Slashdot Mirror

If you think that's funny, why not gather some Tor Bridges for each day's use and use them instead of regularly connecting to Tor?

https://bridges.torproject.org/

Here's some useful tor bridges from today:

bridge 212.185.225.5:443
bridge 109.120.56.218:443
bridge 203.153.227.210:5557
bridge 174.22.134.22:443
bridge 68.52.174.15:443
bridge 79.84.34.209:443
bridge 18.85.46.218:14242
bridge 74.82.1.191:19030
bridge 24.110.168.130:443
bridge 78.34.108.121:443
bridge 94.23.58.19:1443
bridge 72.24.220.108:443
bridge 74.207.232.33:443
bridge 77.251.74.120:443
bridge 72.174.8.28:443
bridge 91.6.174.212:8888
bridge 169.234.106.251:9001
bridge 69.62.132.186:443
bridge 97.102.122.25:443
bridge 129.244.144.200:9001
bridge 83.169.1.47:442
bridge 188.40.112.195:443
bridge 92.107.52.186:9001
bridge 79.6.97.120:443
bridge 66.51.242.115:9001
bridge 92.25.201.211:443
bridge 93.194.192.154:8080
bridge 121.190.2.55:443

just add them to your torrc file along with:

UseBridges 1

And enjoy!

Roger's entries to date on the subject (excluding first page linked within /. summary):

(this is for those who are too lazy to page through mailing list threads, this post is
missing other individuals replies as well as future replies from Roger and others)

http://archives.seul.org/or/talk/Jan-2010/msg00165.html

Here are some more technical details about the potential impacts, for
those who want to know more about Tor's innards:

----- #1: Directory authority keys

Owning two out of seven directory authorities isn't enough to make a new
networkstatus consensus (you need four for that), but it means you've
only got two more to go. We've generated new v3 long-term identity keys
for these two authorities.

The old v3 long-term identity keys probably aren't compromised, since
they weren't stored on the affected machines, but they signed v3 signing
keys that are valid until 2010-04-12 in the case of moria1 and until
2010-05-04 in the case of gabelmoo. That's still a pretty big window,
so it's best to upgrade clients away from trusting those keys.

You should upgrade to 0.2.1.22 or 0.2.2.7-alpha, which uses the new v3
long-term identity keys (with a new set of signing keys).

----- #2: Relay identity keys

We already have a way to cleanly migrate to a new v3 long-term identity
key, because we needed one for the Debian weak RNG bug:
http://archives.seul.org/or/announce/May-2008/msg00000.html

But we don't have a way to cleanly migrate relay identity keys. An
attacker who knows moria1's relay identity key can craft a new descriptor
for it with a new onion key (or even a new IP address), and then
man-in-the-middle traffic coming to the relay. They wouldn't be able to
spoof directory statements, or break the encryption for further relays
in the path, but it still removes one layer of the defense-in-depth.

Normally there's nothing special about the relay identity key (if you
lose yours, just generate another one), but relay identity keys for
directory authorities are hard-coded in the Tor bundle so the client
can detect man-in-the-middle attacks on bootstrapping.

So we abandoned the old relay identity keys too. That means abandoning
the old IP:port the authorities were listening on, or older clients will
produce warn messages whenever they connect to the new authority. Older
Tor clients can now take longer to bootstrap if they try the abandoned
addresses first. (You should upgrade.)

----- #3: Infrastructure services

Moria also hosted our git repository and svn repository. I took the
services offline as soon as we learned of the breach -- in theory a clever
attacker could give out altered files to people who check out the source,
or even tailor his answers based on who's doing the git update. We're
in pretty good shape for git though: the git tree is a set of hashes
all the way back to the root, so when you update your git tree, it will
automatically notice any tampering.

