Slashdot Mirror

Take this discussion to:

Tor Talk ML
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk/

and/or

Tor Development ML
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev/

to get in touch with the Tor developers and users.

Take this discussion to:

Tor Talk ML
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk/

and/or

Tor Development ML
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev/

to get in touch with the Tor developers and users.

If not on https://www.torproject.org/ then it does not exist.

Tor trainings for the Dutch and Belgian police https://blog.torproject.org/blog/trip-report-tor-trainings-dutch-and-belgian-police

Torbrowser, and you get the added benefit of Tor! Or, if you just want Firefox, download the latest ESR release (10.X I think). If you can find it.

A LiveCD with TBB:

https://www.torproject.org/

for LiveDVD/USB preconfigured not to leak try TAILS:

https://tails.boum.org/

in both instances unplug your HDD(s) before use.

The project TOR was based upon (Onion Routing) that was a research project by the U.S. Navy.
https://www.torproject.org/about/overview

For a quite some time, Tor was getting code contributions/updates from them.

So, at the very least, the US government has known about it's existence from the very beginning.

There is a non-zero probability that there is a backdoor has been put into the TOR system.
As for how likely that is, would be anyone's guess. ::Insert conspiracy theory here::

It is worth mentioning that the NSA *has* been caught putting in a backdoor in encryption stands in the past - see the DES Standard (http://en.wikipedia.org/wiki/Data_Encryption_Standard).

Take it as you will

"It's called Tor, and the more people who use it, the safer it becomes."

There's a potential problem with that.

While it is true that the more people who use it (or more accurately, the more people who host exit-nodes) the better, as it stands the government has been singling out those who use privacy-enhancing technologies, like Tor and encryption.

Bad, BAD Government! (Seriously, it IS bad. It's an attack on the whole "right to communicate privately" concept.)

Having said all that, the more people who use these technologies the better. I particularly recommend Tor and OneSwarm.

Just looked at the tor exit addresses list at http://exitlist.torproject.org/exit-addresses - what is in that 'ExitNode' string? There must be something somewhere that explains how to decode that and get some meaningful info from it, but I can't find it.

We have been through this before. You can all you want at the browser level to ask the bullies to stay away, but they will just go on ignoring that and track you anyway. BOOM, rap song. Seriously, though, this is nothing new, and no slimy advert company is going to pay attention to the browser flag. Just get a Proy/VPN/Tor Connection already. For the uninitiated, just forget it. This is why man has crated the Tor Browser https://www.torproject.org/projects/torbrowser.html.en

Agreed, however TOR provides an anonymous network (or as much as can be) if your client is insecure (in the case of the one link you referenced re: Bittorrent clients) then you may be exposed, hence they don't recommend it. Not saying you can't, but anyway.. I wouldn't do it because yeah, the performance would probably suck. There may be other attacks based on theory or practice against TOR but as the original posting article states, the NSA is possibly watching TOR under the guise:

For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—"will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person,"

So net, net, if they see traffic where they don't know where it originates or is destined to, you're considered a viable candidate for data collection unless they find out you're in the US and a citizen. Wow, I wonder what that algorithm looks like? They don't specifically say TOR is being watched, but it would increase your chances. That's like standing 10 miles from a nuclear test explosion = being watched, vs standing in uranium mine for 10 years = possibly watched. At a minimum, I would imagine that they'd be watching the exit node traffic and any other peers they can identify since a lot is publicly available there are a lot of exit nodes in the US and in friendly countries. If those other countries are friendly, they may just let the NSA tap in at the far end. So, you originate in the US, your traffic is in a TLS wrapper, it goes to France, then to .. then exits in the UK, or Sweden.. Anyway, this is supposition.

I'd just watch out for those TOR exit nodes in unfriendly territory.. Say, an exit node in Afghanistan or Lebanon, maybe Syria (that's a joke by the way)

Note, that above link although the article is from 2010, the data from teksimple.com appears to be kept up to date I'm not sure about the KML file though.

Shit, to paraphrase Farnsworth: "now I'll need a fake ID to download ultra-porn!"

What kind of horseshit rhetoric is this? From all accounts, there are not enough TOR nodes to support much torrent activity. TOR project itself has explained this as well as common attacks against TOR users. I doubt performance is much better in 3 years. So let me re-phrase.

You cannot use Tor to download as the speed is too slow. In fact, you will most likely use it for communication purposes such as e-mails, web browsing, instant messaging, and other low-bandwidth activities.

TCP, IP, UDP are communication protocols, and anything that happens over them is a form of communication. Sharing software like linux distributions, source or binary, is communication. You're not going to do a lot of it over TOR.

