Slashdot Mirror

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission...

[1] http://www.dailydot.com/techno...
[2] https://www.torproject.org/
[3] https://trac.torproject.org/pr...

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission...

[1] http://www.dailydot.com/techno...
[2] https://www.torproject.org/
[3] https://trac.torproject.org/pr...

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission...

[1] http://www.dailydot.com/techno...
[2] https://www.torproject.org/
[3] https://trac.torproject.org/pr...

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission...

[1] http://www.dailydot.com/techno...
[2] https://www.torproject.org/
[3] https://trac.torproject.org/pr...

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission...

[1] http://www.dailydot.com/techno...
[2] https://www.torproject.org/
[3] https://trac.torproject.org/pr...

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission...

[1] http://www.dailydot.com/techno...
[2] https://www.torproject.org/
[3] https://trac.torproject.org/pr...

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching.

Tor, the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching.

Tor, the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

That's why, if you watch TV, you should use broadcast, or watch streaming media over the internet with The Onion Router.

If you have cable, or your use Dish network, your provider can tell what shows you watch and when. In principle they could tell when you change channels in the middle of the show, either because you dislike or disagree with what you are watching, or are excited about something else.

Obama already experimented with individually-targeted TV ads during his 2008 campaign. During this year's congressional elections everyone will be doing it.

I will be writing up a submission about it but if you want to do it yourself, be my guest. I read about it in The Columbian the other day, the Vancouver Washington paper.

https://www.torproject.org/doc...

The hidden services doesn't even need an exit point. They choose entry nodes, just like clients, then tell via a DHT that to contact it clients should go through one of those nodes.

Nodes which doesn't know the service's placement any more than they know the client's placement.

I'm very surprised to see that the article and all posts fail to mention TOR.

TOR may not be perfect, but it's a lot better than any readily available alternative. I'd suggest using it for any browsing you think might be the least bit controversial. The more people that use TOR, the better it works. It's a bit slow, but it's livable.

http://www.torproject.org/

All of us together.

Which requires communication. Which is why NSA and its ilk are so hell-bent on wiretapping everything: to ensure any rebellion is crushed in the bud. Which, in turn, gives various governments ever greater assurance that they'll face no opposition no matter what they do, thus encouraging them to go farther.

It's a nasty vicious circle which could easily end up in another age of tyranny. It's why things like Tor and Freenet are so important: anonymous communication is the only way to organize effective resistance before things get so bad that lots of people are willing to risk death to fight, which in turn is the only way to keep things from getting that bad.

Of course, effective resistance also requires people to recognize a "divide and conquer" strategy when it's used against them. Which is why those in power are wish to discredit the concept of "class war": to keep the oppressed from having a group identity different from the oppressors. There is actually a class war going on, and has been for a while. The current economic troubles are part of the collateral damage, caused by the massive increase in debt caused by the concentration of wealth, and it will only get worse from here if the lower classed don't start fighting back effectively rather than dreaming futile dreams of winning the lottery and joining the 1%.

-- Spoiled Onions: Exposing Malicious Tor Exit Relays

(PDF) http://cryptome.org/2014/01/sp...
http://www.cs.kau.se/philwint/...

&

-- What the "Spoiled Onions" paper means for Tor users
https://blog.torproject.org/bl...

&

-- Scientists detect "spoiled onions" trying to sabotage Tor privacy network
Rogue Tor volunteers perform attacks that try to degrade encrypted connections.

http://arstechnica.com/securit...

-- Spoiled Onions: Exposing Malicious Tor Exit Relays

(PDF) http://cryptome.org/2014/01/sp...
http://www.cs.kau.se/philwint/...

&

-- What the "Spoiled Onions" paper means for Tor users
https://blog.torproject.org/bl...

&

-- Scientists detect âoespoiled onionsâ trying to sabotage Tor privacy network
Rogue Tor volunteers perform attacks that try to degrade encrypted connections.

http://arstechnica.com/securit...

confusing Firefox with Tor

I don't see how Firefox with Tor is so confusing.

What you secure and audit is the protocol, or the source code of the twister (they could even do deterministic builds like the bitcoin people if that becomes a priority), not the physical/virtual PC where it is running. You can do the same with bitcoins, even infected/compromised PCs don't change the network (and your wallet) reliability.

sometimes

It depends on your definition of sometimes.