As explained in the last mail, it appears the attackers didn't realize
what they broke into. We had already been slowly migrating Tor services
off of moria (it runs too many services for too many different projects),
so we took this opportunity to speed up that plan. A friendly anonymous
sponsor has provided a pile of new servers, and git and svn are now up
in their new locations. The only remaining Tor infrastructure services on
moria are the directory authority, the mailing lists, and a DNS secondary.

----- #4: Bridge descriptors

The metrics server had an archive of bridge descriptors from 2009.
We used the descriptors to create summary graphs of bridge count and
bridge usage by country, like the ones you can see at
http://metrics.torproject.

Download, install, properly configure Tor:
https://www.torproject.org/

Certainly you should choose an open source and free operating system to
increase your security/privacy: http://www.distrowatch.com/

Use one of the many tools available to build your own Linux liveCD/DVD/USB
with Tor installed/configured and yank out all of your HDDs or unplug them
while using Tor via Linux liveCD/DVD/USB, then while running Tor:

Scroogle SSL:
https://ssl.scroogle.org/

and for mail:

Safe-Mail:
No cookies, no script, no java, no flash required!
https://www.safe-mail.net/

In the words of Woody Woodpecker:
Hah ha ha HAH ha, Hah ha ha HAH ha, HAHAHAHHAHAHHAAH!

Fuck you corporations, fuck you snoopers, I do it MY WAY.

Fire up Tor:

https://www.torproject.org/

Properly configure it and use Scroogle SSL:

https://ssl.scroogle.org/

Couple it with a decent mail client not requiring cookies or script:

https://www.safe-mail.net/

Problem solved!

I have no desire or need for Microsoft/Google's direct offerings and surely not mail from either when Tor + Safe-Mail SSL does the job without scripts, cookies, flash, java, etc.

Exit nodes? Hah! It's all SSL, baby! (provided the user verifies everything is correct and in order)

Do you really, really, REALLY trust Microsoft (or Google)? HAHAHAHAH!

If it's not encrypted, it's not worth a SHIT.

None of it is done correctly (regarding insecure unencrypted websites), if you search naked without something like tor & ssl, you are stupid.

Time to start using TOR: http://www.torproject.org/.

Here kitty, kitty!

Yeah, it will come handy for e-fooling around while on the clock using work assets <sarcasm>

Your personal freedoms and right to anonymity end when you use equipment that is not your own (but your company) and you are doing it while on the clock for purposes other than those tasked to you while on the clock.

At home (or out of your company's equipment) and while off the clock, certainly, protect your privacy and right of anonymity.

While on the clock and/or using your company's assets, sorry dude, you have no right to that.

Time to start using TOR: http://www.torproject.org/.

Here kitty, kitty!

Incorrect. Vidalia makes it easy to not only operate Tor but set up a middleman, bridge, or exit node as well.

So long as services like I2P and Tor are not illegal, people can access and provide otherwise filtered content.

http://www.i2p2.de/
https://www.torproject.org/

I've been thinking, why don't torrent trackers work through a Tor hidden service?

All they have to do is block the known Tor entry points

Tor bridges are designed to provide F2F access to the tor network in such a situation.

or set up their own hacked TOR routers.

Tor traffic is encrypted and authenticated end-to-end within the tor network, so unless they manage to get the users to download hacked tor binaries, this shouldn't be an issue.

awesome. http://www.torproject.org/

It needs to be redesigned specifically so that entry points were available everywhere, to everyone, without any registration.

What do you mean by "it" here, the Internet?

What you are asking for (once you tune out the hyperbole of "everyone/everywhere") is not an architectural problem, but a political one.

Any one organization, co-op or consortium could provide the service you ask for. One consortium that does in fact is the EFF's TOR. While onion routing is complex under the hood and that complexity leads to a dialup-like user experience, the alternative would be obfuscation provided by the Network Service Provider itself. The Pirate Bay has shown us what that is like however. If you "hide" all of your clients from the rest of the world, then you will be held responsible for their actions when they hack, threaten, or disseminate spam and trojans.

