Slashdot Mirror

I brought that up one day but heard that BitTorrent over Tor might not work. Dunno.

https://cloud.torproject.org/

To help new customers get started in the cloud, Amazon has introduced a free usage tier. The Tor Cloud images are all micro instances, and new customers can run a micro instance for free for a whole year. The AWS free usage tier also includes 15 GB of bandwidth out per month.

Tor has changed since you read last... "Bridges" were added to Tor and are not listed in any central directory.

Tor bridges

Introduce your friends and family to The Onion Router.

Set up a Tor node yourself. Amazon will provide an entry level EC3 host to anyone free of charge for a year.

Register a domain that is not under US control and so cannot be taken from you by the Feds. .is looks good - Iceland.

Mirror some Samizdat at PRQ AB of Sweden. They have a full time legal staff to defend their customers against takedown orders. you can host anonymously and pay them with anonymous money orders.

Running BitTorrent over Tor is stupid:

1. Malicious exit nodes can correlate your BT streams to your Tor web browsing, and learn your real IP.
2. The high bandwidth used by BT cripples the Tor network for everyone else
3. Most popular BT clients send the tracker your IP anyway.

https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

If you want anonymous P2P, then I2P is a much better option.

Also, for all you Spanish-speaking geeks reading this, help now by translating Tor documentation.

Subject says it all. Even among CS grads, I'd bet that only small minority have ever heard of Tor. What's worse is that a little knowledge can be a dangerous thing--I'd hate to go to Nuevo Laredo Online and spam it with links to Tor, only to have someone download it and get beheaded because they used it incorrectly. So, there needs to be a push to educate the bloggers about the basics, benefits, and pitfalls of anonymizing tools. This means that we nerds actually have the power to help Mexicans defeat the cartels. How cool is that?

Most people who browse for child porn use Tor though, which makes it very difficult (almost impossible) to guess who is distributing and who is requesting the content. In fact, I would be some what surprised if any of these websites are accessible to someone who doesn't use the onion routing protocol.

Well, so they took down those "porn" websites, but one has to ask, why the authorities have done nothing, preferring to sit on their backsides? Politicians or police using such sites and they want to cover it up?

Sigh. Quality of Slashdot readership is steadily going down.

These were TOR sites. That means that the hosting servers are near impossible to track because the TOR network is meant to allow for anonymous hosting.

Subsequently, unless you manage to globally packet-inspect the entire Internet (which is the very thing that the child-porn crusaders advocate, along with introducing a totalitarian global police state to "protect the children") or somehow crack in and identify the location of these servers from whatever data is within, you cannot even tell what country they are in.

Freedom Hosting is an extreme libertarian host service, with 0% censorship rules, which is meant to host sites of political dissidents and other web contents that is likely to get you killed by a mob of raving religious lunatics for breaking whatever taboo in whatever nut-infested country you happen to live.

So Anonymous cracked into some sites hosted on Freedom Hosting and defaced them, stole some meaningless login ids (like those of people logging in with the names of their least-liked politicians or neighbours) and did not even get the IP addresses of the servers or the users because on the TOR network they would be meaningless.

End result: upgraded and hardened CP sites on TOR.

This action defines the very concepts of "pointless", "futile" and "counterproductive". Which not very surprising since it is usually the fate of all vigilante witch-hunts in the long run ...

Here is what I found on the Tor-site:
"For efficiency, the Tor software uses the same circuit for connections that happen within the same ten minutes or so. Later requests are given a new circuit, to keep people from linking your earlier actions to the new ones."

https://www.torproject.org/about/overview

That doesn't sound all that great.

I agree with all your philosophical questions. I occasionally check the "Post Anonymously" checkbox when I want to post some unpopular truth. Am I now a member?

Until these problems are worked out (and they may never be), I encourage you to keep a copy of the Tor Browser handy. Use it whenever you want to see the truth for yourself without having to worry about who's watching over your shoulder.

It's sad that I have to be so paranoid in a "free" country, but at least we have tools to help.

They wanted any computer equipment that may have had evidence relating to the investigation. The probable cause was that the IP address used was assigned to Mr. King's Internet connection, and Mr. King had entered into a legal agreement taking responsibility for the use of that connection, so it's probable that he knows what happened.

I guess because of OMGPRIVACY and OMGFUCKTHEPOLICE those sorts of facts get the boot.

