To Connect People Securely, Tor Project Seeks New Bridges

An anonymous reader links to an article at Ars explaining the dropping inventory of bridges available to users of the Tor project's encrypted messaging system. They're looking for more bridges, but that doesn't necessarily mean buying new hardware per se. From the article: "After campaigning successfully last year to get more volunteers to run obfuscated Tor bridges to support users in Iran trying to evade state monitoring, the network has lost most of those bridges, according to a message to the Tor relays mailing list by Tor volunteer George Kadiankakis. 'Most of those bridges are down, and fresh ones are needed more than ever,' [Tor volunteer George] Kadiankakis wrote in an e-mail, 'since obfuscated bridges are the only way for people to access Tor in some areas of the world (like China, Iran, and Syria).' For those who want to donate bridges to the Tor network, the easiest route is to use Tor Cloud, an Amazon Web Service Elastic Compute Cloud image created by the Tor Project that allows people to leverage Amazon's free usage tier to deploy a bridge."

Maybe

[fustakrakich]

It turns out that a bridge makes a lousy hiding place

Re:Maybe

[fustakrakich]

Why would this be modded offtopic? A Tor bridge is no different from a physical one, both with easily traceable paths. The simple fact is that under its present configuration the internet cannot be made secure. It's not even very robust. My old POTS line is still more reliable.

Re:Maybe

[Nethead]

Troll hiding under a bridge? Get it?

Re:Maybe

No wonder my torrents over Tor have been a bit slower. Oh well, just have to do all of my torrenting when I am asleep.

Re:Maybe

Because most people don't want to understand that if the information travels over the internet it can eventually be read?

Or simply because they did not understand the post?

Can money be donated?

I don't have the technical chops or resources to help them out with obfuscated bridges, but I might be willing to donate a few bucks to a worthy cause.

Re:Can money be donated?

[larry+bagina]

Can you afford a raspberry pi? That and a 24-7 internet connection is all you need.

Re:Can money be donated?

[negRo_slim]

This is what I was just wondering. I saw the article linked that talked of cloud-based bridges and I'm wondering if I just goto the tor project homepage can I count on some of that donation helping with this issue?

Re:Can money be donated?

https://www.torproject.org/donate/donate.html.en

Re:Can money be donated?

[randomErr]

Relevant Link: http://www.instructables.com/id/Raspberry-Pi-Tor-relay/

Re:Can money be donated?

[bill_mcgonigle]

Have a read here:

http://www.torservers.net/donate.html

Re:Can money be donated?

[PhamNguyen]

Sure, you can donate here. They take paypal.

Re:Can money be donated?

Enjoy your jail time!

Re:Can money be donated?

[davester666]

I volunteer to be a Tor bridge, but just redirect all the traffic to another bridge so I don't get into trouble.

Re:Can money be donated?

[AlphaWolf_HK]

The main concern for me is security. I don't trust anonymous entry into my private network. Perhaps if I had a proper DMZ I would do so, but that requires more equipment and features than my router and ISP permits.

(For those confused: No, that DMZ feature on your linksys router isn't a true DMZ, it's just a static NAT with PAT, and you really shouldn't be using it if you care anything about security. If it is using the same public IP and same subnet and vlan as everything else inside of your network, it is by definition not a DMZ, and is just needlessly enabling the chance of additional attack vectors.)

Re:Can money be donated?

[Vrtigo1]

That's a great and technically accurate description of what the DMZ feature is on most routers and why you shouldn't expect it to work like an actual DMZ does. Kudos to you.

It's not very hard to block AWS IPs

seriously guys... how long will this take until they just ban AWS IPs? and what use would be 1000 people signing up all to get similiar amazon IPs anyway

Re:It's not very hard to block AWS IPs

Yeah, but how hard is it to ban the right ones? It depends on how much a country cares about false positives. You could easily block all tor nodes, just pull the plug, but there may be a few things you want to be able to connect to after all. And that is the difficulty and why using a popular platform to host your bridge may be a good choice.

And the risks ?

[b100dian]

Let's say I'd be 'in' to help Tor. What are the risks for me, in a eastern country - like Romania ?

Re:And the risks ?

That thugs will come along and bust your kneecaps.

Re:And the risks ?

