Re: [tor-talk] torproject forum hosted by 3rd party?

2021-10-29 Thread bo0od

> - no IP logging
> - no external resources

You shouldn't trust TPO on not doing that either (not because they do
that but because there is no control on that from the user side, so you
should assume the worst when it comes to security/privacy/anonymity).


And allowing JS in order to participate in the forum, that's also an
issue. (Good thing you can read the forum topics while JS is disabled,
but you can't log in, type, etc.)


In the end the user needs to trust an entity to make Discourse
functional; TPO or not doesn't matter. (I agree that seeing Google or
Amazon, etc., from shitty corporations is the worst thing a user wants
to see when using Tor or any other anonymity tool, and it should be
prohibited.)


nusenu:

Hi,

the Torproject is about to launch the new Discourse based forum next 
week [1]

https://forum.torproject.net

With this email I'd like to initiate a discussion on whether it is a
good idea to externalize hosting of what might become an important
platform for the tor community.

I believe discourse is a great platform, but
I was surprised to learn that the forum is _not_ self-hosted on 
torproject infrastructure.
It is hosted by "Civilized Discourse Construction Kit, Inc." the company 
behind discourse.org.
That means the torproject does not have full control over the 
infrastructure and its security and logging practices.

Discourse's third party hosting also does not support onion services [2].

The forum privacy policy mentions that IPs get logged and stored over an 
extensive amount of time

https://forum.torproject.net/privacy
As Jérôme pointed out [5] the forum is also subject to discourse's 
privacy policy, so maybe it would be good to include a link
to https://www.discourse.org/privacy on 
https://forum.torproject.net/privacy.



Especially since this forum will be used for tor browser support it will
also include people's IP addresses when they are unable to use tor
browser to protect themselves.


When you open https://forum.torproject.net in a browser it will fetch 
resources from multiple places:


fonts.googleapis.com (Google)
fonts.gstatic.com (Google)
aws1.discourse-cdn.com
avatars.discourse-cdn.com (proinity LLC, AS44239)
forum.torproject.net/torproject1.hosted-by-discourse.com (CNAME) (Hurricane Electric LLC)



To quote Gaba from the gitlab ticket [3]:
If there is a risk on running this forum outside TPA infrastructure 
then we need to change this and host Discourse in TPA.


(TPA is the torproject admin team 
https://gitlab.torproject.org/tpo/tpa/team)


I agree with Gaba and I'm glad anarcat (torproject admin team) is not
totally against self-hosting [4] even though discourse is docker based.


Self-hosting would also allow for:

- better domain: forum.torproject.org (the torproject.net domain is 
basically unknown and I guess many people
will be confused. I agree with anarcat to use the .net domain when it is 
not run on TPA infrastructure)

- no IP logging
- no external resources
- no troubles for tor browser users should discourse decide to enable 
CAPTCHA or use a CDN that enforces CAPTCHAs in the future



What is the main reasoning for using a 3rd party hosted Discourse 
instance instead of a self-hosted instance?

(besides the obvious 'so we don't have to patch and maintain it ourselves')


related gitlab ticket:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183
https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum 





kind regards,
nusenu



[1] https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html
[2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700
[3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919
[4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060
[5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283





-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] [New Report] No Access: LGBTIQ Website Censorship in Six Countries

2021-09-03 Thread bo0od

I think if you waited more Afghanistan would be added to the list.

Maria Xynou:

Hello,

Today, in collaboration with the *Citizen Lab* and *OutRight Action
International*, we co-published a new research report, "*No Access: LGBTIQ
Website Censorship in Six Countries*", which examines the blocking of
LGBTIQ websites in Indonesia, Malaysia, Iran, Russia, Saudi Arabia, and the
United Arab Emirates (UAE).

The report is available on each of our websites:

* OONI:
https://ooni.org/post/2021-no-access-lgbtiq-website-censorship-six-countries/

* Citizen Lab:
https://citizenlab.ca/2021/08/no-access-lgbtiq-website-censorship-in-six-countries/

* OutRight Action International:
https://outrightinternational.org/content/no-access-lgbtiq-website-censorship-six-countries

Download the full (203-page) report here:
https://ooni.org/documents/2021-lgbtiq-website-censorship-report/2021-lgbtiq-website-censorship-report.pdf

*# About the report*

We joined forces with OutRight Action International and the Citizen Lab to
examine the *blocking of LGBTIQ websites in 6 countries: *Indonesia,
Malaysia, Iran, Russia, Saudi Arabia, and the United Arab Emirates (UAE).

We selected these countries because they are (a) known to serve block pages
(i.e., pages that website visitors may see when access is restricted),
which enable us to automatically confirm the blocking of LGBTIQ websites,
and (b) known to censor LGBTIQ related content, based on prior research.

We adopted a mixed methods research approach, combining *OONI network
measurement analysis with interviews and literature research*. The
timeframe that we selected for OONI data analysis was *June 1, 2016 to July
31, 2020*. To examine the impact of online LGBTIQ censorship, OutRight
Action International and the Citizen Lab interviewed LGBTIQ communities in
the six countries.

*# Summary of key findings*

*1) Variation in the blocking of internationally-relevant LGBTIQ websites
vs. locally-relevant ones.* All six countries blocked LGBTIQ websites that
are internationally-relevant and meant for an international audience (such
as www.grindr.com, www.advocate.com, and ilga.org). In Malaysia and
Indonesia, all local LGBTIQ websites tested (e.g., queerlapis.com and
suarakita.org), however, were accessible during our analysis period, and
therefore, it appears that both countries block internationally-relevant
LGBTIQ websites only. In contrast, Iran, Russia, Saudi Arabia, and the UAE
blocked access to several local and regional LGBTIQ sites, in addition to
blocking internationally-relevant LGBTIQ sites.

*2) LGBTIQ websites on “culture and community” were blocked most often. *In
Indonesia, Iran, Malaysia, and Saudi Arabia, the most frequently blocked
LGBTIQ websites were those that belong under the “Culture and Community”
category. These are websites that aim primarily to create a sense of
community among LGBTIQ individuals, as well as provide information about
art and culture. This is not the case in Russia, however, where LGBTIQ
websites under the “News Media" category instead presented the most
blocking, while in the UAE, most of the LGBTIQ websites found to be blocked
were no longer operational (categorized as “404 Not Found”).

*3) Variation in how block pages are served for LGBTIQ websites.* ISPs in
Indonesia and Malaysia serve block pages by means of DNS hijacking, whereas
Iranian ISPs serve block pages primarily by means of DNS injection. In
Russia, ISPs commonly make use of HTTP transparent proxies to serve
blockpages, but some Russian ISPs serve block pages by means of DNS
hijacking instead. In Saudi Arabia and the UAE, ISPs deliver block pages to
internet users through the use of censorship technologies.

*4) Detection of censorship technologies in Saudi Arabia and the UAE.* In
both Saudi Arabia and the UAE, ISPs serve block pages through the use of
WireFilter technology, which is a network filtering device made for the ISP
and commercial market, manufactured by Riyadh-based Sewar Technologies Ltd.
In the UAE, we also observed blocking using a tool manufactured by
Netsweeper, which is a Canadian company that sells internet filtering
products to ISPs around the world.

*5) Some block pages in Russia contained affiliate ads.* Unlike other
countries, some block pages in Russia contained affiliate ads, suggesting
the presence of financial incentives. We previously observed ads being
served as part of censorship efforts in Egypt (
https://ooni.org/post/egypt-internet-censorship/).

*6) Iran blocks the highest number of LGBTIQ URLs in our test lists. *Out
of the six countries, the highest instance of LGBTIQ URL blocking was seen
in Iran, where 75 unique LGBTIQ URLs were detected as blocked. In Iran, we
also observed the blocking of www.outrightinternational.org, the website of
OutRight Action International, one of this report’s authors.

Further details and findings are available through our report:

Re: [tor-talk] How does TBB manage downloaded files (e.g. PDFs)?

2021-08-29 Thread bo0od

> Can the files be re-established
> (undeleted) from the hard drive / SSD?

TB is not anti-forensic:

https://www.researchgate.net/publication/332004753_Forensic_Analysis_of_Tor_Browser_A_Case_Study_for_Privacy_and_Anonymity_on_the_Web

https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf

Thus either use Tails or host live + Whonix live mode if you don't want
traces to be left.


matthew...@danwin1210.me:

I notice that when I open a PDF in TBB I can choose to open it in the Tor
browser (which is what I do).

I also notice that, on my Ubuntu system, this creates a directory called
/tmp/mozilla_mycomputerusername0 which contains the downloaded PDFs.

So "open in browser" actually involves a download to the /tmp directory.

The permissions of the PDFs are -r

I close TBB and the PDFs vanish while the directory remains.

I am wondering how the PDFs are removed. One of the attractive aspects of
TBB (IIRC) was that all cookies, temp files, etc, are securely removed.

Can I ask how the PDFs are deleted. Can the files be re-established
(undeleted) from the hard drive / SSD?






Re: [tor-talk] Tor browser 10.5 lost all saved passwords

2021-07-14 Thread bo0od

Saved logins in TB? TB doesn't by default offer to save passwords unless
you change stuff in about:config (so what happened to you can be expected
because it's not supported by default). But if you have to save passwords
while browsing then either use Bitwarden or a local password generator
like KeePassXC.


Note: adding external addons (not coming by default) is recommended
against due to fingerprinting issues, which affect your anonymity.


Jerome Lille:

I just updated to version 10.5 and all the saved logins are gone!!

Can they be recovered?

/Jerome




[tor-talk] Hardenize TorProject Website

2021-05-03 Thread bo0od

Hi There,

Checking the Tor Project website configs, there is some stuff that is
outdated or needed... let's see:


* https://www.hardenize.com/report/torproject.org/1619971139#www_tls

- TLS 1.0, 1.1 Deprecated since 2020
- Disable weak ciphers

Due to the usage of TLS 1.0 and 1.1, the website got a B grade from SSL Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=torproject.org

* https://www.hardenize.com/report/torproject.org/1619971139#www_hsts

- Preload policy doesn't satisfy preload requirements because:

"This HSTS policy doesn't cover subdomains, which is a requirement for 
preloading. Additionally, without full coverage, HSTS can't protect from 
certain cookie attacks that typically allow active network attackers to 
inject cookies into an application."


* https://www.hardenize.com/report/torproject.org/1619971139#www_xxssp

- Enforce XSS protection

"Name: X-Xss-Protection

Value: 1"

It should be:

"Name: X-Xss-Protection

Value: 1; mode=block"


* https://securityheaders.com/?q=torproject.org=on
* https://observatory.mozilla.org/analyze/torproject.org

- Content-Security-Policy: This policy contains 'unsafe-inline' which is 
dangerous in the style-src directive.


- (Experimental but maybe worth attention?) -> Permissions-Policy:

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

Why experimental?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

ThX!
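
The findings listed in this post can be checked mechanically against a captured response. The following is an added example, not part of the original message and not Tor Project code: the header values and TLS version list in `SAMPLE` are constructed to mirror what the post reports, and the finding names are hypothetical labels.

```python
"""Audit captured response headers for the points raised in the post above."""

PRELOAD_MIN_MAX_AGE = 31536000          # one year, the hstspreload.org minimum
DEPRECATED_TLS = {"TLSv1.0", "TLSv1.1"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) for an HSTS header value."""
    max_age, include_sub, preload = None, False, False
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age"):
            raw = token.partition("=")[2].strip().strip('"')
            max_age = int(raw) if raw.isdigit() else None
        elif token == "includesubdomains":
            include_sub = True
        elif token == "preload":
            preload = True
    return max_age, include_sub, preload


def parse_csp(value):
    """Map each CSP directive name to its source list (first occurrence wins)."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit(headers, tls_versions=()):
    """Return a list of finding labels for one site's headers and TLS versions."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = ["deprecated-" + v.lower() for v in tls_versions if v in DEPRECATED_TLS]

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        max_age, include_sub, preload = parse_hsts(hsts)
        if not include_sub:
            findings.append("hsts-missing-includesubdomains")
        if preload and (not include_sub or max_age is None
                        or max_age < PRELOAD_MIN_MAX_AGE):
            findings.append("hsts-preload-requirements-not-met")

    # The post asks for "1; mode=block" where the header is present.
    xxp = h.get("x-xss-protection")
    if xxp is not None:
        tokens = [t.strip().lower().replace(" ", "") for t in xxp.split(";")]
        if not (tokens[0] == "1" and "mode=block" in tokens[1:]):
            findings.append("x-xss-protection-not-mode-block")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    else:
        policy = parse_csp(csp)
        # style-src falls back to default-src when it is not set.
        sources = [s.lower() for s in
                   policy.get("style-src", policy.get("default-src", []))]
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        guarded = any(s.startswith(HASH_OR_NONCE) for s in sources)
        if "'unsafe-inline'" in sources and not guarded:
            findings.append("csp-style-src-unsafe-inline")

    if "permissions-policy" not in h:
        findings.append("permissions-policy-missing")
    return findings


# Constructed input mirroring the report in the post (not a live capture).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; preload",
    "X-Xss-Protection": "1",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
}
SAMPLE_TLS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed "after" configuration that clears every finding.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Xss-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; style-src 'self'",
    "Permissions-Policy": "geolocation=()",
}
HARDENED_TLS = ["TLSv1.2", "TLSv1.3"]

if __name__ == "__main__":
    for finding in audit(SAMPLE, SAMPLE_TLS):
        print(finding)
```
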


Re: [tor-talk] Onion available does not appear in http version

2021-03-22 Thread bo0od

great it is an intended behavior

Nicolas Vigier:

On Mon, 22 Mar 2021, qorg11 wrote:


The "Onion available" does not appear in a plain http version of a
website. But it does appear in the https version. I checked and my
website does have the onion-location header in the plain http
version. But tor browser doesn't show the button. Is this intended
behaviour? I've attached some screenshots.


It is intended behaviour:
https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/100-onion-location-header.txt

"The webpage defining the Onion-Location header must be served over
HTTPS."




Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App

2021-02-06 Thread bo0od

Actually OONI tests are absolutely useless for finding anything bad. All
the tests being done can be known trivially by using the internet, e.g.:


- check for websites blockage
- check for Tor blockage
- check for Internet speed
- etc.

Which one of those needs magic/effort to be known? A child using the
internet in that area can give you all the results without the need to
run this OONI app.


The current development/developers are giving a garbage application.

It should give results for middleboxes, DNS/TLS hijacking, etc.:
something useful, worth running OONI for.


One of the funny things: it tests whether WhatsApp is blocked, but it
doesn't do that for Signal or Element/Matrix, which are more
important than the malware WhatsApp... What a waste of effort and money.


Christian Pietsch:

Dear Maria,
dear OONI Probe users,

having used OONI Probe on Android devices in the past, I was shocked
to find out today that at least the version distributed via Google's
Play Store seems to contain two trackers, namely Countly and Google
Firebase Analytics: https://reports.exodus-privacy.eu.org/en/reports/161999/

Countly is UK based. They admit that they collect personal data from
users as defined in the GDPR: https://count.ly/legal/privacy-policy
Regarding Google (Firebase) Analytics, we know they collect any data
they can. Trackers are spyware. Don't use apps that contain them!

F-Droid provides a version of OONI Probe to Android users that is
tracker-free – like all apps in this app store. I double-checked it
using the Exodus software mentioned above on the command line.
https://f-droid.org/de/packages/org.openobservatory.ooniprobe/

Why don't you provide a clean version of your app to the majority of
Android users who still rely on Google's Play Store, OONI?

Cheers,
Christian


On Thu, Jan 28, 2021 at 11:21:13AM +0100, Maria Xynou wrote:

Hello,

We're excited to share that the latest OONI Probe version features a
brand new test for RiseupVPN!

You can now check whether RiseupVPN works on your network. Learn all
about this test here: https://ooni.org/nettest/riseupvpn/

To run the new RiseupVPN test, update to the latest version (2.9.1) of
OONI Probe Mobile: https://ooni.org/install/mobile

All RiseupVPN test results from around the world are openly published in
near real-time:
https://explorer.ooni.org/search?since=2020-12-30_name=riseupvpn

Warm thanks to the folks from the LEAP collective for developing this
new test! <3

Cheers,

Maria (on behalf of the OONI team).






[tor-talk] Onion v3 went offline in the entire network?

2021-01-11 Thread bo0od

Hi

The incident that happened yesterday of taking onion v3 off is beyond
horrible, because the issue happened and (appears to be) fixed without
any single patch downloaded to the user/client Tor.


Someone might come with explanations, but at the same time this bug or
attack or whatever can tell a lot on the issue of whether Tor is a reliable
alternative (secure) mirror to the clearnet. Well, saying onion v3 went
off and on is like saying the whole clearnet on earth went off and on if
we really put them into parallels.


This means power/control over the Tor network is not really in the hands of
the users or contributors; it's above them and worse than the clearnet...


I think maybe TPO should rethink about reimplementing a P2P design rather
than the current centralized design. But what is clear is that the
current state is not as good as it should be.


Note: I'm aware of this ticket
https://gitlab.torproject.org/tpo/core/tor/-/issues/40237


Thx!


Re: [tor-talk] Where is the tor signing key?

2020-12-23 Thread bo0od

Just followed the instructions mentioned in
https://support.torproject.org/tbb/how-to-verify-signature/, working good
now.


Matthew Finkel:

On Thu, Dec 10, 2020 at 09:19:46AM +, Colin Baxter wrote:


The URL https://support.torproject.org/tbb/how-to-verify-signature/
gives the impression that the signing key email address is
torbrow...@torproject.org. However

  gpg2 --search-keys torbrow...@torproject.org 

gives

gpg: key "torbrow...@torproject.org" not found on keyserver.

What's the correct email address for the signing key?


torbrow...@torproject.org is the correct email address, but you may be
querying the wrong server. On the page you referenced there is a section
for this:

"""
Fetching the Tor Developers key

The Tor Browser team signs Tor Browser releases. Import the Tor Browser
Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

gpg --auto-key-locate nodefault,wkd --locate-keys torbrow...@torproject.org
"""

The key is available on keys.openpgp.org, as well, if you need it from
another key server:

https://keys.openpgp.org/search?q=torbrowser%40torproject.org




Re: [tor-talk] U-tube new-er denial criteria?

2020-11-12 Thread bo0od

- Complain to Google, which owns YouTube, and tell them to allow Tor
traffic (because this is not a Tor issue).


- Use one of the instances from the Invidious project (or build your own
instance):


https://github.com/iv-org/invidious/wiki/Invidious-Instances

- Not an anonymity option (but I think watching YouTube/Google is already
an anonymity fuck due to JavaScript): use a VPN (whether your own server or
subscribing to a company). You can combine Tor with a VPN as you -> Tor ->
VPN. Again, not an anonymity option, it just circumvents the issue of Tor
blockage done by YouTube/Google.


joebtfs...@gmx.com:

Quite recently, youtube has started showing more messages than in the
past, similar to: "Uh-oh We detected some unusual activity from your
address."  Once that happens, changing clearing all data, a new identity
& changing exit relays to other countries & IPa's (3, 5 or 10x) rarely
helps.

Sometimes it mentions "too many requests," but often not.  When it does,
it has to be others assigned the same relay as me, also visiting youtube
within a short period.

The "block" popups often show before I've looked at any or maybe one video.
They aren't age restricted or possibly offensive vids.  I've rarely seen
msgs: "Not available in your locale."

Seems this increased since last TBB update, more than I remember for
years. That could be coincidence, but...

It doesn't seem to matter if I have exits in US, CA, DE, UK - or others.
It's possible that exit relays from well behaved, but higher Tor use
countries or faster, higher use relays are hurting me instead of
helping?  Though I'm not selecting or excluding individual exits.

It's now sometimes happening after I close TBB completely, wait 10+
min., then make sure my exits AREN'T from same countries as when they
blocked me, by using custom torrc files.




Re: [tor-talk] >600 Tor relays without ContactInfo and similar properties

2020-11-02 Thread bo0od

I doubt ExcludeNodes does any good; as TPO stated, the behavior of how
Tor will react to it is not studied well and it might be disabled in the
future. Aside from that, just because too many nodes popped up or you
feel suspicious doesn't necessarily make them worse than any old trusted
node located within spying countries like the US or UK or Germany, etc., or
even anywhere. What I'm trying to say is we need a permanent design
mitigation to solve that, not temporary blockage of x or y, then another a
and b will pop up and the game continues forever...


li...@for-privacy.net:

On 26.10.2020 00:54, nusenu wrote:


These 600 (and other) are easy to block in torrc:
ExcludeNodes Unnamed,default,ididnteditheconfig


tor's man page disagrees:
   ExcludeNodes node,node,...
   A list of identity fingerprints, country codes, and address
   patterns of nodes to avoid when building a circuit.


You're right. I read that in Jens Kubieziel's German blog. (very old 
pages) Nicknames were allowed earlier?
Country codes are too error-prone. My exits are in Luxembourg. Tor 
Metrics shows it wrong in the US. :-(
https://metrics.torproject.org/rs.html#search/family:6D6EC2A2E2ED8BFF2D4834F8D669D82FC2A9FA8D 


376DC7CAD597D3A4CBB651999CFAD0E77DC9AE8C
5D84900DBE6D6365684A9675B81A68ACE9577A68

Banning nicknames in ExcludeNodes is then a missing feature by me.
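
The man page text quoted in this thread lists three accepted entry kinds for ExcludeNodes, so a torrc can be linted for entries that match none of them. The following is an added example, not part of the original messages and not tor's own parser: the recognizers are simplified, and the sample torrc, including its fingerprint, is constructed.

```python
"""Lint ExcludeNodes entries against the forms the quoted man page lists."""
import ipaddress
import re

# Simplified recognizers (assumption: tor's real parser accepts more variants).
FINGERPRINT = re.compile(r"\$?[0-9A-Fa-f]{40}")      # relay identity fingerprint
COUNTRY_CODE = re.compile(r"\{[A-Za-z0-9?]{2}\}")    # e.g. {us}, {??} for unknown


def classify_entry(entry):
    """Return 'fingerprint', 'country', 'address' or 'unrecognized'."""
    if FINGERPRINT.fullmatch(entry):
        return "fingerprint"
    if COUNTRY_CODE.fullmatch(entry):
        return "country"
    try:
        # strict=False accepts patterns with host bits set, e.g. 255.254.0.0/8.
        ipaddress.ip_network(entry, strict=False)
        return "address"
    except ValueError:
        return "unrecognized"


def lint_exclude_nodes(torrc_text):
    """Return (line number, entry, kind) for every ExcludeNodes entry."""
    report = []
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split(None, 1)   # drop comments, split option
        if len(fields) != 2 or fields[0].lower() != "excludenodes":
            continue
        for entry in (e.strip() for e in fields[1].split(",")):
            if entry:
                report.append((lineno, entry, classify_entry(entry)))
    return report


def unrecognized_entries(torrc_text):
    """Entries that match none of the documented forms, such as nicknames."""
    return [entry for _, entry, kind in lint_exclude_nodes(torrc_text)
            if kind == "unrecognized"]


# Constructed sample: line 2 is the nickname list suggested in the thread,
# line 3 uses the three documented forms with a made-up fingerprint.
SAMPLE_TORRC = """\
# constructed sample torrc
ExcludeNodes Unnamed,default,ididnteditheconfig
ExcludeNodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc}, 255.254.0.0/8
"""

if __name__ == "__main__":
    for lineno, entry, kind in lint_exclude_nodes(SAMPLE_TORRC):
        print(f"line {lineno}: {entry} -> {kind}")
```
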




Re: [tor-talk] >600 Tor relays without ContactInfo and similar properties

2020-08-21 Thread bo0od

It's stupid anyway to provide contact info for running relays; if Tor is
a P2P protocol it would be funny to even think about it because that
means like each user of Tor should provide his info.


It's not a big deal because solving malicious nodes and putting trust in
the DA wouldn't be through having contact info or not. This is for the
protocol level to solve.


nusenu:


Since the Tor directory authorities are no longer removing such undeclared 
relay groups
and I feel bad about sitting on this list without doing anything with it
I'm posting it here for your information.

This is a set of over 600 Tor relays that got added since 2020-01-29  on a 
limited set of hosters.
They have some similarities in their sign-up pattern and properties.


Most of them are middle relays (non exit relays).

total guard probability: 3.6%
total middle probability: 10.1%

https://github.com/nusenu/tor-network-observations/blob/master/20200129-20200819_unknown_middle_relaygroup.txt

+-----------------------+--------+
| as_name               | relays |
+-----------------------+--------+
| Microsoft Corporation |    254 |
| Linode, LLC           |     82 |
| UAB Cherry Servers    |     75 |
|                       |     62 |
| Cogent Communications |     44 |
| Hetzner Online GmbH   |     38 |
| OVH SAS               |     26 |
| DigitalOcean, LLC     |     11 |
| Online S.a.s.         |      9 |
| Enzu Inc              |      7 |
+-----------------------+--------+







Re: [tor-talk] secure website hosting over tor

2020-08-09 Thread bo0od

About Whonix: not necessarily VirtualBox, actually it's better to use KVM
or Qubes/Xen OS.


And virtualization is better than containers, plus the security of
Docker's update mechanism just sucks.


If you know about sysadmin and know how to use things for anonymity (e.g.
avoid leaky stuff like Apache and use nginx instead, and so on...),
reading the source and playing with it and stuff like that is something
extra, not mandatory to maintain secure hidden services.


maboiteaspam spammaboite:

Hi!

I am really interested in running a website over tor and announcing it.
I already know how to do that, and it is already working for non sensitive
information. I have to say this was awesome to be able to run a website
with zero configuration, I really love that.

Although I am afraid my current setup is not secure and can be easily
traced.

Thus i would like to know if you can help me to find the right information
to get it correct.

Where can I learn more about securing my setup without reading the source
code and understanding the whole machinery ?

Apart, I have read it is better to use whonix, or alike. Though they talked
about using a VM, thus virtualbox.

Can I run this using Docker instead ?

Thanks a lot for your inputs and suggestions.




Re: [tor-talk] Slides & Video Recordings: Internet Measurement Village 2020

2020-07-29 Thread bo0od

OONI nowadays has really downgraded capabilities compared to old OONI: no
tests for middleboxes, network tampering, etc. And there is only support
for proprietary operating systems, Windows and Mac, come on.


Maria Xynou:

Hello friends,

Over the last month (between 10th June 2020 to 3rd July 2020), we
organized and hosted the first virtual Internet Measurement Village
(IMV), which featured 18 presentations on internet measurement projects,
censorship measurement efforts, advocacy efforts fighting internet
shutdowns, and censorship circumvention tool projects.

As all the IMV sessions were live-streamed and will continue to live on
the OONI YouTube channel (https://www.youtube.com/c/OONIorg), we hope
that these recordings will serve as a valuable resource on internet
measurement for the internet freedom community.

We published a blog post where we share the video recording & slides of
each IMV presentation: https://ooni.org/post/2020-imv-slides-recordings/

Please help share these resources:
https://twitter.com/OpenObservatory/status/1288430388445163520

Warm thanks to the IMV presenters for sharing their important work with
the community! Special thanks to everyone who tuned in and shared
questions, comments, and resources.

All the best,

Maria.




Re: [tor-talk] Using a Solid Tor Configuration

2020-07-23 Thread bo0od

Anonymity is not easy; you need to use operating systems designed to
work with Tor and hardenize other stuff to work safely with it, and
there are 2 options available:



- Tails if you want to use the OS on an external USB
- Whonix if you want to use the OS in a virtual machine like Qubes/Xen
(best option) or KVM or VirtualBox <- If you want to host a hidden service
this is the best option as well.


Without blinking an eye you must choose a GNU operating system; Windows
and Mac OSs are just malware.


And the more you read the more you are safe. To start with reading, go to
each project's documentation and start from there, e.g. Tor, Whonix, Tails, etc.


As a distro to choose, use GNU/Linux Mint (easy) or Debian (medium) or
Qubes (hard).


Enjoy!

con...@secmail.pro:

Hi all,

I would like to setup a solid Tor configuration in the States. I get a lot
of harassment from corrupted law enforcement and nosy corporations. My
goal is to keep my online activity private, but it appears Tor isn't doing
that at all.

Should I use Linux or Windows with Tor and how do I make it work well
enough to stop these kind of attackers?


Thanks in advance for your help.


--Conser




Re: [tor-talk] Idea for a stand-alone browser based on Tor browser source code

2020-07-08 Thread bo0od

Both (FF, Brave) are by default installation not designed for real
privacy protection, e.g.:


Looking at the TB design, there are tons of work done to turn the FF fork
into what you have now:


https://2019.www.torproject.org/projects/torbrowser/design/#Implementation

Brave is just worse than even vanilla FF, e.g.:

https://www.bleepingcomputer.com/news/security/facebook-twitter-trackers-whitelisted-by-brave-browser/

https://github.com/privacytools/privacytools.io/pull/657#issuecomment-463314974



So to have a TB without Tor, focusing on just security and clearnet
privacy (without anonymity) from the first run by default, it's a great idea.


Jason Evans:



On 7/7/20 9:12 PM, joel04g_t5...@secmail.pro wrote:

Tor browser has good defense against many tracking techniques, however,
internet users may want a way to browse the web without anonymity but with
some of the great features Tor browser provides. (Security Level,
Noscript, Isolate trackers, Anti Fingerprinting, etc)



First of all, why not use Brave or Firefox for your non-Tor required needs?

Secondly, you can turn off Tor in Tor Browser. See here:
https://tor.stackexchange.com/questions/10367/how-to-dissconnect-tor-browser-from-the-tor-network

JE




Re: [tor-talk] Wahay: Mumble + Onion Service

2020-05-29 Thread bo0od

Nice tool. More good suggestions:

- A better start is to look into integrating it with Debian official repos

- Create an AppImage for GNU/Linux distros (safer and faster than adding
external repos)


- Fuck Windows and MacOS, support BSD and/or any free software OS
(optional suggestion)


Thanks for the great work!

Rafael Bonifaz:

Hello,

My name is Rafael Bonifaz and I work at Centro de Autonomía Digital -
CAD[1]. We are an organization based in Quito - Ecuador that creates
FLOSS applications for online privacy and security.

Our latest project is called Wahay that combines two great projects:
Mumble and Tor. The user interface is similar to Zoom, where you can
start a meeting or join a meeting.

When you start a Wahay meeting, in the background it starts a Mumble
server (Grumble) and publishes it as an Onion Service. To join the meeting
other people would copy the onion address into the Wahay client and in
the background it would start a torify Mumble that would connect to the
Onion Address. To simplify the audio configuration in Mumble it
automatically starts in push to talk mode where you would use right
control key to talk.

The user experience is more like a Walkie Talkie than to a conventional
VoIP conference application.  At the moment it is available for Linux
and in the near future we plan to make it compatible versions for
Windows and Mac. We have installation instructions for several Linux
distributions[2].

You should be able to join a Wahay meeting with a torify Mumble in any
operating system.  There is work in progress in Mumla (Android Mumble
client - Plumble fork) to make it friendly to join torify Mumble[3]. You
might want to take a look to that nice project.

Wahay is GPL v3 and you can find the code in Github[4].

If you speak Spanish you could listen to how it works in this radio
interview[5]. We used Wahay for a live interview and it worked pretty
well :).

Have a nice weekend and please if you have time help us test it.

Best,

Rafael



[1] https://autonomia.digital
[2] https://wahay.org/documentation/getting-started/installation/index.html
and the website in general https://wahay.org
[3] https://gitlab.com/quite/mumla/-/issues/3
[4] https://github.com/digitalautonomy/wahay
[5] https://archive.org/details/sonambules_wahay





Re: [tor-talk] StartPage becoming Stop Page

2020-05-03 Thread bo0od

check here: https://blog.privacytools.io/delisting-startpage/

and when it ends with blocking Tor users just no surprise.

later maybe they will delete pages like this one:

https://support.startpage.com/index.php?/Knowledgebase/Article/View/288/15/how-does-startpage-interact-with-tor

history: https://trac.torproject.org/projects/tor/ticket/6151



joebtfs...@gmx.com:

In the last week or 2 - well after TBB 9.0.9 release, StartPage quite
often shows "sorry to interrupt" page, asking if you're doing weird things.
Has a place to send comments, explanation.  An excerpt (emphasis mine):


Just Checking... We apologize for the inconvenience: to prevent
possible abuse of the Startpage.com service, your Internet connection
has been prevented from accessing it at this time.

This happens when a *large number* of search requests are received
from one's Internet connection in a *short amount of time* -- for
example, if you are using "screen-scraping" software, or if you are
sharing a connection with many people, perhaps through a proxy service.



It's not tied to exit nodes in certain countries, AFAIK.  As with
youtube, quickly trying new circuits 5+ times has mixed results.  I
imagine they've recently had bad experiences or changed policies.



Re: [tor-talk] Revisiting youtube blocking TBB, virtually all 1st attempts to load YT

2020-05-03 Thread bo0od
What's the difference between watching video over invidious or youtube? I 
don't see a reason for me to search or watch videos over youtube.


joebtfs...@gmx.com:

On 3/4/20 1:15 PM, bo0od wrote:

use an invidious instance like: invidio.us or any other one. Also you can
download YT videos using e.g. youtube-dl. These solve the headache
of google shit.

That's one way. Not as easy or fast as viewing short videos in a browser.
If I'm researching something technical, I may only watch a few seconds
or a minute till I see it isn't what I expected (from the title /
summary, etc.). Then immediately to the next.

I have had more consistent results w/ youtube & a few other sites by
clearing the cache & new identity.  I'll try 1x - 2x getting a new
circuit, as it's very quick.

Over time - at least for me, if that doesn't immediately fix their
block, I immediately clear cache & get new identity, or close the site,
if other sources exist.  So far, that's had a high success ratio.





[tor-talk] Tor Post-Quantum Cryptography

2020-05-03 Thread bo0od
I wonder if Tor has a roadmap for applying PQC into their design; great 
to see that some projects are trying to add it in an experimental state:


- OpenSSH  https://www.openssh.com/releasenotes.html

"* ssh(1), sshd(8): Add experimental quantum-computing resistant
   key exchange method, based on a combination of Streamlined NTRU
   Prime 4591^761 and X25519."

- Wireguard 
https://www.wireguard.com/protocol/#Key_Exchange_and_Data_Packets


- TLS:

Benchmarking post-quantum cryptography in TLS: 
https://www.douglas.stebila.ca/research/papers/PQCrypto-PaqSteTam20/


Hybrid key exchange in TLS 1.3: 
https://www.douglas.stebila.ca/research/papers/draft-ietf-tls-hybrid-design/


- C library: https://github.com/open-quantum-safe/liboqs



Re: [tor-talk] Full storage OS doesnt give warning signal to Tor Browser thus not upgrading

2020-03-29 Thread bo0od

lol i see, thank you for pointing me to the tickets.

Roger Dingledine:

On Fri, Mar 27, 2020 at 10:15:54AM +, bo0od wrote:

no matter how many times you upgrade TB it won't upgrade (which is rational
because there is no space). But a notification telling the user that would
be better.

(same goes for plugins upgrade, tested on FF-esr manual download and gave
same result as TB)

Yes it's a FF/TB issue.


Yep! This is a bug with the Firefox updater, and they don't seem to have
any momentum at fixing it. :(

For the Tor ticket, see
https://bugs.torproject.org/18186

And for the Firefox bug, see
https://bugzilla.mozilla.org/show_bug.cgi?id=315278

Gotta love those 15 year old bugs. :(

--Roger




[tor-talk] Full storage OS doesnt give warning signal to Tor Browser thus not upgrading

2020-03-27 Thread bo0od
If a user happened to be running a VM or an OS installed directly on the 
hardware (doesn't matter) and the storage reached its maximum and 
TorBrowser notified the user that there is a new version to upgrade and 
the user upgraded TB, he will open TB (after upgrade) without any sign there 
is something wrong unless he goes and checks the TB version to discover he's on 
the previous version.


No matter how many times you upgrade TB it won't upgrade (which is 
rational because there is no space). But a notification telling the user 
that would be better.


(same goes for plugins upgrade, tested on FF-esr manual download and 
gave same result as TB)


Yes it's a FF/TB issue.


Re: [tor-talk] Revisiting youtube blocking TBB, virtually all 1st attempts to load YT

2020-03-06 Thread bo0od
Yes, invidious = invidio.us, that's what I was referring to. It has onion v3/v2 
and https with many instances running it.


joebtfs...@gmx.com:

@ bo0od, not sure I follow.  Invidious means likely to cause unhappiness
or be unpleasant.
Does that have any relationship to invidio.us or similar sites?

Yes, you can D/L the videos, but you first have to get the URL.  I guess
if you saw a link on another site, your suggestion might make sense.  Or
if you use a proxy or VPN with regular Firefox - if YT worked with them.

On 3/4/20 2:55 PM, Matthew Finkel wrote:

On Tue, Mar 03, 2020 at 04:49:16PM -0600, joebtfs...@gmx.com wrote:
[snip]

I assume this means you are running Tor Browser in non-private browser
mode? Otherwise clearing the cache before restarting shouldn't have any
effect.

Yes, I don't consider YT an adversary or even a site to keep health
information secret, etc.
I'm usually looking for how to "fix something" that I had nothing to do
with breaking. :)

I'm assuming that unless I suddenly started getting an out of proportion
percent of what YT considers bad or suspicious exits, something that
stores in (memory) cache, causes them to continue rejecting new exits,
until I clear the cache.

I haven't tried clearing it manually, then recording how often new
circuits vs. identities are successful.

To see the percent of success that clearing the cache has with a new
circuit or new identity (don't set cookies on YT).
I went a couple of yrs at least, with very few access problems - not
just on YT, but most technical sites I visit.  For me, it's not a huge %
increase of sites now blocking TBB, but a noticeable up tick.



[snip]

YT / Google could also have changed their policy - again - how they were
going to treat TBB or changed their definition of "abuse," so now there
are many more sites meeting their criteria of abusive.


This is our current assumption, but we don't have any more information
than what you described and our personal experiences.





Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor

2020-03-04 Thread bo0od
If they cared about anti-censorship they would add Mozilla-over-Tor or 
Mozilla-over-I2P. But nah, it wasn't their intention to start with.


Note: This is not recent, look for example at their agreement with 
cloudflare:


https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/

Nathaniel Suchy:

Recently Mozilla has pushed an update to their product Firefox that enables DNS 
over HTTPS in the United States. However this is not the privacy or 
anti-censorship tech they claim it to be. Mozilla added a simple test to decide 
whether to allow DNS over HTTPS to run. If an unencrypted query to 
use-application-dns.net returns NXDOMAIN or SERVFAIL then Firefox will disable 
the DNS over HTTPS system. They claim this is to allow parental controls and 
corporate networks to remain secure. However this negates the security benefits 
of DNS over HTTPS altogether. At will a network operator, government, or hacker 
at a coffeeshop on public wifi - could block requests to the canary domain name 
and disable DNS over HTTPS. There is no security warning when this occurs. 
Unlike Tor, there are no bridges, no obfuscated protocols. You are just 
censored and lose privacy benefits, oh and you don't get to know about it.

I've seen a lot of chat online that DNS over HTTPS and TLS 1.3 with Encrypted 
SNI could end online censorship. This is not the case and is a risky line of 
thinking to say the least.

If there is one key take away from all of this Mozilla's DNS over HTTPS does 
not replace or complement Tor. Mozilla is not developing anti-censorship tech 
and has built-in backdoors into both their implementation of DNS over HTTPS and 
Encrypted SNI Extensions for TLS 1.3. We should be keeping a close eye on 
Mozilla, as there's no telling what will happen next!



--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
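
The canary test described in the message above can be checked from the user side. The following is an added example, not code from the post or from Mozilla: it builds the plain (unencrypted) DNS query for use-application-dns.net, parses the reply, and reports whether the reply is one of the two results (NXDOMAIN or SERVFAIL) that the post says make Firefox turn DNS over HTTPS off. The function names, the `constructed_response` sample replies and the resolver address passed to `query_resolver` are assumptions made for the example.

```python
import os
import socket
import struct

CANARY = "use-application-dns.net"
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
DISABLING = {"NXDOMAIN", "SERVFAIL"}  # the two results named in the post


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name=CANARY, qtype=1):
    """Plain DNS query: header (RD=1, one question) + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer
            if off + 1 >= len(msg) or hops > 16:
                raise ValueError("bad compression pointer")
            if end is None:
                end = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, txid):
    """Return question name, RCODE and number of A/AAAA answers in a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                             # skip QTYPE and QCLASS
    addresses = 0
    for _ in range(an):
        _, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated answer")
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in (1, 28):                 # A or AAAA
            addresses += 1
    return {"qname": qname, "rcode": flags & 0xF, "addresses": addresses}


def canary_verdict(msg, txid):
    """Return (rcode_name, doh_disabled) for a reply to the canary query."""
    reply = parse_response(msg, txid)
    if reply["qname"] != CANARY:
        raise ValueError("reply is for a different name")
    name = RCODE_NAMES.get(reply["rcode"], str(reply["rcode"]))
    return name, name in DISABLING


def constructed_response(txid, rcode, with_a_record=False):
    """Constructed sample reply (not captured traffic) for offline checks."""
    question = build_query(txid)[12:]
    answer = b""
    if with_a_record:                        # pointer to QNAME, A record 192.0.2.1
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + bytes([192, 0, 2, 1]))
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1,
                         1 if answer else 0, 0, 0)
    return header + question + answer


def query_resolver(resolver_ip, timeout=3.0):
    """Ask a resolver over plain UDP/53, as the canary lookup is unencrypted."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return canary_verdict(data, txid)


if __name__ == "__main__":
    import sys
    # Usage: python canary_check.py <resolver address of the current network>
    print(query_resolver(sys.argv[1]))
```
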


Re: [tor-talk] Revisiting youtube blocking TBB, virtually all 1st attempts to load YT

2020-03-04 Thread bo0od
Use an invidious instance like: invidio.us or any other one. Also you can 
download YT videos using e.g. youtube-dl. These solve the headache 
of google shit.


joebtfs...@gmx.com:

Problems with TBB & YouTube were recently discussed on tor-talk.  Things
have changed fairly quickly.

Something new has developed for me.  1st, I don't visit YT daily or even
weekly, depending.
Until maybe 10 days ago, the site (often, not always) presented a
message about excessive traffic from the current IPa.

Before, for me, just getting a new circuit - maybe 1 to 3 times, made
things right.

Suddenly, that no longer worked.  Even if I forced using only U.S. exits
via torrc.
It appears the country location of exit being used isn't YT's only issue.
I started requesting new TBB identities & that worked on the 1st attempt
(most times) for 1 or 2 weeks.

Then getting new identities started failing to load the site.  I've also
recently seen a noticeable increase of other sites, large & small, that
refuse to load in TBB.  Allowing 1st party cookies or 1st party scripts
doesn't seem to matter for the majority of sites that won't load.

It's unclear if the exit relay's country was / is a factor - too little
testing by me to be conclusive.
But, I found that manually clearing TBB's cache in about:preferences,
THEN restarting TBB worked a high percentage of attempts.  Just getting
new identities was no longer enough; at least forcing new identities 6+
times, on a number of days.

It could be there are SO many Tor exits, in many countries with lots of
users doing things that YT considers abuse.  If that theory is correct,
YT's "issue" with TBB changed very suddenly - for me.

It makes me wonder if other recent changes in TBB, Tor or NoScript,
etc., is a main factor.
 From a simple probability stance, it's unlikely that for a few yrs, my
TBB was assigned only exits that YT considered good.  Then quite
suddenly, YT has a problem with dozens of exits in dozens of countries,
including U.S.

YT / Google could also have changed their policy - again - how they were
going to treat TBB or changed their definition of "abuse," so now there
are many more sites meeting their criteria of abusive. I also wonder if
Mozilla Fx changes on things like resisting fingerprinting are major
factors in more sites blocking TBB.






Re: [tor-talk] Use Tor in a right track.

2020-01-28 Thread bo0od
Wrong, 9150 is for Tor Browser, so to make it connect to Tor change the port to 
9050.


It is better as well to use these types of garbage applications inside 
anonymous systems like Whonix or Tails.




Jason Long:

Hello,
I want to secure the internet connection of an application like Telegram. If I 
set the Telegram proxy to use Socks5(127.0.0.1:9150) then is it enough?

Thank you.




Re: [tor-talk] Ports required for Tor and hidden services

2020-01-28 Thread bo0od
The best way to host your hidden service is by using Whonix Anonymous OS, as it 
separates Tor/firewall from the website software and it comes with many 
benefits. For more detail read:


Clearnet:

https://www.whonix.org/wiki/Onion_Services#Step_4:_Denial_of_Service_Mitigation_Options

Onion:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Onion_Services#Step_4:_Denial_of_Service_Mitigation_Options

Jim:

Forst wrote:
In that case, what would be best approach to achieve that all traffic 
is forced though Tor and direct internet connection blocked, 
preferably even if/when the system is breached?


Roger gave a good reply for the case where the system is not breached. 
But if your firewall is on the same system as the hidden service and an 
attacker gets root then nothing can save you since the attacker could 
alter the firewall at will.  The only exception I can think of is 
SELinux *might* provide a mechanism to prevent this but I am not 
familiar with it.


Jim




Re: [tor-talk] Question for Roger (or someone): what is going on with TBB and NoScript?

2019-12-02 Thread bo0od

follow this ticket:

https://trac.torproject.org/projects/tor/ticket/32536#ticket

Also don't always trust what plugins are doing for you; if you want an 
efficient way to do things then do them at browser level.


mimb...@danwin1210.me:

I am using the latest version of TBB and for a while now I've noticed that
NoScript no longer appears on the TBB interface. I've got two icons for
"security level" and "new identity" but that's it. No NoScript.

When I check in Add-Ons I see NoScript (and HTTPS-Everywhere). Checking
the "Preferences" for NoScript reveals that, in "Default" mode, everything
- script, object, media, webgl, etc - is ticked under "allow" (i.e. is
on). I remember one used to have to allow these for all new sites.

Why the change? Why are the NoScript defaults allowing scripts and media
as standard?

I'm sure there's a reason - what is it?

Thank you.




Re: [tor-talk] TBird & torbirdy

2019-11-21 Thread bo0od
Enigmail compatibility with the newest Thunderbird is already fixed. Torbirdy, 
goodbye, you were a good plugin.


u:

Hi!

On 17.11.19 20:40, Roger Dingledine wrote:

On Sat, Nov 16, 2019 at 04:59:50PM -0500, eliaz wrote:

I just installed Thunderbird 68.22 on a new machine and find out that the
torbirdy extension cannot be installed in versions above 60. I've been
running Thunderbird with the -p flag so that when I run over the Tor Browser
Bundle 9.01 I can use the torbirdied instance. Does TBird 68.22 no longer
need to be torified? Thanks for any enlightenment. - eli


It is alas worse than that: somebody needs to look at the new 68esr and
evaluate it for privacy flaws, and nobody has had time + expertise to
do it. So there is no Torbirdy for recent Thunderbird because nobody
has made one:
https://bugs.torproject.org/31341


It even looks like it is not possible, see:
https://redmine.tails.boum.org/code/issues/17149#note-6
and https://redmine.tails.boum.org/code/issues/17219.
This also means that you will have Tor support for Email in Tails.

The same happens to Enigmail:
https://redmine.tails.boum.org/code/issues/17147

cheers!
- u.




Re: [tor-talk] YouTube Censored Tor

2019-11-19 Thread bo0od
use uget as the GUI alternative of ytdl

grarpamp:
>> Try running "torsocks --isolate youtube-dl", it will select different
>> circuit on each run.
> 
> That is often not as useful for this class of problem
> as users may think. One enhanced option to address
> this was ticketed over 7 years ago in #6256.
> 
> ytdl is command line, however it is not too hard to
> imagine handy gui widgets for the controller or tbb,
> see proof of concept pictures below...
> 
> https://lists.torproject.org/pipermail/tor-dev/2019-November/014081.html
> 


Re: [tor-talk] YouTube Censored Tor

2019-11-07 Thread bo0od
use invidio.us or invidious instances.

grarpamp:
> WARNING: unable to download video info webpage: HTTP Error 429: Too
> Many Requests
> "Sorry for the interruption. We have been receiving a large volume of
> requests from your network.
> To continue with your YouTube experience, please fill out the
> impossible to complete and broken form below, and terminate all use of
> non-browser-based tools. Thanks, Google User Tracking, Reporting,
> Advertising, Datamining and Sharing Team"
> 


[tor-talk] Tor Browser missing from github

2019-10-07 Thread bo0od
Hi There,

In this section https://github.com/TheTorProject/gettorbrowser there were
Tor Browser releases, now they are missing, so any idea why that is? Is there
a new website they shifted to?


Re: [tor-talk] Does an Tor-friendly XMPP (Jabber) client exist?

2019-09-23 Thread bo0od
CoyIM

mimb...@danwin1210.me:
> Is there an official or promoted XMPP client that uses Tor plus OTR as
> Pidgin used to do?
> 
> 
> 


[tor-talk] Whonix Anonymous OS 15 has been Released

2019-07-21 Thread bo0od
After approximately one year of development, the Whonix Project is proud
to announce the release of Whonix 15. There are a lot of great changes,
hope you enjoy them :)

Clearnet link:

https://forums.whonix.org/t/whonix-15-has-been-released/7616

Onion link:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/whonix-15-has-been-released/7616






Re: [tor-talk] Surge in Users

2019-06-06 Thread bo0od
no secure TLS or onion connection to the website, first insecurity note.

Van Gegel:
> Maybe after publication on popular Russian resource Habr: 
> https://habr.com/ru/post/448856/
> This is Android app for talking over Tor:
> http://torfone.org/download/Torfone.apk
> http://torfone.org/download/Torfone_Android_howto.pdf
> https://github.com/gegel/torfone
> https://github.com/gegel/torfone/blob/master/white.pdf 
> BR, Van Gegel
> 


Re: [tor-talk] Explain yourself Conrad Rockenhaus

2019-05-02 Thread bo0od
I don't care about anyone's background, bring the technical stuff and let
us discuss it here. But nobody should care about anyone's background
because it doesn't matter if he/she is from the military or was one ... or working
in any similar fucked up organizations or any similar examples.

From a technical point of view I'm not a fan of the BSD world, but BSD is better
than Windows, Mac (not better than GNU)

GreyPony from back in 2013, it was not bad to have it, especially after
Snowden. (I didn't use the service, but some said it was a good one)

Anyway it's offline now afaik.

Anonymous Tormaster:
>> I don't want to see posts rather than Tor or Tor related technical things.
> I don't want to see trolls or military or whatever, but if I'm told to choose
> one then I will choose trolls over military. But good thing it's decided
> already to be a Tor things list.
> 
> Conrad is a Tor Exit Relay Operator and has contributed numerous hours
> bandwidth and money to the Tor Project. He retired from the Navy back in
> 2015. Why do you even care about his military experience bo0od? It's not
> germane to the Tor project at all especially since he's not even in the
> military anymore.
> 
> The fact is Conrad is being censored and can't respond to his trolling or
> harassment because he wanted to offer his free exit services again and he
> wrote an excellent response why that he forwarded out to several people
> since he couldn't respond to list directly I think the bottom part mainly
> applies on why he's being censored in this case:
> 
> Quoting his email:
> 
> In the end, here's what I think is going on.
> 
> Several newbies started using GreyPony. Everything was fine, in fact,
> there was support for it on the mailing list until they started
> bragging about speeds in excess of 1 Gbit/s. Then the following things
> occurred (and if you look back at the mailing list history, you can
> see this):
> 
> 1. There were complaints that said newbies were lying about their exit
> relay speeds, even though speeds are measured by the bwauths, so user
> reported speed really doesn't matter anymore, so this wasn't a valid
> complaint.
> 2. There were complaints that the relays should all be in the same
> MyFamily, even though we don't expect relays hosted on OVH, Hetzner,
> etc. to be reported on the same MyFamily, after all, I didn't have
> access to any of these relays, so this wasn't a valid complaint, as I
> was just hosting the relays.
> 3. Excess traffic was being generated about GreyPony, which Teor asked
> everyone to stop bringing up GreyPony until October because of all of
> it. This was a valid complaint. Due to all of the newbie bragging and
> honestly, because I was proud of the fact that I was helping out
> several people, I let myself get out of hand and replied to the emails
> as well, so I understood and cooled it.
> 
> Now, again, I wind up back in the hospital, things go a little south
> for the project because I'm not around, but I come back and the
> project is ready to start again. Now GreyPony is back to the way that
> we originally intended it to be - a donation only project to provide
> FreeBSD/HardenedBSD exits to Tor. Most of the same guys that were
> running relays with the original one want to come back to the new one,
> plus some new people.
> 
> I'm sorry that people wanting to help the Tor network by providing
> high performance FreeBSD Exit Relays angers you and some other of your
> fellow travellers so much. If it makes you happy, the project will go
> on with or with out your support.
> 


Re: [tor-talk] [tor-relays] Explain yourself Conrad Rockenhaus

2019-05-02 Thread bo0od
I don't want to see posts rather than Tor or Tor related technical
things. I don't want to see trolls or military or whatever, but if I'm
told to choose one then I will choose trolls over military. But good
thing it's decided already to be a Tor things list.

Mirimir:
> On 05/02/2019 08:38 PM, bo0od wrote:
>> I prefer to see trolls posting rather than someone from the military
>> (especially USA). Aside from that this is a technical list if I'm not
>> mistaken so trolls or military or related to Tor shouldn't moderate
>> anything in here in the first place because that would be meaningless.
> 
> Oh, so you don't want to see posts from paul.syver...@nrl.navy.mil?
> 
>> Mirimir:
>>> On 05/02/2019 02:10 AM, Herbert Karl Mathé wrote:
>>>> I strongly believe certain issues need be brought up into conscious, and 
>>>> into presence: into discussion, actually.
>>>>
>>>> Therefore appreciating this as it might fit too well into context, at the 
>>>> same time definitely deprecating 'filth' and similar.
>>>>
>>>> Keeping things below surface, or trying so, has too often proven to be a 
>>>> very bad idea as these will come up sooner or later anyway, then with much 
>>>> higher magnitude. Even worse, trust is then destroyed.
>>>>
>>>> --
>>>> Herbert Karl Mathé
>>>
>>> I met Conrad online in September 2013, not long after the Washington
>>> Navy Yard shootings. Which is how I remember when. He mentioned that he
>>> was serving in the Navy then. And I vaguely recall that he's posted on
>>> Tor lists about the military using Tor.
>>>
>>> Also, it's disgusting that he's been moderated off the Tor lists, while
>>> trolls who have trash talked him are still posting.
>>>
>>> 
>>>


Re: [tor-talk] [tor-relays] Explain yourself Conrad Rockenhaus

2019-05-02 Thread bo0od
correction: *or someone not related to Tor

bo0od:
> I prefer to see trolls posting rather than someone from the military
> (especially USA). Aside from that this is a technical list if I'm not
> mistaken so trolls or military or related to Tor shouldn't moderate
> anything in here in the first place because that would be meaningless.
> 
> Mirimir:
>> On 05/02/2019 02:10 AM, Herbert Karl Mathé wrote:
>>> I strongly believe certain issues need be brought up into conscious, and 
>>> into presence: into discussion, actually.
>>>
>>> Therefore appreciating this as it might fit too well into context, at the 
>>> same time definitely deprecating 'filth' and similar.
>>>
>>> Keeping things below surface, or trying so, has too often proven to be a 
>>> very bad idea as these will come up sooner or later anyway, then with much 
>>> higher magnitude. Even worse, trust is then destroyed.
>>>
>>> --
>>> Herbert Karl Mathé
>>
>> I met Conrad online in September 2013, not long after the Washington
>> Navy Yard shootings. Which is how I remember when. He mentioned that he
>> was serving in the Navy then. And I vaguely recall that he's posted on
>> Tor lists about the military using Tor.
>>
>> Also, it's disgusting that he's been moderated off the Tor lists, while
>> trolls who have trash talked him are still posting.
>>
>> 
>>


Re: [tor-talk] [tor-relays] Explain yourself Conrad Rockenhaus

2019-05-02 Thread bo0od
I prefer to see trolls posting rather than someone from the military
(especially USA). Aside from that this is a technical list if I'm not
mistaken so trolls or military or related to Tor shouldn't moderate
anything in here in the first place because that would be meaningless.

Mirimir:
> On 05/02/2019 02:10 AM, Herbert Karl Mathé wrote:
>> I strongly believe certain issues need be brought up into conscious, and 
>> into presence: into discussion, actually.
>>
>> Therefore appreciating this as it might fit too well into context, at the 
>> same time definitely deprecating 'filth' and similar.
>>
>> Keeping things below surface, or trying so, has too often proven to be a 
>> very bad idea as these will come up sooner or later anyway, then with much 
>> higher magnitude. Even worse, trust is then destroyed.
>>
>> --
>> Herbert Karl Mathé
> 
> I met Conrad online in September 2013, not long after the Washington
> Navy Yard shootings. Which is how I remember when. He mentioned that he
> was serving in the Navy then. And I vaguely recall that he's posted on
> Tor lists about the military using Tor.
> 
> Also, it's disgusting that he's been moderated off the Tor lists, while
> trolls who have trash talked him are still posting.
> 
> 
> 


[tor-talk] is legind HTTPS-Everywhere support in Tor track dead or alive?

2019-04-29 Thread bo0od
Hi There,

I'm just checking the list of the activity that signed by default to legind:

https://trac.torproject.org/projects/tor/query?status=!closed=legind

and it seems it has not been discussed or fixed for ages, so shall I report my
issues to HTTPS-Everywhere on github or TBB?

Thx!


Re: [tor-talk] Nice to meet you! / WhatsApp by Tor?

2019-04-16 Thread bo0od
Nobody cares, since all our countries share the same thing. So enjoy!

And don't use fucking proprietary software such as whatsapp. Only use
free/libre software.

GTI .H:
> On Tue, 16 Apr 2019 at 12:33, Cyaniventer wrote:
> 
>> No! Don't use it if you are actually very serious about this.
>>
> 
> Well, my mistake can cost me my life.
> My country is one of those who has blocked WhatsApp and dings who tries to
> show their abuses. It is repressive, but for some reason the world sees it
> with good eyes, perhaps because it is not openly declared socialist, but it
> is certainly authoritarian, corrupt and very dangerous and constantly puts
> innocents in jail without the slightest humanitarian feeling.
> 
>>> or whatever you want and set that vpn to
 `always on`. Idk what else you can do, also your first method of
 routing your traffic through your computer is not that good.

>>> Why?
>>
>> because what if something fails somewhere and your ip gets leaked? are
>> you really sure that everything you've setup will work without fail?
>> Also see nat...@freitas.net 's email, > Since WhatsApp is executable
>> code on your Android phone, it can access information about your device
>> directly. This includes accessing your "real" IP address through local
>> network information APIs.
>>
> 
> That's why I'm here asking, I'm not sure of anything.
> 
> 
> 
>>>> If you are real serious about this thing then just setup a virtual
>>>> machine and route all traffic from that vm through Tor. This is the
>>>> best method that comes to my mind.

>>> Could you give me more details?
>>>
>>
>> The idea is you'll setup a virtual machine and route all traffic from
>> that vm through Tor. First search result is ->
>>
>> https://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network
>>
>> Note: I don't know how they did it and didn't read that article.
>>
> 
> I'll take a look, but what the best current way is the physical protection
> how to use public WiFi far.
> It's disappointing.
> 
> 


[tor-talk] DNS Spoofability Test on Tor

2019-02-26 Thread bo0od
I have run the DNS spoofability test with the classic useful website GRC, and
surprisingly the test showed that most of the servers are not really very
top-level secured, some of them moderate; many of them missed one or
more settings for a better result. I dunno how Tor would love to solve this
but it might be a good idea to check and see that.

To run the test is very simple, visit:

https://www.grc.com/dns/dns.htm

then go to the end of the page and click Initiate Standard DNS
Spoofability Test. (It will take time, like 15 to 20 minutes.)



Re: [tor-talk] Tor browser and remembering settings

2019-02-05 Thread bo0od
To be honest, I am personally favoring this bug; at least even when I
mistakenly click on "trusted" instead of "temp.allow" I won't get into
this trouble. Plus, even if a JS penetrates NoScript, at least it won't be
persistent.

Robin Lee:
> Hi
> 
> There was a regression some time ago in Tor browser that it would no longer 
> remember that java scripts had been allowed for specific sites. Now every 
> time you start Tor browser it has forgotten all your previous settings. I 
> thought it was just some temporary regression but now it has been a while and 
> it has started to bug me so I thought I would ask if it is going to be fixed at 
> some point?
> 
> Thanks
> Robin
> 


Re: [tor-talk] TorBirdy questions

2019-01-23 Thread bo0od
I don't think so; Torbirdy is not really something unless Thunderbird
becomes a fork to work properly with the Tor design.

There are numerous problems with Thunderbird that need to be shut down or
changed in order to work anonymously.

Better to use Torbirdy+Thunderbird with an Anonymous OS like Whonix or
Tails.

anan:
> anan:
>> Hi,
>>
>> I have several email accounts in Icedove. When trying to get new
>> messages, does TorBirdy create a unique Tor circuit per selected
>> account? Or does TorBirdy sync all my email accounts through the same
>> circuit?
>>
> 
> By the way, is this the right place to ask about TorBirdy?
> 


Re: [tor-talk] Detective Conan Japanese Cartoon Advertising Tor For Criminal Activity

2019-01-07 Thread bo0od
If I would summarize things in one phrase: "Attempt to mislead the
audience".

Nathaniel Suchy:
> What about it?
> 
> Cordially,
> Nathaniel Suchy
> 
> 
> 
> Jan 7, 2019, 10:37 PM by bo...@riseup.net:
> 
>> Detective Conan (named Case Closed in America), which is considered to be
>> the most famous cartoon in Japan. They produced a movie in April 2018
>> named "Zero the Enforcer"; they mentioned stuff related to Tor Project
>> but in different ways. Here is the comparison between the movie and
>> Torproject regarding phrases, icons, values, etc.:
>>
>> - Nor -> Tor
>>
>> - White Cabbage Icon (if I'm not mistaken) -> Onion Icon
>>
>> - Used for cybercriminal activity -> used to protect privacy which is
>> human right on the internet.
>>
>> - Teaching kids and families to stay away from using it -> Family Friendly
>>
>> * To read summarized details of the cartoon here:
>>
>> https://www.detectiveconanworld.com/wiki/Zero_the_Enforcer#Trivia 
>> 
>>
>> * To watch the Full Movie
>>
>> https://kissanime.ac/Anime/Detective-Conan-Movie-22-Zero-The-Enforcer-Sub.77113/Movie?id=148813=oserver
> 


[tor-talk] Detective Conan Japanese Cartoon Advertising Tor For Criminal Activity

2019-01-07 Thread bo0od
Detective Conan (named Case Closed in America), which is considered to be
the most famous cartoon in Japan. They produced a movie in April 2018
named "Zero the Enforcer"; they mentioned stuff related to Tor Project
but in different ways. Here is the comparison between the movie and
Torproject regarding phrases, icons, values, etc.:

- Nor -> Tor

- White Cabbage Icon (if I'm not mistaken) -> Onion Icon

- Used for cybercriminal activity -> used to protect privacy which is
human right on the internet.

- Teaching kids and families to stay away from using it -> Family Friendly

* To read summarized details of the cartoon here:

https://www.detectiveconanworld.com/wiki/Zero_the_Enforcer#Trivia

* To watch the Full Movie

https://kissanime.ac/Anime/Detective-Conan-Movie-22-Zero-The-Enforcer-Sub.77113/Movie?id=148813=oserver





Re: [tor-talk] Abuse complaint 418289

2018-12-27 Thread bo0od
Better to shift to a new VPS; now they request these ports to be closed,
maybe next day they will tell you something else to be closed and so on...

So if I were you I would say fuck their complaints, find a more freedom
host.


potlatch:
> Good day Tor operators,
> One of my VPS providers has requested that I block exit output to ports 22, 
> 465 and 576.  I have never received a request like this before even though I 
> have (now or in the past) operated almost 40 Tor exit relays in diverse 
> countries.  The host making this request is understanding and the service 
> excellent.  He sees these ports as generating the most abuse complaints.
> Question:  Is this a reasonable request and how much critical communications 
> would be booted if I block these ports.  I think my alternative to blocking 
> as requested would be to close these accounts and find another host.
> Please help,
> Potlatch
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 
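How a block on the three ports potlatch mentions would be expressed and evaluated, as an added example that is not part of the thread: a small Python model of Tor's first-match-wins `ExitPolicy` evaluation, IPv4 only. The sample policies, the destination address and the helper names are constructed for illustration, and the no-match fallback is an assumption of this sketch.

```python
"""Model of first-match-wins exit policy evaluation (illustrative, IPv4 only)."""
import ipaddress

# Constructed sample policies. The three rejected ports are the ones named
# in the message above; the rest is an assumption made for this example.
REJECT_FIRST = [
    "reject *:22",
    "reject *:465",
    "reject *:576",
    "accept *:*",
]
# Same rules with the catch-all placed first: the rejects never fire.
ACCEPT_FIRST = ["accept *:*"] + REJECT_FIRST[:3]


def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT' into (action, net, lo, hi)."""
    action, _, pattern = rule.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"unsupported action in rule: {rule!r}")
    addr, _, ports = pattern.strip().rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in rule: {rule!r}")
    return action, net, lo, hi


def exit_allowed(rules, ip, port):
    """Return True if the first matching rule accepts ip:port."""
    target = ipaddress.ip_address(ip)
    for action, net, lo, hi in map(parse_rule, rules):
        addr_match = net is None or (
            target.version == net.version and target in net
        )
        if addr_match and lo <= port <= hi:
            return action == "accept"
    # Assumption of this sketch: no match means refuse. Both sample
    # policies end in a catch-all, so this line is never reached here.
    return False


def blocked_ports(rules, ip, candidates):
    """Return the candidate ports the policy refuses for this address."""
    return sorted(p for p in candidates if not exit_allowed(rules, ip, p))


def shadowed_rules(rules):
    """Return rules that can never match because one earlier rule covers them.

    Only single-rule shadowing is detected, not coverage by a union of rules.
    """
    parsed = [parse_rule(r) for r in rules]
    dead = []
    for i, (_, net, lo, hi) in enumerate(parsed):
        for _, pnet, plo, phi in parsed[:i]:
            covers_addr = pnet is None or (
                net is not None
                and net.version == pnet.version
                and net.subnet_of(pnet)
            )
            if covers_addr and plo <= lo and hi <= phi:
                dead.append(rules[i])
                break
    return dead


if __name__ == "__main__":
    dest = "203.0.113.10"  # documentation address, constructed
    for name, policy in (("reject first", REJECT_FIRST),
                         ("accept first", ACCEPT_FIRST)):
        print(name, "blocked:", blocked_ports(policy, dest, [22, 80, 443, 465, 576]))
        print(name, "dead rules:", shadowed_rules(policy))
```

Running the lint over a relay's policy lines before reloading them catches the ordering mistake in which the reject entries sit behind a catch-all accept and silently never apply.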


Re: [tor-talk] Streaming Videos VS Downloading Videos

2018-12-12 Thread bo0od
Comparison should be equal, like full video downloaded and full video
streamed.

Kevin Simper:
> If you can download the files with a slower speed, it would be better if
> you are watching the whole video.
> 
> If you only watch part of it then streaming would be better.
> 
> Just my intuition.
> 
> -Kevin
> 
> 
> On Tue, Dec 11, 2018 at 10:11 AM bo0od wrote:
> 
>> We had discussions about which one is safer and adds less load on Tor
>> nodes, streaming the video or downloading the video and watching it?
>>
>> Thank You!
>>


[tor-talk] Streaming Videos VS Downloading Videos

2018-12-11 Thread bo0od
We had discussions about which one is safer and adds less load on Tor
nodes, streaming the video or downloading the video and watching it?

Thank You!


Re: [tor-talk] comparison of Tor and Kovri in regards to deanonymization attacks

2018-12-07 Thread bo0od
I didn't reply to him on what he said because I knew he was a newbie user
with the statement "you cannot browse cnn.com anonymously via I2P".

And about IBB, like I said, there is until now no official support for
any browser to I2P or coming with it. But there is work in progress:

- firefox.profile.i2p

https://github.com/eyedeekay/firefox.profile.i2p

- update-i2pbrowser, which converts TBB inside Whonix to work with I2P:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/i2p-integration/4981/248


grarpamp:
>> - I2P can be attacked with far less resources than Tor;
> 
> Moot when $10k is probably enough to Sybil at least
> some small fraction of either of them.
> 
>> - Tor is deeply researched and various attack types and problems have
>> already been solved;
> 
> So if Tor is done, why don't you start writing grants to research,
> advance, and solve some of the undone, equally applicable,
> and necessary problem space of mixnets and other potential
> designs, instead of continuing to throw [government] money
> at Tor's curve of diminishing returns.
> 
>> - Tor is larger as a network with more capacity, and more diversity;
> 
> Start advertising, using, analysing other types of networks then.
> 
>> They also have different purposes so they cannot be directly compared on
>> absolutely every feature
> 
> Why do so many reviews keep implying this copout,
> "B network doesn't have X feature therefore B sucks"...
> of course networks are different, unique features are
> not detractions they're just incomparable items,
> go compare and analyse the similar features then.
> 
> Both Tor and I2P generally claim their non-exit modes
> to be anonymous advanced designs resistant to attack.
> Go compare and analyze that. If you don't like the results,
> go start new designs.
> 
> Reviews can even conform features... users can
> actually torrent internally over both, and exit over
> both... analyze that.
> 
> Many orthogonal features are modular ideas embeddable
> in any decent network anyway, so they're not necessarily
> unique, only a matter of doing it, if sensible of course.
> 
>> - I2P is more oriented for traffic inside the I2P network (e.g. you
>> cannot browse cnn.com anonymously via I2P).
> 
> Yes you can, you just have to find or be an exit outproxy service
> and configure it manually.
> 
>>> I would summarize the success of Tor over I2P with these points:
> 
> Government: Initialed the Tor design, put in Decades of $Millions
> of controlling interest funding, and programmed Marketing.
> 
> Throw those kind of resources at I2P or any other network
> and they would be relatively equal contenders too.
> 
> Throw Voluntary versions of those kinds of resources
> at any network, and it might be a bit more novel and free
> to go up against the backer of the "successful" one above.
> 
>>> - Tor has a modified browser which is a fork of firefox-esr called Tor
>>> Browser Bundle which is easy to click and run with Tor. I2P until now
>>> there is no official browser supporting it and user needs to do the
>>> configurations manually.
> 
> So stuff I2P inside TBB's work and call it IBB.
> 


Re: [tor-talk] comparison of Tor and Kovri in regards to deanonymization attacks

2018-12-06 Thread bo0od
I2P and Tor comparison:

https://geti2p.net/en/comparison/tor

Kovri and I2Pd C++ bloody war:

https://i2p.rocks/blog/kovri-and-the-curious-case-of-code-rot-part-1.html

I2P is by design safer than Tor, but due to the usage and rapid development
of Tor, I2P was left behind by many steps, which needs a long time to catch up or
a sudden magic stick effect.

I would summarize the success of Tor over I2P with these points:

- Tor has been way faster than I2P in the past few years (because I2P supports
torrenting, so the speed is slow).

- Due to the slow speed of I2P, it's very unlikely you can stream or do
heavy connections on the clearnet. With Tor you can do it with even up to 1MB
speed.

- I2P is meant to be for inproxy, which in other words means it won't target/suit
the average user. Tor suits the average user due to its high-speed
bandwidth and its ease of interacting with the outproxy/clearnet.

- Tor has a modified browser which is a fork of firefox-esr called Tor
Browser Bundle which is easy to click and run with Tor. For I2P, until now
there is no official browser supporting it and the user needs to do the
configurations manually.

- Tor is programmed in C, which gives it the opportunity to run on small
resources like home routers. I2P is programmed in Java, which needs
resources and can't function well on very small resources.

Hope that answered your question :)


Eugen Leitl:
> 
> I was curious for Monero dev's rationale to pick I2P over Tor, and then even 
> forking I2P as Kovri.
> 
> Whatever I've seen online doesn't strike me as particularly convincing.
> 
> Is there published research in regards to deanonymization attacks against 
> both Tor 
> and I2P, and given the design changes of Kovri, should we expect the attacks 
> to be easier, or harder? 
> 
> I realize that the answer would be likely we don't know, which is probably an 
> answer in itself.
> 


Re: [tor-talk] Tor friendly email providers?

2018-12-06 Thread bo0od
check this list:

clearnet

https://www.whonix.org/wiki/E-Mail#Anonymity_Friendly_Email_Provider_List

Onion link

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/E-Mail#Anonymity_Friendly_Email_Provider_List

enjoy :)

mimb...@danwin1210.me:
> I am asking for recommendations of Tor friendly email services.
> 
> The two problems I've noticed are:
> 
> 1. Demanding SMS verification e.g. ProtonMail.
> 
> 2. Having impossible CAPTCHAs.
> 
> VFEmail used to work but the last time I tried it just got stuck and could
> never create an account.
> 
> Any suggestions?
> 


Re: [tor-talk] Most Security Assertions Dangerous [Re: YouTube via Onion Services]

2018-12-06 Thread bo0od
One simple line: how is that related to being bad for invidious?

- You talked about JS being bad (agreed), but it's unrelated/invalid to the
invidious case. Protonmail can't operate/login without the JS and most
likely their JS is closed source, but that has nothing to do with invidious.

- You mentioned repos and bsd etc.; this has nothing to do with user
security while they are browsing in the invidious case.

- You mentioned the connection is unclean; well hey, the guy just started
the mirror yesterday, give it a chance. Plus it's free software, do support
him on github to make this a better place.

- You mentioned youtube-dl and similar services; well, these firstly have
different goals than another safe front end to YB in our case with
invidious. Also the invidious onion by design has Onion hidden services
security, whereas with youtube-dl downloading from youtube this isn't a
valid case (no onion hidden services implementation).

So in short, instead of warning the ppl about something which has no
meaning in reality, go and help to make invidious (or any similar
service) a better place for security and privacy for the end user.

Thank You :)

grarpamp:
> In a thread...
> https://lists.torproject.org/pipermail/tor-talk/2018-December/044709.html
> 
> on...
>> http://kgg2m7yk5aybusll.onion/
>> http://axqzx4s6s54s32yentfqojs3x5i7faxza6xo3ehd4bzzsg2ii4fv2iid.onion
> 
> (noting that all onions can be physically located by determined
> adversaries, thus failing another commonly sold security assertion)
> 
>> https://github.com/omarroth/invidious
> 
> 
>> - Its free software and the code is available for install/checkup.
> 
> That assertion is irrelevant in the security context
> of the thread so far, and it's dangerous advice.
> 
> As with protonmail and all the other fakeass encrypted email
> websites... the JS code is loaded by the browser from the web
> service itself, there is currently NO trusted way for the user to
> independently audit that the code they end up executing in
> real time *from* the service matches the code *in* any repo,
> or for the user to choose to ignore the service code and load
> and execute any repo code of their choosing instead.
> 
>> Youtube is made by a dick company to humanity called Google, which is
>> funding their services by stealing/collecting users data. So the JS
> 
> The current code load model is a nasty exploit waiting to happen,
> does happen (Hushmail, NIT's, etc), and simply should not be trusted,
> no more than GOOG and FB the dicks, themselves, indeed.
> Or Java, ActiveX, Flash, and whatever other "secure" crap some
> scam tries to push into your pathetically insecure and
> untrusted exec platform.
> 
> Sure Invidious Onion is fun, probably has some merits and
> use cases, and even simple html could be an exploit, and
> users can run it all in a sandbox, etc.
> But let's not say there's any trusted link between the running
> and repo codes, nor that any sufficient set of people have looked
> at, and signed over, most codes, or are even allowed to... [1].
> 
> Also, clicking on any video listed on the onion frontpage
> index initiates at least three connections straight to google
> instead of the proxy onion. That's not clean.
> 
>> Plus you can watch the videos without the need to allow any JS.
> 
>> this particular YouTube frontend/proxy seems to be
>> more focused on offering an alternative viewing experience rather than
>> privacy.
> 
> https://github.com/mps-youtube/mps-youtube
> https://github.com/rg3/youtube-dl
> 
> ... those and a few others readers can find and post here.
> 
> 
> [1] You can't even say those for the release iso's of
> OpenBSD, FreeBSD, the Linux's, etc... back
> to their claimed source code repos... because
> either those repos have no internal cryptographic
> roots or hashes to sign over or with in the first place,
> or some process in the path from there to the iso's
> is not reproducible or cryptographically chained.
> Same goes for Apple, Microsoft, Intel, AMD, ARM,
> Government, etc...
> You're all still woefully fucked therein because you keep
> buying the Kool-Aid, and refusing to demand, fix,
> ignore, or eliminate them and their issues.
> 
> #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency
> , #Anarchism
> 
> The list of requisites to even get close to improving
> the situation grows...
> 


Re: [tor-talk] You Can Now Watch YouTube Videos with Onion Hidden Services

2018-12-05 Thread bo0od
I'm not the operator of the service but here are the advantages:

- Youtube is made by a dick company to humanity called Google, which is
funding their services by stealing/collecting users data. So the JS
which is closed source in case of YB prevents you from watching the
videos unless you allow the JS. In the case of invidious the JS used is already
licensed and the source code you can find here:

https://invidio.us/licenses

Plus you can watch the videos without the need to allow any JS.

- Connecting to Youtube directly, you are putting your security on
the SSL/TLS encryption. Whereas using the invidious hidden services your
security is through the Onion hidden services design; for more you can watch
Roger Dingledine's speech at defcon:


http://kgg2m7yk5aybusll.onion/watch?v=Di7qAVidy1Y

or just normal youtube link if you like

https://www.youtube.com/watch?v=Di7qAVidy1Y

- Its free software and the code is available for install/checkup. You
are referring to FB which is completely the opposite of anything
mentioned here.


Hope that clarifies the differences.


Seth David Schoen:
> bo0od writes:
> 
>> This is another front end to YouTube:
> 
> Hi bo0od,
> 
> Thanks for the links.
> 
> This seems to be in a category of "third-party onion proxy for clearnet
> service" which is distinct from the situation where a site operator
> provides its own official onion service (like Facebook's facebookcorewwwi,
> which the company has repeatedly noted it runs itself on its own
> infrastructure).
> 
> Could you explain how this kind of design improves users' privacy or
> security compared to using a Tor exit node to access the public version
> of YouTube?  In this case the proxy will need to act as one side of
> users' TLS sessions with YouTube, so it's in a position to directly
> record what (anonymous) people are watching, uploading, or writing --
> unlike an ordinary exit node which can at most try to infer these
> things from traffic analysis.  Meanwhile, it doesn't prevent YouTube
> from gathering that same information about the anonymous users, meaning
> that this information about users' activity on YouTube can potentially
> be gathered by two entities rather than just one.
> 
> The proxy could also block or falsely claim the nonexistence of selected
> videos, which a regular exit node couldn't do, and if its operator knew
> a vulnerability in some clients' video codecs, it could also serve a
> maliciously modified video to attack them -- which YouTube could do, but
> a regular exit node couldn't.
> 
> Are there tradeoffs that make these risks worth it for some set of
> users?  Maybe teaching people more about how onion services work, or
> showing YouTube that there's a significant level of demand for an
> official onion service?
> 


[tor-talk] You Can Now Watch YouTube Videos with Onion Hidden Services

2018-12-05 Thread bo0od
This is another front end to YouTube:

Clearnet:

https://invidio.us

Onion V2 Mirror:

http://kgg2m7yk5aybusll.onion/

Onion V3 Mirror:

http://axqzx4s6s54s32yentfqojs3x5i7faxza6xo3ehd4bzzsg2ii4fv2iid.onion


Special Thanks to Omar Roth for making this happen.


Source Code:

https://github.com/omarroth/invidious



Re: [tor-talk] Yet another Tor failure - DanWin1210.me Hosting hacked

2018-11-16 Thread bo0od
Or use Qubes OS; it's useful, with some knowledge about it, to make it a
great OS for hosting (I didn't test that for web hosting, but it is
theoretically possible). And more secure than docker or plain debian or
bsd etc.


Mirimir:
> On 11/15/2018 10:23 PM, Daniel Winzen wrote:
>> Hello,
>>
>> yes my server got hacked. How - I do not know yet and I will need to do
>> an extensive analysis. I did indeed not maintain backups, partly for the
>> reason that users should have the right to be forgotten immediately when
>> deleting their accounts. Around 1TB of data is gone.
> 
> Hey, sorry about that :( And I do get your point about backups.
> Although, in retrospect, a backup setup with relatively fast rotation,
> and thorough deletion of old backups, would be prudent.
> 
>> The scripts are open source and anyone who would like to build something
>> similar is welcome to do so. However you should note there might be a
>> risk of getting hacked too in case the vulnerability is hidden in those
>> scripts. I will re-instantiate my hosting only after the vulnerability
>> is found and fixed. https://github.com/DanWin/hosting/
> 
> As I said, shared hosting is a security nightmare. As I understand it,
> you're depending on not much more than permissions to protect users from
> each other. And in that situation, it's not _that_ hard for a skilled
> hacker to get root, and do what they like.
> 
> If I were going to attempt such an .onion hosting setup, I'd use a
> couple levels of isolation between users. But first, I'd use LUKS with
> dropbear for server FDE. It ain't perfect, but an attacker would need to
> take some care while impounding the server.
> 
> Basically, I'd setup several KVM domains, to help limit damage from a
> compromise. Within each domain, I'd put each website in a Docker
> container. Given a custom Docker-optimized kernel for the host, and XFS
> storage, it's possible to set hard limits on CPU, RAM and storage for
> each Docker container.
> 
> Docker containers rely on kernel namespaces and cgroups. That's not as
> secure as using full VMs, but _far_ lighter. And _far_ more secure than
> chroot, which many shared-hosting setups still rely on. Alternatively,
> one could use FreeBSD jails, and maybe that can also work with Docker.
> 
> Anyway, if you're interested, I'd be happy to help. I'm just a hobbyist,
> and totally self-taught. I mostly just use shell scripts. And I lack the
> patience and organization to actually operate a shared-hosting site.
> 
>> Any updates will be posted on my front page: https://danwin1210.me/
>>
>> Regards,
>> Daniel
>>
>> On 16/11/2018 06:13, Mirimir wrote:
>>> On 11/15/2018 09:52 PM, tor...@secmail.pro wrote:
>>>> DanWin1210.me hosting service was hacked.
>>>> https://danwin1210.me/
>>>>
>>>> All Tor Onions are dead.
>>>
>>> I guess that he didn't maintain backups :(
>>>
>>> Maybe some of those .onion owners did, though.
>>>
>>>> FH1: Unknown
>>>> FH2: Took down by FBI
>>>> FH3: Unknown
>>>> Danwin1210: Ripped by Anonymous
>>>>
>>>> Now where is "Freedom Hosting IV"?
>>>
>>> Shared hosting is a security nightmare. Just sayin'.
>>>
>>>> And why so hate on Tor Onion service?
>>>
>>> This was just for lulz, no?
>>>
>>
>>
>>


Re: [tor-talk] onion balance needed by default

2018-11-12 Thread bo0od
glad to hear that :)

George Kadianakis:
> bo0od  writes:
> 
>> I see that from a safe hosting perspective to Tor Hidden services, That
>> Tor should maintain and ship onion balance by default.
>>
>> Which is sadly last ever maintained before more than 1 year or so, and
>> also it lacks the support of onion v3.
>>
>> This is really useful and needed for cheap/safe hosting of a hidden
>> service at home or any small server.
>>
>> as VPS not really always wise to host a hidden service + not much safe
>> and trusted who accept btc and accept onion hidden service in their
>> servers at the same time.
>>
>> so I prefer self hosted with latest Tor upgrade (onion v3), but sadly
>> not possible atm with a DOS protection.
>>
>> so I hope Tor takes care of that and considers it as a core software for
>> now and the future.
>>
>> Thank You!
>>
> 
> Yes, I agree that onionbalance is an essential tool for onion service 
> operators.
> 
> We have looked into how to make that possible for v3s but it doesn't
> seem to be a trivial project: 
>  https://trac.torproject.org/projects/tor/ticket/26768
>  https://lists.torproject.org/pipermail/tor-dev/2018-April/013128.html
> 
> For what it's worth, we've been applying for onion-service related
> funding as an organization so that we have more resources to support
> third-party tools like onionbalance.
> 
> Other than that, we've been ultra busy bugfixing v3s and in general
> supporting them, that does not allow us much time into improving
> onionbalance given the current state of our resources.
> 
> Hope this was useful! :)
> 



[tor-talk] onion balance needed by default

2018-11-12 Thread bo0od
I see that from a safe hosting perspective to Tor Hidden services, That
Tor should maintain and ship onion balance by default.

Which is sadly last ever maintained before more than 1 year or so, and
also it lacks the support of onion v3.

This is really useful and needed for cheap/safe hosting of a hidden
service at home or any small server.

as VPS not really always wise to host a hidden service + not much safe
and trusted who accept btc and accept onion hidden service in their
servers at the same time.

so I prefer self hosted with latest Tor upgrade (onion v3), but sadly
not possible atm with a DOS protection.

so I hope Tor takes care of that and considers it as a core software for
now and the future.

Thank You!



Re: [tor-talk] 3rd Party Interact (re: BSD ISP VoIP PBX RadPony ...)

2018-10-18 Thread bo0od
Not sure what you are talking about, but I know one thing for sure:
Fuck Cloudflare, a cloud of farts.

grarpamp:
> Regardless of whether some components may or may not be
> fee, or subscription, or strings / rules attached, now or in the future...
> (that status or intentions should be made clear by any poster
> in this space so that things don't end up undeclared / unexpected
> thus trending against them later on)...
> 
> These entities and persons are engaging in interoperation,
> testing, concept validation, and providing services to Tor
> community in a fairly open mutual feedback model. In this
> example so far, Tor users get chances to plug and play
> and hack on...
> 
> a) Diverse FreeBSD hosting of Tor nodes
> b) IP Telephony apps, comms, and free speech over Tor
> 
> It's hard to deny those as being valuable and fun.
> 
> Nor did you see Cloudflare's CEO or hardly any other ISP
> coming straight from the start to Tor to talk / play / help.
> (Though to be fair this one has [ex] govt ties too
> which some may or not prefer.)
> 
> It's not much different than interacting Zwiebel, Emerald,
> Torstatus, funders, etc.
> 
> In the end, you get to choose what services to use,
> what interop to hack on, what milters to deploy, what
> to put in Bad/Good ISP List wiki, etc.
> 
> So, ease up a bit on who can and can't interact with Tor.
> 


Re: [tor-talk] Does Facebook .onion work?

2018-10-15 Thread bo0od
I had this issue before, but instead of finding a solution within
facebook I migrated to Diaspora (open source, decentralized,
privacy-respecting platform).

bobby...@danwin1210.me:
> Facebook https://www.facebookcorewwwi.onion/ has existed since 2014.
> However, I am unconvinced that it works.
> 
> I go to the URL, register, get a confirmation email, click it, then have
> to enter my phone and receive a code. Fair enough.
> 
> When I login I get:
> 
> Upload a Photo of Yourself
> To get back on Facebook, upload a photo that clearly shows your face. Make
> sure the photo is well-lit and isn't blurry. Don't include other people in
> the shot.
> We use this photo to help us check that this account belongs to you. We'll
> delete the photo once we've done this, and it will never appear on your
> profile.
> 
> This is a new account - I've just created it.
> 
> I upload a random photo and apparently this will be manually checked to
> ensure it's me. I've no idea how they will do that since it's a new
> account. Until then, I can't use the account.
> 
> Has anyone successfully created an account using the .onion address?
> 


Re: [tor-talk] Torify deja-dup

2018-10-15 Thread bo0od
Yes, if it's installable/runnable inside Debian, you can install it inside
Whonix-Workstation, as Whonix-Workstation torifies everything by default,
without even modifications for the application once it has been installed/run,
through Whonix-Gateway. If you want to read more about the Whonix anonymous
OS you can visit the main website:

Clearnet:

https://www.whonix.org/

Onion

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/

anan:
> Hello,
> 
> Does anyone know how to torify deja-dup so that I can use an onion
> service as the storage location?
> 
> And, is this the right list to ask for this kind of support?
> 
> Thank you.
> 


Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-12 Thread bo0od
Add the updated tests; the wiki even accepts anonymous edits.

You can discuss that openly in the Whonix forum as well.

(Though I don't see many changes that would make Tor safer only through
the amnesic usage.)

intrigeri:
> bo0od:
>> A full comparison of Tails and Whonix (persistent virtual OS)
>> can be found here:
>> https://www.whonix.org/wiki/Comparison_with_Others#Introduction
> 
> FTR the Tails part of that page is quite outdated.
> 


Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

2018-10-12 Thread bo0od
Not really Tor is the best practice using it with amnesic system like
Tails due to the guards entry issue ..

A full comparison of Tails and Whonix (persistent virtual OS)
can be found here:

Clearnet Link:-

https://www.whonix.org/wiki/Comparison_with_Others#Introduction

Onion Link:-

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Comparison_with_Others#Introduction

Nick Levinson:
>> This is the use case for Tails. . . . [T]here are no writes to storage, 
>> unless users configure [otherwise] . . . .
> 
> One need not use Tails to use Tor (I used to sometimes use Tor and never used 
> Tails), so, while Tails may be a good idea, the question remains for Tor and 
> its security architecture when not using Tails.
> 