So, they trace back the traffic to a Tor exit node and conclude that the owner is, contrary to the Tor Exit Notice, actually secretly keeping logs about activity going through it? If they wanted data, they could have done to him what they do other private entities like ISPs and Telcos. But they can't because they know how Tor works, and that he's not going to have anything of benefit for them.

This is just a way to discourage the use of Tor and run an otherwise not-guilty person through The System, enabled by whatever today's criminal boogeyman is.

You are talking about search a list of strings for a particular string

I've parsed the Tor list before myself. I'm fully aware of how little effort it takes, and I'm also aware that it's far beyond the capacity of most police departments. Remember, these folks are funded by taxes, and nobody ever wants tax increases. If it's a choice between getting a programmer to parse the Tor list and getting an extra set of body armor, no sane police department is going to pick the programmer.

Then you have someone who lied to the police (which is evidence that can be used against them), and if they destroyed the incriminating evidence, they are guilty of another crime -- destruction of evidence.

Lying to the police is useless without more evidence of wrongdoing, and destruction of evidence is trivial compared to child pornography. The suspect could just be an ass to police for the fun of it.

They could maintain their own up-to-date list of Tor exits, or just download the list before they go ahead and get a search warrant. It is really not that hard.

Maintaining an accurate list is hard. My purpose was to identify incoming Tor connections on my web server. In testing, I found that the list of exit nodes changes significantly within a span of 10 minutes, and the list I was using had update delays of up to 30 minutes. That's enough variation to cast doubt on any list. Linked in TFA is the ExoneraTor, which strives to do exactly what you suggest, but apparently its results can only show that a given exit node was likely to be running or not.

I view it as a threat -- they are telling the guy that he will have to go through this entire situation again if he continues to run a Tor exit.

That's not so much a threat as a statement of fact. It's not a threat for me to tell you that you're likely to be injured if you start throwing punches at random people on the street.

He was never committing a crime to begin with, so why should his behavior change?

He wasn't convicted of a crime or even accused of one. His behavior should change because he's making life more difficult for himself. If he likes making trouble for investigators and himself, fine. It's his choice. He can go through the hassle again.

ICE has no business showing up at an exit node operator's home.

So if a trail of bloody footprints leads from a murder scene to your front door, the police have no business talking to you about it, because those footprints could have been anybody's, and somebody could have used your porch to change shoes, and it's totally not your problem at all, right? Getting a warrant to check for bloody shoes in your closet is unreasonable, and they should have asked you first! Once you tell them that that guy down the street wears shoes sometimes, they should leave you for a while, and ignore the bonfire in your backyard, because you could be innocent, so they should respect your rights at all costs.

FWIW, there are guides out there for those do want to get around censorship such as this.
Tor project
Defeating censorship
etc.

What about using Tor bridges?

https://www.torproject.org/docs/bridges

This is assuming, of course, that simply using encryption will not put you under suspicion.

It seems those people are arrested thanks to the IP address they were using at the time.
Are they too young to know Tor and the like?

This is the best solution I have found so far:

1.) Install Vidalia: http://www.torproject.org/

2.) Install NoScript: http://noscript.net/ (Ghostery may be ok - but I'm not too familiar). This blocks Flash, Javascript, etc - but you can selectively enable certain content.

3.) Install the EFF's HTTPS Everywhere plugin: http://www.eff.org/https-everywhere
This will default sites like Google to use the SSL version of their pages if is possible - with Tor Exit Nodes being possibly monitored, SSL is your friend.

4.) Use AdBlock Plus: http://adblockplus.org/
This reduces unnecessary traffic through Tor (banner ads, etc).

Run your browser in Private Browsing mode as well and keep you History clean. Firefox has an option to clear this every time you exit. Tools to keep other things clear (Bleachbit on Linux and C-Cleaner on Windows never hurt)

If you are super-duper paranoid, you can use a Full Disk Encryption suite like Truecrypt: http://www.truecrypt.org/

Just make sure to pick a good passphrase (26+ characters) and keep your computer shutdown when you are not around it.

If you want to help out with Tor like me, I donated a share of my bandwidth to run a Tor Relay: https://www.torproject.org/docs/tor-doc-relay.html.en

PS I also change my IP address randomly every few weeks Simply changing your MAC address, hostname and then resetting your hardware will do this. Most ISPs do not retain data beyond 6mos so this also doesn't hurt.

PPS Fuck the police (with a cactus).