While I am not a lawyer nor do I life in Romania and therefore are not familiar with the Romanian laws I am also pretty sure you will not be hunted for filesharing or similar as you, as a bridge, are always the first node in the tor circuit and therefore nobody sees your ip besides the ones who use your bridge.

Re:And the risks ?

[slashmydots]

Now someone correct me if I'm wrong but there's entry node (which doesn't know if it's an entry or not) and a bridge then an exit node. The exit node, if the target website isn't using SSL, is vulnerable to looking like it's accessing whatever website/server the original viewer is on. So exit nodes are a bad idea. But bridges don't know the end target or whether it's an entry or intermediary bridge so basically it's just routing SSL traffic from one point to another and adding 1 more layer of encryption with zero ability for anyone to snoop at the content.

Re:And the risks ?

[slashmydots]

Lol okay, I'll correct me. I just researched it and bridges reside outside the "onion" part. They're allegedly still fully encrypted but you'll probably look suspicious to someone somewhere running encrypted connections to Iran constantly.

Re:And the risks ?

The ISP and the websites know the IP address of the Tor bridge if I am not mistaken.

Re:And the risks ?

You are correct, as long as you configure your node as non exit, you are pretty much safe in nearly every european country and plenty of others.

No traffic leaves the tor network through your node and thus nothing should point to you (if the network works, if it doesn't, there are a lot of problems for a lot of people).

Depending on your country this can be very different. In some countries that do not have certain liberties simply having tor may be an issue, while tor does it best to hide everything and itself, it will likely stand out simply by being an encrypted connection, it may lead to you and lead to some questioning or worse.

For the sake of all users in such situation, stop making encrypted connections stand out and make them the norm. There really isn't any reason that everybody should be able to know what you do. Not in a "free" country and not in a non free one. Use SSH wherever you can, just that will be helpful for tor since it can then hide between those connections a bit better. Force encryption on your bittorrent, it may even lead to speedup. And if you believe your country is fine, do host a tor relay, it doesn't have to be an exit node to help the network, although there is a shortage of those as well as non exit nodes. Maybe once upon a time everything everywhere will go through a tor like service, once we get pissed off by all the people being able to see what you do.

Re:And the risks ?

The ISP knows your IP indeed, they likely wont know for certain its a tor node you host. At least, Tor attempts to make sure they don't.
Tor bridges can be configured in certain ways to be known by certain parties, you can simply host one and only give the link to people you trust or you could have it added to the database tor has automatically.

In the end, what the above poster said is true, tor bridges should really only be known by the person using them. With the exception of possibly whoever you used to help distribute the bridge address (automated tor distribution systems and so on).

Re:And the risks ?

[Dekker3D]

As far as I know, a bridge is a hidden entry node. Unlike regular ones, they're not published on a huge list.. you can only request a few via a certain url at a time.

Look for the Cupcake project

[ptaff]

Cupcake allows you via a browser extension to run a bridge if you won't/can't install the whole Tor suite.

Currently available for Chrome / Chromium, Firefox is in the works.

Please help Tor!

Re:Look for the Cupcake project

[PopeRatzo]

Cupcake allows you via a browser extension to run a bridge if you won't/can't install the whole Tor suite.

That is very helpful, thank you.

I know of a company that might be willing to set up a bunch of these bridges as long as they don't find out about them. If you catch my drift.

wait, what? why?

[slashmydots]

How about someone with a fiber connection that I keep hearing about on slashdot just opens vidalia and configures it to run as an intermediary node. Isn't that functioning as a bridge? I have a 10MB connection but the upload is 1MB and my computer doesn't run anywhere near 24/7 or I'd run an intermediate node that way. Why the hell is anyone bother with amazon web services? Just for the bandwidth? Because I think my i5-2400 could encrypt thousands of people's SSL traffic on the fly easily so that just leaves bandwidth. So is there something else I'm missing or can people with massive bandwidth easily self host a bridge?

Re:wait, what? why?

[raxx7]

You're not missing anything, running a bridge at your home is fine.
But since you're not willing to spare your scarce bandwidth, then AWS instance is an easy and cheap way to contribute.

Re:wait, what? why?

Bridges and normal nodes are not exactly the same. I don't know how to set up bridges specifically, but I am sure vidalia has an easy way to do it.

Also, I believe they like to use aws because of uptime and bandwidth. Peers will look for stable and fast connections usually (with some limitations for safety of the network). Thus an aws node that is up 24/7 will be of more use than a node that is down every evening.