Network effect works. They would hate to put an encryption key in plain text or the channel they use to send the data, or the destination name/address, so putting in a souce code that anyone could eventually see is a big no. Regarding binary packages, if well some distributions could be compromised by secret laws (RedHat at least resides in US) the code release that they must do ensures that other projects can pick the source, recompile it and use them instead (i.e. Centos), and if you trust the distributions packages are signed so is harder (maybe not NSA-level harder, but harder anyway) to do some MITM work to install touched binaries.

Also, some projects like Tor are adding deterministic builds to validate that the binaries really are what the author says.

The NSA hates Tor. So running a Tor Relay is a great and safe way for us to actually do something about the NSA.

People, read the docs before using something. You only make yourselves a more noticeable idiot for the NSA and friends [without doing so].

So, basically FBI didn't see what was sent through TOR, it just happened that this student was apparently the only one using TOR at that time.

For all you future dissidents, spend a little time reading docs and use obfuscated bridges when accessing TOR, because your ignorance hurts the project's publicity.

Tails 0.22 released @ Dec 11, 2013
============
CHANGELOG

tails (0.22) unstable; urgency=medium

[Tails developers]
* Security fixes
- Upgrade to Iceweasel 24.2.0esr that fixes a few serious security issues.
- Stop migrating persistence configuration and access rights. Instead,
disable all persistence configuration files if the mountpoint has wrong
access rights (Closes: #6413).
- Upgrade to NSS 3.15.3 that fixes a few serious security issues affecting
the browser, such as CVE-2013-1741, CVE-2013-5605 and CVE-2013-5606.

* Major improvements
- Switch to Iceweasel 24 (Closes: #6370).
 Resync' (most) Iceweasel prefs with TBB 3.0-beta-1 and get rid
of many obsolete or default settings.
 Disable WebRTC (Closes: #6468).
 Import TorBrowser profile at commit
51bf06502c46ee6c1f587459e8370aef11a3422d from the tor-browser-24.2.0esr-1
branch at https://git.torproject.org/tor-browser.git.
- Switch to Torbutton 1.6.5 (Closes: #6371).
 Prevent Torbutton from asking users to "upgrade TBB".
 Use the same Tor SOCKS port as the TBB (9151) for our web browser.
This should be enough to avoid being affected by Tor#8511.
 Disable Torbutton 1.6's check for Tor.
Unfortunately, the new check.torproject.org breaks the remote Tor
check. We cannot use the local Tor check with the control port. So,
the shortest and sanest path to fixing the check issue, because the
remote Tor check is broken" seems to simply disable this check.
Patch submitted upstream as Tor#10216.
- Prepare incremental upgrades to be the next default way to upgrade Tails,
on point-releases at least.

* Bugfixes
- Deny X authentication only after Vidalia exits (Closes: #6389).
- Disable DPMS screen blanking (Closes: #5617).
- Fix checking of the persistent volume's ACL.
- Sanitize more IP and MAC addresses in bug reports (Closes: #6391).
- Do not fail USB upgrade when the "tmp" directory exists on the
destination device.
- Tails Installer: list devices with isohybrid Tails installed
(Closes: #6462).

* Minor improvements
- Create a configuration file for additional software if needed
(Closes: #6436).
- Translations all over the place.
- Enable favicons in Iceweasel.
- Do not propose to make permanent NoScript exceptions.

Sorry, but I don't think you understand how TOR hidden services work (to be fair, Wikipedia is downright useless here) :-)

https://www.torproject.org/docs/hidden-services.html.en - they do a much better introduction than I could ever hope to do ;)

Whatever it is, that's what we've come to. And it's no surprise. For all the reasons that broadcasts have ever been appropriately restricted, so should the internet be.

Now, you can certainly complain with the way that it's done. You can be upset at the sheer number of false positives. You can be correct in saying that it may actually be impossible or unfeasible to enforce. But then that becomes the debate, not the need for the restriction in the first place.

Not quite. The way it's done resembles blowing up that downtown building because they don't accept what's painted onto its side. By "complaining with the way it's done" I'd understand saying something like they should have used carefully placed dynamite charges rather than air-to-ground missiles. Instead, I want to say they really should leave the building in place. By design, there is no proper way to restrict the Internet! Safe browsing —for those who don't want to inadvertently see those sites— is a different story. The minister is not trying to safeguard people who cannot accept the publication. He targets those dangerous extremists who are actively looking for it, not reckoning that such technique is neither effective nor legitimate.

There's an EU opinion published a few days ago. (Oddly enough, no English version there, you may want to read The Telegraph instead.) The means for blocking which the EU advocate mentions are DNS blocks, not compatible with DNSSEC, and routing blocks, which are even worse. The advocate also says those blocks can be easily circumvented even by unexperienced users —e.g. using Tor— while they require a good deal of work to be set up. Nevertheless, he finds them not disproportionate. Here again, they consider that the copyright law must be protected, without reckoning that the Internet has a larger impact than printing industry, after which the copyright law started in the early 1700s.