This is the best solution I have found so far:

1.) Install Vidalia: http://www.torproject.org/

2.) Install NoScript: http://noscript.net/ (Ghostery may be ok - but I'm not too familiar). This blocks Flash, Javascript, etc - but you can selectively enable certain content.

3.) Install the EFF's HTTPS Everywhere plugin: http://www.eff.org/https-everywhere
This will default sites like Google to use the SSL version of their pages if is possible - with Tor Exit Nodes being possibly monitored, SSL is your friend.

4.) Use AdBlock Plus: http://adblockplus.org/
This reduces unnecessary traffic through Tor (banner ads, etc).

Run your browser in Private Browsing mode as well and keep you History clean. Firefox has an option to clear this every time you exit. Tools to keep other things clear (Bleachbit on Linux and C-Cleaner on Windows never hurt)

If you are super-duper paranoid, you can use a Full Disk Encryption suite like Truecrypt: http://www.truecrypt.org/

Just make sure to pick a good passphrase (26+ characters) and keep your computer shutdown when you are not around it.

If you want to help out with Tor like me, I donated a share of my bandwidth to run a Tor Relay: https://www.torproject.org/docs/tor-doc-relay.html.en

PS I also change my IP address randomly every few weeks Simply changing your MAC address, hostname and then resetting your hardware will do this. Most ISPs do not retain data beyond 6mos so this also doesn't hurt.

PPS Fuck the police (with a cactus).

Sounds just like a sting operation to me. If you are anonymous please go over there to hand over your IP address and a chat log of all your activities. Thank you, The Management

This will only catch the ones that don't know how to use TOR or something similar.

https://www.torproject.org/about/torusers.html.en#activists

* Human rights activists use Tor to anonymously report abuses from danger zones. Internationally, labor rights workers use Tor and other forms of online and offline anonymity to organize workers in accordance with the Universal Declaration of Human Rights. Even though they are within the law, it does not mean they are safe. Tor provides the ability to avoid persecution while still raising a voice.
        * When groups such as the Friends Service Committee and environmental groups are increasingly falling under surveillance in the United States under laws meant to protect against terrorism, many peaceful agents of change rely on Tor for basic privacy during legitimate activities.
        * Human Rights Watch recommends Tor in their report, “ Race to the Bottom: Corporate Complicity in Chinese Internet Censorship.” The study co-author interviewed Roger Dingledine, Tor project leader, on Tor use. They cover Tor in the section on how to breach the “Great Firewall of China,” and recommend that human rights workers throughout the globe use Tor for “secure browsing and communications.”
        * Tor has consulted with and volunteered help to Amnesty International's recent corporate responsibility campaign. See also their full report on China Internet issues.
        * Global Voices recommends Tor, especially for anonymous blogging, throughout their web site.
        * In the US, the Supreme Court recently stripped legal protections from government whistleblowers. But whistleblowers working for governmental transparency or corporate accountability can use Tor to seek justice without personal repercussions.
        * A contact of ours who works with a public health nonprofit in Africa reports that his nonprofit must budget 10% to cover various sorts of corruption, mostly bribes and such. When that percentage rises steeply, not only can they not afford the money, but they can not afford to complain — this is the point at which open objection can become dangerous. So his nonprofit has been working to use Tor to safely whistleblow on government corruption in order to continue their work.
        * At a recent conference, a Tor staffer ran into a woman who came from a “company town” in the eastern United States. She was attempting to blog anonymously to rally local residents to urge reform in the company that dominated the town's economic and government affairs. She is fully cognizant that the kind of organizing she was doing could lead to harm or “fatal accidents.”
        * In east Asia, some labor organizers use anonymity to reveal information regarding sweatshops that produce goods for western countries and to organize local labor.
        * Tor can help activists avoid government or corporate censorship that hinders organization. In one such case, a Canadian ISP blocked access to a union website used by their own employees to help organize a strike.

it was funded by both NRL and EFF concurrently. i am not making things up, you are denying reality.

You're not smarter about Torbutton than the developer of Torbutton

You are comparing a user with a developer. For the user TorButton is very useful, even if the developer now thinks his approach is not the best, because it requires extra work (compared to a different approach). In fact, even if you provide a second browser you would still benefit from functionality offered by TorButton, no matter if it is built-in the browser or offered as an add-on.

Also, TorButton doesn't seem to be discontinued, yet. At least there is nothing on the home page, plus the latest release is from 1 May 2011.