Re:wait, what? why?

A node and a bridge aren't the same thing. Nodes are used to mask your IP, while bridges are run to disguise the fact you're using Tor to an observer between you and the first node. You can't run both from the same connection, unless the IP is used for non-Tor purposes as well (e.g. an Amazon IP).

Re:wait, what? why?

How about someone with a fiber connection that I keep hearing about on slashdot just opens vidalia and configures it to run as an intermediary node. Isn't that functioning as a bridge? I have a 10MB connection but the upload is 1MB and my computer doesn't run anywhere near 24/7 or I'd run an intermediate node that way. Why the hell is anyone bother with amazon web services? Just for the bandwidth? Because I think my i5-2400 could encrypt thousands of people's SSL traffic on the fly easily so that just leaves bandwidth. So is there something else I'm missing or can people with massive bandwidth easily self host a bridge?

you answered yourself ;). Of course there are solutions (using a pi, etc.), but not everyone wants to invest like that, and some people may be afraid of liability through their isp.

I think not!

[techno-vampire]

AC gets modded down all the time.

silkroad should pay

[purnima]

Tor is totally decentrlized. But surely there has to be a decetralized system that incentives people to bridge in the network. Presently, we're asked to do this out of the goodness of our hearts, like a charity. "Think of the poor Iranian freedom lover's," meh, when we know fully well that much of the traffic is silkroad related and what ever other illegal crap has found a home in the Tor space.

Whoever is running the apparently lucrative silkroad can make small bitcoin donations to "bridging" volunteers. It's cheaper than paying their taxes to a real government. You wanna distribute the north east Iranian goodies? pay for the network!

Re:silkroad should pay

Yeah, that's the answer. Somehow force the criminals into adopting a half-assed currency to send you donations in. And you fucktards have the audacity to blame the big banks for your fucking stupid ideas.

Re:silkroad should pay

[purnima]

Yes sure.

Take bitcoin for example. Why is it valued at all? It has built in incentives but also its value probably comes from its use for money laundering and other illegal activities.

Re:silkroad should pay

You missed his point. Non-criminals aren't too keen to donating, you shouldn't expect criminals to be better.

Re:silkroad should pay

You do know that the Silk Road is and has always been 100 percent run in Bitcoin, right? That and Tor are the two key enabling technologies for their whole business model. So I'm not thinking it'll take a lot to force them to use it.

Of course, whether they feel like donating it is another question. And, if they did, they'd be dumb to do so under the Silk Road name, because that would just create heat for the recipients.

Re:silkroad should pay

[purnima]

Isn't the whole idea of Tor-bitcoin is to make an anarchist-nirvana where there is no such thing as criminal and non-criminal.

Re:silkroad should pay

The GP is arguing that it is in Silkroad's economic self-interest to pay for bridges, not that they "should be forced".

But you seem to have a serious problem with understanding markets. People will do whatever makes economic sense based on whatever motivates them (usually, greed, but in the case of many politicians, vanity or avarice). That's true for Bitcoin, banks, politicians, and drug dealers.

Re:silkroad should pay

Isn't the whole idea of Tor-bitcoin is to make an anarchist-nirvana where there is no such thing as criminal and non-criminal.

Even in an anarchy, there is still such as thing as crimnial and non-criminal.
The only difference is, your shotgun toting neighbors get to decide exactly what is illegal at the moment.
But don't worry, if you can build or steal a shotgun of your own, you too can have a voice in the 'legal' system.

Re:silkroad should pay

[Sigg3.net]

Mixing money into it is sure to invoke govt attention.

Who writes these headlines?!?

[reboot246]

This is atrocious:
To Connect People Securely, Tor Project Seeks New Bridges

Better:
Tor Project Seeks New Bridges To Connect People Securely

Did they write this too?
Somebody set up us the bomb.

Re:Who writes these headlines?!?

[jblb]

To gain respectability, Slashdot copies New York Times?

Re:Who writes these headlines?!?

[ArchieBunker]

Poorly worded headlines are the least of your worries here. We still have to deal with advertisements disguised as stories and summaries that contradict what the article really says.

Re:first!

[Cwix]

With an attitude like that, I would predict many more!

Slashdot editors.

