, config or...?

Q2: Does there need to be a BLANK line between the default line in torrc:
GeoIPv6File
/home/chuck/.torbrowser/torbrowser-8.5/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6
and the next "ExitNodes" line?

Q3: AFAIK, there doesn't need to be a blank line between ExitNodes
line(s) and ExcludeExitNodes line.
Having a blank line or not between them doesn't seem to affect {us}
being used for ExitNode.

The only spaces used are between: ExcludeExitNodes {aa},{us}  [i.e.,
only commas - no spaces - separating each country code]

I'm pretty sure this worked to exclude the US as exitnode in TBB
versions before 8.5.  Any time I looked, US wasn't used.




Re: [tor-talk] Information known by a cellular network provider while using and not using internet

2019-05-11 Thread Joe

On 5/10/19 12:46 AM, npdflr wrote:

I am using the term static content for details that don't change often and 
dynamic content for details that change often.

The content in bold is which I am not sure whether it is known by the network 
provider.

Bold or other formatting may not show up if tor-talk server only sends
plain text copies of messages to subscribers; or if subscribers choose
to get plain text messages.

Thunderbird & Mozilla apps interpret special characters to add simple
formatting in plain text messages.  *bold*, _underline_, /italics/. I
don't know if non-Mozilla apps recognize these tags. They may not see
any formatting.


1) While I am not using the internet:

AFAIK, regardless of internet connection, your personal mobile provider
knows much of your phone's device ID data, your geo location (if GPS
"geo-location" is enabled in settings), who you call / text (or who
calls you), probably content of texts (at least scan / log them) - like
most email providers do.  Three letter agency(ies) could also get a lot
of the same data.

You gave the provider all that identifying data anyway - or they get it
- when their sim card is in your phone, if it's turned on.  If emailing,
the only way to avoid snooping - by someone or agency or nation state,
is if both parties using strong, end to end encryption.  Starting &
ending on each party's device - if they haven't been infected.



Re: [tor-talk] REGULAR Firefox_temporary fix for disabled browser extensions

2019-05-05 Thread Joe

Thanks.
If anyone's interested - for REGULAR Firefox, changing the
"xpinstall.signatures.required" to True, didn't work for me.

But there's an updated blog post about a Mozilla workaround (for regular
Fx).
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

It involves enabling in Privacy & Security: "Allow Firefox to send
technical and interaction data to Mozilla."
They list full (simple) steps.
Which they call enabling "Studies."  Note: they say you can disable
"send technical & interaction data," once addons are re-enabled.

It said it could take hours for the "studies" to be applied to Fx &
addons to be re-enabled, but it happened in a few minutes for me.  Note:
I'm using Fx 63 _Linux, from Mozilla's site, not a Linux distro version.


On 5/3/19 11:02 PM, Mirimir wrote:

| All extensions disabled due to expiration of intermediate signing cert

https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

See https://news.ycombinator.com/item?id=19823928 for workarounds in
MacOS and Linux.




Re: [tor-talk] Tor Browser disabled NoScript, but can't update

2019-05-04 Thread Joe

Thanks to all & for the link.

A slight change this morning - that I didn't see last night (Fri
5/3/2019).
Last night I changed the about:config pref,
"xpinstall.signatures.required" to false - before I saw the post on Tor
Project's blog
https://blog.torproject.org/noscript-temporarily-disabled-tor-browser#comment-form.

Last night, the pref change & restarting TBB made no difference in NS
being disabled or in the addons manager message that the unverified
addon was disabled.

This morning - on TBB's 1st start, the addons manager allowed *NS to
load* normally & the message now says: "NoScript could not be verified
for use in Tor Browser.  Proceed with caution."

Guessing Mozilla made a change so when Firefox contacts their addons
server, it doesn't disable addons - just shows a different warning?

The newest "Proceed with Caution" warning will likely confuse or concern
many.
If it's a hard coded message, there may be no alternative. Otherwise,
"better" wording could be used.

Would it be possible when TBB automatically or manually checks for a
newer TBB version, to temporarily show a short explanation & a link to a
Tor Project page for some explanation?

Is HTTPS Everywhere (in TBB) not signed by Mozilla - rather by Tor
Project, thus no warning about it in the addons manager?

On 5/4/19 8:30 AM, Georg Koppen wrote:

Mirimir:

On 05/04/2019 12:21 AM, Joe wrote:

I've used the latest stable TBB 8.0.8 (Linux) since released with the
latest NoScript (at that time).
Today is the 1st day I saw that NoScript was disabled by TBB.

I see now that it's not a TBB only issue, but also Firefox.
A comment on Reddit said, "They [Mozilla] let their add-on signing
certificate expire and it invalidated a shitload of add-ons."

I assume it expired today?  When TBB & Fx checked for addon versions, it
saw the expired signing certificate.
There is a script listed on Reddit that supposedly will re-enable the
addons, but until Mozilla fixes the signing certificate bug, they said
the script would need running every 24 hrs.

See https://trac.torproject.org/projects/tor/ticket/30388 for temporary fix.

In addition to that: We plan to ship an updated Tor Browser as soon as
Mozilla has fixed the bug on their side. I expect Mozilla to be ready
later today so that we might be able to get a new Tor Browser out
tomorrow, or latest, Monday morning EU time. Sorry for the inconvenience.

Georg






[tor-talk] Tor Browser disabled NoScript, but can't update

2019-05-04 Thread Joe

I've used the latest stable TBB 8.0.8 (Linux) since released with the
latest NoScript (at that time).
Today is the 1st day I saw that NoScript was disabled by TBB.

I see now that it's not a TBB only issue, but also Firefox.
A comment on Reddit said, "They [Mozilla] let their add-on signing
certificate expire and it invalidated a shitload of add-ons."

I assume it expired today?  When TBB & Fx checked for addon versions, it
saw the expired signing certificate.
There is a script listed on Reddit that supposedly will re-enable the
addons, but until Mozilla fixes the signing certificate bug, they said
the script would need running every 24 hrs.

There is a new NoScript version 10.6.1, but it wouldn't be tweaked for
TBB - downloading it from AMO or NoScript's site, even if it would install.

HTTPS Everywhere isn't tagged as a legacy addon for me, but it can't
update to the new version, either.







Re: [tor-talk] Tor browser and remembering settings

2019-02-04 Thread Joe

On 2/4/19 2:04 PM, Robin Lee wrote:

Hi

There was a regression some time ago in Tor browser that it would no longer 
remember that java scripts had been allowed for specific sites. Now every time 
you start Tor browser it has forgotten all your previous settings. I thought it 
was just some temporary regression but now it has been a while and it has 
started to bug me so I thought I would ask if it is going to be fixed at some 
point?

I didn't read it closely, but I thought there was something in the 
changelog for TBB 8.0.5, that would allow users to save settings.
If it was supposed to be fixed, it's not working for me.  I still can't 
export settings.


I've played w/ copying the settings from NS Advanced tab - when "Debug" 
is checked under the Advanced tab.  Make the changes to NS you want, 
then select all in the window showing settings for the 3 levels.  Name 
it, date it - add enough info to file name so you'll know when it was 
taken, from which TBB version.  The NS settings look to be identical to 
NS in Firefox, if using the same settings.


The settings file "should" be able to export from *Firefox* & import 
into TBB, but that needs some testing.



[tor-talk] does tor-browser not use some country exits with some guards?

2019-01-17 Thread Joe

I hope I didn't already submit this question & forgot.

I'd been using TBB 8.0.3 a while - now in 8.0.4 (Linux).
A retail site said it couldn't deal with anyone outside the US.
It assumed from my exit node, I wasn't in the US.

So, modified the torrc file - which had a fairly long list of countries 
for ExitNodes {xx},{yy} (examples) specified to use.
Another 5 or 6 countries were under ExcludeExitNodes {aa},{bb} 
(examples), but not US.


I commented out all lines of the existing ExitNodes (and moved them near 
end of the file).

Then, added: ExitNodes {us}

The country {us} wasn't in any other active, non-commented lines.
But after re-reading what I already knew about specifying exit nodes, 
TBB refused to use exits in the US.

This was the edited torrc file:

DataDirectory ~/.torbrowser/tor-browser_en-US/Browser/TorBrowser/Data/Tor
GeoIPFile ~/.torbrowser/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip
GeoIPv6File ~/.torbrowser/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6

ExitNodes {us}

ExcludeExitNodes {ca},{nz},{gb},{fr},{uk}
#ExitNodes {au},{at},{be} [and many others]

It never would use any US exits - not by restarting or get-new-circuit 
or get-new-identity.

I'm positive the torrc syntax & spacing was correct.

Maybe because of the current Entry Guard's country location (Germany)?
Possibly a problem using an entry & exit - both in the "5 eyes" group? :)

When I reinstalled TBB to a new directory, started TBB once, then 
closed; added ExitNodes {us} in torrc again - same as before, but didn't 
have the commented out lines from the previous TBB installation, *then 
it used US exits.*  But, the guard's country was now different, due to a 
new TBB installation (no longer Germany).


I'm not sure if the problem was due to some Entry Guard + ExitNode 
combination, or something in the old torrc file it just didn't like?

This is the new torrc:

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

DataDirectory ~/.torbrowser/torbrowser-test/tor-browser_en-US/Browser/TorBrowser/Data/Tor
GeoIPFile ~/.torbrowser/torbrowser-test/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip
GeoIPv6File ~/.torbrowser/torbrowser-test/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6

ExitNodes {us}




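An offline check of the ExitNodes / ExcludeExitNodes lines discussed in the message above and in the 2019-06-02 "ExcludeExitNodes not working consistently?" posts. This is an added example, not code from the posters or from Tor Project; the function names and the second sample are constructed here, and the first sample is the edited torrc quoted in the message.

```python
import re

NODE_OPTIONS = ("exitnodes", "excludeexitnodes", "excludenodes")
# A country entry is two letters in braces; {??} stands for "country unknown".
COUNTRY_RE = re.compile(r"^\{([a-z]{2}|\?\?)\}$")
# ISO 3166-1 alpha-2 assigns GB to the United Kingdom; "uk" is a common slip.
NON_ISO_ALIASES = {"uk": "gb"}

# The edited torrc from the message above (the "[and many others]" tail dropped).
SAMPLE_TORRC = """\
DataDirectory ~/.torbrowser/tor-browser_en-US/Browser/TorBrowser/Data/Tor
GeoIPFile ~/.torbrowser/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip
GeoIPv6File ~/.torbrowser/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6

ExitNodes {us}

ExcludeExitNodes {ca},{nz},{gb},{fr},{uk}
#ExitNodes {au},{at},{be}
"""

# Constructed sample with the mistakes the checks are meant to catch.
CONFLICT_TORRC = """\
ExitNodes {de},{US}, {nl}
excludeexitnodes {us},{usa},{xx
"""


def parse_node_options(text):
    """Return {option: [(lineno, [entries])]} for active (uncommented) lines."""
    found = {name: [] for name in NODE_OPTIONS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # option names are case-insensitive
        if key in found:
            value = parts[1] if len(parts) > 1 else ""
            entries = [e.strip().lower() for e in value.split(",") if e.strip()]
            found[key].append((lineno, entries))
    return found


def countries(parsed, option):
    """Set of well-formed country codes on all active lines of one option."""
    out = set()
    for _, entries in parsed[option]:
        for entry in entries:
            match = COUNTRY_RE.match(entry)
            if match:
                out.add(match.group(1))
    return out


def lint(text):
    """Return a list of (code, lineno, entry) findings for the node options."""
    parsed = parse_node_options(text)
    findings = []
    for lines in parsed.values():
        for lineno, entries in lines:
            for entry in entries:
                match = COUNTRY_RE.match(entry)
                if match is None:
                    # Entries without braces are fingerprints or address
                    # patterns and are not validated here.
                    if "{" in entry or "}" in entry:
                        findings.append(("BAD_COUNTRY", lineno, entry))
                elif match.group(1) in NON_ISO_ALIASES:
                    findings.append(("NON_ISO_CODE", lineno, entry))
    # Exclusion lists take precedence over ExitNodes, so an entry present in
    # both is never used as an exit.
    excluded = countries(parsed, "excludeexitnodes") | countries(parsed, "excludenodes")
    for lineno, entries in parsed["exitnodes"]:
        for entry in entries:
            if COUNTRY_RE.match(entry) and entry[1:-1] in excluded:
                findings.append(("ALLOWED_AND_EXCLUDED", lineno, entry))
    return findings


def effective_exit_countries(text):
    """Countries left in ExitNodes after exclusions; None if ExitNodes is unset."""
    parsed = parse_node_options(text)
    allowed = countries(parsed, "exitnodes")
    if not allowed:
        return None
    excluded = countries(parsed, "excludeexitnodes") | countries(parsed, "excludenodes")
    return allowed - excluded


if __name__ == "__main__":
    for name, sample in (("message torrc", SAMPLE_TORRC), ("constructed", CONFLICT_TORRC)):
        print(name, lint(sample), effective_exit_countries(sample))
```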

Re: [tor-talk] TBB Firefox 60.4 missing custom color widget?

2019-01-01 Thread Joe

In TBB 8.0.4 / Fx 60.4.0esr (Linux), there's
no "custom colors" button to open a custom color widget.
I checked the latest *ESR* Firefox 60.4 & it ALSO doesn't have a "select 
/ create a CUSTOM color" widget or tool.  Haven't researched if leaving 
it out of ESR versions is intentional.  In regular Fx, this tool is 
still found under Preferences / General / Fonts & Colors / "Colors" 
button.  Click any of the 4 color samples (boxes) on the Fx Colors page, 
to popup the "custom color wheel."


It no longer has spaces to store custom colors in the same UI for 
creating custom colors.


If you need to save many custom colors for browser themes, web design, 
etc., AND save a color sample, it could be done in many word processors 
by adding a table, or in a spreadsheet.


In LibreOffice & OpenOffice, insert a table in a new document with at 
least 2 columns.
Create the custom color in regular Fx or apps / websites with custom 
color generators & copy the hex or RGB color code into the table.
For the color sample of each value, use the word processor or 
spreadsheet's *background color* option, for the cell beside the color 
code.


There should be a "select custom background color" option (tool), where 
a custom color value is entered & shows a small sample. Apply the custom 
BG color to the selected cell in the table or spreadsheet.


Here's an interesting "colors comparison site," that gives all sorts of 
data for using 2 colors, as in text on background. 
https://snook.ca/technical/colour_contrast/colour.html



On 12/30/18 5:55 PM, Joe wrote:

In TBB 8.0.4 / Fx 60.4.0_Linux, under Prefs / fonts & colors / colors,
there's only the pre-set 7 x 10  grid of colors to select from.  There's
no "custom colors" button to open a custom color widget.





[tor-talk] TBB Firefox 60.4 missing custom color widget?

2018-12-30 Thread Joe

In TBB 8.0.4 / Fx 60.4.0_Linux, under Prefs / fonts & colors / colors, 
there's only the pre-set 7 x 10  grid of colors to select from.  There's 
no "custom colors" button to open a custom color widget.
I couldn't determine in TBB Web Developer - Browser Toolbox if it has 
been disabled in Tor Browser, or missing in this Fx ESR version?


Regular Fx 64.x (in Linux) now uses a create custom color "ring with 
triangle inside" type of custom color selector.  In regular Fx, it pops 
up as soon as I click on the existing color sample boxes, for Text and 
Background - that are default black text & white background.


Older versions (both TBB & regular Fx) had a button at the bottom of the 
prefs / Colors popup box, to open a custom colors tool.



Re: [tor-talk] noscript 10.2 default mandatory sites, trusted sites

2018-12-24 Thread Joe

Thanks Georg.  Thanks for pointing out the noscript-control.js file.  
The path in TBB would be easier.  I'm not sure about no worries.

No worries, Tor Browser does not trust those sites. I think your
confusion above stems for a misunderstanding: we use NoScript for a very
specific purpose, which is for helping us with our Security Slider,

So with NoScript quantum (10.x) in TBB, users that don't want basically 
everything allowed, will have to put Torbutton slider on Safest, then 
pick & choose which 1st or 3rd parties they'll allow, and whether it 
will be temporary or permanent (Trusted).


The NoScript UI is deceiving.  If only the torbutton slider is moved to 
Standard or Safest, after pages load, the NS UI looks exactly the same.
That is, it shows nothing, either mode.


If TBB / NS is allowing all domains and trackers to load in Torbutton 
Standard (or however many and which), it should show which 1st or 3rd 
parties have been allowed in the NS menu.


Now, there's no indication that every domain has been allowed.  If 
they've been allowed (manually *or automatically*), they should show a 
check mark.
If they've been blocked, it should show that as well.  As is, the 
NoScript UI isn't that useful.




On 12/20/18 2:40 AM, Georg Koppen wrote:

Joe:

Many of these settings aren't brand new (some are fairly new), but I'm
not sure how some of these settings are actually used in NoScript.
If they are used "as is," or if settings in one file (say, defaults.js)
interact w/ or are overridden by other NS files.  Has anyone seen
official explanations how these sites shown as default or trusted
actually work in TBB?

All of these are from TBB 8.4, noscript 10.2.
To see the files / settings, you have to copy or extract the noscript
.xpi file to a different location (has an alpha-numeric name:
{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi, from
profile.default/browser-extension-data).

These are from the NS /legacy/defaults.js file:

"mandatory": "[System+Principal] about: about:addons  about:blocked
about:certerror  about:config  about:crashes  about:feeds  about:home
about:memory  about:neterror  about:plugins  about:preferences
about:privatebrowsing  about:sessionrestore  about:srcdoc  about:support
about:tabcrashed  blob: chrome: mediasource: moz-extension:
moz-safe-about: resource:",
   "default":"about:blank about:pocket-saved about:pocket-signup 
addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com 
bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms 
google.com googlevideo.com gstatic.com hotmail.com live.com live.net 
maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com 
nflxvideo.net noscript.net outlook.com passport.com passport.net 
passportimages.com paypal.com paypalobjects.com securecode.com 
securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com 
yahooapis.com yimg.com youtube.com ytimg.com",


Note sites like google.com, googlevideo.com, hotmail.com,
maps.googleapis.com, paypal, yahoo & yahooapis.com and many others.
Are the legacy/defaults.js sites applied "as is" in TBB?  Where is that
explained?

If they're allowed as shown, for example, I wouldn't want anything for
yahoo & their horrible security record, always enabled by default.

The following are from the noscript /common/Policy.js file. I only
scratched the surface:

  function defaultOptions() {
    return {
      sites: {
        trusted: `addons.mozilla.org
          afx.ms ajax.aspnetcdn.com
          ajax.googleapis.com bootstrapcdn.com
          code.jquery.com firstdata.com firstdata.lv gfx.ms
          google.com googlevideo.com gstatic.com
          hotmail.com live.com live.net
          maps.googleapis.com mozilla.net
          netflix.com nflxext.com nflximg.com nflxvideo.net
          noscript.net
          outlook.com passport.com passport.net passportimages.com
          paypal.com paypalobjects.com
          securecode.com securesuite.net sfx.ms tinymce.cachefly.net
          wlxrs.com
          yahoo.com yahooapis.com
          yimg.com youtube.com
          ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
        untrusted: [],
        custom: {},
      },
      DEFAULT: new Permissions(["frame", "fetch", "other"]),
      TRUSTED: new Permissions(Permissions.ALL),
      UNTRUSTED: new Permissions(),
      enforced: true,
      autoAllowTop: false,
    };
  }

Again, are these used "as is," or is there a reason they're shown here
as (always) trusted?
Many users wouldn't want some of them Trusted by default - maybe never.

No worries, Tor Browser does not trust those sites. I think your
confusion above stems from a misunderstanding: we use NoScript for a very
specific purpose, which is for helping us with our Security Slider,
while its default use in any other browser, say Firefox, is a quite
different one (giving you protections against script

[tor-talk] noscript 10.2 default mandatory sites, trusted sites

2018-12-19 Thread Joe
Many of these settings aren't brand new (some are fairly new), but I'm 
not sure how some of these settings are actually used in NoScript.
If they are used "as is," or if settings in one file (say, defaults.js) 
interact w/ or are overridden by other NS files.  Has anyone seen 
official explanations how these sites shown as default or trusted 
actually work in TBB?


All of these are from TBB 8.4, noscript 10.2.
To see the files / settings, you have to copy or extract the noscript 
.xpi file to a different location (has an alpha-numeric name: 
{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi, from 
profile.default/browser-extension-data).


These are from the NS /legacy/defaults.js file:

"mandatory": "[System+Principal] about: about:addons about:blocked 
about:certerror about:config about:crashes about:feeds about:home 
about:memory about:neterror about:plugins about:preferences 
about:privatebrowsing about:sessionrestore about:srcdoc about:support 
about:tabcrashed blob: chrome: mediasource: moz-extension: 
moz-safe-about: resource:",
  "default": "about:blank about:pocket-saved about:pocket-signup 
addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com 
bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms 
google.com googlevideo.com gstatic.com hotmail.com live.com live.net 
maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com 
nflxvideo.net noscript.net outlook.com passport.com passport.net 
passportimages.com paypal.com paypalobjects.com securecode.com 
securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com 
yahooapis.com yimg.com youtube.com ytimg.com",


Note sites like google.com, googlevideo.com, hotmail.com, 
maps.googleapis.com, paypal, yahoo & yahooapis.com and many others.
Are the legacy/defaults.js sites applied "as is" in TBB?  Where is that 
explained?


If they're allowed as shown, for example, I wouldn't want anything for 
yahoo & their horrible security record, always enabled by default.


The following are from the noscript /common/Policy.js file. I only 
scratched the surface:


  function defaultOptions() {
    return {
      sites: {
        trusted: `addons.mozilla.org
          afx.ms ajax.aspnetcdn.com
          ajax.googleapis.com bootstrapcdn.com
          code.jquery.com firstdata.com firstdata.lv gfx.ms
          google.com googlevideo.com gstatic.com
          hotmail.com live.com live.net
          maps.googleapis.com mozilla.net
          netflix.com nflxext.com nflximg.com nflxvideo.net
          noscript.net
          outlook.com passport.com passport.net passportimages.com
          paypal.com paypalobjects.com
          securecode.com securesuite.net sfx.ms tinymce.cachefly.net
          wlxrs.com
          yahoo.com yahooapis.com
          yimg.com youtube.com
          ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
        untrusted: [],
        custom: {},
      },
      DEFAULT: new Permissions(["frame", "fetch", "other"]),
      TRUSTED: new Permissions(Permissions.ALL),
      UNTRUSTED: new Permissions(),
      enforced: true,
      autoAllowTop: false,
    };
  }

Again, are these used "as is," or is there a reason they're shown here 
as (always) trusted?

Many users wouldn't want some of them Trusted by default - maybe never.

Note also - Policy.js shows the Default tab permissions are only 
supposed to be: "frame, fetch & other."
Every time I start TBB, *ALL permissions* are enabled again under Default 
tab, not just the 3 shown.  NoScript 10 in Firefox saves custom settings 
& only has the 3 permissions enabled under Default tab.


This was reported right after NS 10 landed in TBB & still not fixed.  
Like users aren't supposed to touch them. NoScript saving settings 
between sessions - if users choose - should be fairly simple.  Most apps 
outside of TBB allow it.
In TBB 8.0 - 8.4, backing up NS settings after changes still doesn't 
work, but works OK in Firefox.


It's one thing if all permissions are enabled by default so non-tech 
users can browse most sites with no interaction.  It's quite another if 
NS won't save changed settings or export them.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
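
Added example (not part of the original post, and not NoScript or Tor Project code): a small script that does the inspection described above without unpacking the .xpi by hand. It reads the two lists straight out of the archive and flags entries the user does not want trusted. The member names are taken from the paths quoted in the post, the sample archive is constructed and shortened, and the report only shows what the files declare, not whether Tor Browser applies them.

```python
import io
import re
import zipfile

# Member names inside the .xpi, assumed from the paths quoted in the post.
POLICY_MEMBER = "common/Policy.js"
LEGACY_MEMBER = "legacy/defaults.js"

# sites.trusted in Policy.js is a whitespace-separated template literal.
# \b keeps "untrusted:" from matching.
TRUSTED_RE = re.compile(r"\btrusted:\s*`([^`]*)`")
# "default" in legacy/defaults.js is a whitespace-separated quoted string.
LEGACY_DEFAULT_RE = re.compile(r'"default"\s*:\s*"([^"]*)"')


def _entries(xpi, member, pattern):
    """Return the whitespace-separated entries matched by pattern in one member."""
    with zipfile.ZipFile(xpi) as archive:
        if member not in archive.namelist():
            return []
        text = archive.read(member).decode("utf-8", errors="replace")
    match = pattern.search(text)
    return match.group(1).split() if match else []


def policy_trusted(xpi):
    """Entries of sites.trusted in common/Policy.js."""
    return _entries(xpi, POLICY_MEMBER, TRUSTED_RE)


def legacy_default(xpi):
    """Entries of the "default" string in legacy/defaults.js."""
    return _entries(xpi, LEGACY_MEMBER, LEGACY_DEFAULT_RE)


def covers(domain, entry):
    """True if a list entry is the domain itself or one of its subdomains."""
    return entry == domain or entry.endswith("." + domain)


def audit(xpi, unwanted):
    """Compare both lists and flag entries matching the unwanted domains."""
    trusted = policy_trusted(xpi)
    legacy = legacy_default(xpi)

    def flagged(entries):
        return sorted(e for e in entries if any(covers(d, e) for d in unwanted))

    return {
        "policy_flagged": flagged(trusted),
        "legacy_flagged": flagged(legacy),
        "only_in_legacy": sorted(set(legacy) - set(trusted)),
        "only_in_policy": sorted(set(trusted) - set(legacy)),
    }


# Constructed, shortened copies of the two excerpts quoted in the post.
SAMPLE_LEGACY_JS = (
    '"default": "about:blank about:pocket-saved addons.mozilla.org '
    'google.com paypal.com yahoo.com yahooapis.com yimg.com",\n'
)
SAMPLE_POLICY_JS = r"""function defaultOptions() {
  return {
    sites: {
      trusted: `addons.mozilla.org
        google.com paypal.com
        yahoo.com yahooapis.com
        yimg.com`.split(/\s+/).map(Sites.secureDomainKey),
      untrusted: [],
    },
  };
}
"""


def build_sample_xpi():
    """Build a constructed in-memory stand-in for the NoScript .xpi."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(LEGACY_MEMBER, SAMPLE_LEGACY_JS)
        archive.writestr(POLICY_MEMBER, SAMPLE_POLICY_JS)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a path to a real .xpi instead of the sample to audit a profile copy.
    report = audit(build_sample_xpi(), ["yahoo.com", "paypal.com"])
    for key, values in report.items():
        print(f"{key}: {' '.join(values) or '(none)'}")
```
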


Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-11-04 Thread Joe
In general, Tor Browser doesn't write any history to disk - by design.  
If you look in about:config at settings whether to use disk cache, it 
should be set to false.

browser.cache.disk.enable;false

If you have enough RAM, you can do the same in regular Firefox. Allow 
enough memory to handle browsing. 

browser.cache.memory.max_entry_size;512000  or 100.


RAM's a whole lot faster than a disk - even SSDs.

There have been many problems through the yrs on not deleting cache, 
cookies, history - you name it - the way it was supposed to.
I set the clear history UI to clear everything but site preferences 
(cookie exceptions).


Mozilla has changed the Privacy & Security area even more in v63, so I 
wouldn't be surprised if there are more bugs.


I used to use addons to clear cache, history, because Fx didn't do it 
completely.  Maybe 3 letter agencies are demanding (or paying) that 
history not be cleared as advertised. There have always been privacy (& 
security) issues w/ all browsers that dragged on forever.  As far as we 
know, it's still nowhere near as bad as IE of old, where they hid at 
least one history file, as a system, hidden file(s).  But you couldn't 
search & find it - no matter what.  You had to KNOW the exact, long path 
to the file & enter that before you could delete it.


Ol' Bill's a big philanthropist now. n!m





On 9/25/18 8:33 PM, Nick Levinson wrote:
On Tuesday, September 25, 2018, 2:01:04 AM EDT, Joe wrote:

> * * * * *
> Is the claim that Firefox (vs. TorBrowser, based on Firefox esr
> version) stores visited URLs in places.sqlite regardless of settings
> under Privacy & Security?
> The subject of this message is confusing.  Is it asking the
> question, "does browser remember URLs..."?
> Or telling us, "browser does remember URLs..."?
>
> You said it's years old.  I doubt that would've slipped by Tor
> Project & all users for years.
> Where is the data claimed to be stored?
>
> The title sounds like, "if Firefox remembers URLs visited before
> shutdown, then they won't be deleted, even if that's checked under
> Clear History.
> If I understand you & the subject, the claim is that even when
> "Never Remember History" is checked, it is remembering visited URLs
> *during* that session, but deletes them when the browser is closed, or
> if "Clear History" is used during the session?
>
> However, if "remember browsing and download history" is checked AND
> you DON'T have "Always Use Private Browsing Mode", TBB will remember
> history during the session, but not after shutdown.
>
> As far as I've ever seen, TBB deletes any history of any type,
> whether you have "clear history" settings checked, or not.  That's by
> design.
>
> How is it a security leak?  During a session, are sites supposedly
> able to tell which sites you visited, directly or indirectly?
>
> There was a bug in Fx many, many yrs ago - where sites could make a
> query of some type & determine if sites had been visited.  AFAIK, that
> was fixed long ago.
> During that period, users couldn't have visited links change colors.

It's about Tor, but I'll explain as if Tor is based on Firefox by 
describing the Firefox problem. Suppose it's set to Remember History. 
I visit example.com. Firefox remembers the URL. So far, no problem. 
Then I change Remember History to Never Remember History. I have no 
idea that it's still remembering example.com. Someone inspecting my 
computer can see that I visited example.com when I think they can't 
see any history. That's a security leak.


One could argue why I'd let anyone inspect my computer. However, Never 
Remember History is offered for a reason, probably as protection 
against anyone inspecting my computer.


The URLs are definitely stored somewhere. I proved that. Which file 
it's in, I don't know. It's stored somewhere available after powering 
down and powering up, i.e., through a cold boot. I tried identifying 
the exact location but failed. But it's somewhere there. I tested 
without networking or a removable (flash) drive 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1476152#c10). Therefore, 
it had to have been stored on my local hard drive.


The complaint for Firefox is years old. It still has not been solved 
for Firefox. Thus, unless Tor people monitor most unpatched Firefox 
complaints (and there are many and most of them are unimportant), Tor 
people could have missed this one. A wontfix or invalid for Firefox 
might not be a decision appropriate for Tor.


Users could easily miss it for years. The user interface says Never 
Remember History. The meaning is unambiguous. The problem is that the 
UI's meaning does not reflect the programming inside Firefox. Most 
users would never test the truth of any UI. They would trust the UI. 
Therefore, in this case, most users would be misled.


The t

[tor-talk] possible to lock TBB borders_prevent accidental resizing?

2018-10-26 Thread Joe
Does anyone know of a way to lock the TBB borders, so they can't 
accidentally be grabbed & dragged once it's opened at the assigned size, 
based on physical screen size?

Maybe an about:config pref - possibly a hidden one?

The scrollbars & slider / thumb are so narrow in recent TBB  or Firefox 
versions, on desktop versions there's a fraction of an inch between 
grabbing the slider or grabbing the window border & moving it, unless 
you're very careful.


It seems like the screen borders should be locked - to maintain the 
assigned size, the same as the borders of any app in full screen mode 
can't be dragged accidentally.



Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-09-26 Thread Joe
Sorry for this (one) top post - just wanted you & any others new to the 
Tor Browser & the whole family of software from Tor Project, not to be 
misinformed.


You cited a cookie or history issue in Firefox.  You expected Firefox 
history - accumulated during NON-private browsing, to be automatically 
cleared when (I assume) the private browsing session was ended or 
Firefox was closed.  That may or may not have anything to do with Tor 
Browser.


Firefox in Private Browsing, probably shouldn't pull data from earlier 
non-private browsing, but you can just uncheck the options under 
Preferences > Privacy & Security to stop any history from popping up in 
the address bar.  And you can check desired options to delete when 
clearing history.  TBB deletes all data in that list (if any exists), if 
the "clear history" items are checked or not, but the time frame may 
need to be "everything."  In Firefox, time span needs to be = 
Everything, or it may not clear all history.


Unless an equivalent bug was filed in Tor Project's bug system and 
accepted, https://trac.torproject.org, and that bug is still "unfixed," 
it's highly unlikely such a Tor Browser bug exists.  By design, Tor 
Browser doesn't save data to disk across sessions.  You can 
*intentionally* protect some cookies.


I've used TBB many times NOT in Private Browsing; entered a few cookie 
exceptions for sites that I knew required them.  The specific sites set 
session cookies.  In TBB "Clear History" settings, when time frame is = 
"Everything," TBB still cleared cookies whether cookies were checked or 
unchecked to clear after shutdown. Intentionally protecting individual 
cookies, under Tor Button is an entirely different matter.


Most important: in Tor Browser Bundle *(TBB)* - the "browser" part of 
the bundle IS absolutely THE Mozilla Firefox browser (TBB uses Firefox 
"esr" versions).  The Firefox version has been *EXTENSIVELY modified* to 
increase anonymity, hide real IP addresses, NOT to give up a lot of data 
(like typical browsers often do) that may / can allow web sites / 
hackers / and adversaries against privacy, to identify internet users by 
several different methods. Tor itself, isn't a web browser.  It helps 
the browser connect to the Tor network (that's very oversimplified).


2) Your comments still sound like you're trying to use another browser 
besides Tor Browser with Tor, to access the Tor Network!

Or just asking if TBB behaves the same as Firefox?
TBB does not behave the same as the standard Firefox, in many ways.
Some links to explain TBB design: Torproject.org_FAQ - Noreply Wiki 
<https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ> ; The Design 
and Implementation of the Tor Browser [DRAFT] 
<https://www.torproject.org/projects/torbrowser/design/>


* Using any other browser than Tor Browser with Tor, hoping to gain the 
same anonymity, privacy, reduced fingerprinting as "Tor Browser Bundle" 
isn't a good idea, nor recommended.  Don't use another browser with Tor, 
unless for experimenting or testing, when anonymity isn't a concern.  
Countless modifications are made to the "base Firefox" to make "Tor 
Browser."  It's far easier, with better results to use TBB.




On 09/25/2018 08:33 PM, Nick Levinson wrote:
On Tuesday, September 25, 2018, 2:01:04 AM EDT, Joe wrote:

> * * * * *
> Is the claim that Firefox (vs. TorBrowser, based on Firefox esr
> version) stores visited URLs in places.sqlite regardless of settings
> under Privacy & Security?
> The subject of this message is confusing.  Is it asking the
> question, "does browser remember URLs..."?
> Or telling us, "browser does remember URLs..."?
>
> You said it's years old.  I doubt that would've slipped by Tor
> Project & all users for years.
> Where is the data claimed to be stored?
>
> The title sounds like, "if Firefox remembers URLs visited before
> shutdown, then they won't be deleted, even if that's checked under
> Clear History.
> If I understand you & the subject, the claim is that even when
> "Never Remember History" is checked, it is remembering visited URLs
> *during* that session, but deletes them when the browser is closed, or
> if "Clear History" is used during the session?
>
> However, if "remember browsing and download history" is checked AND
> you DON'T have "Always Use Private Browsing Mode", TBB will remember
> history during the session, but not after shutdown.
>
> As far as I've ever seen, TBB deletes any history of any type,
> whether you have "clear history" settings checked, or not.  That's by
> design.
>
> How is it a security leak?  During a session, are sites supposedly
> able to tell which sites you visited, directly or indirectly?
>
> There was a bug in 

Re: [tor-talk] torbrowser login problems, no cookies set, other. trac.torproject

2018-09-20 Thread Joe
Hmm.  I'm a bit surprised no one's said either, "/works great for me/," 
or "/I have similar, or other problems" with TBB 8 and noscript 10./
I've seen a number of non tor-talk / torproject comments of similar 
problems.


Maybe it's just no one reading tor-talk ATM, has experience w/ my 
specific issues or (like me) has no "fixes" to suggest - which is OK.


On 09/19/2018 06:40 PM, Joe wrote:

If anyone can give insight, or several users each give a useful tip, I'd
appreciate it.  I'm burned out on NS v10 issues.

In Linux, TBB 8 with noscript 10.1.9.6 is giving problems, loading
content and/ or logging into sites.
There are several sites that haven't worked right since NS 10.x (latest
.1.9.6) & TBB v8.  No matter what settings, or if ALL NS settings are
allowed.

I installed SAME version NS in *Firefox 60.1 esr*.  Checked that the
"Trusted" mode in NS had same settings checked in TBB & Fx.

In TBB, I can log into trac, but loading another page (e.g. view
tickets), trac apparently sees no cookie & tells me I'm not logged in.
Trac displays messages, "Missing or invalid form token. Do you have
cookies enabled?"
"SEARCH_VIEW privileges are required to perform this operation. You
don't have the required permissions."

In TBB Prefs / Privacy settings, cookies are blocked, BUT exceptions are
set to allow session cookies on both https://torproject.org &
...trac.torproject..., and many other sites.
Disabling NS in TBB, restarting & reloading trac site - same problems.

So TBB SHOULD be allowing session cookies - it's not. This has always
worked, but we didn't have NS quantum.
Again, it's not JUST torproject site w/ a problem loading content or
logging in under TBB 8 & NS 10.xxx.

In Firefox 60.1 esr w/ NS 10.x, I have same NS settings as in TBB. The
same "cookies blocked" in preferences.
For sites w/ session cookie exceptions, I can NOT SEE cookies listed in
Fx Prefs / Manage Data - just a blank screen.
But in Fx 60, R click on any site's - "page info" - that has session
cookie exceptions stored in Fx, then I see the cookie names & content.

issue 1: Those cookies aren't visible in Fx 60 w/ NS 10.x, under Privacy
- "manage data", (formerly "show cookies").  But are visible viewing the
page info> Security tab.

issue 2: Even on some sites not requiring cookies to "work," TBB v8 & NS
v10 are having problems displaying some sites correctly, or at all.
Where the same sites will usually work in Fx 60 w/ NS v10 (same settings
as in TBB), whether cookies are needed or not for the site to work.

issue 3: In Fx 60 w/ NS 10, when restart in safe mode w/ (the only)
addon disabled, suddenly any set cookies NOW ARE visible in
Prefs>Privacy>Cookies> Manage Data.
At least in Fx 60, it appears NS 10 is what's preventing set cookies
from being visible under Privacy > Manage Data (but WERE visible under a
site's Page Info>Privacy tab - even w/ NS installed). Therefore, likely
the same NS issue in TBB.

issue 4: In TBB, I uninstalled (not just disabled) NS and restarted.  No
change.  Disabled HTTPS everywhere & restarted - logged into trac.
Same message "Missing or invalid form token. Do you have cookies
enabled?" But there are NO errors or warnings (now) in web console.

So removing NS 10 in Firefox 60esr FIXED problems of not being able to
see cookies in Fx Privacy UI.
** I ALSO compared all cookie prefs in about:config for Fx 60 vs. TBB 8.
They were all identical.  I don't think any cookie prefs were present in
one browser but not the other.

I've read the several NS 10 tutorials that NoScript's site or AMO page
link. I think I understand it - especially if using same settings in
both browsers.
I don't think there's ANY NS v10 setting that should *prevent seeing
cookies* in both TBB & Firefox.
The most important is, sites that don't work at all in TBB (with or w/o
cookies), often do work in Fx 60 w/ SAME settings as TBB 8 and NS.

Personally, NS 10 may be "Not Ready For Prime Time" under TBB 8. TBB -
itself moving to Fx quantum may not be ready.






[tor-talk] torbrowser login problems, no cookies set, other. trac.torproject

2018-09-19 Thread Joe
If anyone can give insight, or several users each give a useful tip, I'd 
appreciate it.  I'm burned out on NS v10 issues.


In Linux, TBB 8 with noscript 10.1.9.6 is giving problems, loading 
content and/ or logging into sites.
There are several sites that haven't worked right since NS 10.x (latest 
.1.9.6) & TBB v8.  No matter what settings, or if ALL NS settings are 
allowed.


I installed SAME version NS in *Firefox 60.1 esr*.  Checked that the 
"Trusted" mode in NS had same settings checked in TBB & Fx.


In TBB, I can log into trac, but loading another page (e.g. view 
tickets), trac apparently sees no cookie & tells me I'm not logged in.
Trac displays messages, "Missing or invalid form token. Do you have 
cookies enabled?"
"SEARCH_VIEW privileges are required to perform this operation. You 
don't have the required permissions."


In TBB Prefs / Privacy settings, cookies are blocked, BUT exceptions are 
set to allow session cookies on both https://torproject.org & 
...trac.torproject..., and many other sites.

Disabling NS in TBB, restarting & reloading trac site - same problems.

So TBB SHOULD be allowing session cookies - it's not. This has always 
worked, but we didn't have NS quantum.
Again, it's not JUST torproject site w/ a problem loading content or 
logging in under TBB 8 & NS 10.xxx.


In Firefox 60.1 esr w/ NS 10.x, I have same NS settings as in TBB. The 
same "cookies blocked" in preferences.
For sites w/ session cookie exceptions, I can NOT SEE cookies listed in 
Fx Prefs / Manage Data - just a blank screen.
But in Fx 60, R click on any site's - "page info" - that has session 
cookie exceptions stored in Fx, then I see the cookie names & content.


issue 1: Those cookies aren't visible in Fx 60 w/ NS 10.x, under Privacy 
- "manage data", (formerly "show cookies").  But are visible viewing the 
page info> Security tab.


issue 2: Even on some sites not requiring cookies to "work," TBB v8 & NS 
v10 are having problems displaying some sites correctly, or at all.
Where the same sites will usually work in Fx 60 w/ NS v10 (same settings 
as in TBB), whether cookies are needed or not for the site to work.


issue 3: In Fx 60 w/ NS 10, when restart in safe mode w/ (the only) 
addon disabled, suddenly any set cookies NOW ARE visible in 
Prefs>Privacy>Cookies> Manage Data.
At least in Fx 60, it appears NS 10 is what's preventing set cookies 
from being visible under Privacy > Manage Data (but WERE visible under a 
site's Page Info>Privacy tab - even w/ NS installed). Therefore, likely 
the same NS issue in TBB.


issue 4: In TBB, I uninstalled (not just disabled) NS and restarted.  No 
change.  Disabled HTTPS everywhere & restarted - logged into trac.
Same message "Missing or invalid form token. Do you have cookies 
enabled?" But there are NO errors or warnings (now) in web console.


So removing NS 10 in Firefox 60esr FIXED problems of not being able to 
see cookies in Fx Privacy UI.
** I ALSO compared all cookie prefs in about:config for Fx 60 vs. TBB 8. 
They were all identical.  I don't think any cookie prefs were present in 
one browser but not the other.


I've read the several NS 10 tutorials that NoScript's site or AMO page 
link. I think I understand it - especially if using same settings in 
both browsers.
I don't think there's ANY NS v10 setting that should *prevent seeing 
cookies* in both TBB & Firefox.
The most important is, sites that don't work at all in TBB (with or w/o 
cookies), often do work in Fx 60 w/ SAME settings as TBB 8 and NS.


Personally, NS 10 may be "Not Ready For Prime Time" under TBB 8. TBB - 
itself moving to Fx quantum may not be ready.





Re: [tor-talk] TBB 8 GUI changes

2018-09-12 Thread Joe
Can anyone in Torland confirm whether any Linux TBB version - or latest 
v8, ever uses any UI colors from the active Linux theme, that usually 
affects all Linux apps?


On 09/08/2018 02:00 AM, Joe wrote:

In Tor Browser 8 - Linux, I guess Tor Browser never uses the selected
theme's colors (in Linux Preferences - Themes), modifying scrollbars and
sliders (or thumbs, in Windows)?





[tor-talk] TBB 8 GUI changes

2018-09-08 Thread Joe
In Tor Browser 8 - Linux, I guess Tor Browser never uses the selected 
theme's colors (in Linux Preferences - Themes), modifying scrollbars and 
sliders (or thumbs, in Windows)?


TBB appears to use 
"~/.torbrowser/tor-browser_en-US/Browser/gtk2/libmozgtk.so" for some of 
its GUI effects.

It isn't an editable file.

Will TBB recognize a custom gtk2/gtkrc GUI control file, if you place it 
in the gtk2 folder?

I assume TBB uses only gtk2 to control the GUI, not gtk3?

Or is a userChrome.css file in the chrome folder the only way to alter 
the GUI?


In Linux, TBB never has picked up the selected system theme's colors or 
modifications, which always have a gtk2/gtkrc file.



Re: [tor-talk] Tor Browser Security Settings warning

2018-07-04 Thread Joe



On 04/08/2018 05:12 PM, Joe wrote:

On 04/05/2018 11:34 PM, Joe wrote:

On 04/05/2018 06:19 AM, Georg Koppen wrote:


A safe thing to do would be downloading a clean, new Tor Browser from
our website and start over again (maybe exporting the bookmarks from the
currently used Tor Browser and importing them in the newly downloaded one).

Georg

Georg (or anyone),
    I D/L TBB 7.5.6 Linux & verified w/ GPG.
Installed to new directory as you suggested.
After the clean install, Torbutton Security didn't show a msg about 
"unusual security settings."


As most know, TBB ships w/ NoScript set to allow all scripts globally 
(which NoScript warns as "Dangerous").
I changed NS to deny scripts globally, as many experienced users do (in 
TBB and other browsers).


Like many, I don't allow NS to "cascade top document's permissions to 
3rd party scripts," under Advanced > Trusted.  [for newer users, "top 
document's permissions" (the target web page's permissions) means 
whatever scripts or permissions you allowed for your target site, any & all 
3rd parties then have the same permissions].  Which could be very 
dangerous if a site is hacked with malicious scripts & NoScript says, 
"Come on in!"


Under NoScript Advanced > HTTPS, I UNcheck, "Allow HTTPS scripts 
globally on HTTPS documents," because there's generally no reason to 
allow *ALL* 3rd party trackers' or hackers' HTTPS scripts, but plenty of 
reasons not to.


Now Torbutton > Security Settings shows the "unusual security settings" 
message, "for security and privacy reasons," as if these settings are 
more dangerous than the defaults.


When I click Torbutton's Restore Default Settings, the only thing I find 
it resets is NoScript to allow scripts globally, under the whitelist 
tab.  AFAIK, it doesn't change any (other) NoScript settings, or 
about:config prefs & nothing under TBB Preferences > Privacy.


It appears that Torbutton thinks allowing scripts globally is a safer 
way to go.





Hey Georg,
What kinds of things in NoScript is the "restore default settings" 
changing?  I've never seen that restoring default changed anything 
there, and I've looked pretty deeply.
The only things I change in NS are things that improve anonymity & 
security, not hurt them.  Just like many experienced Tor users do.


Of course, anything is "possible."  Tor Project has already made the 
changes to Firefox that I'd be interested in changing, if they 
weren't already.

You said it's adjusting important settings.
If you or others can give me typical things to look at.  I'll capture 
before & after lists (TBB or NS prefs in about:config, or whatever) 
to find what it's objecting to.
I don't let NS allow scripts globally for any tracker & their brother 
track me.


I'll be honest - I've never seen resetting to default change 
anything, anywhere.  If I know where to look, it'll save me some time.


I don't allow setting cookies unless necessary AND I trust the site.
The only addon I have is uBlock Origin.  I'm pretty sure uBo isn't 
changing Tor browser settings - to be *less* secure or private.  
Maybe the reverse of that.


Still, I'd like to know what it is & maybe pursue a fix. Without some 
ad blocker (that isn't itself a tracker), quite a few sites load so 
slowly, it's almost not worth it.

News sites are crazy overrun w/ ads that just keep coming.
No one replied (yet) on "these are the main things that clicking 
_Restore Default Settings_ under TorBrowser Security Settings will 
change."
I'm not sure if this data is a guarded secret or this list just has 
few knowledgeable users or project employees to discuss it.
So did some comparison of before / after in NoScript and TorBrowser 
settings in about:config prefs - looking at which user set prefs 
changed, if any.


So far, I found resetting to default security settings (when the 
security slider = Low), causes

* NoScript is reset to allow all scripts globally and
* NoScript - Advanced/HTTPS/Permissions -  re-enables "Allow HTTPS 
scripts globally on HTTPS documents" which is the about:config pref: 
noscript.globalHttpsWhitelist; (True if checked to allow in NS).


I found no other changes.  I repeated the process of disabling those 2 
options and looking at TBB security settings.
Each time I unchecked the 2 NS options, TBB warned of "unusual 
security settings."
"For your security and privacy reasons, we recommend you choose one of 
the default security levels."  Even the low security level?


I can install a clean TBB version & make the change to "remember my 
browsing & download history," but not allow 1st or 3rd party cookies 
and see if the same warning shows.


If TBB / Tor Button is actually coded to say that allowing 100% of all 
scripts leads to better security, the message's wording probably needs 
re

Re: [tor-talk] Tor check not working or recognize TBB?

2018-07-02 Thread Joe

Thanks Tortilla.
I don't see how your reply answers the question - maybe it wasn't 
intended to.
It appears if the general.useragent.override string isn't the same as 
whatever / wherever check.torproject.org stores as a valid 
useragent.override value, it reports that you're not using TBB at all, 
which is not true.


Torproject of course wants everyone to report the same 
general.useragent.override string - that's fine.
To report that it doesn't look like TorBrowser (at all) is misleading to 
users and not helpful.
Since they must be able to see the useragent string, they probably 
should report something about the useragent being wrong or not set to 
default settings.


Downloading & extracting the same version to the same path isn't going 
to fix the problem of the useragent string being accidentally changed.  
AFAIK, it won't overwrite your prefs, unless you extract it to a 
different path.
There's nothing helpful in the message, "It does not appear to be Tor 
Browser."


If it's smart enough to throw an error for a non-default useragent 
string, it should be able to tell you why it thinks you're not using ANY 
TBB version and give a clue about what to do, instead of the current 
message that doesn't help at all.


On 07/02/2018 06:27 PM, Tortilla wrote:

You only replied to me, so I'm re-involving the list.

re: point (B) check.torproject.org doesn't look at your browser's
configuration settings - it can't inspect that kind of thing.  It's just
looking at the user agent string your browser sends *as a result of* how
that setting is set.  How it got that way is another question.


On Mon, July 2, 2018 11:13 pm, Joe wrote:

I just did check.torproject.org and as far as I can tell, the site is
working properly.
I'm using the same version as you are but Tor Browser for windows.

I tried in Linux after an auto-update:
8.0a9 (based on Mozilla Firefox 60.1.0esr) (64-bit)

I got the same warning on check.torproject.org that I'm not using Tor
Browser.  I would guess it might be an altered signature (user agent or
accept languages or other?)



Then there must be a specific setting(s) or pref or user agent or
something that check.torproject.org looks for, that isn't in my install.
*Does anyone know* exactly what check.torproject.org looks for to
determine if you're using TorBrowser?

Knowing that would shorten the search for why it's failing (never
until 7.5.6 update).
Every different assigned circuit - exit relay, check.torproject
verifies I'm using Tor network, but it doesn't appear to "be Tor
Browser."  All of the same exit IPa's entered into
https://exonerator.torproject.org show I am using a Tor address, but
that site doesn't comment whether or not you're using TBB.

In Help/About, it shows TorBrowser 7.5.6, (based on Mozilla Firefox
52.9.0)  (64 bit).
But the general.useragent.override shows: "Mozilla/5.0 (Windows NT
6.1; rv:52.0) Gecko/20100101 Firefox/52.8.1"
Does that match with everyone's useragent string for TBB 7.5.6?  I
didn't / don't touch that pref, but it shows "user set."  As I said, the
check site only started failing after last update.
I don't think I ever changed that in TBB, so there's no reason it should
show "user set." Seems like it should've changed to 52.9 after last
update, but maybe won't if it's marked as user set.

However, the ua.override doesn't mention Tor Browser, so I don't know
why that would be used as a check.
Everywhere else in About:config that mentions browser name or version,
it shows TorBrowser and 7.5.6.

APPARENT FIX: Resetting the general.useragent.override pref to default,
which changed the value to: "Mozilla/5.0 (Windows NT 6.1; rv:52.0)
Gecko/20100101 Firefox/52.0"
seems to have fixed the false message on check.torproject.org: "However,
it does not appear to be Tor Browser".  I'm fairly sure I never altered
the useragent string, as that would *extinguish* me from the bulk of TBB
users.

There must be a better way than current to detect if the latest TBB is
in use.  Now, it gives false positives, as several people testified
under risk of perjury, they were using TBB but saw the mentioned false
message.

So what did we learn from this, boys and girls? (pick the best answer,
even if it seems undefiably wrong):
A) Since Tor is an acronym for The Onion Router, and most acronyms are
capitalized, it really should be written "TOR Browser."

B) check.torproject.org looks at the general.useragent.override pref
value and likely compares it to another value, somewhere, to decide if
you're using TBB - at all, not just if the latest version is being used.

C)  D. Trump is consulting with E. Snowden, Lt. Gen P. Nakasone and Kim
Jong-un to make TOR Browser the default browser in all public schools
and libraries in the U.S. and respective countries. (unconfirmed:
someone may or may not be a terrierist; we just don't know if they like
medium sized dogs).






--
tor-talk mailing list
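
The before/after comparison of user-set about:config prefs described in the Restore Default Settings message, and the question of why general.useragent.override showed as "user set", can both be checked by diffing two saved copies of the profile's prefs.js. This is an added example, not part of the original posts and not Tor Project code; it assumes the snapshots are copies of prefs.js (which records only user-set prefs), and the snapshot contents and the pref name example.constructed.pref are constructed.

```python
import json
import re

# Firefox writes one user_pref("name", value); statement per line in prefs.js.
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

# Constructed snapshots (values are illustrative, not captured from a real profile).
SNAPSHOT_BEFORE = r'''// constructed sample: before clicking Restore Defaults
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.8.1");
user_pref("noscript.globalHttpsWhitelist", false);
user_pref("example.constructed.pref", 3);
'''

SNAPSHOT_AFTER = r'''// constructed sample: after clicking Restore Defaults
user_pref("noscript.globalHttpsWhitelist", true);
user_pref("example.constructed.pref", 3);
'''


def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = match.group(1), match.group(2).strip()
        try:
            value = json.loads(raw)  # true/false, integers, quoted strings
        except ValueError:
            value = raw  # keep an unusual literal verbatim rather than guess
        prefs[name] = value
    return prefs


def diff_prefs(before, after):
    """Compare two parsed snapshots; return (name, change, old, new) tuples."""
    changes = []
    for name in sorted(set(before) | set(after)):
        if name not in after:
            # Gone from prefs.js: the pref is back at its built-in default.
            changes.append((name, "reset to default", before[name], None))
        elif name not in before:
            changes.append((name, "newly user set", None, after[name]))
        elif before[name] != after[name]:
            changes.append((name, "changed", before[name], after[name]))
    return changes


if __name__ == "__main__":
    result = diff_prefs(parse_prefs(SNAPSHOT_BEFORE), parse_prefs(SNAPSHOT_AFTER))
    for name, change, old, new in result:
        print(f"{name}: {change} ({old!r} -> {new!r})")
```

A pref that disappears between snapshots is reported as "reset to default" because prefs.js no longer overrides it, which is what resetting general.useragent.override in about:config does.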

[tor-talk] Tor check not working or recognize TBB?

2018-07-01 Thread Joe

Yesterday, updated TBB (automatically) to 7.5.6 Linux x64.
Today, the default Tor check site (English language), 
https://check.torproject.org gave message:

"Congratulations. This browser is configured to use Tor.

Your IP address appears to be: *5.79.xxx.xxx*

However, it does not appear to be Tor Browser.
Click here to go to the download page"

From the message, I assume the Tor devs want users to download, verify 
& reinstall TBB because one check failed?


Question: what is the check process looking for (and where) to verify 
this is TBB?  Just a list of exit relays?

I got a new identity & tried again - same message.

According to several sources, it's quite possible the 
check.torproject.org site is down or malfunctioning.
Other sites, https://www.whatismybrowser.com/detect/am-i-using-tor, 
returned a "No" on the first exit relay entered, but verified "yes, 
you're using Tor" for a new Tor circuit.


The "go to the download page" is an odd, unhelpful message, especially 
if there's nothing wrong w/ the TBB install.
New or less technical users may not have a clue what to do based on that 
message.


*Instead* of an ambiguous answer if check.torproject has temporary 
problems, why not show a message with *specific alternative sites* to 
verify TBB & Tor connection, *before* doing the process of download / 
verify / reinstall TBB?  Surely that would often be faster and reduce 
usage of the download server?




--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


[tor-talk] TBB 7.5.5 detached .asc file isn't encrypted or tar

2018-06-12 Thread Joe
The detached .asc signature file for linux-64 is 
"tor-browser-linux64-7.5.5_en-US.tar.xz.asc"

GPG complains it can't verify:

gpg: can't open `tor-browser-linux64-7.5.5_en-US.tar.xz.asc'
gpg: verify signatures failed: file open error

Was a different key used to sign TBB 7.5.5 (linux64) than used for 7.5.3?

Note: it says "can't open the .asc file," not that it's a bad signature.
The files are in the same directory in my ~/Downloads directory.
TBB D/L version 7.5.3 verifies OK with the .asc file on Tor Project's 
D/L page.  I checked it again today, using the same GPG version on my 
system.


I'm not sure if it has to do with the GnuPG version that Tor Project 
used to sign the file & create the detached signature and my gpg 
version, 1.4.20, or another key that I don't have was used to sign this 
time ?


The TBB 7.5.5 .asc file (nor v7.5.3) doesn't show the GnuPG version used, 
like often seen in other .asc files, e.g., "Version: GnuPG v2.0.14."


I verify signed files all the time (that used GnuPG 2.0.x to sign) & GPG 
never complained it "couldn't open a signature file" with the same 
naming convention as the v7.5.5 program file and its .asc file.








[tor-talk] Tor Browser Security Settings warning

2018-04-03 Thread Joe
Probably around the time of recent changes in Tor Browser / TorButton, I 
started seeing a warning when I click on Security Settings in Tor Button.


Pop up title: Tor Browser Security Settings
Security Level
"Your custom browser preferences have resulted in unusual security 
settings.  For security and privacy reasons, we recommend you choose one 
of the default security levels."


After that, only a "Restore Defaults" button shows in the message - no 
options to choose from.  That's part of the problem.  If I try to check 
TBB's security level setting (low, medium, high) it always shows the 
message above.
I can click Restore Defaults, but next session - w/o me changing 
anything in between, it shows the same message if I try to check 
"Security Settings."


As far as I've ever been able to tell, clicking Restore Defaults doesn't 
change anything under the browser Preferences > Privacy tab or anything 
in NoScript.


In TBB - Preferences > Privacy, the only non-default setting I know is 
"Remember my browsing & download history" is checked.
But all data is set to be deleted when browser closes.  TBB does that 
anyway.

All other settings in Preferences/Privacy are default.

After several times (sessions), over the last few TBB versions, of 
clicking "Restore Defaults" (security settings) the next session it 
shows the same popup if I check security settings again.


Other than that, I don't know what "unusual settings" it means, or if 
Tor Button security is slightly broken?
The security slider is usually set on low; sometimes medium.  That 
doesn't affect seeing the popup.




[tor-talk] company devised process to disable Intel Management Engine

2017-12-10 Thread Joe

Not sure if this info has been posted before
>"Purism disables intel's flawed management engine on linux-powered 
laptops LINUX PC MAKER Purism has devised a process to disable the 
flawed Intel Management Engine"

https://www.youtube.com/watch?v=TGE6pABF23s

It appears Purism is selling laptops with Intel Management Engine 
disabled by...? maybe a proprietary method.

I didn't catch in the video if they said how Purism is disabling Intel's ME.


[tor-talk] "recently-used.xbel" file in TBB directory, stores data on accessed, downloaded files

2017-09-18 Thread Joe Btfsplk
This involves *at least* Linux (Mint 18.1) Tor Browser 7.04 and 7.05, 
over at least a couple months.

This seems like a huge privacy / anonymity issue.

Why is there a *"recently-used.xbel"*, file in my Tor Browser 
installation directory - in path shown and  labeled as file TYPE: "XBEL 
bookmarks" recording ACTUAL local file names, dates, times - they were 
accessed AND some DOWNLOADED files (like *.pdf) with dates and times?
~/.torbrowser/torbrowser-7.0/tor-browser_en-US/Browser/.local/share/recently-used.xbel. 
*TBB is installed in home directory: ~/.torbrowser.*


For instance, Listed is a downloaded *pdf file, about health issues* and 
many others.
All dates shown in THIS instance of recently-used.xbel seem to be in 
July and Aug, 2017, but I used the same TBB installation before and 
after the dates shown in recently-used.xbel .


In Linux, there's also a ~/.local/share/recently-used.xbel file - by 
default, but it is set as immutable, so nothing written to it.


The TBB recently-used.xbel file even shows date and time I downloaded 
TBB 7.0.4, and a random 6 digit string added after the "visited" time, 
with "Z" at the end, such as (I removed actual times & 6 digit string):


href="~/Downloads/security/tor/tbb7.0.4/tor-browser-linux64-7.0.4_en-US.tar.xz" 
added="2017-08-ddThh:mm:ssZ" modified="2017-08-ddThh:mm:ssZ" 
visited="2017-08-ddThh:mm:ss.123456Z">


Each file record shown in "recently-used.xbel" show this:
modified="Z" visited="Z">

    
  http://freedesktop.org;>
    
    
  

    
  
    
  

Also, are files in the  path  below, with .bin or .toc extensions:
~/.torbrowser/torbrowser-7.0/tor-browser_en-US/Browser/.nv/GLCache//***1af.bin 
(very long, random strings, I removed)

 
~/.torbrowser/torbrowser-7.0/tor-browser_en-US/Browser/.nv/GLCache///***1af.toc

These .bin and .toc files seem ? related to my Nvidia GPU or drivers?  
Not sure what's in them.  The same type files are written to the ~/.nv 
folder, but I don't see why they're written to a Tor Browser folder.


I don't know the meaning of  "bookmark" in this context -  in the TBB 
recently-used.xbel file.
Tor Browser is supposed to delete / not store any data to disk after 
it's closed (or not write to disk at all).




--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
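
To see exactly what a recently-used.xbel file records (paths, added/modified/visited times, MIME type and the application that registered each entry), it can be parsed offline. This is an added example, not part of the original post; the sample document is constructed in the freedesktop.org desktop-bookmark layout, and its paths and timestamps are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# Namespaces used by the freedesktop.org desktop-bookmark metadata.
NS = {
    "bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
    "mime": "http://www.freedesktop.org/standards/shared-mime-info",
}

# Constructed sample: two records with made-up paths and timestamps.
SAMPLE_XBEL = """<xbel version="1.0"
  xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
  xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/user/Downloads/constructed%20health%20leaflet.pdf"
            added="2017-08-01T10:00:00Z" modified="2017-08-01T10:00:00Z"
            visited="2017-08-01T10:00:00.123456Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="application/pdf"/>
      <bookmark:applications>
        <bookmark:application name="Firefox" exec="&apos;firefox %u&apos;"
                              modified="2017-08-01T10:00:00Z" count="1"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
  <bookmark href="file:///home/user/Downloads/constructed-archive.tar.xz"
            added="2017-08-15T18:30:00Z" modified="2017-08-15T18:30:00Z"
            visited="2017-08-15T18:30:00Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="application/x-xz-compressed-tar"/>
      <bookmark:applications>
        <bookmark:application name="Firefox" exec="&apos;firefox %u&apos;"
                              modified="2017-08-15T18:30:00Z" count="2"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
</xbel>"""


def parse_ts(value):
    """Parse an XBEL timestamp (UTC, optional microseconds); None if unparsable."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value or "", fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_recent(xml_text):
    """Return one dict per <bookmark> record: path, times, MIME type, apps."""
    entries = []
    for bm in ET.fromstring(xml_text).iter("bookmark"):
        href = bm.get("href", "")
        parsed = urlparse(href)
        # file:// URIs are percent-encoded; decode them to the on-disk path.
        path = unquote(parsed.path) if parsed.scheme == "file" else href
        mime = bm.find(".//mime:mime-type", NS)
        apps = [a.get("name") for a in bm.findall(".//bookmark:application", NS)]
        entries.append({
            "path": path,
            "added": parse_ts(bm.get("added")),
            "modified": parse_ts(bm.get("modified")),
            "visited": parse_ts(bm.get("visited")),
            "mime": mime.get("type") if mime is not None else None,
            "apps": apps,
        })
    return entries


def summarize(entries):
    """Summarize the exposure: record count, visit window, records per MIME type."""
    visits = [e["visited"] for e in entries if e["visited"]]
    return {
        "records": len(entries),
        "first_visit": min(visits) if visits else None,
        "last_visit": max(visits) if visits else None,
        "by_mime": dict(Counter(e["mime"] for e in entries)),
    }


if __name__ == "__main__":
    for entry in parse_recent(SAMPLE_XBEL):
        print(entry["visited"], entry["mime"], entry["path"], entry["apps"])
    print(summarize(parse_recent(SAMPLE_XBEL)))
```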


[tor-talk] verify Thunderbird download .asc file?

2017-09-10 Thread Joe Btfsplk
Does Mozilla not provide signature .asc files for any of the Thunderbird 
downloads - full installer or partial.mar downloads?
They used to provide them on their ftp download site, but I think 
stopped around Tbird v20-something?


Why are they concerned enough to sign & provide signature files even for 
Firefox nightlies, but not Tbird?


All they list on Tbird downloads is their "KEY" public key file.

Does anyone know a way to actually verify Thunderbird downloads with gpg 
(not hash sums)?



[tor-talk] torproject package repository

2017-08-09 Thread Joe Btfsplk
Looking at https://www.torproject.org/docs/debian.html.en, it mentions 
the repository deb http://deb.torproject.org/torproject.org 
 main.

Where distribution is the code name of the distro.
Is the only package from this repo Tor itself and not Tor Browser? If it 
does host Tor Browser, would the package also work for Mint 18.1 Serena?


However, the Torproject repo is / was already entered under "additional 
repositories" in my software manager and the signing key.
It must have been added by the distro, as I didn't know this torproject 
repo existed.


But the only package that shows up in Mint's software manager is 
"torbrowser-launcher", maintained by Ubuntu Developers 
.
I was curious if anyone used this torbrowser-launcher, or if Torproject 
devs would highly frown on it?


Its description:  "helps download & install torbrowser." Doesn't mention 
anything about it verifying TBB signature, which I always do.


This is the description:

"When you first launch Tor Browser Launcher, it will download TBB from
https://www.torproject.org/ and extract it to ~/.local/share/torbrowser,
and then execute it.
Cache and configuration files will be stored in ~/.cache/torbrowser and
~/.config/torbrowser.
Each subsequent execution after installation will simply launch the most
recent TBB, which is updated using Tor Browser's own update feature. 
where TBB would be installed."






[tor-talk] should minimizing Tor Browser reset screen size?

2017-06-01 Thread Joe Btfsplk
In Linux, it's very easy to grab TBB's drag screen bar when reaching for 
scroll bar.  I've done it several times now.
If you only move it a few px, it's hard to tell if it changed, unless go 
to a browser check site.


Appears that minimizing TBB to the panel / task bar & restoring it 
doesn't reset it to the correct spoofed H x W.

Only a new identity or restarting TBB (both restart) reset the screen size.

Shouldn't minimizing it completely, then restoring cause a reset to the 
default spoofed size?  Maybe an option under Tor button to reset it?




Re: [tor-talk] "Some Tor Relays, you might want to avoid."

2017-05-10 Thread Joe Btfsplk

On 05/09/2017 07:02 AM, nusenu wrote:

I wrote a blog post about relay groups in end-to-end position:

https://medium.com/@nusenu/some-tor-relays-you-might-want-to-avoid-5901597ad821

Yes, you did.  Thank you.  I'm not sure it'll get much notice on this 
list.  Elvis has left the building.
There's very little robust discussion of relatively technical, or 
serious anonymity / security questions or topics on tor-talk, anymore.
Apparently, most of the advanced Tor users / devs or highly advanced 
computer users left.  Your post is about a highly technical aspect that 
probably needs input of users with a deeper understanding of Tor network 
& the software.


Often (not always) legitimate, important technical questions (that 
likely *have* answers) go unanswered on tor-talk or maybe 1 brief 
reply.  Nothing like in the past with thoughtful, *technical* input from 
several individuals on the majority of serious topics or questions.

Now, it's like the lights are on, but nobody's home. :)


Re: [tor-talk] TBB uses orange Firefox icon in Linux panel

2017-04-25 Thread Joe Btfsplk

On 04/24/2017 08:47 PM, goody2shoes wrote:


On 04/24/2017 05:43 PM, Joe Btfsplk wrote:

In Mint 18.1, TBB 6.5.1 was installed to /home/user/torbrowser/. Now
updated to 6.5.2 - still same issue.
I only have one TBB launcher (icon) - on the desktop (nowhere else) &
it uses the correct green TBB globe icon.
When TBB is running, the app icon on  Mint's panel is the orange /
blue Fx icon.  Any other TBB window I open (bookmarks, NoScript
options) - also use the orange Fx icon in the panel.


In the start-tor-browser.desktop file, it shows the icon
"mozicon128.png" - which should be correct .

Any idea why this icon switch happened?


Debian Jessie 32 bit. I have torbrowser's folder in my home/opt
directory and my panel icon is linked to
/home/opt/tor-browser_en-US/Browser/browser/icons. That's where the
standard panel icon is located. Note the first iteration of "Browser" in
the path IS capitalized.

G2s
Thanks, G.  Yep, that is apparently the path the TBB desktop file 
(start-tor-browser.desktop) points for the icon.

/tor-browser_en-US/Browser/browser/icons/mozicon128.png.
As said, it worked, then it didn't.

I just edited the desktop launcher &  re-selected the same icon (was 
already using - the one you mentioned).  For now it's displaying OK in 
the panel.
Looks like that icon file was changed in the update to 6.5.2.  Maybe the 
previous file got damaged, so Linux pulled the standard Fx icon from 
another place.   I'm not sure the orange Fx icon is included in the 
Linux TBB package.




[tor-talk] TBB uses orange Firefox icon in Linux panel

2017-04-24 Thread Joe Btfsplk
In Mint 18.1, TBB 6.5.1 was installed to /home/user/torbrowser/. Now 
updated to 6.5.2 - still same issue.
I only have one TBB launcher (icon) - on the desktop (nowhere else) & it 
uses the correct green TBB globe icon.
When TBB is running, the app icon on  Mint's panel is the orange / blue 
Fx icon.  Any other TBB window I open (bookmarks, NoScript options) - 
also use the orange Fx icon in the panel.


Confusing when TBB & Firefox are both running.

Not sure when it happened - when 1st installed TBB in Mint, it showed 
correct icon on the panel.

At some point - but before any TBB update, the  panel icon switched.

I can probably hack the right icon - to the location that Linux pulls 
the icon for the panel (if it's different location than 
start-tor-browser.desktop).

Anyone know where Linux gets the panel icon for TBB?

In the start-tor-browser.desktop file, it shows the icon 
"mozicon128.png" - which should be correct .
For installed programs, I believe Linux pulls program panel icons from 
the .desktop file, under "icon="


Any idea why this icon switch happened?




Re: [tor-talk] (Correction) Tor Browser crash

2017-04-17 Thread Joe Btfsplk



I don't think this is really related to this crash. I think it's not the 
problem of the Medium page, but it might be something wrong with NoScript's UI, 
but anyway it is shown in the recording.

Blocked Objects -
.(A) Temporarily allow FONT@https://medium.com
.- - - - - - - - - -
.(S) Temporarily allow *@https://medium.com
.(S) Temporarily allow *@https://medium.com (https://medium.com)
.(A) Temporarily allow FONT@https://medium.com (https://medium.com)
.(A) Temporarily allow FONT@https://medium.com
Temporarily allow all this page
Allow Scripts Globally (dangerous)
Options...
About NoScript 5.0.2...


Do you have a 3840x2160 screen? I have no idea if TBB handles this - may be 
fine?

Yes, I have a 3840x2160 screen. The shadow takes a while to draw on a big 
screen. (But it also crashes on the unfancy LXDE running on 640x480 resolution)


"Blocked objects," not "blocked scripts?" There's a difference.

"Blocked objects" menu appears. Both scripts and fonts were blocked.

Do you have a discrete GPU card, and are you using the mfg's proprietary 
drivers?  Some (like Nvidia - maybe others) have GPU problems, causing 
crashes, freezes, black screens - if use Linux open source video drivers.


But, it could be a bug - some graphic function in which ever desktop 
you're using (you mentioned shadows); possibly NoScript and / or TBB 
can't handle it.  Have you tried temporarily disabling NS to make sure 
nothing else can cause the same issue.  Though might take a while to 
rule out "everything" else.  Folks in NS forum / support may already 
know about it.  They're usually pretty good at looking into things.  
You'll have to give full details of your OS flavor, version, etc.



Re: [tor-talk] (Correction) Tor Browser crash

2017-04-17 Thread Joe Btfsplk

On 04/16/2017 02:40 PM, m.aj...@tuta.io wrote:

Hello!


I couldn't reproduce the crash in a virtual machine with Ubuntu 16.04 64-bit 
installed.

I make a correction here: I just reproduced the crash in a virtual machine, but 
it took a few attempts to reproduce.

Virtual machine OS: Ubuntu server 16.04 64-bit with lxde desktop environment.
TBB version: 6.5.1 with default plugins.

Steps to reproduce:
Repeat the steps described in the screen recording.
After a few attempts, Tor Browser window was suddenly gone.
Click on the shortcut icon to start Tor Browser again. It does not say "Tor Browser 
is running."
I'm not an expert on meanings of all TBB debug logs.  Someone else may 
fully understand the following error:


149237***addons.productaddonsERRORRequest failed certificate checks: [Exception... "SSL 
is required and URI scheme is not https."  nsresult: "0x8000 (NS_ERROR_UNEXPECTED)"  
location: "JS frame ::resource://gre/modules/CertUtils.jsm  :: checkCert :: line 145"  data: no]

Right now, TBB won't let me into my security settings.  IIRC, for highest 
level, it says something like some pages may break or have problems.  IIRC, JS 
is blocked in highest level.  That alone will prevent many pages from loading - 
at all.

As for TBB closing - it may be a bug (or not) when you repeatedly click on the 
blocked object place holder.
In general, repeatedly clicking error popups & many other items can cause 
problems in any browser.  Clicking them 10x won't help.

Does it show you *which* objects were blocked?  Generally, when the blocked scripts 
or objects UI is displayed, you read it for info purposes & close it by 
clicking anywhere else on the page.

Most pages - or the browser - don't crash just because fonts aren't allowed to 
D/L.  Anything's possible.
Does this crashing happen when loading specific site(s), or just at TBB startup 
& home page (if showing TBB home page)?  If it's only a couple of sites, likely 
a problem w/ them.


HiDPI screen. Change the screen resolution to 3840x2160 (4k) resolution. Change "Scale 
for menu and title bars" to >2.5x

Do you have a 3840x2160 screen? I have no idea if TBB handles this - may be 
fine?


When I had to temporarily allow scripts for that page, I clicked on the NoScript (S) icon and immediately selected 
the first menu item, but that page contains downloadable fonts, so the first menu item does not say 
"Temporarily allow all this page" but says "Blocked objects." So by mistake I clicked on the 
"Block objects" menu item. Tor Browser then crashed.

"Blocked objects," not "blocked scripts?"  There's a difference.

OK, so NoScript showed you what you requested (by clicking) - I guess?  Did it 
actually show a list of blocked objects or scripts, or did it hang producing 
that UI?  If NS didn't show it, something's blocking - I assume.  If so, 
sounds like a question for NoScript support (forum).



"Later when I wanted to reproduce the crash, I had to click on the menu item [which] said 
"Blocked objects" many times in order to make Tor Browser crash."


Refer to last question.  But, why are you clicking NS menu popup item *so* many 
times?  I see no point, but maybe you've left something out.
 
Does blocked objects / scripts UI ever display correctly? (Y / N).

What happens if you wait (say 30 - 60 sec) for blocked objects UI to display?
If "blocked objects UI" isn't displaying or hangs or won't close, I'd post on 
NoScript forum.

Do you have checked in NS options, Notifications > blocked SCRIPTS to hide 
notices after x seconds?



Re: [tor-talk] Tor Browser crash

2017-04-14 Thread Joe Btfsplk



On 04/14/2017 10:03 PM, m.aj...@tuta.io wrote:

the 'blocked object' menu within NoScript didn't appear until the page fully 
loaded and clicking the menu items in it did not crash the browser.

Hello! The crash is not consistent, but when it happens, it appears to be a really strange crash. 
The same happened on some other webpages in which the "Blocked Objects" menu showed up. I 
just reproduced the crash again on Ubuntu 64bit. What I did is I repeatedly clicked on 
"Blocked Objects" right after a page was loaded. Tor browser window closed immediately. I 
cannot determine the reason of crash, and I did not see the crash reporter for segfault show up.


Could you give more info about which TBB version; which OS / version.
Any other addons / plugins besides TBB default ones?

What exactly do you mean, "I repeatedly clicked on "Blocked Objects" 
right after a page was loaded?"

What was blocked - if you know - and why do you repeatedly click on them?


Re: [tor-talk] Tor Browser Linux_don't extract to root

2017-04-14 Thread Joe Btfsplk

On 04/14/2017 11:46 AM, Jonathan Marquardt wrote:

Look, if you have malicious software running on the system with normal user
privileges, you are in big trouble anyway. There's so many things that
malicious software could do even if TBB was installed at a non-writable
location. Just as a simple example, malware could just change the location in
your TBB desktop and launcher links and still trick you into launching
malicious software. That's just a really silly example, but the point is that
once the malware is running, it is too late. Storing software in non-writable
locations is such a small useless mitigation technique in contrast to what
malware could do. I agree that putting TBB to /opt would give you a tiny bit
of extra security. But for the price of the user not being able to install
updates, that might just not be worth it. Having software being stored in
central directories is not much of a security feature.

BTW: The user profile of TBB would still be located in the home directory. It
would have to be. Malware could insert malicious stuff in there too like custom
Tor circuit settings, browser setting, NoScript rules, Add-Ons... You get the
idea.

You're correct - installing it to a "non-writable" location isn't 
necessarily the end of days.  The rest of your argument against 
improving security & anonymity contradicts some long standing practices 
of Tor Project and some basic concepts of Linux.  If there was / is no 
value of Linux installing most programs & libraries to root, they 
wouldn't do it.


100's of changes & methods that Tor Project makes w/ TBB, individually 
have small impact on overall anonymity or security. Collectively they 
make a huge difference.  If installing TBB  to root directories adds - 
some - protection, it seems as valid as 100's of changes & fixes made 
over the yrs.


  Many  trac feature changes & bug fixes to change minor TBB behaviors 
have no more impact than installing TBB to more protected Linux 
directories.  Some had zero impact on anonymity or security.


Tor Project could implement a script allowing auto-updating (or w/ a 
click or 2), or they could use a PPA to install & update it.


For yrs, there was such an Ubuntu PPA / repo & small script, to allow 
installing & auto-updating of Mozilla Fx releases, when installed to 
/usr or /opt, etc.  Seems like Tor Project could handle that.



--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
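
The disagreement in this thread turns on who can modify the files of a Tor Browser tree extracted under /home compared with a root-owned location, and on whether other accounts can enter the home directory. The check below is an added example, not part of the original posts; it classifies each entry by its mode bits and owner, and the demo tree (file names reused from the thread, plus the made-up shared.tmp and readme) is constructed.

```python
import os
import stat
import tempfile


def classify(path, uid):
    """Say who may modify path, judged from its mode bits and owner."""
    st = os.lstat(path)
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world_writable"
    if mode & stat.S_IWGRP:
        return "group_writable"
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owner_writable"
    # Not writable as-is; note the owner could still chmod a file they own.
    return "not_writable"


def audit_tree(root, uid=None):
    """Walk root and return {category: sorted relative paths}.

    Directories are included: write permission on a directory allows the
    files inside it to be replaced even when the files are read-only.
    """
    uid = os.getuid() if uid is None else uid
    report = {"world_writable": [], "group_writable": [],
              "owner_writable": [], "not_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not meaningful
            report[classify(path, uid)].append(os.path.relpath(path, root))
    return {category: sorted(paths) for category, paths in report.items()}


def others_can_enter(directory):
    """True if accounts outside the owner and group have any access bit set."""
    return bool(stat.S_IMODE(os.stat(directory).st_mode) & stat.S_IRWXO)


def build_demo_tree(base):
    """Create a small constructed tree with explicit modes for the demo."""
    browser = os.path.join(base, "Browser")
    os.mkdir(browser)
    os.chmod(browser, 0o755)
    for name, mode in [("firefox", 0o755), ("torrc", 0o644),
                       ("cached-certs", 0o664), ("shared.tmp", 0o666),
                       ("readme", 0o444)]:
        path = os.path.join(browser, name)
        with open(path, "w") as handle:
            handle.write("constructed\n")
        os.chmod(path, mode)  # set explicitly so the umask does not matter


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        for category, paths in audit_tree(base).items():
            print(category, paths)
        print("others can enter:", others_can_enter(base))
```

Run `audit_tree()` on the extracted tor-browser directory and `others_can_enter()` on the home directory; a root-owned install audited as a normal user reports everything as not_writable unless group or world write bits are set.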


Re: [tor-talk] Tor Browser Linux_don't extract to root

2017-04-11 Thread Joe Btfsplk


On 04/11/2017 03:47 AM, Jonathan Marquardt wrote:

On Mon, Apr 10, 2017 at 07:11:48PM -0500, Joe Btfsplk wrote:

What is the reason(s) the TBB instructions say do not install (extract) TBB
to root?
Is it so the TBB files will be in a location where the user has write
permissions, so that TBB updates can automatically  D/L and install?

Yes, that's the biggest advantage, I think. We don’t want superold versions of
TBB to be used, do we?
  

Other than that, does installing TBB to a location where anyone / anything
has full r/w/x permissions (like in /home), weaken the security of Linux,
compared to packages installed via a distro's software manager?

If "anyone / anything has full r/w/x permissions" in /home on your system,
you're doing something very wrong. Only the individual users should have write
permissions in their own home directories. On a multi-user system it is also a
good idea to give "world" zero permissions in your user home directory so no
other users can read your files.

Thanks.  I may be missing something here.  Anyone feel free to correct 
me where I'm wrong.
I'm not "doing" anything with /home permissions - it's Linux defaults.  
AFAIK, once a user logs into their 'nix acct, anything that writes to 
(most) files in /home can do so - w/o any prompting.


For browsers - Firefox - that's full access to most things under 
.mozilla, but not Firefox program files - installed elsewhere.  In 
/home, the user is the owner & has full r/w/x permissions for most  
files there - no PW required to change files there (once logged in).  
There're some exceptions to that, like .local/keyrings.


For TBB extracted to a folder in /home, on files I checked (tor, 
cached-certs, torrc, etc.) - the user is owner & has r/w/(x) permissions 
by default.  No PW required - like any document in /home.  So anything 
that makes it past basic defenses of the browser, NoScript, etc. - would 
generally have r/w/x permissions on most TBB files in /home - yes?


Conversely, Firefox installed to /usr & other protected directories that 
most installed apps use, by default the user or anything making it onto 
the computer don't have w/x permissions for those "program files."  
Yes?  That's part of Linux overall security.


Maybe I'm missing something.  Tor Project goes to great lengths to 
provide uncompromised TBB copies & ways to verify them, but at least in 
Linux - advises putting it in the least secure area, so  it can update 
automatically with one click?  (because TBB wasn't installed via a Linux 
software manager & therefore automatic updates wouldn't be allowed).  
Seems like that's in opposition to all the other TBB security efforts.


When Linux users choose to D/L the latest release from mozilla & install 
to /opt or /usr/local, it won't update automatically or w/ a  click, 
AFAIK.  Unless you change ownership / permissions of those directories - 
which I've read is a bad idea, security wise.  (I'm not sure the D/L 
Linux Fx ver has "update now" available in about:firefox, anyway).


But, for Fx or Tbird in /opt you can install update files from Mozilla 
easily enough using sudo.  It takes typing a few characters vs. one click.



[tor-talk] Tor Browser Linux_don't extract to root

2017-04-10 Thread Joe Btfsplk
What is the reason(s) the TBB instructions say do not install (extract) 
TBB to root?
Is it so the TBB files will be in a location where the user has write 
permissions, so that TBB updates can automatically  D/L and install?


Other than that, does installing TBB to a location where anyone / 
anything has full r/w/x permissions (like in /home), weaken the security 
of Linux, compared to packages installed via a distro's software manager?



Re: [tor-talk] installing Tor browser to alternate path in Linux

2017-03-30 Thread Joe Btfsplk

Thanks.  Every once in a while, I catch a break.  I was overdue.

On 03/30/2017 04:29 PM, m.aj...@tuta.io wrote:

Hello, Joe!

I understand that some modified versions of Firefox (such as Canonical Firefox 
and firefox.com.cn Firefox) are annoying, suspicious and hard to tune, but Tor 
Browser Bundle requires NO installation. It is portable. Just extract and run! 
It can also automatically update!





[tor-talk] installing Tor browser to alternate path in Linux

2017-03-30 Thread Joe Btfsplk
Will TBB for Linux be able to D/L & install updates OK, it's installed 
(extracted) to a different directory -like /opt?


So far in Mint 18.1, for Firefox - downloaded version - installed to 
/opt, there's no automatic update possible - AFAIK.  Also been told the 
same - right or wrong.


When Fx tar package is D/L & installed, it doesn't even show a "check 
for updates" in the about:firefox UI - by default.


So I'm not sure if TBB - Linux will automatically install updates (as in 
Windows), or if you have to D/L the new package each release & extract it?



Re: [tor-talk] TBB 6.5 screen resize not working

2017-01-27 Thread Joe Btfsplk

OK, thanks - I will.  Others can see if they also notice the following.
When TBB 6.5 (Win) opens, it doesn't align its top border w/ top of 
monitor / display (if it's supposed to).
It aligned to top of monitor in v6.08, allowed more room for resized 
screen height.


On 1/27/2017 2:12 AM, Georg Koppen wrote:

Joe Btfsplk:

With default settings, TBB 6.5 (Win) doesn't round screen sizes at all.
Browserspy.dk shows 993 x 695.  I see the pref
"extensions.torbutton.resize_windows" is still set false by default.
Toggling it to true gives different reported screen size, but not
increments of 100 or 200.

The pref "extensions.torbutton.resize_new_windows" = true (default), but
I don't find toggling both these prefs in any combo correctly rounds
screen size.

In TBB 6.08, when I tested setting "extensions.torbutton.resize_windows"
= true, it consistently rounded screens to 1000 x 800 on this monitor.
With that pref at default False in v6.08, reported screen height was odd
size - like 72x (x not 0).  But the width was *still 1000.*

In v6.5, neither width or height is rounded correctly, regardless of the
pref value.  What happened?  I thought 6.5 was supposed to fix screen
size rounding?

We fixed a bunch of issues with screen size rounding by moving our
Torbutton hack into a direct Firefox patch. If you look at our bug
tracker
(https://trac.torproject.org/projects/tor/query?status=accepted=assigned=merge_ready=needs_information=needs_review=needs_revision=new=reopened=~tbb-fingerprinting-resolution=priority)
you'll see that there are still issues open regarding our resizing
efforts, though. E.g. #14098 where you commented recently. If you think
your issue is not covered yet, please file a new bug with steps how to
reproduce it.

Georg








[tor-talk] TBB 6.5 screen resize not working

2017-01-26 Thread Joe Btfsplk

With default settings, TBB 6.5 (Win) doesn't round screen sizes at all.
Browserspy.dk shows 993 x 695.  I see the pref 
"extensions.torbutton.resize_windows" is still set false by default.
Toggling it to true gives different reported screen size, but not 
increments of 100 or 200.


The pref "extensions.torbutton.resize_new_windows" = true (default), but 
I don't find toggling both these prefs in any combo correctly rounds 
screen size.


In TBB 6.08, when I tested setting "extensions.torbutton.resize_windows" 
= true, it consistently rounded screens to 1000 x 800 on this monitor.
With that pref at default False in v6.08, reported screen height was odd 
size - like 72x (x not 0).  But the width was *still 1000.*


In v6.5, neither width or height is rounded correctly, regardless of the 
pref value.  What happened?  I thought 6.5 was supposed to fix screen 
size rounding?





[tor-talk] Tor segregation

2017-01-23 Thread Joe Btfsplk
Went to a site (won't list the URL because it's health related) & the 
short notice appeared:

"Not Implemented Tor IP not allowed."  They BWT'd me - browsing with Tor.

However, got a new circuit & page loaded immediately. Obviously, the 
exit relay's IPa was blocked.
The message was technically correct, but seems like sites could do a 
little better job explaining that it's (usually) a select few black 
listed addresses.
This was a large, national organization that understands people actually 
needing privacy.  It's one of their main promises to everyone dealing 
with their organization.


I understand sites having to protect themselves, but there's a lot of 
mainstream public education to be done about legitimate uses for Tor.
The majority of Tor news coverage from sources that are more likely to 
reach the general public seems to be negative.
As long as that's true, Tor will continue to be harder to use - 
attracting fewer new users.  The average citizen or even average CEO 
doesn't read The Guardian or similar sites that might run positive 
stories about Tor.



[tor-talk] Will enabling extensions.torbutton.resize_windows; true have a downside?

2017-01-14 Thread Joe Btfsplk
In TBB 6.08, there's a torbutton pref in about:config - 
"extensions.torbutton.resize_windows" = false, by default.

I understand it's enabled in TBB 6.5a (maybe not).

The resizing of my screen height in 6.08 is sketchy.  But if I enable 
the pref above, seems to make height resizing consistent to an even 
multiple of 100.
I wonder if there are undocumented issues with turning it on in v6.08?  
If there's good reason to leave it off in this version, even though it 
seems to improve resizing for me?


Question 2:  There's tons of discussion on sites detecting *installed 
fonts* in browsers & TBB's efforts to prevent it, or just present a 
fixed, short list of fonts.
Has anyone seen reputable data about sites detecting the named *serif 
font,* its size or the "minimum font size" in TBB?


Whether sites (that care) can detect if you changed the default Times 
New Roman font - size 16?  I've found almost nothing on that.
Secondly, the default setting in Content> Advanced, for "minimum font 
size - None" can wreak havoc on me if "Allow pages to choose their own 
fonts..." is also left checked (default).
I wonder if they can detect that you've changed minimum font size to 
something reasonable, like 13 - 14?


When pages use very small fonts & there's no lower limit in TBB,  it can 
be unreadable.   At some point, I may have to concede letting them 
detect I've made a font size change, or just not read some pages.  But, 
it's been 2 yrs for many that screen height resizing didn't work 
correctly & apparently that wasn't a giant concern.

Thanks.


Re: [tor-talk] Browserspy knows my computer time

2017-01-10 Thread Joe Btfsplk

On 1/10/2017 3:42 AM, Andreas Krey wrote:

It doesn't like tor much:

   Access denied. Your IP address is blacklisted. If you feel this is in
   error please contact your hosting provider's abuse department.

You're correct.  Browserspy.dk has a lot more Tor exits blacklisted than 
it used to.  A yr ago, I rarely saw a blacklisted address notice.  Not 
sure why - maybe hackers are trying to grab data about the site's visitors?


Usually, it only takes me getting 1 - 2 new circuits to connect; rarely 
4 - 5 attempts - goes pretty fast for me.


Browserspy.dk detects many more browser characteristics / fingerprinting 
data than several similar sites.

Panopticlick didn't show that my real computer time can now be accessed.

I have no affiliation with Browserspy.dk in any way.


[tor-talk] TBB initial default UI size overlaps Win task bar

2017-01-04 Thread Joe Btfsplk

Key words are "initial default UI size."
Like many, I've had problems with TBB spoofing the correct screen sizes 
to sites like browserspy.dk & panopticlick.eff.org.
The https://trac.torproject.org/projects/tor/ticket/9268 - about TBB 
screen sizing (rounding, spoofing) says it's closed.


Mike P. commented in #9268, "This bug has drifted. I think we should 
open new bugs for remaining issues with the rounding code that aren't 
quite a mishmash of ancient issues and dead code. Current related bugs 
that will remain open are #14098, #14429."  I don't know 
where to add my findings.


I read through the other 2 (a lot there).  Most details either don't 
seem to apply in my case, or described behavior isn't what I'm 
experiencing (exactly).


Today, D/L clean 6.0.8 (Win).  Installed clean in new folder.
Left all default settings - didn't even change NoScript settings, for 
screen size testing.


1st time started TBB, the *vertical* ht (total) exceeded my 22" WS 
monitor - went below Vista's taskbar, by about 27 - 30 px.
My taskbar is "stock" - never resized it - it's ~ 3/8" high.  The very 
top TBB's border was perfectly aligned w/ top of my monitor.
Browserspy reported screen size as 1000 px W x about 9xx px H (not an 
even number).


To see how far TBB went below the task bar, I unchecked "keep taskbar on 
top of applications."
Surprise, when I re-enabled that option, the TBB screen height suddenly 
"resized" its height to fit perfectly between top of monitor & top edge 
of task bar.  I restarted TBB - again it went below the task bar.  
Disabled / re-enabled the taskbar to stay on top & again TBB's height 
adjusted to fit between the taskbar & top of monitor.


Then... I restarted TBB again.  This time TBB's bottom border was ~ 
7/16" *above* the taskbar, with top border still aligned to top of 
monitor.  Then Browserspy reported 1000 px W by 729 "available height" 
(what ever that means).


1) Does anyone using Windows ever see TBB width AND height reported as 
even numbers - or multiples of 100?  If so, what site or tool is 
reporting that?


2) For those seeing even H & W multiples, is your TBB usable screen area 
*actually* square, or is that just what TBB reports to sites?
My TBB *actual* usable screen is 3" wider than tall.  That's between 
inside of L & R borders; btwn bottom of Nav bar & top of taskbar.


3) Except for amazing coincidence, I'm guessing TBB's total height would 
never perfectly fill the space between monitor's top & taskbar's top 
edge (and expect a multiple of 100).


4) What's TBB's spoofed screen W : H ratio *supposed to be* (now)? X by 
X, in multiples of 100?  So, square?  I can't keep up w/ all the changes.





Re: [tor-talk] Self-deleting scripts in http connections

2016-12-21 Thread Joe Btfsplk



On 12/8/2016 7:10 AM, Jonathan Marquardt wrote:


Such an attacker could insert some JS or cookies etc. to track a user around
the web or more dangerous attacks like stealing user data. The possibilities
of JS are far-reaching. In the worst case scenario, JS can be used to exploit
a user's device and gain privileges within the OS. Such an attack has just
been discovered last month *on this mailing list right here.*


Details?  Missed that memo.


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-19 Thread Joe Btfsplk

On 12/19/2016 5:05 PM, Roman Mamedov wrote:

On Mon, 19 Dec 2016 18:20:41 -
"podmo"  wrote:


I could ...turn AMT off entirely.

Unfortunately that's only what it wants you to believe. With the capabilities
it has, and with its code being entirely closed source and unaudited, for a
truly secure system you can't rely on this "Okay I'm now turned off!"
make-believe.

Can't rely on "not using the on-board NIC" as suggested above either; it's
still a separate computer in your CPU, running proprietary code, and having
full read/write access to your RAM. It can mess with your apps, OS and
security in all sorts of interesting ways, and you can NOT be absolutely
certain that it doesn't.

You may be correct - or could be partly / totally wrong, as well. Do we 
have enough info to know who's right or wrong & what capabilities it 
absolutely has?

Unless there's official, credible papers that no one mentioned.

If it's as bad as some say, question is, what will smaller, poorer, less 
technical countries do?

Let all their secrets become an open book?
What will users do?  If half of the claims are true, this is beyond 1984 
- Big Brother.
Once inexpensive gov't technology is developed (not requiring $millions 
to abuse), it's often obtained by criminal element or insane dictators.



Re: [tor-talk] NoScript problems after TBB 6.08 update

2016-12-19 Thread Joe Btfsplk



On 12/19/2016 12:41 PM, podmo wrote:

On December 18, 2016 10:07 PM, Joe Btfsplk wrote:

Never mind.  The last NoScript 2.9.5.2 update included in TBB 6.08
overrode some of my settings.
It changed the option "Allow HTTPS scripts globally on https documents"
from unchecked to checked.


FWIW, mine (Linux) didn't do this. Am on 6.0.8 and 2.9.5.2 as well and
under Noscript Advanced/HTTPS/Permissions/Allow... it's set to unchecked.


I don't know if that one NS option was changed *by the addon* (NS) 
included IN the TBB update, or changed as part of the TBB update process.
Looking at the BU of NS settings just before the TBB 6.08 update, it's 
clear I had "Allow https scripts globally" disabled.


And I definitely didn't recently change that option manually- no reason to.
But right after updating TBB 6.08 & noticed no scripts blocked on https 
sites, I did a NS settings BU before uninstalling NS.  That settings BU 
showed the pref was enabled.


So I don't know how else it got changed, except by NS or TBB update process.
Since the default NS setting for this is disabled, not sure  how. The 
TBB "extension-overrides.js" file doesn't include this pref to override 
NS default.



Re: [tor-talk] NoScript problems after TBB 6.08 update

2016-12-18 Thread Joe Btfsplk
Never mind.  The last NoScript 2.9.5.2 update included in TBB 6.08 
overrode some of my settings.
It changed the option "Allow HTTPS scripts globally on https documents" 
from unchecked to checked.


Normally, updating addons in Firefox doesn't change previous users' 
custom settings.  Nor does updating Firefox change users' previous 
custom settings.


I had probably already updated NS to 2.9.5.2 before TBB 6.08 came out 
and that setting wasn't enabled.  A BU of NS settings before TBB 6.08 
confirmed this.
I suppose we have to export settings for all addons *included* in TBB, 
before upgrading TBB.  Then restore each addon's backed up settings - if 
they have that option.


Caveat to this - there may be new or modified options in TBB included 
addons, where restoring settings from previous addon versions may mess 
things up.
The other choice (like here) after every TBB update is, spend hrs going 
thru every option page of every included addon - verify every setting - 
until you find the change that's causing you issues.  I don't have time 
for that.


In this case, when it enables "Allow HTTPS scripts globally..." it 
allows every 3rd party script known to man.  Even ones with bad reps, if 
they're on an HTTPS site - with or w/o a site's permission or 
knowledge.  (sites never get hacked)



On 12/18/2016 1:54 PM, Joe Btfsplk wrote:

After 6.08 TBB (Win) update, anyone had problems w/ NoScript not showing
any detected domains in the status icon list ?
It doesn't show the current site's or *most* 3rd party domains in the
status list.

It does show the current site's domain under "Untrusted" selection in
the list (as "mark Example.com as untrusted").
It may show some 3rd party domains under Untrusted (but not MARKED as
untrusted), that don't show in the main list.
No, scripts aren't allowed globally & that about:config pref confirms
that setting.  Even if scripts were globally allowed, detected sites
would still show up as allowed in the status list.

I uninstalled / reinstalled NS - no change.  If no one's seen this
problem, I'll delete the TBB folder & do a fresh install.




[tor-talk] NoScript problems after TBB 6.08 update

2016-12-18 Thread Joe Btfsplk
After 6.08 TBB (Win) update, anyone had problems w/ NoScript not showing 
any detected domains in the status icon list ?
It doesn't show the current site's or *most* 3rd party domains in the 
status list.


It does show the current site's domain under "Untrusted" selection in 
the list (as "mark Example.com as untrusted").
It may show some 3rd party domains under Untrusted (but not MARKED as 
untrusted), that don't show in the main list.
No, scripts aren't allowed globally & that about:config pref confirms 
that setting.  Even if scripts were globally allowed, detected sites 
would still show up as allowed in the status list.


I uninstalled / reinstalled NS - no change.  If no one's seen this 
problem, I'll delete the TBB folder & do a fresh install.



Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-17 Thread Joe Btfsplk

On 12/17/2016 4:08 PM, Roman Mamedov wrote:

On Sat, 17 Dec 2016 21:48:51 -
"podmo"  wrote:


It cannot be used to access all your data remotely. That
only works if you have all AMT features enabled, and you have a special
device called a BMC card plugged into your computer and connected to the
network.

The whole point of Intel AMT is that you CAN manage your computer remotely
without it having a separate BMC plugged in (e.g. see [1]). AMT itself is in
effect an integrated BMC by its own. After that the entire "well-written,
rational response" falls apart, the author clearly has not even a single clue
of what he's trying to talk about.

[1]
http://support.radmin.com/index.php?/Knowledgebase/Article/View/9/9/How-to-set-up-Intel-AMT-features

I'm no expert on Intel ME capabilities (by any stretch), but from the 
little I read from more "professional" sources, it does provide ability 
to remotely access computers.
Assuming they have the expertise & required data access to it. Those 
professional sources could also have some things wrong, or partly 
wrong.  Confirmed technical details on this topic aren't exactly 
published on Intel's site.


If it gets to the point where it's common knowledge to every hacker how 
to even partially misuse the ME, then Intel will have made a grave 
business decision.  At that point, they'd have to discontinue it, 
perhaps give refunds for unusable computers or issue permanent fixes - 
to close the holes.  If it becomes common knowledge & they don't take 
drastic action, they'd suffer tremendously.  That's not to say they 
might not leave a better protected opening for government agencies.


What are all the countries - businesses, governments around the world 
going to do?  Buy computers that are open books to even 1 or 2 top level 
agencies of a few key "democratic" countries, much less hackers freely 
trading (Intel ME) "Both the keys and the toolchain, as well as the 
source code," as Podmo stated?

I doubt it.


Re: [tor-talk] Another issue "never remember history" at Tor browser setting didn't last for actualisation

2016-11-29 Thread Joe Btfsplk

On 11/29/2016 1:00 PM, tort...@arcor.de wrote:



It doesn't show "Clear history when TBB closes," because there is no history 
saved after a session in private browsing.

Yes, but sometimes you want to clear the cache and cookies during a session 
without closing the Tor Browser.
Just as if you don't trust the browser doing that automatically.

You can still do that - easily.  From browser Customize menu, drag the 
"history" icon to the navigation toolbar - where NoScript & any default 
addon icons may appear.  Not all show an icon by default.  Exit Customize.
To clear history, click the toolbar icon, then "clear recent history."  
Note:  shortcut Ctrl + Shift + Del also brings up same clear history UI.


A window should pop up - you can decide which items to clear by checking 
/ unchecking boxes.  The selections of what to clear may? be saved over 
sessions.
If you want all history cleared immediately, choose "Everything" for 
time period.  Or another time period.
Of course, TBB doesn't retain any history after sessions or getting new 
identities.


TBB & any program deleting history or files this way isn't the same as 
securely erasing or "wiping" them.  They can still be recovered, until 
the area that data occupied on a disk is over written.  By anyone w/ 
local access to a device, or possibly remotely by advanced adversaries 
that manage to get proper programs loaded on a device w/o owners' 
knowledge.  Not a common occurrence, but theoretically not impossible.


The only way I know to securely remove files, data that were just 
"deleted" from browsers, email clients is to wipe or over write "free 
space" on the partition where the deleted files were located. A few 
programs offer secure erasing of data that you're about to delete, but 
not many.

NoScript


The rest I had a hard time following.  Are you saying that NoScript - or
something - is preventing using searches - especially in private browsing?

That was my point. There was no search after the first possible; annoying 
NoScript-Cross-Scripting notices with every search after the first. After 
deleting the XSS-box content and pasting the ticket-mentioned lines into it the 
Tor Browser worked fine again with every search engine.

I didn't experience any search engine issues with NS, for some reason.  
Maybe it only occurred in NS v2.9.5.1, which I never updated.   Anyway, 
Trac ticket #20752 says the issue is fixed in NS 2.9.5.2.  
https://trac.torproject.org/projects/tor/ticket/20752




Re: [tor-talk] Another issue "never remember history" at Tor browser setting didn't last for actualisation

2016-11-28 Thread Joe Btfsplk

On 11/27/2016 8:04 PM, tort...@arcor.de wrote:

You can check that from default "Use custom settings for history" to "Never remember 
history". But it is not saved.

Probably because when you switch to Never remember history, that's the 
same as Always use private browsing.  It switches to that wording.
Once you change to Private Browsing or Never remember history, it should 
be prompting to restart.  Is yours?

If not, you may think about a clean TBB reinstall.


You can click on "You may also want to clear all current history." in the mode "Never remember history". But 
you can't check "Clear history when Tor Browser closes" during the default setting "Use custom settings for 
history", it is greyed and does not turn blue while your mouse is over it nor "Space" key is doing to check it.

It doesn't show "Clear history when TBB closes," because there is no 
history saved after a session in private browsing.  It's either not 
saved at all or automatically deleted at session end, so no point in 
checking an option to do what it does automatically.
I wonder if it's offering the "You may *also* want to clear all current 
history" when switching FROM a normal session to Private Browsing, just 
so there's nothing left from the non-private session?

1. That NoScript issue appears not only when the "security slider is set to "Medium-High" or 
"High"" but also to Low. You have one search for free before NoScript prohibits any further 
search.

The rest I had a hard time following.  Are you saying that NoScript - or 
something - is preventing using searches - especially in private browsing?
1) sometimes google searches don't work at all, or present captchas in 
any mode of TBB.  Often depending on the IPa or country of exit relay.  
So it not working great isn't that unusual.
2) Other search engines work OK in private browsing for me (few times I 
tested it).
3) Once in a while, other search engines (besides Google) give captchas 
or "we're sorry" or just blank screen  - to deny access, no matter what 
browsing mode in TBB.
Often, if you change the exit relay, they'll let you right in - 2 
seconds later.



Re: [tor-talk] Research - Tor and the shaping of resistance technologies

2016-11-08 Thread Joe Btfsplk

On 11/8/2016 2:45 PM, COLLIER Ben wrote:

Hello all,

Greetings from (currently freezing cold) Scotland. I'm a researcher at the University of 
Edinburgh studying antisurveillance technologies, software development and how these are 
shaped at different levels by ideas about crime and surveillance. I'd describe my work as 
criminological but with a strong critical dimension - my research isn't about 
"fighting crime" or developing cybersecurity policy.



  I have a background in (statistical) programming and I'm particularly 
interested in finding out how people see these issues playing out in practice 
in their work.

While I'd like to carry out more in-depth research in the new year, at this 
stage I'm interested in making sure I'm asking the right questions. As such, 
I'd be very grateful if anyone involved in Tor development, either as a core 
developer or as a volunteer, would be interested in having a chat, or if 
possible a short interview. Any discussions would be anonymous and carried out 
in accordance with the ethics policy of the University of Edinburgh, and you 
would be able to withdraw consent for participation at any time for any reason 
- or none at all.

I'll be contactable at this email address (listed in my signature) and on the 
IRC channels as JHistone - if you're interested (or just want to say hi or have 
a chat) please feel free to get in touch.

Best wishes,

Ben Collier

Doctoral Researcher
The University of Edinburgh

SCCJR profile: http://www.sccjr.ac.uk/about-us/people/ben-collier/
Edinburgh University profile: 
http://www.law.ed.ac.uk/research/students/viewstudent?ref=339
Twitter: @JohnnyHistone
Email: s1263...@sms.ed.ac.uk


Hello Ben,
We've heard this tor-talk@lists.torproject.org is not frequented as much 
as it used to be by Tor developers & organizational members.
You might want to check these lists, depending on which area you want to 
ask questions in a specific area of Tor or Tor network.


https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions  and
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Don't know how many Tor organization members you'll find, but you may take a 
look at https://tor.stackexchange.com/.
Can't hurt to put out the word there.


I'm interested instead in exploring the power relationships, social and technological 
factors which determine how actions and communities are labelled criminal, and include 
harms caused by states and other powerful actors which may not traditionally be 
considered as "crimes".

From this perspective, I would like to explore how the values and perspectives 
of people who develop software to resist surveillance and promote anonymity online 
shape the technologies they work on, and whether this expertise changes how they 
see these issues.

I assume you're going to interview people from both sides of the fence, or else 
you'll have fairly one sided research?
Law enforcement's / governments' views are much different than activists under 
a dictatorial regime.

Good luck.



--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] What is required in order to view YouTube HTML5 in TorBrowser?

2016-11-03 Thread Joe Btfsplk

On 11/3/2016 12:56 AM, maddonkeyk...@safe-mail.net wrote:

What is required in order to view YouTube HTML5 in TorBrowser?

You don't have to allow all scripts on YT's site.  To view in TBB - 
directly off youtube, you'll have to allow youtube.com, ytimg.com & 
googlevideo.com.  The latter sometimes only appears in NS menu *after* 
loading the 1st two.


(1) Yes, I know about youtube-dl and it works and is nice but it's a PITA to 
use when you want to browse quickly from video to video

It's one of the only ways if you don't want to allow any scripts in a 
browser.  The safest way is to d/l a file, then go offline  before viewing.


You can try forcing VLC or such thru Tor network by entering Tor's port 
#.  But, depending on the software & its version, there's always a risk 
of Torrified software leaking data or not strictly using the Tor 
network.  I'm not an expert on using VLC or any other for this.  There 
may be a way to configure it to generally stay inside Tor network, but 
there's always a chance a "special" file, or some updates in the program 
could cause problems.


Part depends on what type / level of anonymity you need here. Consider 
the site operator - possible adversary:  *Google*.
An independent site - Bob's Crazy Sloth videos.com - if it's legit & 
hasn't been hacked, may not be much worry.
If any non-government entity on the planet has the resources to exploit 
weaknesses to identify you, it'd be Google.




Re: [tor-talk] Tor and forward email to Spam folder.

2016-10-24 Thread Joe Btfsplk


On 10/24/2016 7:46 AM, Jason Long wrote:

Thus google store my IP address? How can I see "X-Originating-Header"?



Google will store *any* data it can get its grubby paws on.
Often, if you add the email address to your contacts list (in the 
providers web mail settings), it won't mark messages as spam.
Some providers even have an option like, "Don't mark as spam if sender 
is in my contacts list."  Just like Tbird does.



Re: [tor-talk] tor and BlackBerry

2016-10-21 Thread Joe Btfsplk

On 10/21/2016 2:01 AM, Petrusko wrote:

That's why a smartphone with Firefox OS (or Boot 2 Gecko now, by
community) was my 1st choice... But sadly no way to use TBrowser as I
wrote on another thread :(

Wait - TBB won't run on FxOS?  So a modified Firefox won't run under 
Firefox OS?

I've never checked into this, but assume there's a good reason?

Is it going to matter if TBB won't run on FxOS?

Mozilla's Firefox OS isn't strictly speaking dead, but it may as well 
be as far as smartphones are concerned. The company announced via email 
that it would stop supporting the mobile OS after releasing Firefox OS 
2.6 (currently slated for the end of May), 
- https://www.engadget.com/2016/02/04/mozilla-gives-up-on-firefox-os/




Re: [tor-talk] tor and BlackBerry

2016-10-20 Thread Joe Btfsplk

On 10/20/2016 1:24 PM, Jason Long wrote:

Hello.
Tor developed for android but why not BlackBerry? BlackBerry devices based on 
security and why tor not developed for them?

I don't know the answer.  Maybe they developed for Android because there 
are so many phones?  That reason alone doesn't mean it's a good idea.
But doesn't it seem like using Android and trying to make it anonymous / 
leakproof is starting with a huge disadvantage?


If users really want anonymity, why start with Android (Google)?
It seems like the same applies to using Gmail & complaining that it 
doesn't work well with Tor Browser.  Why not use another provider - that 
*isn't* the world's most notorious, commercial privacy invader?


Tor devs don't use Chrome in Tor Browser - for good reason.


Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-10-07 Thread Joe Btfsplk

On 10/5/2016 11:23 AM, Mirimir wrote:


Yes, it's partly that residential IPs are (or have been, anyway)
dynamic.

I guess that depends on the provider and exact type of service. AT&T 
"digital" (Uverse) residential internet hasn't had dynamic IPa's for 
several yrs.
In many places, they discontinued DSL  service, forced you into Uverse, 
then jacked up prices.  As did some other providers, in some areas.  
Some people  near me say they also have static IPa on other providers.


I don't know if static IPa are now easier / cheaper for them to 
provide.  Used to be the opposite - static cost more.
Or, if static IPa's make it easier for all concerned to track users long 
term?


I've tried to change IPa - to see if it's possible.  Didn't work. It may 
be possible (read quite a bit on it), but not easy.  AFAIK, not 
something that will happen in a few minutes or hours.
Some say they power down modem / router / computer for days.  When they 
restart, have the same IPa.


Apparently, the provider reserves that address, until maybe you 
discontinue service.  I'm sure the company provided (required) modem 
has, or gets a unique identifier when you register  for the 1st time.


I'm guessing, even if you found how to delete that, then you couldn't 
access their service, until you called & did the process again.






Re: [tor-talk] problem reinstalling NoScript

2016-10-05 Thread Joe Btfsplk

On 10/4/2016 11:50 PM, krishna e bera wrote:

On 04/10/16 10:03 PM, Joe Btfsplk wrote:

In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving.
It wasn't showing many trackers in the icon drop list, on sites where
there would be plenty.
I UNchecked "Allow Scripts Globally."

I uninstalled it - closed TBB.  Removed  NoScript entries in pref.js &
restarted TBB, then reinstalled fresh NS copy - 2 separate times.
Didn't fix it.

Without seeing whatever was left in your TBB folder from previous
self-updates and from other add-ons or from data saved during sessions,
it is difficult to figure out what is going on.

I gave up trying to manage separate addons and settings in TBB long ago
because the interactions between parts is complex and more importantly
every bug that came up could be fixed by
removing the whole TBB directory and starting from scratch.

I see what it is now, that was allowing all 3rd party scripts, while 
scripts for the base domain were blocked.  It's a NoScript setting that 
Tor devs put in the \Tor 
Browser\Browser\TorBrowser\Data\Browser\profile.default\preference\extension-overrides.js 
file.


They enable the Pref "NoScript.CascadePermissions" - that corresponds to 
Options > Advanced > Trusted - *"Cascade top document's permissions to 
3rd party scripts."*

In NoScript, it's disabled by default.
Note:  The section title for these options is "Additional permissions 
for TRUSTED sites."


If you have scripts blocked globally, or just one base domain has 
scripts *blocked*, AND the option "Cascade...permissions..." is 
*checked*, scripts from the base domain are blocked but it allows ALL 
3rd party scripts, even though the base domain is still blocked.


I doubt this is how most users expect this to work.  I'm not sure Tor 
devs knew it works this way, when the base domain is blocked.

I hope they didn't know & didn't do this intentionally.

Even though the section says the settings are for "trusted" sites. I 
think this is a bug of sorts.  Off hand, I can't think of a reason to 
block base domain scripts but allow all 3rd party.  The main site 
probably won't work anyway.


If you *block* the base domain, then it's not trusted, in this context.
In that case, all 3rd party scripts below it should also be blocked.  
Seems logical that Cascading the permissions should be dependent on base 
domain being allowed (trusted).  Lots of prefs are dependent on other 
conditions being met, or else the pref is inactive.





[tor-talk] problem reinstalling NoScript

2016-10-04 Thread Joe Btfsplk

In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving.
It wasn't showing many trackers in the icon drop list, on sites where 
there would be plenty.

I UNchecked "Allow Scripts Globally."

I uninstalled it - closed TBB.  Removed  NoScript entries in pref.js & 
restarted TBB, then reinstalled fresh NS copy - 2 separate times.  
Didn't fix it.
TBB has an "extensions-overrides.js" file in Partition (X):\Program 
Files\Tor Browser 4.5.3\Tor 
Browser\Browser\TorBrowser\Data\Browser\profile.default\preferences, 
that replaces some of NS default settings.  It also removes default 
whitelisted sites that Giorgio added (lots of google sites & others - 
google.com, gstatic.com, etc.).


Removing the whitelisted sites via extensions-overrides.js shouldn't 
cause them not to show in the NS icon drop list.  Besides, it wasn't only 
the removed NS whitelist trackers not displaying.


In TBB, NS  hardly showed any trackers (Allow Scripts Globally still 
unchecked).  But did show them under the Untrusted grouping, but none 
were marked untrusted (that's normal).

On the same pages in Firefox there were many trackers.
I compared TBB's reinstalled NS settings to Firefox - appear almost the 
same.  I doubt the 2 differences I found  caused the problem?


I got NS in TBB to display all trackers - no real clue.  In TBB, under 
Advanced>Trusted, the "Cascade Top Document's permissions to 3rd party 
scripts" was checked... but *none* of the pages I loaded had *base 
domain* scripts allowed - I checked (so that shouldn't have caused the 
problem).  I unchecked the "Cascade..." option, anyway.  Maybe there's a 
bug w/ those 2 settings in NS?


The only other NoScript diff  in Fx & TBB was Appearance tab > "Allow" 
was checked in one & not the other.  I made them the same.  I can't see 
that causing this issue either.

Tried some new sites & both browsers show the same trackers - for now.

Anyone seen a similar NoScript problem or any clues what caused trackers 
not to show up, based on what I found?



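An added example (not from the thread and not Tor Browser's or NoScript's own code): a small Python audit of the `pref()` overrides file that the post above and the reply before it describe, listing which NoScript settings come from the overrides file rather than from the user. The sample file contents and the pref names `noscript.cascadepermissions` and `noscript.global` are assumptions; names are compared case-insensitively so the reply's spelling also matches.

```python
import re

# Constructed stand-ins for TBB's overrides file and the profile's prefs.js.
# Pref names are assumed spellings, matched case-insensitively.
SAMPLE_OVERRIDES = r'''
# Overrides for Extension Preferences (constructed sample)
pref("noscript.global", false);            // "Allow Scripts Globally" off
pref("noscript.cascadePermissions", true); /* option the post found checked */
pref("noscript.default", "about:blank https://example.invalid/#frag");
// pref("noscript.commentedOut", true);
pref("extensions.example.firstrun", 3);
'''
SAMPLE_USER_PREFS = 'user_pref("noscript.global", false);\n'

CASCADE = "noscript.cascadepermissions"  # reply spells it NoScript.CascadePermissions
GLOBAL = "noscript.global"               # assumed name for "Allow Scripts Globally"

_STRING = r'"(?:\\.|[^"\\])*"'
# A string literal is matched first so that // or # inside a value survives.
_SKIP = re.compile(_STRING + r'|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_PREF = re.compile(
    r'\b(pref|user_pref|sticky_pref)\s*\(\s*(' + _STRING + r')\s*,\s*('
    + _STRING + r'|true|false|-?\d+)\s*\)\s*;')


def strip_comments(text):
    """Drop //, # and /* */ comments while leaving string literals intact."""
    return _SKIP.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def _convert(raw):
    """Turn a pref literal (bool, int or double-quoted string) into a value."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text):
    """Return [(kind, lowercased name, value)] per statement, in file order."""
    return [(kind, _convert(name).lower(), _convert(value))
            for kind, name, value in _PREF.findall(strip_comments(text))]


def effective(overrides_text, user_text=""):
    """Model Firefox precedence: user_pref() values win over pref() defaults."""
    defaults, user = {}, {}
    for kind, name, value in parse_prefs(overrides_text) + parse_prefs(user_text):
        (user if kind == "user_pref" else defaults)[name] = value
    return {**defaults, **user}, defaults, user


def audit(overrides_text, user_text=""):
    """List NoScript prefs that come from the overrides file, not the user."""
    merged, defaults, user = effective(overrides_text, user_text)
    findings = [f"{name} = {merged[name]!r} set by overrides file"
                for name in sorted(defaults)
                if name.startswith("noscript.") and name not in user]
    # The combination the reply reports: cascading enabled while scripts are
    # not allowed globally, where it says third-party scripts still ran.
    if merged.get(CASCADE) is True and merged.get(GLOBAL) is not True:
        findings.append("REVIEW: cascade permissions enabled with global allow off")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OVERRIDES, SAMPLE_USER_PREFS):
        print(line)
```

Run it against a copy of the overrides file and the profile's own prefs file to see which NoScript values were never chosen by the user.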


Re: [tor-talk] How to (Was: Tor and Google error / CAPTCHAs.)

2016-10-03 Thread Joe Btfsplk

On 10/1/2016 12:36 AM, Alec Muffett wrote:


…which leads to the sort of posting that Joe posts above, essentially that 
some evil gods named Google and Cloudflare have, do and are, arranging for the 
websites of the internet to be hostile to people who need or want to use Tor, by 
throwing lightning-bolts called CAPTCHAs at them.

If the intent is to say Google & other sites are trying to protect 
themselves & their users at all costs - point taken - in part.
If you're trying to sell that Tor isn't blocked because it's Tor, 
that'll be a hard sell.


If you're trying to defend Google and their colleagues' wonderful, law 
abiding, privacy respecting, above board track records and philanthropic 
endeavors, you're on the wrong list.



Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-10-03 Thread Joe Btfsplk

On 10/3/2016 2:09 AM, Alec Muffett wrote:

On 3 October 2016 at 01:40,  wrote:

While outreach and cooperation with some companies may work, do you not
consider that a sizable number of sites will always block anonymous traffic
simply because they can not monetize it with targeted ads?



Ah! That delightful old argument.

I've heard it a lot, and I am afraid that it is all of groundless,
incorrect and demonstrably silly.  :-)


In three bullets:

1) If less than 0.1% of the people who use your site do so "anonymously",
the amount of ad-revenue associated with them is negligible. There are
bigger leaks to plug.

Possibly partly true, but I consider other reasons that sites 
(essentially) block users, sometimes lumped with Tor users.
"You can't use our site unless you allow cookies"  WTH - Really? Why is 
that?  Could it be that certain tracking - not just on that domain - 
won't work unless cookies are allowed?
"You're using  ad blocking software.  Our site won't work correctly, if 
at all."  [see #3 below]
On many sites, Tor is lumped together with ad and script blocking 
browsers - unprofitable and often largely untrackable.  We're no longer 
talking about a tiny % of users.


2) In my experience the "blocking" that companies do to Tor (and similar)
is 100% grounded in the threats from spam, scraping, testing phished
credentials, and other forms of bad behaviour.

Are you saying that TBB is the only browser used for malicious purposes? 
:)  That other browsers can't be or aren't adapted by skilled users for 
similar malicious or unwanted behavior?
I don't really buy that.  For one thing, it's too slow.  Even using a 
plain browser with a proxy - which I rarely do - I'm seldom blocked.  
Disregarding financial sites.  But Tor is blocked all the time on these 
same sites.  They don't say you're blocked, you just can't get in or use 
the site - even with scripts allowed.  I can use many federal govt sites 
just fine with TBB, but I can't do a Google search?  Talk about scraping!


3) I would bet a substantial amount of beer that anonymous proxy networks
are negligible threats to advertising revenue in comparison to "People on
the Clearnet who use AdBlock+".

I can't speak for everyone, but if ads were - still - presented as just 
ads, and trackers weren't trying to record everything you do across the 
entire internet, sell that data, provide it to the govt - on request, 
for a fee, then I wouldn't mind allowing small ads.  WAY back in the 
day, I'd click on some ads of free sites that I wanted to support.  That 
was way before things got to present practices. Now, there's no way I'll 
let them record every move.  My medical issues, political interests, 
legal matters...





Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-09-30 Thread Joe Btfsplk

On 9/27/2016 9:02 PM, Mirimir wrote:

On 09/27/2016 06:50 PM, Joe Btfsplk wrote:




Sometimes, they start renewing pictures in the [CAPTCHA] array
that I've already checked, before I get to the end & submit.  I
tried doing it faster - they replaced them faster.
Obvious they didn't want Tor users on those types of sites.

That CAPTCHA type has become common. The instructions say to keep
selecting rivers/address numbers/storefronts until no more appear. There
can be many reoccurrences per changing box, even ten or more. But only
2-4 boxes change, and the ones that you don't select don't change. So
the whole process goes pretty quickly. It's _much_ easier than those old
distorted-character CAPTCHAs :)

Umm, I guess that depends on different things.  If you have less than 
perfect eyesight, it's not any easier.
Besides, I'm not sure I ever finished one using TBB.  If they're the 
rotating, add new pics / whack-a-mole type, they never stop adding 
pics.  Or I never cared to keep reaching for the banana long enough.
Even if they display a random string to copy & paste, it always asked to 
repeat the process.  I wasn't going to solve it 10 - 20 times, unless 
they were giving away $500 bills.


When the distorted characters were as legible as my writing, it always 
says there was an error - please repeat.  Especially Google & 
Cloudflare.  A few others may have been more Tor friendly.
But use Firefox on the same sites - if the right scripts are allowed & 
not too much blocked, and it's almost always success the 1st time.
I'm not sure if their reasoning is, if it's just impossible to solve, 
there's less chance of someone trying to crash their site, than if they 
say right off, "You're using Tor - go away."



Re: [tor-talk] is it me or did tor talk get really quiet?

2016-09-29 Thread Joe Btfsplk

Thanks Moritz.  Most of that sounds good, but seems to leave the quality 
tech support issue in limbo (not your personal responsibility).
I'm not being rude & hope I'm not beating a dead horse - just asking, 
what's the hold up on such an obvious need, that (apparently) requires 
relatively little, or else one man operations would never be able to do it.


Upshot:  I don't know why a major software project, communicating on a 
world wide network wouldn't have a company run support forum.

Manned by company employees or their appointees.

I may be stating what many users are thinking.  I think many potential 
Tor users fear or distrust what they don't fully understand.  Which 
would seem to slow the increase of users.  Tor Project says it needs to 
increase users, right?


If that forum is to be stackexchange, shouldn't there be project 
reps / mods - sometimes, qualified to answer many questions, or have 
tools to find answers?
Many small projects provide excellent support (I use them all the time), 
on a fraction of Tor Project's resources.  They often give precise, 
detailed answers in < 24 hrs.
They usually don't answer, "Not sure.  Good luck."  Some years back, I 
contacted the Tor help desk, which told me to post on stack exchange.  
It got no helpful answers, when I was sure one existed. That was long 
ago, but typical users generally don't like that. Many walk away if they 
can't get help quickly.  Or lose their freedom if using Tor incorrectly 
in some countries.


Maybe Tor Project sees the value of a well run support forum, but never 
acts.  Tor-talk or any mailing list may never provide the best support 
for Tor users.  Mailing lists aren't worthless, but lots of users find 
long, technical discussions hard to follow on them - even w/ 
"conversation or thread view."


Partly, because users reply in different "formats."  Sometimes not 
quoting enough, for full context (then you have to find / read prior 
emails?);  sometimes forwarding far too many replies - repeatedly. 
Sometimes a true pain to find earlier details.  Sometimes they top / 
bottom post, or insert inline.  Some mail clients don't display other 
clients' formatting correctly.


Forum software puts everything in order & makes it easy(ier) to find & 
refer to full, previous comments - even link them.  You just scroll down 
the entire conversation.  Better search, easier to quote, insert images, 
code, etc.  Maybe a Tor operated forum would allow including a few, 
small, unintrusive ads - or not (not from Google, etc.).  For donations, 
sale of T-shirts - "I hacked the NSA & all I got was this lousy 
T-shirt," Alien hats, caps that look like aluminum foil??  Maybe most 
users wouldn't mind, so long as ads didn't come from trackers.


Kind of touchy subject - maybe conduct a survey.  Some might not mind 
small pay for click ads, when using TBB, if it generated enough revenue 
to matter - it may not.  I believe? some Tor leaders have said the 
current funding model needs to change?  There are only so many ways to 
do that.  It has to start somewhere, or nothing ever changes.  I'm not 
the 1st to say, a large % of potential users will never trust anonymity 
software largely funded by any government agency.  That's no secret to 
Tor Project.   Just a thought.



On 9/28/2016 11:46 PM, Moritz Bartl wrote:

Hi Joe,

I agree with what you wrote. The topic comes up at every dev meeting,
but we have not found a way to address that problem, or, phrased
differently, it is unclear what path to take.

On 09/28/2016 08:28 PM, Joe Btfsplk wrote:

For a *technical support list,* why not moderate tor-talk?  To keep
peace, but also provide qualified support?  There's nothing preventing
making changes.

Personally, I believe a mailinglist is a poor tool for support questions
(and answers). Some of the problems are: Archives are a pain to search,
older posts are a pain to reference, most people want a question
answered and get freaked out if they get a flood of messages that are
not relevant to their current question, etc.

That's one of the reasons why Tor created https://tor.stackexchange.com/
. I'm not saying it is the perfect answer, far from it, but I think it's
a fine platform and it could use a way larger number of people answering
questions (a problem any other platform will have, too). Also, I've been
advocating for a "support portal" for years, and there seems to be some
traction now to finally get one online. I don't know what it will look
like, but at least from the "technical support" side of things, it will
help a lot more users than those who are comfortable using mailing lists
these days. I'm not saying I like that, I do embrace mailing lists, but
I accept that most of Tor's users hate them or at least don't understand
them well enough.

That being said, tor-talk is now moderated, sort of. A few annoying
fellows were asked to find some other forum for 

Re: [tor-talk] is it me or did tor talk get really quiet?

2016-09-28 Thread Joe Btfsplk

Thanks Moritz.  Yes, the reply was helpful.  Comments / follow-up 
inserted below.


On 9/28/2016 3:01 AM, Moritz Bartl wrote:

Is tor-project list not for fairly advanced users, or bug filers, or
those giving more to the community than just asking questions (but never
contribute useful input)?  Or is it only for devs or people providing
highly technical input (e.g., providing code suggestions or highly
technical bug work arounds, etc.)?

So, one thing, and the most important one, is that _tor-project is for
non-technical discussions "about the Tor Project_". Which can be a lot of
things, but it should not be technical discussions (tor-dev), relay
operation discussions (tor-relays), onion service stuff (tor-onions),
but also _not_ anything else _related to Tor the software_, but Tor the
project. Which basically means the website, organizational stuff, etc etc.

Your comments mostly follow what I assumed.  But, seems to leave even 
advanced users abandoned on timely Tor / Tor Browser & related software 
tech support.  I get that "tor-project" is intended to discuss  project 
related issues.
The ideal scenario may be for quality contributors to return to 
tor-talk.  They may not come back to the same unmoderated list.


It's not happening, now.  As you said, no one can be forced.  If 
tor-talk remains unmoderated, the ranting will likely continue. *"If 
nothing changes, nothing changes."*  Same is true for most unmoderated 
forums or lists I've briefly viewed - they're usually a free-for-all.  
Something about hiding behind computers...


This leaves 2 questions.  1) Where is the real technical support for Tor 
/ Tor Browser & network now?  The questions & problems didn't disappear.


2) If tor-talk is unmoderated / unstaffed, doesn't that leave users in a 
bind?
Tor-talk exists, but isn't providing consistent support. Apparently, 
being unmoderated drives away technical users, but allows long rants.


For a *technical support list,* why not moderate tor-talk?  To keep 
peace, but also provide qualified support?  There's nothing preventing 
making changes.

If a few just want to insult, they could start their own "Tor Sucks" list.
I know of very few developer run forums allowing endless rants or 
pointless, crude comments.


_Polite, sincere_ suggestions for features or policies changes are often 
necessary.  Many forums allow that.  I've made polite, critical 
suggestions on many forums, that lead to change - though sometimes 
initially got criticism.  A few got snarky, initial comments from the 
devs, until the reasoning was clarified or they thought it over.  Then 
some showed up on change lists.   Very different from ranting.


AFAIK, there are very few major softwares w/o _moderated_, active forums 
or lists.  Usually with mods' or official reps' technical input, as needed.
Otherwise, users are on their own.  With Tor, lives or freedom could be 
at stake.   It's unimaginable that Mozilla wouldn't have actively 
moderated, staffed support forums for each product.
Now, Tor users might get better support on Mozillazine, if mods allowed 
the question.  There may be more advanced Tor users on Mozilla / 
Mozillazine forums than on tor-talk.


It seems that's what's happened to Tor users.  For most software or 
hardware, if users can't get timely support, the user base may decline.
Even one man, open source projects often have active, moderated tech 
support forums.

Thanks.



The archive and subscription is public, so everyone can have a look at
what has been discussed there so far. There is a lot of overlap with
things that used to be covered on tor-talk and still are, and the
distinction is not clear at all. But, on the other hand, going through
the archives you can probably identify a lot of things that are
"accepted" on tor-talk that don't fit the range of topics covered on
tor-project (-- and not the other way round).


Is tor-talk now for the most basic beginner questions / answer /
discussion?  If still for technical issues and fairly technical people
rarely visit it, there may be mostly questions & few answers.  Is this
partly because on tor-talk, numerous times that unmoderated discussions
strayed from Tor issues?

Not only partly, but mostly. :( A lot of people just didn't want to cope
with the amount of off-topic threads, nonconstructive endless debates
and other violations of netiquette that happened on tor-talk. tor-talk
degenerated quite a bit over time, and due to the libertarian nature of
a lot of people nobody stepped up and intervened until only a short
while ago. Users of tor-talk cannot be fully blamed because for a long
time there were no clear guidelines on what is acceptable behavior and
topics on it (which there still aren't) and no moderation. Sane people
just gave up and moved to a moderated list, which is tor-project.

Everyone, especially the active Tor contributors, want tor-talk to
become as useful again as it has been a long time ago, but only very few
of them are remaining as 

Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-09-27 Thread Joe Btfsplk


On 9/27/2016 9:57 AM, blo...@openmailbox.org wrote:



This is exactly my issue. If I login to my Gmail or FB account then
invariably Gmail or FB thinks I am a suspicious person hence "Something
seems a bit different about the way you're trying to sign in. Complete
the step below to let us know it's you and not someone pretending to be
you" or worse "Google couldn't verify it's you, so you can't sign in to
this account right now." In the FB case, I am asked to identify my
"friends" half of whom have baby photos or the image is unclear..
Sometimes I get them wrong and am locked out for a few hours. And this
is when connecting via the FB .onion address.

IMO, and I am curious to know what Alec thinks, Google, FB, etc are
creating far too many false positives. Googling "Something seems a bit
different about the way you're trying to sign in" results in numerous
cases where innocent users have been locked out.

Two questions:

Is there a way that using an exit node for Gmail, FB, etc will not be
considered suspicious? Is that even possible?

I can't say about Gmail today (I hope you're not trying to use it w/ 
Tor, hoping for anonymity).
But w/ other login sites that balked at Tor, forcing an exit relay in 
same country that you signed up from, sometimes fixed the messages like, 
"We've detected unusual behavior...  Give us your home phone & address & 
we'll call you." :D   Sometimes even Startpage, DDG, etc. will pop a 
captcha.  I wonder why, until I look at the exit country & it's China or 
Uzbekistan or such.  After I change that to a country less known for 
cybercrime, no more captchas on those sites.


Is it possible to use a different proxy way to access Gmail, FB, etc
without being seen as suspicious? For example, one could use proxychains
with Tor followed by a SOCKS proxy to login.

Probably depends on the proxy.  You could try, but I'm guessing that's 
what a lot of spammers & scammers try.  Gmail has pretty strict rules to 
try & prevent fraud (keep a good reputation). They don't want to lose 
many users, or they don't get to scan the email & scrape the private 
data.  Would be financial loss, so they don't want other ISPs or sites 
blocking gmail.


It's hard to sign up for gmail w/ Tor.  They want SMS authentication, 
which is usually going to blow most users' anonymity.
By contrast, if you create an acct w/ non-Tor browser, then access it w/ 
TBB, that accomplishes nothing - as for anonymity.


Only creating an acct w/ TBB & then *never* accessing it w/ anything 
else (& not having addons or plugins that might leak IPa) will 
accomplish anonymity.  For Tor Browser email, it just seems a better 
idea to start w/ a provider that's both Tor friendly AND privacy / 
security conscious.  That's not google.


Even then, I'm not sure.  What if you get an email - via TBB, that 
mentions your real name, or is from someone in your town - using their 
real IPa - saying, "come on over tonight, to 123 Oak St.," or gives 
their phone #, etc.?  Then the mail provider effectively knows which 
town you live in, at minimum.  The right agencies can then cross 
reference that person's contacts - if they want.  And then probably the 
national security agency knows all that.


In both cases above (exit node and exit node plus SOCKS) we assume that
the IP address more or less matches the "normal" non-proxy login. I am
in Paris and use a Paris exit node and a Paris SOCKS proxy for example.

Finally, thanks for participating in this discussion. It is rare to have
people who work or used to work at the major webmail and social media
companies from a) getting involved and b) providing a nuanced (not
anti-Tor) perspective.




Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-09-27 Thread Joe Btfsplk

On 9/26/2016 11:57 PM, Jeremy Rand wrote:

If it matters, I usually have Tor Browser in Medium-High security level,
so Javascript is enabled for HTTPS sites (including Google Translate).

Cheers,
-Jeremy

Yep, mine can be in Med or Med High security, and a lot of captchas &
other features don't work reliably.  Even if allow all scripts for the page.

Sometimes it does work.

The times - as a test - I immediately visited the same sites w/ firefox 
(immediately going to same site probably isn't a good idea, if strict 
anonymity is required) & same NoScript settings -AFAIK, plus had AdBlock 
and / or Ghostery running, the captchas or page features usually worked 
right away.  I'm convinced that sometimes, it's just Tor Browser they 
don't like, or certain countries of exit relay, or certain IPa ranges.  
I've repeated it enough to know it's not a fluke.
For a fact, I know it's mostly *not* because I incorrectly solved the 
captcha, which they often say.


Sometimes, they start renewing pictures in the array that I've already 
checked, before I get to the end & submit.  I tried doing it faster - 
they replaced them faster.

Obvious they didn't want Tor users on those types of sites.



Re: [tor-talk] is it me or did tor talk get really quiet?

2016-09-27 Thread Joe Btfsplk

On 9/26/2016 7:07 PM, Moritz Bartl wrote:

On 09/26/2016 09:02 PM, Joe Btfsplk wrote:

Some may say they still get several tor-talk emails / day  and I do, too.

But several current, relevant technical questions I've asked about Tor
issues get no comments.
Questions I'm pretty sure a lot of people would be interested in. And
that at least some advanced users would have partial answers or
suggestions for, but not a peep.
This is in stark contrast to the past on this list.

At times, it almost seems that many knowledgeable people gave up or moved.
Need to find where the cool kids are hanging. :)

Some of it has moved to more specific lists like
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions and
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays . I
know you, Joe, are aware of that, but others who follow this thread
might not be so I wanted to mention it.


Thanks Moritz.  I was aware of some, but not all.  I'm a bit confused.
The subject matter for tor-onions and tor-relays lists is pretty obvious.

But the tor-project link says,
"About tor-project
Moderated discussion list for tor contributors..."  [ellipsis is included]

"How do I get permission to post to tor-project@
Just ask. Anyone is allowed to watch, but *posting is restricted* to
those that actively want to make Tor better."


What does "for tor [Sic] contributors" mean, exactly, or "those that 
actively want to make Tor better?"


Is tor-project list not for fairly advanced users, or bug filers, or 
those giving more to the community than just asking questions (but never 
contribute useful input)?  Or is it only for devs or people providing 
highly technical input (e.g., providing code suggestions or highly 
technical bug work arounds, etc.)?


Is tor-talk now for the most basic beginner questions / answer / 
discussion?  If still for technical issues and fairly technical people 
rarely visit it, there may be mostly questions & few answers.  Is this 
partly because on tor-talk, numerous times that unmoderated discussions 
strayed from Tor issues?




Re: [tor-talk] is it me or did tor talk get really quiet?

2016-09-26 Thread Joe Btfsplk

Some may say they still get several tor-talk emails / day  and I do, too.

But several current, relevant technical questions I've asked about Tor 
issues get no comments.
Questions I'm pretty sure a lot of people would be interested in. And 
that at least some advanced users would have partial answers or 
suggestions for, but not a peep.

This is in stark contrast to the past on this list.

At times, it almost seems that many knowledgeable people gave up or moved.
Need to find where the cool kids are hanging. :)




Re: [tor-talk] Tor-friendly email provider

2016-09-26 Thread Joe Btfsplk

On 9/24/2016 8:26 AM, Mirimir wrote:


On 09/24/2016 06:53 AM, Oskar Wendel wrote:

Joe Btfsplk:

What is it about Riseup that you don't like? Just curious. I've
not used it, but most people seem to like it.
Riseup silently drops email with certain words in the subject. I
have notified them and I'm still waiting for the response.

Really? Please share what words trigger this. And I'll test. If you
prefer, you can email me off-list, encrypted. My key is on the SKS
servers, and at <https://keybase.io/mirimir>.

Yes, I'd be interested in knowing if Riseup just "drops" email with 
innocent trigger words or phrases, or if the messages accidentally 
contained "spam like" phrases.
I've seen that with other providers.  A phrase or sentence out of 
context may seem like spam to them.
My ISP used to spam filter some of its *own* important messages to me, 
containing contract info on my account.



Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-09-26 Thread Joe Btfsplk



On 9/25/2016 12:15 AM, Jeremy Rand wrote:

hi...@safe-mail.net:

You can't use Google Translate at all with most Tor exit nodes, while there are 
no sane reasons why they would block Tor users from just translating text.

Interesting.  I don't use Google Translate very often (maybe 2-3 times
per month), but I can't remember ever being blocked from it due to
coming from a Tor exit.  I wonder why your experience differs from mine.

Don't know for sure.  Part may depend on NoScript / JavaScript settings
or other addons?
"No sane reason why they would block Tor," except they want to make 
money.  The less personal data or real IPa's they get, the less money.
Also, I've seen various sites *seem* to block exit relays from certain 
countries.


I say "seem to" because if I switched exits to different countries, 
sometimes it works.  Not always.  More often, it's a matter of allowing 
the right trackers / scripts.
Google almost always wants or needs a lot of scripts enabled for content 
to work.  Admittedly, sometimes the content or service Google provides 
is useful.  But more ways to gather extra data is icing on the cake for 
them.  After all, they're primarily in business to gather data, deliver 
ads & who knows what else.



Re: [tor-talk] Tor-friendly email provider

2016-09-23 Thread Joe Btfsplk



On 9/22/2016 1:00 PM, Oskar Wendel wrote:


gmx.com doesn't want me to register: "Your registration could not be
processed at the moment. Please try again later."

gmx.net seems to blacklist Tor, too:

Registrierung leider nicht moglich!

Sie haben versucht, sich mit der IP-Adresse 77.247.181.162
bei GMX zu registrieren.

Diese IP-Adresse ist nicht zugelassen.

Whatever it means, but it looks like "you are using Tor, so flick off".

From the link provided by nusenu:

Sigaint doesn't allow pop3/smtp unless you buy a pro account, which is
quite expensive...

mailbox.org allows only 30 days for free.

riseup.net is the provider I'm using currently, but I'm not happy with
it and that's why I'm looking for another one...

mail.ru is in Russian, too... any way to switch to English?

mail2tor, according to the site, is not very reliable.

bitmessage.ch doesn't seem to allow creating custom addresses.

Doesn't look good, maybe it's time to learn Russian...

I don't think GMX allows using Tor, but they don't offer anything 
special - as to privacy, security.  They're not a lot different than 
most others - anymore.
What is it about Riseup that you don't like?  Just curious.  I've not 
used it, but most people seem to like it.


Unseen.is - located in Iceland is a more privacy conscious provider.  
I've created an acct using TBB in the past.  They don't - or didn't - 
keep logs or store messages after you delete them.
They offer end to end encryption - between Unseen users, using their own 
app loaded on computers.  They'll keep encrypted messages on their 
server, if you want.  It's proprietary encryption, which some don't like 
(can't be independently tested).  They claim they intentionally never 
have the private key, so no LEAs can force them to decrypt or hand over 
messages.


I'm not sure that independent testing of encryption or software is as
relevant today, if - - avoiding state players is a main concern. For 
protection against _non-government criminals_ (see what I did there?), 
independent testing is important.  Even the largest universities' or 
security firms' resources are tiny compared to the time, money, talent 
and computing power that nations put towards cracking encryption, paying 
for or coercing back doors, or finding exploitable software bugs.  I'm 
sure governments have made huge advances since Snowden's papers in 2013, 
that we probably will never hear about.




Re: [tor-talk] Image EXIF data used to geolocate

2016-09-22 Thread Joe Btfsplk


On 9/22/2016 9:46 AM, ban...@openmailbox.org wrote:

Pretty basic opsec fail but I wonder if mapping out tags was a good
idea. Imagine tagging a city that has a handful of Tor users. They
should have consulted the Tor Research Ethics process.

When it's important not to reveal location or other data stored in
images' EXIF info, remove the EXIF data.  Couple of mouse clicks in many 
image viewers.

Save as new image, then send or post.

See image viewers / editors like Irfan View, XnView & others for details
on typical EXIF data and removing it.
These editors also make it very easy to edit out unwanted parts of 
images, that might help narrow down a location (landmarks, native 
vegetation), time of day, time of year.


See sites like this, explaining some of it: 
http://www.makeuseof.com/tag/3-ways-to-remove-exif-metadata-from-photos-and-why-you-might-want-to/
Types of data stored in EXIF (though my camera stores more than 
mentioned on this site): 
http://www.makeuseof.com/tag/exif-photo-data-find-understand/


Many modern cameras / phones, allow disabling the recording of geo 
location data with images.
But often still records in EXIF data the device brand & model, date and 
all technical specs about the image.  Some of that data might narrow a 
list of suspects to owners of specific devices, or coincide with dates 
they were in specific, identifiable locations.


From what I've read, it's less common that devices allow totally 
disabling storing all EXIF data with images.


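As an added illustration of the EXIF points in the message above (not part of the original post): a standard-library Python example that shows where EXIF lives in a JPEG, reads the identifying tags that remain when geotagging is off, and writes a copy without the EXIF segment. The sample image and its "ExampleCam" / "Model-1" values are constructed for the example.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
# Tag numbers from the EXIF/TIFF specifications.
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}


def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated segment at offset %d" % pos)
        yield marker, pos, end
        if marker == 0xDA:  # start of scan: compressed pixel data follows
            return
        pos = end


def is_exif(jpeg, marker, start):
    """EXIF is an APP1 segment whose payload starts with 'Exif\\0\\0'."""
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out, last = bytearray(b"\xff\xd8"), 2
    for marker, start, end in iter_segments(jpeg):
        if not is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])  # pixel data and EOI are copied untouched


def read_ifd0(jpeg):
    """Return the identifying IFD0 tags of the first EXIF segment, or {} if none."""
    for marker, start, end in iter_segments(jpeg):
        if is_exif(jpeg, marker, start):
            return _parse_ifd0(jpeg[start + 10:end])
    return {}


def _parse_ifd0(tiff):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # little- or big-endian TIFF
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in EXIF segment")
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n, value = struct.unpack(order + "HHI4s", entry)
        name = IFD0_TAGS.get(tag)
        if name is None:
            continue
        if typ == 2:  # ASCII string: stored inline if it fits in 4 bytes, else by offset
            off = struct.unpack(order + "I", value)[0]
            raw = tiff[off:off + n] if n > 4 else value[:n]
            found[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        else:
            found[name] = "present"
    return found


def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample():
    """Constructed test file: real segment layout, placeholder pixel data, no GPS tag."""
    strings = [(0x010F, b"ExampleCam\x00"), (0x0110, b"Model-1\x00"),
               (0x0132, b"2016:09:22 09:46:00\x00")]
    data_off = 8 + 2 + 12 * len(strings) + 4  # header + count + entries + next-IFD
    ifd, blob = struct.pack("<H", len(strings)), b""
    for tag, text in strings:
        ifd += struct.pack("<HHII", tag, 2, len(text), data_off + len(blob))
        blob += text
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + blob
    return (b"\xff\xd8"
            + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _seg(0xE1, EXIF_HEADER + tiff)
            + _seg(0xDB, bytes(65)) + _seg(0xDA, bytes(10))
            + b"\x12\x34\x56" + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample()
    print("before:", read_ifd0(sample))
    print("after: ", read_ifd0(strip_exif(sample)))
```

Only the EXIF segment is removed here; other metadata containers such as XMP or IPTC live in different segments and are left in place.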


Re: [tor-talk] Running a relay for some months

2016-09-19 Thread Joe Btfsplk

On 9/17/2016 2:46 PM, Tor Dev wrote:


I see now. My apologies! I pressed the button indeed multiple times, but the 
window with the mail didn’t close after pressing the button. Even disabling GPG 
signatures made no difference. After a few minutes I force quitted my mail 
client and went to other things.

Now I’m also surprised that not a single spam filter across the infrastructure 
noticed this.

Sorry for the inconvenience.



No problem.  So much for all the spam filters.  None of at least 3 on my 
side made a peep.  I'd think tor-talk server / provider also has spam 
filters.  Maybe not if they allow 14 identical messages in a couple of 
minutes? :|



Re: [tor-talk] Running a relay for some months

2016-09-17 Thread Joe Btfsplk

On 9/17/2016 11:23 AM, Tor Dev wrote:


So the bandwidth is probably not sufficient of your relay.

@ Tor Dev 
Just curious.  I received 14 copies of your above reply with identical 
body text.  Did you somehow send that many?  Do you possibly have a 
virus or sticking "Send" button? :)

Several of the 14 have different UIDL strings;
different Google-DKIM-Signature's, different time stamps - e.g., 
11:35:57, 11:25:59, etc.

I suppose meaning, they were individually sent over several minutes.

I'm surprised either gmail, tor-talk servers, my client or my ISP didn't 
mark any as spam.



[tor-talk] Question - NoScript ClearClick bug

2016-09-12 Thread Joe Btfsplk

#14985 (new, defect, NoScript): Clickjacking warning when clicking on embedded content


This obviously hasn't been fixed yet.
How many / what type non-Cloudflare sites does it affect?  For 
Cloudflare captchas, disabling ClearClick seems to be a moot point for 
me - haven't gotten past one using TBB.
And so far, haven't seen a NoScript clickjacking warning on
non-Cloudflare sites.





Re: [tor-talk] bug

2016-09-12 Thread Joe Btfsplk

On 9/12/2016 9:41 AM, xuzixa...@polyfaust.com wrote:

https://www.browserleaks.com/firefox

it can be used for both fingerprinting (different users use different OS setups 
or different Tor versions) and exploiting software vulnerabilities because when 
attacker don’t know your OS or browser version they don’t know what payload can 
do the thing that if be used incorrectly will show a download warning that 
compromises their valuable malware to citizenlab like groups.

Using TBB, I looked at the link - browserleaks.com/firefox - with JS
disabled.  The code that supposedly detects values in firefox.js giving
away the OS:


// Load Firefox's bundled default-prefs file as a script.
// That file is a list of pref(...) / sticky_pref(...) calls.
var include = function(load, err) {
  var el = document.createElement("script");
  el.type = "text/javascript";
  el.onload = load;
  el.onerror = err;
  document.head.appendChild(el);
  el.src = "resource:///defaults/preferences/firefox.js";
}

var pref,
  sticky_pref,
  os;

// Runs once per pref in firefox.js; platform-specific defaults give away the OS.
pref = sticky_pref = function(key, val) {
  if (!os)
    if (key == "browser.gesture.pinch.out" && val == "cmd_fullZoomEnlarge")
      os = "Windows";
    else if (key == "browser.backspace_action" && val == "2")
      os = "Linux";
    else if (key == "browser.gesture.pinch.threshold" && val == "150")
      os = "Mac";
}

include(function() {
  console.log( "OS: " + (os ? os : "unknown") );
}, function() {
  console.log( "OS: n/a (not a Firefox)" );
});


The prefs & values the code is querying appear in about:config, as
would many firefox.js settings.


Question for devs / Firefox experts:  many prefs are reported to sites 
so they can display content, but are they allowed to access every 
setting in about:config - default or user set?

This can't be correct.  That would make users very unique.

Is this bug somehow supposed to allow only querying firefox.js values & 
no other files?  Why is that?  If allowed access to firefox.js, why not 
all firefox files?











Re: [tor-talk] Metrics in Iran and other countries

2016-09-09 Thread Joe Btfsplk

On 9/7/2016 9:40 PM, Mirimir wrote:


On 09/07/2016 11:05 AM, Joe Btfsplk wrote:





#4  The Tor Project is pretty clear that Tor Browser by itself is
probably not enough to provide reasonably reliable anonymity.


Tor Project doesn't make that clear enough, in my opinion.

True.  I said they make it clear that Tor Browser probably isn't enough
- especially against powerful adversaries.  I didn't say they explain in 
logical order, what else is required.
Possible the instructions to make it as anonymous as humanly possible is 
reserved for the people that mostly pay for it.

Putting tor daemon and userland in separate VMs would have prevented
user compromise. Whonix does that, but there's no mention of Whonix on
Tor Project's site. If you dig around there, you can find old stuff
about the TorBOX project, which Whonix developed from. I have no clue
why Tor Project refuses to even mention Whonix. It's very strange.

It's not that surprising since Whonix isn't part of Tor Project. They do
mention it in blogs.  But, they mention NoScript, depend on its 
functionality - and it's not connected with Tor Project.  Lots of things 
they don't mention.
From minimal knowledge, Whonix allows Tor to retain entry guard 
selection across sessions.
But could allow certain things to remain in the OS between sessions that 
theoretically could identify them.  Probably very low risk compared to 
other OSes, considering benefits gained.  Still, Tails & Whonix have 
very small staffs and tiny budgets compared to OS X, mobile OSes or most 
Linux distros.  If it was life or death situation, it'd be hard to trust 
Tails or Whonix completely.


Where Tails is amnesic across sessions, but loses the entry guard. They 
do discuss Tails quite a bit.
I'm not sure about any network that depends almost totally on unknown 
relay operators & no way to check the operators out.  As if any 
government couldn't plant agents as relay operators, that could pass the 
most rigorous, face to face interview, interrogation or background check 
by Tor Project.


Since it's supposed common knowledge the US Navy or military still uses 
the network, seems like it'd be very risky for them unless they were 
*positive* that their enemies - or group - aren't running a substantial 
number of entry and exit nodes.


One theoretical way they could be sure that aspect is not a huge risk 
is, if they're positive US agencies are running a substantial number of 
the relays.  Otherwise, aren't they taking as big a chance as average
users?  Leaving things to chance doesn't sound like modern military 
tactics of super powers.  I'm sure I missed something.





Re: [tor-talk] Metrics in Iran and other countries

2016-09-07 Thread Joe Btfsplk
I don't know the complete answers, depending on which question, or if 
they even exist.
Assuming the metric data are being handled correctly & graphs are 
displaying correctly, if we look at a graph for all users from Jan. 2013 
till now, the trend is still the same.  A huge increase - probably right 
after the Edward Snowden revelations & associated media coverage.  Then 
a brief, sharp drop.  After that a fairly consistent, moderate, negative 
slope.


Without knowing anything about the specific data generating the Tor 
usage graphs, they seem to follow expected patterns of human interest in 
big news stories.
A large, sudden increase, then a sharp decline that levels off. Once the 
initial shock of  an event is past, many people lose interest.  Plus, 
media coverage declines - onto the next story.
Going by many forms of current media coverage, some would hardly know 
the US is still engaged in 2 wars.  At lower levels than several years 
ago, but still engaged and spending tons of money.


Plus, a lot of negative publicity and anti Tor propaganda, whether 
accurate or not, probably turns moderately interested users away.
A lot of people are probably surprised and encouraged by the remaining 
increase in users from the pre-Snowden period until now.


# 2:  Depends partly on how small a number are connecting to Tor and 
number of users accessing a site at a given time.  And on the laws and 
government practices in your country.  If you're the only user 
connecting to Tor network via your ISP @ 8:00 PM and there's only one 
connection to site XYZ.com from a Tor exit relay at 8:00 PM, it's a good 
bet it was you.  That assumes an entity w/ the ability and desire is 
actually gathering the data at both ends, and that they care about the 
specific activity.  In that scenario, if you're doing something illegal 
or it's illegal to use Tor *at all* in your country & the government is 
actively monitoring, could be a problem.


If they're only interested in users accessing what they consider 
anti-government, illegal or subversive sites, but you only access 
Disney.com, they may not care.  That's one issue for Tor users in 
certain countries - you can't be positive how many Tor users are 
accessing a site at a specific time.  This is a _very simplified, 
incomplete_ explanation of some concerns about using Tor.


#4  The Tor Project is pretty clear that Tor Browser by itself is 
probably not enough to provide reasonably reliable anonymity. Especially 
against advanced adversaries with large resources, and if you're doing 
something they are keenly interested in.  If users' lives or freedom 
would be jeopardized by using Tor - at all or for a specific purpose, 
they need to study carefully other methods and practices to go along 
with Tor.  Much is discussed on Tor Project help / documentation / FAQ 
pages.  There's not a quick, easy to follow recipe to protect all Tor 
users in all cases, that I know of.



On 9/5/2016 5:32 AM, Andri Effendi wrote:

Hi all,
1. I was wondering why there is such a huge drop in Direct TOR Traffic?

2. Does a country/government with only a small number of directly
connecting users pose a threat to the people using it in those countries?

3. Where is the most reliable source to find out how secure and trusted
the TOR Network is?
i.e. whether the network or browser has any known vulnerabilities.

4. Is TOR safe to use on its own, do we need to use other tools along
with it?

Users from Australia directly connecting to the TOR Network appears on
the steady decline, at least according to the metrics data.


Does this mean TOR Users in Australia will be under more scrutiny and
danger?

Here is the metrics on users directly connecting to TOR from Iran.
Since January it has fluctuated significantly.


5. Can I still recommend TOR for people in Iran, or would that be
dangerous and irresponsible?

6. Is there a visual display of the TOR Network as overall? (similar
visuals to what vidalia use to provide)

Thank you for your replies :)

If you wish to reply to me directly PLEASE ENCRYPT your messages.

Kind Regards,






Re: [tor-talk] Medium removed the captchas for Tor users!

2016-08-09 Thread Joe Btfsplk


On 8/8/2016 8:53 PM, Sadiq Saif wrote:

On 08-Aug-16 21:42, Joe Btfsplk wrote:

I still don't know what those statements were about.
I've seen no change in Cloudfront captchas working better for Tor.
Meaning, they don't work at all.

Even major news outlets using CloudFlare, where I'd like to read
controversial articles don't work w/ Tor Browser.
Haven't for the longest time, regardless of having JS enabled.

The OP was referring to a specific site - Medium.com (using Cloudflare)
that was previously presenting captchas to Tor users and is no longer
doing so (this is an option in Cloudflare site settings that you can
enable).

It was not a statement on the general usability of Cloudflare's captchas
for Tor Browser users.

Thanks for clarification.  For a minute, I thought I was the only one 
unable to access CloudFlare sites.



Re: [tor-talk] Medium removed the captchas for Tor users!

2016-08-08 Thread Joe Btfsplk

On 7/14/2016 4:49 PM, Griffin Boyce wrote:

That is really awesome! :-) Thanks for the update.


On Thu, Jul 14, 2016 at 5:42 PM, Kate Krauss <k...@torproject.org> wrote:
I don't say much on Tor-Talk, but I will say this:

Thanks, Medium, for removing all those CloudFlare captchas for Tor
users. As an activist from East Africa once reminded me, the Internet
means *all* of the Internet. Otherwise it isn't quite itself--it is
meant to be accessible and comprehensive; a nearly inexhaustible catalog
of the world.

Thank you for helping out.

Cheers,

Kate Krauss


I still don't know what those statements were about.
I've seen no change in Cloudfront captchas working better for Tor. 
Meaning, they don't work at all.


Even major news outlets using CloudFlare, where I'd like to read 
controversial articles don't work w/ Tor Browser.

Haven't for the longest time, regardless of having JS enabled.


Re: [tor-talk] Medium removed the captchas for Tor users!

2016-07-17 Thread Joe Btfsplk

On 7/14/2016 4:49 PM, Griffin Boyce wrote:

That is really awesome! :-) Thanks for the update.


On Thu, Jul 14, 2016 at 5:42 PM, Kate Krauss <k...@torproject.org> wrote:
I don't say much on Tor-Talk, but I will say this:

Thanks, Medium, for removing all those CloudFlare captchas for Tor
users. As an activist from East Africa once reminded me, the Internet
means *all* of the Internet. Otherwise it isn't quite itself--it is
meant to be accessible and comprehensive; a nearly inexhaustible catalog
of the world.

Thank you for helping out.

Cheers,

Kate Krauss

--

Huh?  Did I miss something?  As of late, I haven't noticed CF captchas 
disappeared, or worked any better in Tor Browser.

Are you talking about a special case?

Sometimes, in Firefox on the same site I may not get any captcha, a few 
minutes after trying a couple of times in TBB.
If it's a trustworthy site (if there's such a thing) & JS is allowed for 
all necessary 3rd parties on the site, the captchas will either work in 
the 1st 1 or 2 tries in TBB, or they won't at all.
And in Firefox, where I have a lot of blocking addons, it almost always 
works w/ JS allowed on just the base domain.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] FBI cracked Tor security

2016-07-15 Thread Joe Btfsplk

On 7/15/2016 12:34 AM, Jon Tullett wrote:

On 15 July 2016 at 01:23, Joe Btfsplk <joebtfs...@gmx.com> wrote:

On 7/14/2016 2:34 PM, Jon Tullett wrote:

Thanks Jon.  I agree w/ most that you said.  Again, semantics. Whether they
cracked Tor or Tor Browser won't change if the brutal dictator has you shot
in the front or back of the head. :)

Again, remember that this conversation was in the context of Freedom Hosting.

Absolutely agree that the same style of investigation could (and
probably does) happen in a more brutal political regime. Users there,
being at greater risk, have a greater need to take further steps to
protect themselves.



Unless one is using Tor w/ their own internet browsing application, an
exploited weakness in Tor Browser - modified Firefox - has the same effect
on users.  They're a package deal.

Well, no. Tor does make it clear you need to do more than just
downloading TBB to be anonymous and secure. If you think TBB is a
single-solution prepackaged silver bullet, you are at risk.

I don't think there's any debate whether Tor should try to be such a
silver bullet - clearly it can't and shouldn't - the question seems to
be around whether Tor should give more clear guidance/warnings. I'm
always in favour of that.



You're not really suggesting that users under hostile dictatorships or ones
trying to expose democratic government unconstitutional actions,  take full
responsibility for the ongoing modifying, patching & constant reading about
weaknesses of Tor Browser "for their own security?"

Yeah, I kinda am. Users in such hostile environments absolutely need
to take more care to keep themselves secure, and not just online. If
you are relying on any product to keep you alive, you definitely
should be constantly reading about it.

Respectfully, you're dreaming if you think whistle blowers, political
activists or citizens under brutal regimes are *necessarily,* or even 
mostly computer geeks. :)
You may be correct that only very advanced geeks or (sane) persons w/ 
unlimited access to one, _should_ use TBB in dangerous situations, if 
they don't understand every detail about what can go wrong & how to fix 
it themselves.


Very few people meet those criteria.  I don't  & I've been studying Tor 
& TBB for yrs.   People that might have interests in whistle blowing or 
activism, *also* having the knowledge & ability to troubleshoot, modify 
or patch TBB on an ongoing basis are almost nil.  Except for those w/ no 
concept of the extreme risk they're taking, that leaves very few people 
to do any blowin' or activatin'.   People under brutal regimes don't 
need to be activists to have a real need for reliable anonymity (no 
unpatched browser bugs).  They just need to safely access info besides 
governmental propaganda or to pass info to similar minded persons.  Do 
we think they're all going to be coders that can patch browsers?  That's 
a dream.  :)


If the only people (in dangerous situations) that should use Tor / Tor 
Browser are geeks, it doesn't have a very wide audience. Regardless of 
whose job it is to make something like TBB "as secure as possible," 
there just aren't many people like E. Snowden w/ extreme computer talent 
- to do what you're suggesting -  & desire (possibly stupidity) to go 
after top officials or their government.


Many of the things mentioned in "what else you need to remain anonymous"
type articles - don't use Flash, plugins, file sharing, etc., are easy.  
It's all the other things that can go, or are, wrong that most people 
wouldn't understand.  For years, Tor devs weren't even sure how to 
report TBB screen size & many other unresolved issues.  I filed various 
bugs on many things, but had no idea how to fix them.   How can even 
advanced users be expected to fix these & more problems when it 
sometimes takes extremely talented Tor devs years to find solutions?  
Again, a pipe dream.


The sage advice under "List of Warnings:"  "Ultimately the best 
protection is a social approach: the more Tor users there are near you 
and the more diverse <https://www.torproject.org/about/torusers.html.en> 
their interests, the less dangerous it will be that you are one of 
them."  L I'll B.  Unless sites you're visiting  or your exact ISP 
server are known to have 100's of TBB users - at once, that doesn't help 
much.


I'm not too sure about trusting one's life to a system based in part on 
pure guesstimating how many entry & exit relays are enemy controlled.  
Calculating statistical odds of being identified, based on unknown
numbers of enemy controlled nodes; the number of times & frequency entry 
guards change, number of sites visited, etc. :D








That Tor Project is saying Tor is relatively anonymous; as for Tor Browser,
everyone's on their own.

It's saying that the Tor network will help you stay anonymous, and the
browser bundle will help facilitat

Re: [tor-talk] FBI cracked Tor security

2016-07-14 Thread Joe Btfsplk

On 7/14/2016 2:34 PM, Jon Tullett wrote:

2.  Aren't statements (from anyone) like, "... generally crack the servers
hosting the illicit material, not Tor itself," sort of a matter of
semantics?

Depends on the context, I guess. To the user, maybe, but in the
context of this (Tor) community, the distinction matters. Browser
vulns and server exploits are common. Tor's crypto is not, AFAIK,
known to be compromised.

Thanks Jon.  I agree w/ most that you said.  Again, semantics. Whether 
they cracked Tor or Tor Browser won't change if the brutal dictator has 
you shot in the front or back of the head. :)


Unless one is using Tor w/ their own internet browsing application, an 
exploited weakness in Tor Browser - modified Firefox - has the same 
effect on users.  They're a package deal.
If claiming, there are no known cases of authorities "cracking Tor" or 
using its weaknesses to deanonymize users, that may be correct, AFAWK.  
But, it's been shown time & again, "we" don't know very far regarding 
what  gov'ts & their agencies can / can't do, or have / haven't done.  
An unfortunate fact for citizens everywhere. "Absence of evidence is not 
evidence of absence," as to their capabilities.  If any government 
cracks Tor, it'll be of the highest security classification.  Most 
advanced governments aren't as bungling & clueless as many think they are.


True - if someone cracked Tor, this show is over - for a while.  To 
Prisoner Number Six, it makes no difference if the chink was in Tor 
proper, or in the browser.  It matters to Tor Project for ego & bragging 
rights & it matters regarding whether only a few unlucky freedom 
fighters got caught, or if Tor needs a complete overhaul.




The issue of who should be responsible for alerting a user to possible
risks is debatable. Tor's job, after all, is not to keep users secure;
it's to keep them anonymous. I don't speak for the Tor project, but I
expect the assumption is that users should take responsibility for
their own security, just as they should take responsibility for
antivirus, patching, and brushing their teeth :)

-J

You're not really suggesting that users under hostile dictatorships or 
ones trying to expose democratic government unconstitutional actions,  
take full responsibility for the ongoing modifying, patching & constant 
reading about weaknesses of Tor Browser "for their own security?"
That Tor Project is saying Tor is relatively anonymous; as for Tor 
Browser, everyone's on their own.


If one is in the right (or wrong) situation, anonymity = security. Lack 
of anonymity may = jail or death.  Not for me & presumably not Tor 
developers, but for some users that Tor was designed for.


Six out.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] FBI cracked Tor security

2016-07-14 Thread Joe Btfsplk

On 7/14/2016 1:23 AM, Jon Tullett wrote:


I think what you'll find in such cases is that the FBI generally crack
the servers hosting the illicit material, not Tor itself.

1.  Wasn't this discussed back when it occurred?  As to how they did (or 
likely did) identify the Tor / Tor Browser users for the porn arrests?

Or am I thinking of bringing down Silk Road & some other sites?

2.  Aren't statements (from anyone) like, "... generally crack the 
servers hosting the illicit material, not Tor itself," sort of a matter 
of semantics?
e.g., on clear net, a plain Firefox user browses to a trusted site 
that's been hacked (& might be detectable, if anyone was checking).  The 
browser has no defense against the specific attack, though addons (say, 
NoScript) are aware of the possibility.


So the site / server was attacked 1st, but that's not the goal.  Due to 
weakness in (any) browser, isn't it as much an attack against the 
browser as the site?  And just as much the browser devs' faults for not 
fixing the weakness - if possible, and / or not repeatedly, very visibly 
warning users in unmistakable language  - if they don't do so.  In many 
cases, the discussion becomes, "Was it Firefox's fault or Tor Browser's, 
for not fixing the Firefox weakness?"


Not many realistic people I know would expect the producer or 
distributor of a product to *continually* point out the shortcomings, if 
they expected to retain or increase users.  (They might like for this to 
happen, but don't realistically expect it to).  Especially when the 
producer & distributor won't be legally liable for anything, if they 
don't constantly warn users. There's no penalty for software devs - esp. 
not freeware.   There usually are certain warnings or known issue 
comments from software devs, but often fairly obscure to average users.  
If Tor Project - or any other developer - repeatedly splashes weaknesses 
on page 1, it could seriously decrease users.


With software, lose-weight-while-you-sleep pills or OTC drugs, not all 
users necessarily understand the warnings, even if they hear / read 
them.  Often because they're ambiguous or don't give enough details or 
aren't worded so that average people understand.  And / or some users 
have a "it'll never happen to me" mentality.



Re: [tor-talk] US Federal Court: The Fourth Amendment Does Not Protect Your Home Computer

2016-07-01 Thread Joe Btfsplk

On 6/24/2016 8:39 AM, Allen wrote:

On Fri, Jun 24, 2016 at 2:19 AM, grarpamp  wrote:


https://www.eff.org/files/2016/06/23/matish_suppression_edva.pdf




The judge's logic is pretty amusing and shocking at the same time:
basically, because of all the malware and software vulnerabilities in the
world, as soon as you connect your computer to the internet, you have no
reasonable expectation of privacy because your computer is probably going
to be hacked by someone, and if it just happens to be the FBI who hacks
your computer, you should have expected that.

By that logic,  when people go to Walmart & there's a very real chance 
their car may be broken into, or they might get pick pocketed, then LEAs 
shouldn't need a warrant or even probable cause to search their person 
or car?


Oh, wait... but they do need a warrant or probable cause in those 
cases.  I fail to see the difference.  Going on a "public" internet w/ 
some dangers is no different than going any other public place.

Appears they're trying the old "boil a frog" trick.
Just take away some constitutional rights - in one specific area. They 
won't put up too big a fight.  Many will be too busy watching The 
Bachelor to notice.  Later on, we can expand it to searching cars & 
houses w/o a warrant (burglars could break into your house - you 
should've expected that).




Re: [tor-talk] US Federal Court: The Fourth Amendment Does Not Protect Your Home Computer

2016-06-24 Thread Joe Btfsplk

On 6/24/2016 4:26 PM, I wrote:

"foreign law"

QED

Yes - most lands & their laws, other than the one a person grew up in or 
resides in are "foreign" to them.

It's not a slur. :D


Re: [tor-talk] US Federal Court: The Fourth Amendment Does Not Protect Your Home Computer

2016-06-24 Thread Joe Btfsplk

On 6/24/2016 8:08 AM, I wrote:

Is this list for all Tor people or just USA?



Subject: Re: [tor-talk] US Federal Court: The Fourth Amendment Does Not
Protect Your Home Computer


Is that a serious or satirical question?
It's always been for people of all countries, as far as I remember.
If you're referring to frequent topics regarding U.S. law & happenings, 
I'd say it's simply because a lot of "stuff" happens in the US arena.
And a lot of what the US, UK, AU & certain other countries do winds up 
affecting a lot of other countries.


There've been plenty of list discussions on legal, security & privacy 
issues in other countries.
But most US citizens won't know specific details about foreign law or 
constitutions & vice versa.  So users from say, Germany, would probably 
have to provide most of the finer details about events in Germany 
(Deutschland).



Re: [tor-talk] US Federal Court: The Fourth Amendment Does Not Protect Your Home Computer

2016-06-24 Thread Joe Btfsplk

Seems that saying "the decision is bad news for privacy" is an 
historical understatement.  It's more like burning the Constitution & 
shooting the ashes out of the solar system.

"We don't need no stinking warrant."
I have doubts that sending scolding emails or petitions will in any way 
change minds of the powers that be, intent on ignoring the Constitution.
It may be the type situation that needs boots on the ground to bring 
change.  People in significant numbers aren't willing to do that, pure & 
simple.  Too many good shows on TV or fun computer games.


Questions in general:
1) Is anyone aware of court rulings or scheduled for a vote - in the 
U.S. or other "free" nations, saying citizens in their homes, not named 
as suspect in any particular crime & with no warrant issued, have no 
reasonable right to privacy - _in general_?  (IOW, the Constitution is 
invalid).   I don't see why it should stop with computers, other than 
maybe no laws exist that explicitly include personal computers under 
right to privacy?


2) Does that ruling or any related documents claim no right to privacy, 
if reading documents on a computer - not transmitted over the internet 
and / or not using any public network; even electronic book readers; 
which TV shows are watched, radio stations tuned in? Or is it only if 
you "go on the public internet?"


3) Meaning for example, authorities could use various technologies to 
monitor & record *face to face* conversations of persons not named as 
suspects in any crime (esp. felonies)?


4) What about privacy for communications between *citizens* of free 
nations & their medical doctors, lawyers, clergymen, etc, whether or not 
using "encrypted / anonymous" methods; that took place entirely inside 
your home, in their office or by any form of communication, including 
postal mail?
Or privacy for computer stored, hand typed notes on doctor / lawyer / 
clergy conversations (NOT transmitted over the internet)?  In that case, 
is there any difference between storing it on a computer or in a journal 
in a desk drawer?
Some of this type data might be excluded in court trials - or not, 
unless persons are declared "enemies of the state".


5) What about written, photographic or sound recordings - not stored on 
a computer?
Why not INCLUDE landline / cell telephone, VOIP, postal mail, personal 
hand written or typed notes, conversations between spouses in the types 
of records or info not requiring warrants?



On 6/24/2016 1:19 AM, grarpamp wrote:

https://www.eff.org/deeplinks/2016/06/federal-court-fourth-amendment-does-not-protect-your-home-computer
https://www.eff.org/files/2016/06/23/matish_suppression_edva.pdf
https://yro.slashdot.org/story/16/06/23/2040255/federal-court-the-fourth-amendment-does-not-protect-your-home-computer

The EFF reports that a federal court in Virginia today ruled that a
criminal defendant has no "reasonable expectation of privacy" in his
personal computer (PDF), located inside his home. The court says the
federal government does not need a warrant to hack into an
individual's computer. EFF reports: "The implications for the
decision, if upheld, are staggering: law enforcement would be free to
remotely search and seize information from your computer, without a
warrant, without probable cause, or without any suspicion at all. To
say the least, the decision is bad news for privacy. But it's also
incorrect as a matter of law, and we expect there is little chance it
would hold up on appeal. (It also was not the central component of the
judge's decision, which also diminishes the likelihood that it will
become reliable precedent.) But the decision underscores a broader
trend in these cases: courts across the country, faced with unfamiliar
technology and unsympathetic defendants, are issuing decisions that
threaten everyone's rights.




[tor-talk] good ole cloudflarb

2016-06-23 Thread Joe Btfsplk

Tor Weekly news from April 4, 2016 mentioned Cloudflare's blog comment 
on Tor.
A cookie exception IS set (but "accept cookies from sites" is not 
checked & "accept 3rd party cookies" = never) - which allows other 
sites to set session cookie, if an exception is entered.

That setup allows _other sites_ to set a cookie.
But cloudflare doesn't set one unless actually check the box "accept 
cookies??"  Then it sets a permanent cookie (permanent in Firefox).


After that,  solving the puzzle infinity -1 times, still won't give access.
When I click pictures fitting instructions, they're replaced faster than 
I can look at / click rest of correct images, then verify.
It mentions "several solutions are necessary."  Don't know if that means 
you have to do this till you get sick, cause you're using Tor, or if 
that's a way to say, there may be > 1 correct pic, in any given group?


We had this discussion a few mo. ago.  I was under impression that if 
had JS enabled & obeyed their commands, you could get in w/ Tor.

Maybe not - maybe that was what their blog was about?
Can anyone get to this blog w/ Tor (6.0.2)?

Thanks.


Re: [tor-talk] Day of Action: Is the FBI targeting YOU??

2016-06-23 Thread Joe Btfsplk

On 6/21/2016 11:58 AM, Kate Krauss wrote:

Greetings, Tor Talkers!

The US Department of Justice is trying to institute new rules that would
let the FBI hack computers that use Tor and other
privacy-protecting technologies--all over the world.

EFF and Tor are asking you to sign a petition or (if you are a US person
in the US) send a note to a member of Congress to stop this.

For background, check out our blog post:
https://blog.torproject.org/blog/day-action-stop-changes-rule-41

TO TAKE ACTION---> go to torproject.org or stopglobalwarrants.org

Judges would still need a warrant, but under the new rules, those
warrants could apply to thousands more people--and computers and phones
anywhere are vulnerable if they use privacy-protecting technology like
Tor or a VPN.

The rules are an amendment to Rule 41 of the US Federal Rules of
Criminal Procedure (rules for US judges). They will go into effect on
December 1, unless we stop them. They would greatly empower US law
enforcement to snoop into people's computers -- making sweeping changes
to US policy through a technicality--without Congressional oversight.
Picture the abuses against journalists, members of Congress, activists,
or everyday citizens that could occur under these new rules if the DOJ
(and FBI) get their way.

EFF and Tor have partnered to launch this Day of Action designed to
raise the profile of this critical issue.

Please sign the petition or email a member of Congress using the banner
at TorProject.org or the campaign's website: NoGlobalWarrants.org--but
remember that the new rules will apply to computers and phones all over
the world--so everyone's voice is critical, no matter where you live.

US Senator Ron Wyden is leading a bipartisan effort to defeat the rules
with a bill called the "Stop Mass Hacking Act" (#SMHAct)--so that's a
good hashtag for Twitter.

Spread the word! Forward this email! Tweet out the news! Protect the
right to privacy!

Cheers,

Katie
@TorProject

If we sign this, will black sedans w/ dark windows park outside our 
homes?  Will records of our bank accounts or financial holdings suddenly 
disappear? :) 8-(


Not that LEAs or pro Big Brother politicians (world wide) care, but is 
there any difference in mass surveillance of electronic surveillance w/o 
probable cause, and *mass* listening to citizens in their homes w/o 
probable cause, using powerful microphones?  They could mount unmanned, 
directional listening devices on utility poles (where exist), or make 
new TVs, light fixtures, etc., w/ hidden cameras / microphones & listen 
to as many as they want "just to be safe."


There's literally no end once any countries start violating their 
constitutions, which was & is constitutional experts' concern over mass 
monitoring & logging of internet, email, private voice communications.  
People "blame" the NSA & other 3 letter orgs, but w/o any nation's 
political system's approval of funds, these agencies couldn't exist or 
do what they're doing.  Many can understand them wanting to decrypt or 
de-anonymize devices of known criminals' or prime suspects; then  
prosecute.  But not gather intel on everyone just because they can.  
Some on this list probably never completely read Orwell's __1984__ 
(futuristic when I 1st read it).  They'd be surprised at its many almost 
identical similarities to what has transpired.


So really, in democratic / free election countries, it's a majority of 
officials elected to "do the will of the people" that are allowing these 
agencies' behavior.
Remember?  The US & other countries' legislative & judicial branches 
met, discussed & several decided what was being done was 
unconstitutional & in some cases, considered unnecessary. Yet 
legislative funding for the projects was never stopped.



Re: [tor-talk] Question for those who say "Tor is pwned"

2016-06-23 Thread Joe Btfsplk

On 6/20/2016 7:10 PM, Roger Dingledine wrote:


If you want to read a lot more on this topic -- including how Tor's
design changed in response and how it still needs to change -- check
out the blog post here:

https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters

(Also, yes, this mailing list has gotten out of control. We are all
distracted doing more urgent things, but I think we should soon find
the time anyway to proceed to the "clean up our lists" plan.)

--Roger

Thanks.  Very sincere questions arise - is the reason Tor / Tor Browser 
doesn't / hasn't change(d) yet to counter the worst of threats - often 
large players or states controlling or monitoring too much of the 
network, mainly because of difficulty of coding the changes - meshing w/ 
rest of the code?  I truly appreciate what Tor Project does, but if I 
lived in a hostile state, I'd be afraid for my life to use Tor Browser.
* Or, are solution(s) deemed "good enough" typically difficult to 
conceive, much less implement?

* Because large nations have massive brain power & almost limitless funds?
* A lack of Tor man power (lack of funds), brain drain to the NSA / FBI; 
kibosh by the navy on changes?   Or several, or other reasons?


We've read for many years now, how countries - or cooperating countries 
-  devoting enough time & money may well de-anonymize some or many 
users, depending.
I posed that question / theory many yrs B.S.  (before Snowden) & I know 
relatively little about *fine* details on packet timing, etc.  I'm not a 
coder.  (That idea was shot down __immediately & decisively__ by Tor 
mgmt). :)
Yrs later, we're still talking about same exact problem(s) - some 
improvements, several of which many advanced users & "researchers" say 
may still be woefully inadequate.  That we're "whistling past the 
graveyard."
Note:  "Just because someone says something repeatedly with conviction, 
doesn't make it true."  For anyone.

Thanks.