This is a feature:
https://www.torproject.org/docs/faq-abuse.html.en#Bans

It's strange that the news hasn't made it to the Torbutton page yet: Torbutton is dead. Read this post by Mike Perry, developer of Torbutton (tldr: it's too hard for users to use it safely, it's too hard to maintain, and standard-issue Firefox is too buggy) and install the Browser Bundle.

Torbutton as an addon is a step backwards from Tor Browser Bundle. It was discontinued for a reason. You're not smarter about Torbutton than the developer of Torbutton, and here's what he says:

I realized at that same instant that in hindsight, this decision [to use one browser instance/profile for Tor and vanilla browsing] was monumentally stupid, and that I had been working harder, not smarter. However, I thought then that since we had the toggle model built, we might as well keep it: it allowed people to use their standard issue Firefoxes easily and painlessly with Tor.

I now no longer believe even this much. I think we should completely do away with the toggle model, as well as the entire idea of Torbutton as a separate piece of user-facing software, and rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators.

The Tor Browser Bundles will include Torbutton, but we will no longer recommend that people use Torbutton without Tor Browser. Torbutton will be removed from addons.mozilla.org, and the Torbutton download page will clearly state that it is for experts only. If serious unfixed security issues begin to accumulate against the toggle model, we will stop providing Torbutton xpis at all.

Makes sense to me.

Does it have functionality similar to Firefox with TorButton ? Otherwise I assume it offers weaker privacy.

Btw, according to this link OperaTor is not maintained anymore, and it was replaced by YAPO which does not support Tor.

Use TorButton then (the Windows bundle includes it IIRC). AFAIK it solves most of the problems you mentioned. If you are using Firefox 4 then you need the alpha version from here.

Add to that BetterPrivacy, and you should be much harder to track.

Participating in a torrent is somewhat anonymous in that your peers' identities are not obvious. However there are much stronger anonymizing systems, such as Tor. They list many legitimate users, which may be sending messages, browsing the web or sharing files through Tor.

Even more comprehensive is Freenet, which is used to get around censorship in places like China.

Participating in a torrent is somewhat anonymous in that your peers' identities are not obvious. However there are much stronger anonymizing systems, such as Tor. They list many legitimate users, which may be sending messages, browsing the web or sharing files through Tor.

Even more comprehensive is Freenet, which is used to get around censorship in places like China.

Tor can't (and doesn't) encrypt the packets between the exit node and the open internet though. If you're operating an exit node and someone requests an illicit webpage through you than it appears that you requested the webpage.

Tor admits as much on their website.

http://www.torproject.org/about/overview.html.en

https://blog.torproject.org/blog/life-without-ca Of course, this may be asking too much of most people...

Exactly. They recommended Privoxy in the past, because it worked, but it didn't do any favors for performance. I used it then, and it was indeed terrible. Polipo is not designed with privacy concerns in mind, but focuses on performance. No, it's not going to magically make Tor un-slow, but it will make the most of a low throughput high latency network. I recently tried out Tor with Polipo, and it was impressively better. It could be that the Tor network has improved, but I'm crediting Polipo.

I read somewhere that the crux of the problem is that Privoxy will keep you waiting for little bits of content in a large page (possibly ads) while Polipo is more aggressive about giving you whatever it's gotten quickly. I don't know that this is the place, but this page mentions it: torproject blog

So setup a TOR exit node and contribute! Thats what I did, running off a debian VPS. https://www.torproject.org/docs/debian

Also....
Just for one service...this took all of another 10 seconds to find:

https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

You think other services don't have similar problems?

Default exit policy: Link

The proposal above will do nothing to stop oppressive governments from taking advantage of blacklists created by western companies. These adversaries can simply request updates from fully-supported jurisdictions and forward them privately to filters running on their gateway routers. The filters are made up of bytes. Bytes can be copied. If adversaries are already pirating the software itself, they can certainly pirate updates to the software.

Yes, yes, you can try using some kind of traitor tracing technique to figure out who might be leaking blocking lists --- but it's a cat and mouse game, and these regimes have more resources than you do.

Look: in a larger sense, antipathy toward western hardware and software companies is misplaced. To internet censors, filtering is an existential imperative, especially in light of the recent unrest in the middle east. No cost is too great. If our adversaries need to sign up with multiple expensive dummy accounts in order to receive filter lists, they will. If they need to break DRM, they'll do it. And if all that becomes too expensive, they'll just switch to open source and home-grown filtering solutions. Currently, they use these filtering products because they're cheap, not because they're essential.