IMHO, it's governments who are turning old-fashioned.

Have you installed TOR on a winders box recently?

You don't even have to install it (for web browsing at least).

https://www.torproject.org/projects/torbrowser.html.en

Even if you can't stomach the risk of running an exit node, you should give something back to the network. Run a non-exit relay, and donate 25 GB of your bandwidth a month. Just remember to set your RelayBandwidthRate and RelayBandwidthBurst (96 KB and 128 KB work well to provide roughly 25 GB/month).

Here's a sample configuration. I recommend using it with ARM and a local DNS server. If you enable the TransPort, you can use iptables to force all system traffic through Tor, though this requires extreme care to avoid leaking personal details. The choice of which nodes/exit nodes to exclude should be made carefully, after some consideration of your objectives. Don't forget to set up port forwarding and punch holes in your firewalls, or relaying won't work.

User tor
DisableAllSwap 1
AvoidDiskWrites 1
DataDirectory /home/tor/.arm/tor_data
Log notice file /home/tor/.arm/tor_log
CookieAuthentication 1
RunAsDaemon 1
DisableDebuggerAttachment 0

Address INTERNET_FACING_IP_GOES_HERE
ControlPort 9052
ORPort 9001
DirPort 9030
DNSPort 9053
AutomapHostsOnResolve 1
#TransPort 9040

BandwidthRate 192 KB
BandwidthBurst 256 KB
RelayBandwidthRate 96 KB
RelayBandwidthBurst 128 KB
ExitPolicy reject *:*
StrictNodes 1
ExcludeNodes {??}
ExcludeExitNodes {us},{gb},{??},{A2}
GeoIPExcludeUnknown 1
FastFirstHopPK 0
ExtraInfoStatistics 0
DirReqStatistics 0
BridgeRecordUsageByCountry 0

At the Tor blog they say "On Windows builds, something mysterious causes 3 bytes to randomly vary in the binary". No explanation though.

Being pedantic, you mean the Tor Browser Bundle, of which Tor is but one component. And using Firefox as the base browser is not without problems.

Being pedantic, you mean the Tor Browser Bundle, of which Tor is but one component. And using Firefox as the base browser is not without problems.

Being pedantic, you mean the Tor Browser Bundle, of which Tor is but one component. And using Firefox as the base browser is not without problems.

Sorry, my above post is not entirely correct. it seems, for Windows at least, it Vidalia control panel is included in the Browser Bundle.

https://blog.torproject.org/blog/plain-vidalia-bundles-be-discontinued-dont-panic

Not sure about OSX/Linux, but I assume it is similar

Tor has a service to detect exit points.

Besides that, block everything, and no complaints will reach you as well. The sales will be lower because of this. fraudlabs deny any responisblity in their ToS... so it will become your problem again in the end.

I've gotten a lot of hits, and that's a good thing. As I noted in another post, I got hit by reddit earlier this year. In general people are becoming more interested in protecting and verifying build environments, as this post about Tor demonstrates.

So please take a look at my Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) page!

It's not a secret where the exit nodes are. In fact, none of the nodes are kept secret.

That said, you usually don't get blocked from websites for hosting a relay node, though you certainly do get blocked from many sites (this one included!) for hosting an exit node.

That's what the person you're replying to just said. Although, from the article, they apparently aren't running enough nodes to quite pull this off.

They can't just run all of these nodes from their own block of addresses, so I assume distributing enough nodes across the world is limiting their ability to properly analyze the network. There are only 4000 relay nodes and fewer than 1000 exit nodes, so there must be some operational limitation on their ability to outnumber the other nodes and own the network.

According to TFA, NSA knows full well exactly this and tried it, but couldn't gain control of a sufficient number of exit nodes. That's not surprising, it really would take controlling quite a lot of exit nodes.

Are we sure they didn't just root the botnet around mid-August/early September?

http://www.infosecurity-magazine.com/view/34453/massive-botnet-is-behind-tor-usage-spike-/

Can we be absolutely certain that the botnet itself, and every single node, is 100% secure and non-rootable from the NSA's 0-day toolkits?

TorBrowser should most likely NOT adopt Adid.

Or at least, spoofing it harmless somehow. hehe

If you want to see their status report and plans to address it, see this post from April, 2012 and follow the links:

http://archives.seul.org/or/talk/Apr-2012/msg00068.html

Here's the page to configure a yum repo for the 0.2.4 branch:

https://www.torproject.org/docs/rpms.html.en

They ask that relay nodes run this.