What kind of horseshit rhetoric is this? From all accounts, there are not enough TOR nodes to support much torrent activity. TOR project itself has explained this as well as common attacks against TOR users. I doubt performance is much better in 3 years. So let me re-phrase.

You cannot use Tor to download as the speed is too slow. In fact, you will most likely use it for communication purposes such as e-mails, web browsing, instant messaging, and other low-bandwidth activities.

TCP, IP, UDP are communication protocols, and anything that happens over them is a form of communication. Sharing software like linux distributions, source or binary, is communication. You're not going to do a lot of it over TOR.

The latest alpha release of the Tor Browser uses a deterministic build process for exactly that reason: users of open source software (or the small minority of users with the necessary technical skills) should be able to check that the published binaries match the published source exactly - no malware, no easter eggs, no backdoors. If someone detects a mismatch, they can alert the rest of the community.

Mike Perry, who spent six weeks getting deterministic builds working for Tor, has some interesting thoughts on why this is an important issue for security tools, even if the users completely trust the developers.

I'd like to see more open source projects following Tor's lead. Gitian is a deterministic build tool that might help - it enables multiple people to build a binary from the same source and check that they get identical results.

The latest alpha release of the Tor Browser uses a deterministic build process for exactly that reason: users of open source software (or the small minority of users with the necessary technical skills) should be able to check that the published binaries match the published source exactly - no malware, no easter eggs, no backdoors. If someone detects a mismatch, they can alert the rest of the community.

Mike Perry, who spent six weeks getting deterministic builds working for Tor, has some interesting thoughts on why this is an important issue for security tools, even if the users completely trust the developers.

I'd like to see more open source projects following Tor's lead. Gitian is a deterministic build tool that might help - it enables multiple people to build a binary from the same source and check that they get identical results.

It doesn't take a PhD to use the TOR Browser bundle, you could also direct users to a TOR gateway service like onion.to if you only care about protecting the anonymity of the site. I think the main reason it's not happening is because the current whack-a-mole game is not working very well. Search for any popular item + torrent on Google and you'll find plenty sites, public torrents usually refer to many independent trackers and on top of that there's trackerless peer exchange. It doesn't really matter where you get the torrent/magnet link, you'll be part of the same swarm. They can't win unless they shut down that down and if they shut that down moving the torrent sites to TOR wouldn't help.

For someone who just needs a torrent every 3 months or so, this cat-and-mouse game quite annoying. How about making a Tor hidden service for things like thepiratebay, just like the silk road? ( https://www.torproject.org/docs/tor-hidden-service.html.en ). I am wary of suggesting it, because it will turn the powerful media lobby against Tor, but someone is going to have a fit about Tor sooner or later anyway. In fact, Tor is quite extreme, because it allows hosting of *anything* without any possibility for censorship. Most people (excluding me of course) would want to be able to censor some kinds of (more or less extreme) information, be it porn, exploits, national secrets or copyrighted material.

You've been able to do this since Raspian was released ... probably before then and in other releases for the pi as well.

https://www.torproject.org/docs/debian

Why exactly does anyone care that adafruit posted something about using pre-packaged software from probably close to 2 years ago?

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

And then Tor will be blocked (if it isn't already).

Countries like Saudi would rather cut off the Internet altogether then lose control of it.

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

And then Tor will be blocked (if it isn't already).

Countries like Saudi would rather cut off the Internet altogether then lose control of it.

Not if you're using a bridge relay. A very powerful adversary could determine the existence of relays and flag you if you talk too much to them, but that's beyond the power of even a rather rich Middle Eastern country. https://www.torproject.org/docs/bridges

Now, they could try to ban https as a way of indirectly banning Tor but I don't think that will go over too well for security reasons.

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

If a government has every TCP ACK and window size to analyze at their leisure, how is Tor going to help?

End-to-end encryption?

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

If a government has every TCP ACK and window size to analyze at their leisure, how is Tor going to help?

End-to-end encryption?

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

If a government has every TCP ACK and window size to analyze at their leisure, how is Tor going to help?

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

If a government has every TCP ACK and window size to analyze at their leisure, how is Tor going to help?

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

Everybody needs to be using Tor on their mobile device and running lots of servers to help these people.

“The young do not know enough to be prudent, and therefore they attempt the impossible -- and achieve it, generation after generation.” -- Pearl S. Buck

Given that monitoring is impossible to prevent or really limit, all efforts should be made in shaming those taking bad ACTIONS based upon collected data.

It is not impossible to prevent or limit.