Still, if you are so gung ho that such services should be offered then start your own ISP and let us know how it goes. Offer service for less than a kazillion in my area, mebe I'll even sign up. *shrug*

If you are in the US, I am pretty sure I could post a series of links to convince you that not only does the US government not censor the Intertubes, but that a man, a woman, a horse, a communist, and an anarchist can get freaky in kiddie pool of astro glide.

Didn't the US government just recently ask Google to blur maps of public buildings so "terrorists can't use them"? For that matter, communism has been discredited, so not censoring links to it proves nothing; the US government certainly performed a fine witch hunt crusade against "suspected communists" back when the Soviets were still around.

The US sucks in a lot of ways, fanatical defense of free speech isn't one of them. The US trounces the shit out of the rest of the world, EU included.

And you know this... how? If the US was, in fact, the most oppressive society on the planet, wouldn't you think it's the best anyway, since every instance of someone "disappearing" for their opinions would remain unknown to you?

That's why censorship is so insidious: one it creeps in, you can't trust anything.

It isn't perfect, but it is certainly the best, and I have the Nazi midget porn to prove it.

Having access to Nazi midget porn proves nothing. It doesn't threaten anyone's wealth or power. If anything, it's in the best interests of those in power to allow you access to it, simply so that they can tar your reputation later if need be.

Besides, you have those obscenity laws still on books, do you not? You know, the ones which override the First Amendment if a judge decides that something is "obscene", in his opinion? So perhaps you shouldn't count on that fanatical defence, but join projects like Tor today? I did, when Finnish police took a page from the Chinese.

Reading all these about Conficker, I think it's an ideal candidate for securing p2p networks, better than Tor or freenet. I think the developers should open source it's code...

Because each relay sees no more than one hop in the circuit, neither an eavesdropper nor a compromised relay can use traffic analysis to link the connection's source and destination.

So, according to that description I believe that the iranian government would only stand a chance of being able to monitor traffic if the entire network was comprised of tainted tor nodes provided by the state of Iran. So even under that scenario Iran's job would become a bit harder if suddenly more people started contributing to the tor project. At least that's my non-security expert take on that. Nonetheless I'm getting my tor node up and running.

Here, they say it themselves. It is originally a US Marine project (just like many things)

http://www.torproject.org/torusers.html.en

I will demure and let you decide for yourself. Information is meant to be free.

The single click and least trouble free solution to help right now seems as this one:

http://www.torproject.org/docs/tor-doc-relay.html.en

If you don't know about it, Tor is a distributed proxy system which helps people in oppressive areas.

If you have questions about legitimacy of helping such a system, US DOD itself designed it and suggests their own personnel to use it when abroad.

If you think like a Iran nerd, Tor would be the only solution to implement really fast to gather and send information now. It could be life saving since those countries are really at limit of spying the internet right now.

They say just spare 20 KB (not MB) a second upspeed is enough. It is even lower than torrent traffic and shouldn't effect regular internet usage in any way even if you have multiple computers on NAT etc. (install to single in that case)

Also:

Run a tor bridge relay. Chrooted, of course.

Then email Austin Heap with the details so that he can distribute it to the needy.

Also:

Run a tor bridge relay. Chrooted, of course.

Then email Austin Heap with the details so that he can distribute it to the needy.

Some ways to subvert the censorship.

1) anonymous web proxies that only accept inbound connections from Iran IP space.
2) TOR servers.
3) Ad-Hoc WiFi networks could be used to create a Mesh networks.
4) Multicast information, documents, video over the Mesh.

There are numerous free programs out there that allow you to encrypt your online activities by using VPN. I've been using Hotspot Shield and Tor. Give those a try, hopefully they are not blocked by your college's IT infrastructure. Also, use OpenDNS - this will bypass simple DNS filtering and protect you against worms such as Conficker.

If people are concerned about their privacy then why don't they use Firefox, AdBlock, Flashblock, and NoScript? The truly paranoid can download and use Tor as well. Do people have a right to complain if they aren't willing to lift a finger to protect themselves?