We all want to stop internet censorship, but haranguing individual companies over the misuse of their software won't do it. Circumvention works. Alternative routing works. Political pressure works.

Internet censorship is a real problem. While it may feel good, hysterically screaming at corporations does nothing to solve it. Let's talk about thing we can to actually help.

(Note: I have a bit of experience in this area.)

Most of this has been the work of Jacob Appelbaum, core member of the Tor project. He is the one who investigated the fraudulent certificates and it's a fascinating detective story.

To use a phony cert someone has to MITM you.

And if they can MITM the SSL connection they can break the connection to the revocation list server. The browser treats this as a soft fail.

https://blog.torproject.org/category/tags/ssl-tls-ca-tor-certificates-torbrowser

Comodo knew about this on the 15th.

Chromium was patched on the 16th/17th.

Firefox was patched on the 17th,

https://blog.torproject.org/category/tags/ssl-tls-ca-tor-certificates-torbrowser

Executive summary - SSL is broken as designed.

The article says that browser makers rushed to put out patches to blacklist the fraudulent certs. Isn't this what certificate revocation lists are for? Are CRLs completely broken and unused?

As a matter of fact, yes. SSL revocation mehcanisms are broken and nobody knew until a few days ago. Jacob Appelbaum wrote a nice write-up yesterday about how he noticed the emergency patches in Firefox and Chrome regarding blacklisted SSL certificates.

Now that this finally happened, I think it's time we give them a helping hand: the least that we, the /. crowd, can do is donate some bandwidth to the Tor network by adding relay/bridge nodes and for those who can afford it exit nodes, too. This way we offer them a safer way to communicate among themselves and with the rest of the world.

For those yet unfamiliar with Tor, you can find out more here: Tor Project

"Your IP address has been logged"

They just need to make a connection available a Tor hidden service.

If you can show people that what their government wants to do wont actually stop whatever criminal activity people want the government to stop (and more to the point, suggest an alternative that will be more effective in stopping the criminal activity in question) people might just listen.

Your assumption is wrong: The Onion Router provides the proof you seek.

You see, no matter how blatant, commonplace or accessible the proof is people just won't listen; People are stupid -- It's the Wizard's First Rule: Some people will believe anything if they fear it to be true.

https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment

Egypt is one of the countries that still routinely tortures people. So these people really need anonymity.
http://www.torproject.org/ -- I use Tor most of the time. But it's terribly slow, there are few out-nodes.
The best I have thought of is a prepaid cellphone, or any phone not in your name. I think it would be correct to try to put it in the name of someone important to make sure someone else is not punished instead of you, and make sure not to use it with any of your personal data, like making and receiving calls to your friends and family with it, and logging into your personal accounts with it. You also will need to get a different phone from your own, as the operator records the phone's IMEI as well as the GSM chip number and phone number. Taking the battery out before you get near your home with the phone is a good idea too. If you think you have legal cover to be able to run Tor as an EXIT node, it would be helpful to people in Egypt today to have more exit nodes.

Updates from Tor blog:

blog.torproject.org/blog/update-internet-censorship-iran

I thought one of the reasons behind using Tor was to aid people in government? If the story is true, how/why are government official's IP addresses being traced back to them? Learn and use Tor!

I also delete my browsing history periodically....

It doesn't matter. The data's likely still there.

1. Deleting files (your browsing history) only unlinks them from the file system.
I routinely recover partial and entire lost files. With magnetic media: Even with multiple rewrites before deletion you are not guaranteed that the disk didn't swap out that sector before it was overwritten. SSD is a different beast...

2. Your ISP knows all the sites you've been visiting online.

If you really want to browse anonymously, boot up a Linux live CD & use TOR.

It is becoming clear that the censorship cat is out of the bag. Western countries are now joining their totalitarian counterparts and other tinpot regimes in openly trying to restrict free speech, contrary to Article 19 of the United Nations' Universal Declaration of Human Rights:

"Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers ."

More than ever, if you have the bandwidth, no matter where you are, please consider running a Tor relay, bridge or exit node.
http://torproject.org/

Hmm? I suggest you read up on how TOR works.

I suggest you learn how the 'whoosh' works. 8^)

Hmm? I suggest you read up on how TOR works.