There are many projects working on software and technologies to do just that. Some are:

What you're saying
RedPhone and TextSecure: https://whispersystems.org/
Wickr: https://www.mywickr.com/en/index.php/
Parley.co: http://parley.co/
Silent Circle: https://silentcircle.com/
Seecrypt: https://www.seecrypt.com/

Who you're saying it to / who or where you are
Tor: https://www.torproject.org/

Both (for the most part)
LEAP: https://leap.se/ (Full disclosure: I am a developer on this project)

to name a few :)

Admission: I am not completely familiar with the details of many of these projects

Strange, this "article" does not even mention the official Tor Project Cloud effort: https://cloud.torproject.org/

can run a query like "Google: Show me the kitchen sink from the home on 1920 Sycamore St". And anyone who has access to the plumber's account could run a query like "Google: Show me all paintings from all houses visited in the past 6 months, ordered by estimated value"

Hey, that'd be great. If someone comes along and takes my paintings after he runs that through Google, the cops should know exactly where to go look.

It's a good thing there's no way to use stolen credentials to do searches anonymously!

Tracking tickets: iD@GitHub, EFF-HTTPS Everywhere@Tor

During the year I lived in China, I ran into several people whose only means of free and open Internet access was through Tor. While everyone I met only used it for Facebook and Youtube, if there ever is a democratic revolution in Iran or China, Tor will be there to help to make it possible.

If you want to help people in China, Iran, and possibility Japan, where Tor is being blocked, you can run a obfsproxy bridge to circumvent the block. There is currently a shortage of these bridges,
http://arstechnica.com/information-technology/2013/04/tor-calls-for-help-as-its-supply-of-bridges-falters/
so every little bit helps now. The quickest and easiest way is to setup your free Amazon EC2 account with the Instructions at the Tor Cloud Project page
https://cloud.torproject.org/
Or for a general Linux setup, [detailed instructions can be found at:
https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en

NOTE: A bridge is NOT the same as an exit node. If you are just running a bridge, you are only helping people join the Tor network and are only routing a small amount of internal encrypted tor traffic, so there is no risk of getting into trouble with the authorities.

During the year I lived in China, I ran into several people whose only means of free and open Internet access was through Tor. While everyone I met only used it for Facebook and Youtube, if there ever is a democratic revolution in Iran or China, Tor will be there to help to make it possible.

If you want to help people in China, Iran, and possibility Japan, where Tor is being blocked, you can run a obfsproxy bridge to circumvent the block. There is currently a shortage of these bridges,
http://arstechnica.com/information-technology/2013/04/tor-calls-for-help-as-its-supply-of-bridges-falters/
so every little bit helps now. The quickest and easiest way is to setup your free Amazon EC2 account with the Instructions at the Tor Cloud Project page
https://cloud.torproject.org/
Or for a general Linux setup, [detailed instructions can be found at:
https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en

NOTE: A bridge is NOT the same as an exit node. If you are just running a bridge, you are only helping people join the Tor network and are only routing a small amount of internal encrypted tor traffic, so there is no risk of getting into trouble with the authorities.

Cupcake allows you via a browser extension to run a bridge if you won't/can't install the whole Tor suite.

Currently available for Chrome / Chromium, Firefox is in the works.

Please help Tor!

https://www.torproject.org/donate/donate.html.en

When they came for us, there was no one left at all.

That's because they all installed Tor and continued on their merry, man.

I think https://www.torproject.org/download is better

b) Exit nodes don't matter for blocking purposes. Bridge nodes are discoverable, but Tor has made them difficult to discover the complete set, https://bridges.torproject.org/ (or, since that'll be blocked in most useful places, emailing bridges@torproject.org with the "get bridges" in the body) only gives out a few at a time with a captcha requirement, and only sends to https-enabled webmail hosts.

Tor also has an unknown number of private bridges people run and disseminate through their own channels to friends and family and so on. This, plus obfsproxy and related tricks like the flashproxy work from Stanford, make it really really difficult to discover and block enough bridges into the network.

...and Tor provides much higher privacy for the user, with related tools like leave-no-trace bootable-thumbdrives (TAILS) , and is much, much harder to block than a VPN (Iran just this week decided to restrict all VPN traffic).

Also, basing this off of Windows means that rapidly throwing up new servers is a bit more cost-prohibitive and licensing-restricted than flipping on an Amazon EC2 tor image (not using your free ec2 slot? go here: https://cloud.torproject.org/ ) , or hosting a tor server on a cheap VPS.

I value the guy's intentions, but question his supervisors approval of his field assessment sections.

Try https://www.torproject.org/ it'll get you to there even if the site is blocked by your ISP.

Get this

Then, go here: silkroadvb5piz3r.onion

Tor alone implements Onion Routing but not Onion Hidden Domains. Unless you know what you are doing, TOR alone is useless.