Never mind Freenet for this, you could use I2P which also features in-network Bittorrent. Of course if you really want to only share the torrents with an anonymising network you'll need to do modifications but at least it'll be easier when you can use existing tracker software. TOR's hidden services would work as well I suppose.

Just hosting the tracker on one of these networks is an interesting idea. It wouldn't provide any protection for the downloaders and seeders themselves but if people aren't quite ready to sacrifice download speeds at least it would shift the attention back to the people downloading again if the indexing sites/trackers were impossible to attack. It would be a step in the right direction. I can see why no-one has done this so far though.

I say, quit telling people what they can or cannot do to themselves, and let the gamblers gamble. If you, Minnesota, want to do something about on-line gambling, figure out a way to squeeze taxes in there and make it a revenue stream and not a cost-center.

http://www.torproject.org/eff/tor-legal-faq.html.en

As I understand it, you are pretty safe. It's not *you* accessing the content.

The Tor guys recommend you have a web server on the machine which says "This is a Tor relay", presumably so that anyone who finds your machine during an investigation will know what is going on.

Two experiences of running a tor exit relay. One good, one less good:-

http://blog.torproject.org/blog/five-years-exit-node-operator

http://calumog.wordpress.com/2009/03/18/why-you-need-balls-of-steel-to-operate-a-tor-exit-node/#comment-2

As soon as there could be a danger that someone could actually hear (or, gasp, listen to!) what you have to say, i.e. when there's something akin to an audience, you have to provide identification, so it's easier to ... to what, exactly? To track you down and send you behind bars for talking about a serious problem (aka "lying according to the powers that be")?

I recommend a look at TOR. That way you're from Russia, China, the Netherlands, Australia, the US... all at once. Often enough while visiting one single page.

How do you think I get around another one of YouTube's favorites: "this video is not available in your country"? Fine. Since I can't change your policy, I change the country I come from. Today I feel very Russian.

Wikileaks is not as robust as you think it is.

This isn't about wikileaks. Your internet routing is not as robust as you think it is. If you only have one ISP, they control every chunk of unencrypted information that passes between you and the outside world. You need to have a couple of friends in topographically dispersed locations. For those of us who have no friends, the Tor folks are more than happy to help out.

It's the Anonymous network dance!

You can share if you want to
You can slow down to a crawl
But at least you will be safe
Sixty-five kay in a cave
But detection chance is small!

http://torproject.org/
http://www.i2p2.de/
http://gnunet.org/
http://freenetproject.org/

Tor was not designed for the type and levels of traffic BitTorrent generates. Using it for torrents squeezes out people who actually need to remain anonymous. Widespread use of Tor for torrents would be a disaster for freedom.

Please don't recommend Tor.

Tor was not designed for the type and levels of traffic BitTorrent generates. Using it for torrents squeezes out people who actually need to remain anonymous. Widespread use of Tor for torrents would be a disaster for freedom.

Please don't recommend Tor.

Sounds like a waste to me, unless you're downloading something that could get you in trouble.

Or maybe you just don't want your ISP, and Slashdot's ISP, and everyone in between, to have unfettered access to who you are and what you're doing?

RTFA. It's not specifically about BitTorrent at all.

In other words: It's really no more or less than a paid, likely faster version of TOR.

Even supposing you're right, "could get you into trouble" could mean "is against the PRC, and you are in China."

How about Guerillamail ? That + proxies (or maybe tor?) would get around this...

http://www.torproject.org/

If someone really wanted to mess with them, make an auto click system that pipes through Tor somehow...causing the IP addresses to appear to come from all over the world.

I'm sure there are some technical issues, but it would make more work for Google.

http://www.torproject.org/

Hey, actually that's a good point. Maybe they should create a Freenet site for the information... Get some more folk interested in that project too.