Tor was not created by the Air Force. Initial work was funded by the Office of Naval Research via the Naval Research Laboratory. See: http://www.onion-router.net/History.html. You can also see a list of funders here: https://www.torproject.org/about/sponsors.html.en.

Air Force, Navy... point is, it was developed by the military. And it is used by the Air Force... I just noted that the first military link in the google search came up with this... and as the Air Force is the one spearheading the 'cyberwarfare' initiative in our military, it made sense that the Air Force would be the maintainer of military assets within the Tor network...

Tor was not created by the Air Force. Initial work was funded by the Office of Naval Research via the Naval Research Laboratory. See: http://www.onion-router.net/History.html. You can also see a list of funders here: https://www.torproject.org/about/sponsors.html.en.

The original blog post by Rob Graham that Arstechnica reports on has created some confusion about Tor versions. The current recommended stable version of Tor is 0.2.3.25-12. The current alpha release is Tor 0.2.4.17-rc, and people running relays are being encouraged to use this version on the mailing lists. So the repositories, by recommending Tor 0.2.3.x, aren't out of date. However, the Tor website does advise against using the Ubuntu repositories because they aren't "reliably updated" (https://www.torproject.org/docs/debian#ubuntu), which I don't think is the fault of Tor developers. Also, the most up to date version of Tor can be found at the following repository: deb http://deb.torproject.org/torproject.org/ tor-nightly-0.2.4.x-wheezy main.

The important bit, the one that has value to *me*, is that it can hide my identity. It can hide the identity of people who are afraid of oppression, it can hide the identity of whistle blowers, it can hide the identity of people asking for help.

Actually, no, it can't. You're thinking of i2p, not Tor.

If you're confused, you need to read up on the major flaws and vulnerabilities in Tor that allow the NSA or enough controlling entities to de-anonymize anyone using Tor. In fact, the more Tor exit nodes, the easier it is.

The tremendous spike in users using Tor could be both in reaction to the NSA news, or proactive from the NSA ramping up their use of Tor to more-rapidly de-anonymize the traffic coming across those exit nodes.

I thought a point of TOR was that {users} was a subset of {nodes}. Specifically I thought that part of the deal of accessing TOR is that you agree to act as a node for others using the network, partially to expand the network, and partially to make it difficult to prove that TOR traffic leaving your system is actually yours. Is that wrong?

Late reply, but it's actually the opposite. Generally, nodes ("relays" in Tor's vocabulary) are users that have chosen to also be a node, and even then, and entry/transit or exit node. See Tor Project: Relay Configuration Instructions for more information.

Essentially, you can run Tor as a client only, a client and a relay, or only a relay.

Here, look at this:

Pull up a google search:

http://www.vir.us.com/delete-trojanwin32mevade-b-user-guide-to-remove-trojanwin32mevade-b
> Countries Affected: Germany, USA, China, Switzerland, Canada etc.

Now look at the Tor user numbers from China:

https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2013-06-01&end=2013-08-30&country=cn#userstats-relay-country

Why is Mevade creating Tor traffic from places as tiny as Vatican city, and having zero impact from China? When apparently China *is* affected by the botnet, and if past knowledge is any indicator, is probably the world capital of malware?

It doesn't add up.

Just run a TOR exit node ...

Hardly an option in my circumstances, a laptop grabbing IP from almost random sources.

https://cloud.torproject.org/

"This project runs on the Amazon EC2 cloud computing platform, which powers Amazon.com and other major websites. Amazon EC2 allows users to launch their own virtual machines and computing resources with flexible and cost-effective terms"

There are a lot of Amazon cloud exit nodes, too.

The TOR Project has had the bundle for a while.

So all they have done is take the "Tor Bundle" which is nothing more than a specially configured version of Firefox, and call it "The Pirate Browser".

The TOR Project has had the bundle for a while.

Put your Tor client in a Secure Linux VM, so none of your hardware information can be exposed. Go to https://check.torproject.org/ to check if Tor is working, and make sure NoScript or something similar is enabled.

If your work browser is configured to accept certificates from the proxy server, SSL might not give you privacy.

Right. Unfortunately the Slashdot Editors seem to have started editing (I can see why the trolls keep complaining that this place is going downhill) and deleted my my sarky suggestion to use tor from my submission.. If you want to do anything from work you wouldn't want to know then make sure you use someone else's IP address to do it from. Alternatively buy an Android tablet and a data subscription.