On Wed, Mar 19, 2014 at 6:01 PM, Runa A. Sandvik <[email protected]> wrote:
> On Wed, Mar 19, 2014 at 9:05 PM, Soul Plane <[email protected]> wrote:
> > More questions:
> >
> > Why is the only region available for the Tor images us-east virginia? I
> > thought I could use the free tier in other places. Wouldn't it be better to
> > vary the regions instead of sticking them all in one place?
>
> We initially had images in all regions, but due to a bug/issue (see
> https://trac.torproject.org/projects/tor/ticket/10318) I decided to
> temporarily remove all images except the ones in us-east-1. The goal
> is to bring back images for the other regions at some point.

Thanks, I read the bug and the AWS thread and it looks like there is
something wrong with the image copy process. If I wanted to set up in a
location other than Virginia would I be able to use your build script to do
that or would I run into the same image copy problem?

Also I noticed in ec2-prep.sh you have:

    curl -m 5 http://169.254.169.254/latest/meta-data/reservation-id

That address is invalid, what is the reservation id for?

> > I read in Tor Weekly News today that the obfs3 protocol is vulnerable to
> > active probing attacks and there is a replacement ScrambleSuit. If I set up
> > the AWS Obfsproxy image now does that mean the Chinese can detect it and
> > block it? Is that image obfs2 or 3 or both? Should I just wait until
> > ScrambleSuit is supported, or can I modify the config file to only use
> > ScrambleSuit, or is that not a good idea at this point? I don't want to run
> > something that nobody is going to be able to use because governments can
> > just detect it and block it.
>
> The current image is a "standard" bridge, an obfs2 bridge, and an
> obfs3 bridge. ScrambleSuit is not included. If you create an SSH key
> when setting up the instance, you can log on and change whatever you
> want. The Great Firewall of China blocks "standard" bridges and obfs2,
> but I believe it has yet to block obfs3.

Ok so after I do a build if I want scramblesuit I change this line:

    ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy --managed

to this:

    ServerTransportPlugin scramblesuit exec /usr/bin/obfsproxy --managed

According to this here I need to update obfsproxy first? Is that relevant
here?
https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html

> > Is Tor obfuscation specifically more likely to come under attack from
> > repressive governments?
>
> More likely than what?

Than regular Tor bridges. Are obfs3 bridges special bridges that users in
repressive countries are more likely to use because other bridges are
blocked? Maybe I don't understand.

> > How is security handled? For example suppose there's a known vulnerability
> > in Tor or Ubuntu does the server shut down until it's fixed and an update
> > is available or does the server stay up and risk being hacked? Is there any
> > notification sent to the AWS administrator in these cases? I would imagine
> > even a small window is gold for some state run group to break in.
>
> The server stays up and checks for regular package updates from
> Ubuntu. If someone were to break in, they would not learn anything
> more than if they had set up a bridge themselves.

Ok. Let's say there was a security vulnerability being exploited in Tor
bridges. Is there any warning from Tor staff? Like when there is one in
Flash or Microsoft etc I will get a CERT or a security advisory saying "xxx
is being actively exploited", view such and such a page for more
information. In those cases I will just turn off Flash or run the fix it.

> > How can I determine the integrity of the server and do I have any
> > responsibility to do that? Do you guys who are running these instances in
> > the Tor Cloud just set it and forget it or is there some oversight required?
>
> The Ubuntu image the Tor Cloud image is based off of is verified when
> the image is built. The Tor package is verified as it is installed
> (which happens within the first five minutes you boot the server for
> the very first time).

Thanks I took a look at the script.

> > I would take an active role in securing the instance if necessary but I
> > need to know what to do. What do you guys do?
>
> The image has been configured to automatically check for package
> updates. In addition, it is recommended that you only open certain
> ports in the firewall (22 for SSH, plus 443, 40872 and 52176 for Tor).

Is there any obfuscation benefit to using random ports, like changing 40872
to 1234 etc.?

Thanks
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
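
Added example, not part of the original message or of the Tor Cloud scripts: a check of a security group's inbound rules against the ports recommended in the thread (22, 443, 40872 and 52176), flagging rules that open more than those ports and recommended ports that are not open. The rule data is a constructed sample shaped like `aws ec2 describe-security-groups` output, the ports are assumed to be TCP, and `audit_group` and `sg-EXAMPLE` are illustrative names.

```python
import json

# Ports recommended in the thread: 22 for SSH, plus 443, 40872 and 52176 for Tor.
# Assumption: all four are TCP.
RECOMMENDED_TCP = frozenset({22, 443, 40872, 52176})

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443},
  {"IpProtocol": "tcp", "FromPort": 40870, "ToPort": 40875},
  {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53}
]}]}
""")


def audit_group(group, allowed=RECOMMENDED_TCP):
    """Return (findings, missing) for one security group.

    findings: inbound rules that open more than the allowed TCP ports.
    missing:  allowed ports that no inbound rule opens.
    """
    allowed = set(allowed)
    findings, opened = [], set()
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "-1" = every protocol, every port
            findings.append("all protocols and ports are open")
            opened |= allowed
            continue
        if proto != "tcp":
            findings.append(f"{proto} rule is open; the recommended ports are TCP only")
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        inside = {p for p in allowed if lo <= p <= hi}
        extra = (hi - lo + 1) - len(inside)  # ports in the range beyond the allowed set
        if extra:
            findings.append(f"tcp {lo}-{hi} exposes {extra} port(s) outside the allowed set")
        opened |= inside
    return findings, sorted(allowed - opened)


if __name__ == "__main__":
    for sg in SAMPLE["SecurityGroups"]:
        findings, missing = audit_group(sg)
        print(sg["GroupId"], findings, "missing:", missing)
```

If a listening port is changed in the Tor config, pass the new port set as `allowed` so the audit matches the instance.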