Just about anything wrong with this fucking travesty of a site can be explained with those two words.

eg. If you're wondering why the site keeps getting flooded with Bitcoin articles? Slashdot editors. Specifically, Slashdot editors who have made the mistake of investing real money in Bitcoin and are advertising the shit non-stop in the hopes of driving the price up.

Iran elections

[Okian+Warrior]

If memory serves, four years ago the Iran elections resulted in much oppression and general chaos. A global call went out for Tor nodes and other resources in order to help the Iranian people at the time.

The next Iranian elections will be in June of this year. Perhaps we should be forward-looking and set up a robust network ahead of time?

Anyone remember these Slashdot posts of note?

http://yro.slashdot.org/story/09/06/29/1230216/the-technology-keeping-information-flowing-in-iran

http://yro.slashdot.org/story/09/06/22/1347228/mass-arrests-of-journalists-follow-iran-elections

http://science.slashdot.org/story/09/06/16/2137203/statistical-suspicions-in-irans-election

Absolute offtopic but...

[Thor+Ablestar]

... While I always see 1-2 Chinese nodes in I2P NetDB, I have not seen any Iranian node. Why? Does it mean that anybody trying to connect is persistently looked for, or just the system is not popular? Or, maybe, TOR client is much less visible than I2P node and so is more secure?

Liability

[dargaud]

I feel a lot safer running an open wifi that logs all connection than running a tor node. After all I know who my neighbors are. But who knows what goes through TOR? After reading a few scare stories of TOR volunteers getting their door kicked in and their gear confiscated, that's the reason I'm not running a node, although I support the idea. But if it's to support untraceable spam, kiddie porn and DDOS operations, no thanks. Anyone has a breakdown of the kind of traffic that goes through TOR?

Re:Liability

[ickleberry]

I have run a tor exit node on my home DSL line for years. Never had a door kicked in. Only trouble I had was being blocked from boards.ie and geocaching.com

Tails - new unofficial project to nip the buds

Tails - new unofficial project to nip the buds

(Please see the .onion link at the bottom of this article for where to respond and help this project with your suggestions. Please do not post at the Tails forums, Tor mailing lists, or in IRC - we are only checking the existing thread at the .onion location below, which requires Tor to access.)

In a few areas of the Tails Forums, (one example below) Tails users have posted about certain âdata collection, logging, debugging, Whisperbackâ(TM), and other issues a distro such as Tails should not include!

I am working on a project which will stop this type of collection and it will be free and released with each new version of Tails (it wonâ(TM)t be included with the Tails distro or worked on by Tails/Tor developers) â" matching any changes the Tails team may make to try and obscure these data logging/collection activities between versions.

Here is one example post from a concerned user (post exists now, could be deleted later!):

Why does Tails log too much? .recently-used.xbel
https://tails.boum.org/forum/Why_does_Tails_log_too_much__63___.recently-used.xbel/

#

An example of this is this hidden file: .recently-used.xbel located in amnesia folder. To see, open Home/amnesia, press Cntrl+h, look for that file. The contents of that file logs recently used programs and files with names and timestamps.

There are many other logs for different activities and events, a simple look around can locate these.

Caching thumbnails, recent documents, terminal command history and the similar..

Why would Tails need to log all these things during the session?

Some are useful for bug reporting, but many other arent and are widely revealing of system activities.

Yes, a restart will wipe everything, but what about while in the session?

Can an option be made for Tails to be log free or normal where the user can choose between the two? Like run log free and if a problem occurs to re-run tails with logs to identify the problem.â

#

There are debugging scripts, Whisperback, a script to drop all firewall protection, and much more in Tails.

I need more information from Tails users (Tails developers and those pretending not to be Tails developers posting against this will be ignored) before the first release is announced.

Boot into Tails and examine every nook and cranny and post about any file(s) with full path, which contain anything related to logging (excluding /var/log directories â" those will be dealt with) and/or sending of individual personal data.

On their mailing list they even had the balls to discuss whether or not they should add the package âpopconâ(TM)!

This project will be developed by an anonymous user (not included in the annoying âAnonymousâ(TM) group). I will not reveal usernames from posters here, but I may credit this forum with each release with thanks for the help.

So boot into the most recent release of Tails, sniff around as much as possible, and post back juicy information to the thread in âNEWSâ(TM): http://clsvtzwzdgzkjda7.onion/

Thank you.

Amazon isn't free forever

Only the first year is free and you still pay for bandwidth after a certain amount.