The internet routes around censorship and other free-speech issues like this.

It sounds like we're getting to the point where anytime anyone wants to say something critical of a government, corporation, or even another person, we're going to have to use Tor.

http://www.torproject.org/

Subpoena all you want, you'll get nothing.

"Your Honor and Honorable Jurors, this man knowingly and willingly ran software designed to allow pedophiles and other criminals, even terrorists, to hide their identities while conducting crimes against children online, and to circumvent filters put forth by lawful authority. He will continue to help these people exploit the defenseless, unless we stop him here and now."

This would be where the EFF would step in. If one of their Tor operators was found criminally liable (and unable to appeal) for an exit node that was running on an otherwise clean machine, I can't imagine that the nodes in the country in question would stay online for long. Also, this is the link that I should have posted to begin with:
http://www.torproject.org/eff/tor-legal-faq.html.en

It is quite possible that you will be jailed, at least until the trial,

Held without bail? I seriously doubt it.

and even if you're not, you'll be harassed by the "save the children" -mob.

*grins* I've been harassed by *far* worse in recent memory. I might even be able to educate a few of their less zealous members.

Where is this anonymity everyone keeps talking about?

Tor, The MixMaster anonymous remailer, Freenet, and public proxy systems, among other places. We do have fairly good anonymity.

I found your privacy. You left it here

I'm going to venture a guess that tor is going to become very popular in Australia very soon...

Though, I'm sure some teenagers will figure out how to bypass those filters even more simplistically. Good on them. Say no to a censored Internet!

Pretty much everyone who runs a webserver would have to switch to SSL, at the expencive of more clock cycles or specialized hardware. p2p clients would force only encrypted connections, which is available in most clients but is not set by default.

It's not really something you can implement on your own, unless you want to use TOR. I've never really been all that happy with TOR because, at least for mean, it is too damned slow and it isn't totally secure.

Basically it is something everyone would have to switch to and it would make doing everything online a little more expensive.

From http://appshopper.com/utilities/incognito Incognito is an anonymous web browser for the iPhone and iPod touch. Now you can browse without leaving a history of any kind. Simply close the browser, and Incognito will erase the entire session!
Now you will no longer have to clear Mobile Safari's history just to hide a single entry, which rendered the URL auto-completion useless!

Are they kidding? Deleting browser and URL history might be as leaving less traces on that device, BUT for me, browsing anonymously means something like TOR...

Just an other incentive to design a tracker-less Torent protocol ...

BitTorrent already supports tracker-less torrents. The only problem is that there's at least two completing mutually incompatible versions, the Azureus one and the mainline (official client) one. Then again, there's a "mainline DHT" plugin for Azureus, so I guess that problem's pretty much solved now.

For that matter, nearly every P2P protocol still in use supports download meshes, which are basically the same as BitTorrent, so downloading large files even from the venerable Gnutella is reasonably fast nowadays.

No, the next step is getting Freenet up and running, to hide who's downloading what from whom. Tor, while it already gives this capability, is vulnerable to DOS attacks (in fact there's several going on there right now) and a kind of attack where you time node outages with server outages to figure out where a hidden server is located at. The current versions of Freenet are quite usable, as long as you forget browsing and use a searching/batch downloading tool like Thaw.

The IP could be traced, eh? I guess they should have used https://www.torproject.org/ to do those edits... if Tor users are not blocked from creating users at the moment, which is frequently is. "We traced those edits to some IP in China which happens to be a Tor server, now what do we do?"

Time for I2P and Tor on a cellphone?

Tor might be helful here...

If you are going to send an "anonymous" email then do it from your laptop in a public place, preferably a busy one that caters to lots of travelers who are there one day and gone the next so that new faces are nothing out of the ordinary, with open WiFi and for an added measure of security use TOR on top of that all combined with a throw away e-mail account (of course).

from your home computer (using an anonymous account)

And an anonymous IP address through Tor or the like, just to be safe.