Domain: torproject.org
Stories and comments across the archive that link to torproject.org.
Comments · 559
-
If you value democracy...
If you value democracy then you should understand that the backlash from the WL episode will be a push for laws and technology to control communications at the direct expense of democratic ideals which require free speech. Anonymity and secure peer-to-peer communications, already at risk, will be further threatened under the premise of terrorism. If you want to help ensure that democracy prevails in the face of reactionary politics, then run a TOR server ( http://www.torproject.org/ ) now, and consider any of these alternatives.
-
For those that can't mirror, you can still help!
I know I'm preaching to the choir, here, but human-nature says that most people (even Slashdotters) are watching this unfold without realizing they can be a part of it.
The WL episode is showing us that our own politicians would readily abandon core values of democracy in order to avoid embarrassment. It also clearly demonstrates that we live in a world where our personal communications can readily be disrupted at the whim of private corporations under pressure from these same politicians.
Democracy can only thrive with the uninhibited exchange of communications between individuals. If you want to help ensure democracy, do any of the following:
1) Run a TOR server ( http://www.torproject.org/ ). This is software that helps provide freedom and privacy by encrypting and distributing network communications. If you don't want to run TOR on your machine, rent a Virtual Private Server (VPS) and do it on someone else's box.
2) Support the EFF ( http://www.eff.org/ ). This organization understands technology and knows that in the digital age, information is power.
3) Support open-source distributed alternatives to web-based software-as-a-service. EveryDNS, Paypal, Twitter, Amazon's EC2, and even our beloved Google are points of vulnerability in democracy since their fundamental obligation is to shareholders instead of to an innate code of ethics. How would you find information if Google bowed to Government pressure? The only thing that will ensure corporations stay in line is the existence of alternatives such as a distributed search engine (http://yacy.de/ ).
4) Support open-source software by using it, contributing time or money to its development, and requesting that our Governments make policies to use it. The world would be a very different place if the power of public-key-encryption was kept solely in Government and Corporate hands. Only Free and Open Source Software ( http://en.wikipedia.org/wiki/Free_and_open_source_software ) ensures that all members of society who use information technology are on the same footing.
5) Let others know what is at stake, spread the word. Democracy takes active participation, and this takes patience and explanation so that nontechnical Constituents have the understanding that you possess.
Our communications technology is only a tool and can be used to both facilitate democracy and better the world, or to enslave humankind. We are witnessing the first infowar of the digital age, and the powers that be will use it to push hard for bans on encryption, crackdown on peer-to-peer communication, and other information tools.
Will you watch silently and let information technology turn into a tool of repression, or will you take a stand while you still can? The race is on, do something!
-
Tor hidden service anyone?
I am still wondering why don't they publish the data as a hidden Tor service. This way the potential attackers would have a hard time finding their IP address to attack. Cables are also small in size, so the limited bandwidth of the Tor network (usually around 2-20 kB/s) is not a problem.
-
Don't want to be tracked...
... support and use TOR.
-
Re:Welcome to Sweden
However that may be, just blatantly disregarding the law is not the solution.
Of course not. Using and helping develop tools that hide your activities, such as Freenet and Tor is. Why fight ogres on their terms when you can simply hide and leave them to starve?
I wonder if there's ever been a time when the Powers That Be - governments, nobility, corporations - have not been the enemy of the people? I guess not.
-
Tor
If you want to help, set up a Tor Relay (make sure you have the DirPort (9030/tcp) and ORPort (usually 443/tcp[windoze] or 9001/tcp[linux]) forwarded in your router/firewall - or use uPNP). Make sure you have at least 20kb/sec outbound bandwidth. I am donating 200KB/sec both ways. You can download Tor from http://torproject.org/
I recommend downloading the full Vidalia Bundle which includes Tor, Polipo, and Tor Button for FireFox. You do not have to be an exit node if you do not want to take on the risk.
Relay Information: https://www.torproject.org/docs/tor-doc-relay.html.en
If you plan on using Tor as a client, I recommend EFF's HTTPS Plugin: http://www.eff.org/https-everywhere
-
Re:Delete all the cookies you want
NTP solves that issue. If you're extra paranoid, sync your clock more often. If you're extra extra paranoid disable your ntp daemon and put this in root's crontab instead:
SHELL=/bin/bash
# cron treats a bare % as a newline, so it is escaped as \% here
*/15 * * * * sleep $(($RANDOM\%900)) && ntpdate pool.ntp.org
This syncs your clock every fifteen minutes with a random delay of fifteen minutes. It is also overkill.
Also note that while tor continues to be slow as molasses, its latency may help defeat this kind of identification for any properly synched system clock.
-
DuckDuckGo Search Engine Erects Tor Hidden Service
Viewable with Tor installed, Search Engine DuckDuckGo has erected a hidden service for secure, encrypted searches through the Tor network. While past attempts at hidden service search engines failed due to uptime or quality issues, DuckDuckGo marks the first time a real company operating a public search engine has offered a solid search engine as a hidden service for Tor users. Tor users may find DuckDuckGo's hidden service here.
-
Re:and the qualifier is...
The main advantage lies in using tools such as TOR.
-
Dubai
I lived in Dubai for four years (2001-2005) and just used a HTTP proxy. Everyone knew about them. I've gone back since then and Etisalat (the telecoms monopoly, they now have 'competitors' but they're all state owned too through a bunch of holding companies, so it amounts to the same thing) seems to have blocked them but when I was there last summer I managed to use Tor to get around it.
-
Dammit
-
Tor
The best thing people can do to help wikileaks is by running Tor Relays and Freenet nodes. Just make sure that there is nothing illegal on your computer, because the pigs in ICE have been raiding Tor Relay operators under the guise of fighting kiddy porn.
-
I got one of those suits.
I now sometimes think Tor should come built into modems and routers.
-
Re:Man in the Middle Worries and Avoidance?
-
Re:I don't see any ads at all...
...thanks to Adblock
Blocking ads is one thing, not being tracked anymore is something else. I don't mind targeted ads when they are not annoying but you don't have to track people to be successful in your advertising. For instance, show ads for new games on websites that provide game review or better: ads for divorce lawyers on meetics (Lawl). This doesn't need tracking to be shown to the targeted audience. I see tracking as an offense.
I've spent a lot of time trying tools to protect my privacy: one can try privoxy along with Tor. There are also great add-ons for firefox such as BetterPrivacy and NoScript. There is Ixquick.com (AKA StartPage) which offers anonymous searches, an https proxy access to the search results and they are working on an email service that respects your privacy.
-
Now I'm being sued, it's not fun anymore...
Local internet-crime-and-game hysteria here in Sao Paulo created local laws requiring we keep ID, name, phone, address, DOB, access times, school hours, blabla forever, from every user at cybercafes. I said "I refuse to" - and let everyone go undocumented. Couple of smarty-pants lawyers sent anonymous email offending each other from here. Sued each other. Fines we may face, around USD 7,000. Damages we may pay, about another USD 7,000. Profit we get there, around USD 1000/mo. Result - hell if I know, just that we're sad one day, angry the next. And reading up. On Tor, Aircrack, new legislation, how to send anon email appropriately. And perhaps for a new job, if I just close...
-
Re:my wishlist
3. "Nice" for bandwidth. It would be great if there was a command similar to "nice", which acts not on cpu-cycles but instead on bandwidth.
Check out this script from the tor project. It sets up the kernel routing/queueing/prioritizing capabilities to quickly set up prioritizations for user or virtual interfaces.
I use it for giving a lower priority to torrent upload traffic. Unfortunately it's only upload, since it's the router that drops download packages.
-
Re:UFFSA
And did they have any influence even at the start?
But the important thing, IMO, is that the project was sponsored at all. According to Tor's Sponsors page, they still receive funding from the Navy; presumably they are not unaware that various "bad" people can use (and are using) the network as well.
-
/dev/null vms and darknet
they wouldn't get much from my isp. i run linux from scratch on a vm with darknet because i don't like how my isp tries to dictate the dns server i use. a clear and obvious sign they glean info from user habits to sell to marketing firms. as far as data security goes the file system is loop-aes. i guess if i wanted to be paranoid i could point my cache to /dev/null. there is a howto for a tor based vm on encrypted file system that is a lot like my environment here: https://svn.torproject.org/svn/torvm/trunk/doc/design.html
-
Tor Already Provides This
There's already an opt-out option:
Visit https://bridges.torproject.org/ to grab some bridge IPs and
add this to your torrc file:
UseBridges 1
paste the bridges you obtained from the url above here starting
with the word bridge and following with the IP, one on each line,
like so:
Bridge 1.2.3.4
Bridge 5.6.7.8
Need help with Tor? Speak to the developers (and users) directly:
irc.oftc.net #tor
Or join the Tor mailing list: click the first url above, click
Docs at the top of the page, scroll down for the mailing list
information.
If this is true:
"The FTC wants a do-not-track mechanism that would allow Web users to
opt out of online behavioral tracking, similar to the national do-not-call
registry." they could encourage the use of Tor on their website, possibly
running some tor nodes themselves to aid the Tor network.
-
Anonymous P2P
-
Re:Good
Servers live places. The people who do the uploading live places. The people who run the servers can be punished. The people who do the uploading can be punished.
Where does Tor live? Where does Freenet live?
The horror of horrors to all who dream themselves the master of others: Freedom's here. You can no longer keep us ignorant. Die, shitheads, die and be forgotten!
First we'd need to throw away IP law entirely, which is pretty much the opposite of what is going on in the world today.
Really? Because to me, that seems to be exactly what's going on: nobody cares about copyrights anymore. The ever-more draconian attempts to upkeep the damn thing are failing miserably.
-
My suggestion for a VPN:
-
Open, anonymous access point with TOR
You could use one of the old wireless routers to provide free & anonymous Internet access to others by routing all the traffic through TOR.
1. Disable any encryption & access restriction like MAC filters
2. Plug it into a separate ethernet port of a server / machine that's running 24/7
3. Route all the traffic through TOR
4. Throttle its traffic (QOS)
When your neighbor's Internet breaks down some day, they will be thankful for the free, albeit slow, Access Point of yours. Thanks to TOR, you don't have to fear any consequences for any mischief that's conducted over your AP.
-
Re:I think Xerobank is great but the tech
I suggest that a Linux distribution designed specifically for journalists be created. Maybe call it Xerotrace. It has to be a liveCD, it can include Tor, Freenet, GNUNet, and encrypted truecrypt container for permanent storage.
Several already exist.
And they aren't currently in development. I'm guessing governments got pissed off and threatened the developers with torture.
-
Re:I think Xerobank is great but the tech
I suggest that a Linux distribution designed specifically for journalists be created. Maybe call it Xerotrace. It has to be a liveCD, it can include Tor, Freenet, GNUNet, and encrypted truecrypt container for permanent storage.
Several already exist.
-
Re:Time to thwart policies like this....
What if we all downloaded proxy programs that allowed others to use our internet connection like with P2P software? I would have 20 or so people browsing on my internet connection but my internet connection could be spread out over another 20 people's networks and so on. It would really screw up the government's ability to see who's browsing what. Granted, some type of illegal sites would have to be blocked so you don't get blamed for your neighbor's bad habits and you could turn off the program when you needed the full pipe like when gaming.
Isn't that called TOR? http://www.torproject.org/
-
Re:So what?
I suggest you let Tor know. The headline on their web site says "Tor: anonymity online."
-
Re:Fundamental Flaw?
>Would this be a fundamental flaw of the TOR network?
Depends on your point of view. It is certainly a well known issue. And there are other issues as well:
-
Take some measures...
-
Re:Pardon my ignorance... but tor for P2P?
so maybe Tor should upgrade their infrastructure like every other ISP has had to do to keep up with demand
Tor is not designed to take bittorrent traffic. From the second link in the summary:
So what's the fix? There are two answers here. The first answer is "don't run Bittorrent over Tor". We've been saying for years not to run Bittorrent over Tor, because the Tor network can't handle the load; perhaps these attacks will convince more people to listen. The second answer is that if you want your Bittorrent client to actually provide privacy when using a proxy, you need to get the application and protocol developers to fix their applications and protocols. Tor can't keep you safe if your applications leak your identity.
To be fair, bittorrent is designed to efficiently distribute files, which it does very well. If you have a distributed file transfer system, it isn't going to work very well if it doesn't link to the files. What's the use of a tracker that doesn't track? Privacy on bittorrent is achieved with a private tracker, by screening out hostile connections rather than trying to make connections untraceable.
-
Re:Pardon my ignorance... but tor for P2P?
That's easy enough to do with iptables or pf.
-
Re:Using Tor securely
-
Re:Internet - Mark II
-
Re:Double Standards, or Above the Law?
When you download movies, do you intend to profit from them? Petty piracy and real 'dollar bills' piracy are two completely different acts deserving of their own consideration, don't you think?
Actually, I disagree. When I download movies, the only reason I don't profit from them is because I am too lazy.
If the recent emergence of virtual economies in direct violation of the terms of service in games such as WoW can teach us anything, it is that there is no meaningful way to legislate against the circulation of money. So long as people can either legally or practicably do a thing, and people will pay them money to do it, then profit will inevitably be had.
Regarding copyright, if people can legally view the content then they can practicably copy it, legal or not. If people can copy it, then people may pay to obtain such a copy, legal or not.
This progression is inexorable and preventing it is astronomically impractical. The only way to keep a secret is not to publish it. Published information can and will be shared. Deal with it.
I am also in favor of entirely abolishing copyright. I do not believe that reproducing publicly available information is evil, whether or not you intend to profit and whether or not you intend to try to compete against the original authors in its distribution. I do believe that granting authors a distribution monopoly is evil. I believe doing so harms our culture, harms the consumer and even harms the author. For example, they are strongly compelled by the market to sell off these rights to powerful marketing and distribution middlemen who clothe themselves as the extortionist gatekeepers to popular culture, indenturing the authors and fleecing the public in the process.
"An immoral law makes it a man's duty to break it, at every hazard." - Ralph Waldo Emerson
Put another way, if breaking the law is unilaterally "Evil" then you should direct your ire towards TOR for aiding Chinese citizens in routing around censorship or Twitter for helping organize "illegal" protests in the middle east.
Every government seems to favor some method of censorship or another, and Copyright just happens to be our government's favorite flavor.
-
Re:But it is still blocked in Denmark. Workaround?
Tor is the obvious answer, combined with Foxyproxy for Firefox to redirect traffic through the tor network only when needed to contact the piratebay site. The Tor website provides a convenient prepackaged browser bundle you can download to see if you like it.
-
Be assured, this is backpedaling, and here's why:
The only slightly dubious thing is that they do seem to want to restrict distribution of clients that could connect to their servers, even if they could also be used in other ways.
This part was "slightly dubious?"
You acknowledge and agree that we may require you to stop using or distributing a Third-Party Viewer for accessing Second Life if we determine that there is a violation.
This is exactly an attempt to erase the freedoms granted under the GPL.
I think the problem and the reason nobody seems to get the problem is that the story submitter, GigsVT, wanted to include more excerpts than just the worst one, and the worst one was the one that deserved the most scathing criticism, and the most scathing criticism is what got the headline. Imagine that.
So what do we have here? Let's see:
- A bunch of policy changes that might irk some people (see below for serious issues with one of those.)
- One egregious attempt to retroactively take back rights expressly provided to you by the distribution terms of the Second Life viewer.
It's confusing when there's more than one thing, and all of those things are not the exact same thing, isn't it?
Mod parent down.
Also...
You must not mask IP or MAC addresses (reported to the server)
This is like DRM: It only negatively affects those who want to conform to the rules, and does nothing to stifle those it calls attention to. The worst part is that "mask" is a completely informal term.
Changing your MAC address is routine networking for many people whose network admins tie their access credentials to their MAC addresses.
Someone might want to protect their privacy while cybersexing (snicker) or someone may even want to leak important information to the public using Second Life (I do have a fantasy to modify the open source Quake 3 engine to trickle out a stream of data out in the least significant bits of player movement. Can you imagine the Chinese trying to figure that one out?)
These aren't just obscure corner cases or open source zealotry, these are things I personally expect to have from open source software. I switched from AOL instant messenger to an open source IM client because I wanted an IM client I could retrofit with my own crude privacy software. Years later I am using sophisticated OTR, and I have TOR at my disposal if I feel the need to "mask" my IP. I realize this isn't a GPL violation, but distributing the client under the GPL and then telling me I can't protect my privacy (while not violating any other terms of service, mind you; remember this anti-"masking" restriction is only something that affects people who want to obey the rules, not those who wish to cheat them) is a bit like giving me an "open source cellular handset" and then telling me exactly what audio codec I'm allowed to use for voice conversations so spy software can analyze my calls for content, you know, unless I build my own cellular network.
-
Re:Web 2.0
They've even got one of those catchy web-2.0-style names for their new site, mail.ir [mail.ir].
I think this one is catchier. :)
Here's a nice recent introductory article for the less technically-inclined or via BoingBoing. (fd: I was interviewed for this one).
Please set up a bridge if you have the ability.
-
Re:Well of course
Not much you can do at that point besides feel sorry for their citizens.
If the government really didn't care, I would agree with your point. However, I think they really do care.... They have just realized that in the current circumstances, it's more effective to keep wearing the happy face and lose some trust than to open up and try to improve legitimacy.
However, it's a really precarious balance. It works right now because the government has the power to keep most people quiet. This way, not as much talk is spread, and only a few people at a time get upset enough about the lying and oppression to really start trying to affect change, and those few people can be stopped. However, there are tools which are a threat to that balance because they let people be really noisy about the lies and rile other people up. They've evidently identified Gmail as one of these threats, and are now blocking it.
The act of blocking Gmail shows that they care a lot about what people are saying about the lies. At the same time, it shows us that there is something we can do besides feel sorry for their citizens-- and that's advance the tools that let people be noisy. We're a geeky bunch, and we've all heard of them before: Tor, I2P and Psiphon all help people communicate openly. All of those organizations could use your support, whether that's donating money or just running a Tor relay. And if you're really committed, all of those organizations have open positions!
I know that it seems like this is totally out of our control sometimes, and often I feel like there's nothing I can do besides just go, "damn, I'm sorry," but actually, it turns out that if we really want to, we can help.
-
Tor - ExcludeNodes Function is Useless and Flawed!
Since the news of Tor server(s) being hacked, with the latest version of Tor
as of this posting, v0.2.1.22, the ExcludeNodes function appears to have
been toyed with. Now if you use the ExcludeNodes command in your torrc
configuration file, it doesn't seem to care what node you exclude from
building tor circuits, it will go ahead and use them anyway. But of course,
this is just a bug (suuure it is - having popped up after this so called
hack was done, was it really a hack or a smoke filled backroom agreement?).
Note: Be sure to visit the onionforums .onion board for more discussion
Try it for yourself, add all of the washdc
tor nodes, along with the 149.* nodes and amazon nodes to your ExcludeNodes
listing within your torrc file and within a few hours of your tor surfing,
watch the following so called bug pop up as you are told the nodes you
excluded are being used regardless of your intention to not use them.
This behavior is recent with Tor and I don't consider it a bug, in
my opinion, but an intentional privacy violation. I encourage Tor users
to visit the tor node listings and try this themselves, add as many
nodes as you wish to your ExcludeNodes feature in torrc and reload
tor and surf for hours until the error pops up and it will pop up!
This feature of ExcludeNodes in Tor is now useless and flawed. The
high bandwidth tor nodes should all be considered suspect for reasons
published elsewhere by enlightened individuals documenting potential
and real attacks on onion routing.
http://archives.seul.org/or/talk/Feb-2010/msg00006.html
[warn] Requested exit node 'X' is in ExcludeNodes or ExcludeExitNodes.
Using anyway (circuit purpose Z)
Where X = Node and Z = #. Fingerprints of my chosen nodes to exclude
correctly set within torrc in ExcludeNodes.
Is this a bug?
Why is Tor, when using Bridges, overriding my ExcludeNodes setting?
Was Tor suddenly given Artificial Intelligence? (AI). I assumed
I was under control of my Tor client's functionality with ExcludeNodes.
I guess I should be grateful it reported this to me at all.
- the reply:
On 02/02/2010 02:14 AM, twinkletoedturtle@xxxxxxxxxxxxx wrote:
> Is this a bug?
Yes, https://bugs.torproject.org/flyspray/index.php?do=details&id=1090.
We're still working on it. In fact, we're working on rewriting the
entire codebase around {Exclude}{Entry|Exit}Nodes options.
--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
-
I'm just going to leave this here
-
Addons Modified Without Author Consent (Torbutton)
Especially when there's unauthorized modifications to addons/plugins BEHIND the backs of the addon authors!
Imagine.. you've gone through all the trouble to properly configure Tor and the Proxy of your choice, only to have the possibility of the plugin itself (Torbutton) modified by someone other than the author and such access could easily provide a vector of attack where a trojan can easily be inserted.
Torbutton is a very popular Firefox addon which makes Tor usage easy.
Read here where the Torbutton author mentions how his Torbutton
.xpi release was modified without his consent (and you, the users, download what's been modified AFTER he last modified it!):
http://archives.seul.org/or/talk/Jan-2010/msg00189.html
"Thus spake Paolo Palmieri (palmaway@xxxxxx):
> Sorry, but I have to point out that none of the proposed solutions really
> work, and both are actually quite bad from the security point of view.
>
> "Fetch it over SSL" doesn't give the user any guarantee about the
> authenticity of the file. Actually it does little about security. It
> only verifies that the user is connected to the real Tor website, but if
> the file is corrupt or, worse, has been maliciously replaced by some
> malware version of it, you have no means of finding out. Since we are
> talking in this very thread about Tor servers being attacked, I consider
> this as a serious threat.
>
> "Check the git/gpg sig" is a little better, but from a quick look at the
> git repository I couldn't find the .xpi's on it (correct me if I'm wrong
> here). This means that only the sources are signed, thus requiring the
> user to recompile the package at every new release. This is time
> consuming, but it also adds some additional requirements on the user,
> like having the right compilation environment on the box, having it
> properly configured etc. All this for no security benefit. Finally,
> checking the git's signature is not as easy as checking a simple .asc file.
>
> So, I have to join Jim's plea. Mike, could you please put the .xpi's
> .asc signature files on the TorButton website?
You're right. I was considering addons.mozilla.org as the canonical
source of the xpi, but still, that can be owned too. In fact, I just
got a message from them informing me that they modified my torbutton
1.2.3 xpi to prevent it from being listed as compatible with FF3.6. So
they see fit to randomly modify the xpis too. Wonder what would happen
if I did have a code signing cert..
I've posted the gpg sigs for 1.2.2, 1.2.3 and 1.2.4 at:
https://www.torproject.org/torbutton/releases/
> P.S. Are git connections to the Tor git's repository protected by TLS
> against a valid certificate?
No. The git:// protocol is not protected. You need to rely on the tag
signatures.
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs"
-
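Added example, not from the thread or the Tor Project: checking a detached `.asc` signature of the kind discussed above, accepting the download only when the signature is valid and was made by a fingerprint pinned in advance, rather than by any key in the keyring. The fingerprint and status lines are constructed placeholders; the field layout follows GnuPG's `--status-fd` output.

```python
import subprocess
import sys

FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def check_status(status_text, pinned_fpr):
    """Judge `gpg --status-fd` output: valid signature from the pinned key?"""
    pinned = pinned_fpr.replace(" ", "").upper()
    matched = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FAIL:
            return False, keyword
        if keyword == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the signing (sub)key fingerprint; the last field
            # is the primary key fingerprint when gpg reports one.
            if pinned in (fields[2].upper(), fields[-1].upper()):
                matched = True
            else:
                return False, "valid signature, but not from the pinned key"
    return (True, "ok") if matched else (False, "no VALIDSIG line")


def verify_detached(sig_path, file_path, pinned_fpr):
    """Run gpg on a detached .asc signature and apply check_status()."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    ok, reason = check_status(proc.stdout, pinned_fpr)
    return ok and proc.returncode == 0, reason


# Constructed sample: placeholder fingerprint, not any real signer's key.
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {PINNED} 2010-01-20 1263945600 0 4 0 1 2 00 {PINNED}\n"
)
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py FILE.asc FILE FINGERPRINT
        print(verify_detached(*sys.argv[1:4]))
    else:
        print(check_status(GOOD_STATUS, PINNED), check_status(BAD_STATUS, PINNED))
```

The pinned fingerprint has to reach the user over a channel other than the download itself, otherwise the check only proves the file and signature came from the same place.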
Re:first
Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard.
There is a list of TOR exit points in case you want to black- or white-list them.
If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.
Last time I looked at it, I concluded that most of the traffic on TOR was child pornography and shared music/films. I didn't want to risk the police thinking I was responsible.
(But, I only have ADSL so it's not much of a loss.)
-
Re:Tor is going to get people killed.
I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.
I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.
I see that I'm not the only one in this discussion with concerns. Thank god things are changing.
Whoever these people you have met traveling from conference to conference are, they are not the authors of tor:
# tor --help
Jan 21 22:48:35.191 [notice] Tor v0.2.1.22. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2009, The Tor Project, Inc.
tor -f [args]
See man page for options, or https://www.torproject.org/ for documentation.
-
Re:Further Details From Roger
Wait... Anyone can be a TOR node and it's still secure.
TOR data is very encrypted.
It doesn't matter if the hardware or software is compromised, it's still secure because a TOR node is just one node in a chain of encrypted nodes. You encrypt your data 5 times if you're sending it through 5 nodes.
Each node takes off one layer of encryption and forwards the still encrypted data to the next node. If any intermediate nodes (2 3 4 in our 5 node example) are compromised (in software or hardware), they can not see the message in plain text, or determine the originating IP or destination IP of the traffic.
If the first node is compromised it can see your source IP, but not the destination IP or any part of the message (it's still encrypted.)
If the exit node is compromised it can see the destination IP, and clear text message, but not the source IP.
These multiple layers of encryption mean that if any one node is compromised the system is still very secure.
Taking off a layer of encryption at each router is like peeling an onion... hence, "The Onion Router".
(this is an oversimplified explanation -- if you're talking compromised code repositories, viruses and trojans are usually not delivered as source code, the tampering would be evident.)
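Added example, not Tor's code and not from the comment: the layered wrapping and peeling described above, over five hops as in the comment's example, recording what each relay can observe. The cipher is a toy keystream stand-in with no key negotiation, integrity check or fixed-size cells, and the relay names, addresses and keys are constructed.

```python
import hashlib
import hmac
import json


def xor_layer(key, data):
    """Toy stream cipher (HMAC-SHA256 keystream); a stand-in, not Tor's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def wrap(path, keys, dest, message):
    """Client: encrypt for the exit first, then add one layer per earlier hop."""
    blob = xor_layer(keys[path[-1]], json.dumps({"next": dest, "data": message}).encode())
    for hop, nxt in zip(reversed(path[:-1]), reversed(path[1:])):
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob = xor_layer(keys[hop], layer)
    return blob


def route(path, keys, sender, blob):
    """Walk the circuit and record what each relay can observe."""
    views, prev = {}, sender
    for i, node in enumerate(path):
        layer = json.loads(xor_layer(keys[node], blob))  # peel this relay's layer
        is_exit = i == len(path) - 1
        blob = layer["data"].encode() if is_exit else bytes.fromhex(layer["data"])
        views[node] = {"from": prev, "to": layer["next"], "payload": blob}
        prev = node
    return views


# Constructed sample: hypothetical relay names, addresses and keys.
PATH = ["relay1", "relay2", "relay3", "relay4", "relay5"]
KEYS = {n: hashlib.sha256(b"constructed key for " + n.encode()).digest() for n in PATH}
SENDER, DEST, MESSAGE = "198.51.100.7", "example.org:80", "GET / HTTP/1.0"

if __name__ == "__main__":
    for node, v in route(PATH, KEYS, SENDER, wrap(PATH, KEYS, DEST, MESSAGE)).items():
        shown = v["payload"] if node == PATH[-1] else f"<{len(v['payload'])} opaque bytes>"
        print(f"{node}: from={v['from']} to={v['to']} payload={shown}")
```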