Get the Tor Browser Bundle. This comes preconfigured to access .onion domains, gives you a graphical interface to enable/disable TOR and provides a browser with noscript and other settings to prevent tracking and real IP leaks.

This is essential to check out the mentioned site just as a matter of curiosity. There are a lot of markets running on .onion hidden domains and it is a place I go to buy discount VPN/VPS services and some hard to find (yet legal) electronics.

Please note that while your activity while using this is hidden from the likes of Google (and possibly your ISP), your activities are not completely anonymous. Tor alone is not adequate to ensure complete anonymity, just enough to punch through any censorship mechanisms. The biggest problem with people using TOR for the first time is DNS leaks. This can easily be fixed with some custom packages or IPTables. Proxychaining a VPN in also helps. AirVPN are one of the best and come with great support though I skimp and use cheaper services as I only use this method to appease my paranoia rather than for illicit activities.

For those that lack the knowledge or confidence to set this up properly, there are many DarkNet/FreeNet/etc USB Thumb drives that come with a preconfigured bootable live distro. I've obtained a few of these for my journo friends and given the following simple instructions: Set up in a cafe, maccas, starbucks, etc; Boot from USB; Run MACChanger; Surf away (but no personal surfing i.e. Facebook, Gmail).

Get this

Then, go here: silkroadvb5piz3r.onion

It has a major flaw that allows spoofing website addresses: https://trac.torproject.org/projects/tor/ticket/5477

Or just download the Tor Browser Bundle. Takes 2 minutes. Opens TPB from anywhere.

From the little I've read, it seems that they use a distributed host of volunteer servers to run the TOR network, so it might not be that easy to 'shut-down' the entire network (lack of centralized host) - If I'm wrong, I'd love to know why.

"They"? The Tor network is run by all its users... it's not like it requires some sort of specialized servers. Every (or most of) Tor node can act as both Tor client and Tor server.

My concern is that they will make TOR access illegal.

"They"? Who? Also, based on what would they make Tor illegal? If they can't make PGP illegal, there's also no basis to declare Tor illegal, as it works over the same principles.

Besides, you do know that Tor was invented by the US military, right? I mean... the US government runs Tor nodes. Why the fuck would they make that illegal? Should we ban knifes nationwide because some people use it to do illegal stuff/harm others?

Is there a way to detect TOR access uniquely?

Probably, but there also ways of obfuscating it as SSL traffic or whatever. Not even China has been able to keep their citizens off Tor (and, trust me, they HAVE been actively trying to), so I don't really see how other (less experienced with Internet censorship) countries would easily do that.

I recollect reading about a method that could identify IP address accessing TOR (don't remember the details), I'm not sure if that hole was plugged (or if it can be plugged).

Start here: https://www.torproject.org/projects/obfsproxy-instructions.html.en

TL;DR: Why exactly would anyone make Tor illegal in itself? Based on what legal basis? I don't know how it works in your country, but, where I live, things need to have a specific reason for being illegal. YMMV.

The Tor2Web project is pursuing just this. See the .onion nym system proposal specifically, one of the more exciting projects towards anonymity and decentralization on the internet (short of a decentralized dns system, but I digress).

It's a network designed to prevent you from being snooped upon, but by and large the (work of mouth) advertising isn't "And this way Google will never be able to select ads that are of interest to you" or "You don't have to worry that your affair will be discovered by your spouse" (to use two extremes) but "The government will not be able to snoop on you!"

The "word of mouth" I hear about Tor is that it's software originally developed by the U.S. government that can to help people in China and Syria and other totalitarian nations get net access without being snooped on.

If it occasionally gets in the way of lazy-ass cops who'd rather not be bothered doing legwork to track down real crimes, too bad. We have a word for states where freedom is restricted in order to make things easier for police: a police state.

They have a history of doing stuff like this in Austria (Germany also). I am now aware of this happening in the US, we have fairly clear laws on the subject. I have ran a 5 mb/sec exit node unmolested, without even one single abuse complaint for 10 years. Anyone who sees the obvious tor-exit hostname in their logs knows whats up, if they are still confused the exit node notice should clear things up. The EU has been trying to get some reasonable laws passed but their broken economy steels the show.

TOR is a bad choice for bittorrent traffic, and the TOR folks would kindly ask that you not use bittorrent on their service. A torrent proxy service or full VPN is the solution. I use BTGuard, which IS designed for bittorrent traffic. https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

Please don't use Tor for torrenting. Not only it imposes extra load on the exit nodes, it won't keep you protected for the reasons mentioned in that link.