Re: [tor-talk] Is this a practical vulnerability?
In principle this is (as they write) very similar to earlier papers. The major catch to their plan may be that if a hidden service already has chosen its entry guards, and the "modified Tor nodes" are put out there later - they ("malicious nodes") will therefore not be a part of the path. But if they already have trusted entry nodes out there and the client/hidden service selects by default Tor method - their attack (and earlier ones) should be quite realistic.

Meaning that a hidden service should be very careful of which nodes it selects as the entry node(s). Maybe Tor should *not* allow new entry nodes (by default) to be added for hidden services upon unavailability of old entry nodes because of this? Another option may be separation of not trusting/adding new entry nodes for hidden services, but still do so for the Tor client? (There is (was?) an option for StrictEntryNodes in torrc which should be considered, but I seriously hope critical sites are not hosted without deep knowledge of how the hidden services are vulnerable.)

Be safe!

 - Lasse

On 19. okt. 2012 05:12, Lee Whitney wrote:
> I was reading a paper on discovering hidden service locations, and couldn't find any reason it shouldn't work in principle.
>
> However being that I'm a Tor novice, I wanted to ask here.
>
> In a nutshell they propose throwing some modified Tor nodes out there that modify the protocol enough to track down the location. It does take some time, but it doesn't seem like years.
>
> Any comment appreciated, here's a link to the paper:
>
> http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Review request: TorVM implementation in Qubes OS
intrigeri:
> Hi,
>
> adrelanos wrote (16 Oct 2012 18:28:19 GMT) :
>> Abel Luck:
>
>>> I need to do more research into what it would take to protect the localtime. For example, what are the consequences (technically and UX-wise) of changing the local timezone to, presumably, UTC?
>
>> UTC is fine. Afaik Tails, Liberte Linux and Whonix are using UTC.
>
> Since the initial question was about UX too, I feel like I should add that many Tails users don't think "UTC is fine". Quite unsurprisingly, they are confused when they are shown a clock that is off by a few hours, compared to their own idea of what time it is in their current location.
>
> It looks like *displaying* UTC for everybody is a UX failure.

That's exactly what I was worried about.

Qubes might be lucky here, in that the system tray is in dom0 (the VM host), so the VMs can use their own time and the user's systray applet will still be in their localtime.

Of course the time as displayed inside apps, browsers, email clients, will be UTC.
Re: [tor-talk] Is this a practical vulnerability?
On 19/10/2012 04:12, Lee Whitney wrote:
> I was reading a paper on discovering hidden service locations, and couldn't find any reason it shouldn't work in principle.
>
> However being that I'm a Tor novice, I wanted to ask here.
>
> In a nutshell they propose throwing some modified Tor nodes out there that modify the protocol enough to track down the location. It does take some time, but it doesn't seem like years.

My experience is that there is already an easy method of identifying Tor hidden service nodes and this takes little time to do. Let me explain why I come to that opinion.

Having a static IP net connection, I set up a test web site as a Tor service on a Tor middleman server. That server had been a middleman server for about a year, no problems, no attempts to hack it in all that time.

Within 24hrs of making that Tor hidden service live I could see, in my firewall logs, hundreds of repeated attempts trying to hack my server, directly from the internet, not via my hidden Tor service. All were attempting to access various types of services/permissions which were mainly focused on attempting to gain control of a "web page server". All attacks were from US based places of higher education (colleges and universities), most from establishments where Tor servers were situated but not from Tor servers themselves.

Now bearing in mind that I had only EVER requested 1 web page (a blank test page - requested about 4 times) from my own Torified web browser (out and back so to speak), and no OTHER (external) page requests were EVER received via the Tor hidden service, as shown by its log. Then someone must have been able to immediately see the service enter and track its source, who then attempted to hack the web server itself and it appeared to be a group of about 3 or 4 persons, each trying a different attack strategy over a 12 hour period. Hundreds of commands were sent, many in quick succession as if they were in some sort of script file, but some were live, at one point I even watched them live as they were coming in as I countered their hack attempts.

As a result of this I did some serious thinking about Tor and came to the conclusion that someone out there and I believe it is THE global adversary (USA mil/sec) is able to see with perfect transparency all Tor traffic.

Consider:

Most Tor users see the Tor connections as merely a set of 3 or 4 connected nodes over which their traffic is routed, e.g. Tor1 - US, Tor 2 - Germany, Tor 3 France - EXIT.

But in reality the internet is not like that, this is only the UPPER structure level. At the lower level the packets are routed over many dozens of sub-nodes, these nodes are invisible to the Tor map of your traffic. You can find out this info yourself if you wish to test out a single ROUTE to another IP address just by doing a traceroute url (tracert url for windows) command from a command line prompt window. As you will see this is about a dozen hops to the average local url.

But this is not the end of the problem, as some hops are hidden and they report only a virtual hop back to you.

e.g. let's say a node is in a server in an IBM/US telecoms company based in France, then that server will almost certainly be routing ALL its traffic through the USA and back to itself (or another node in the same company) before sending it on to the next external node. This diversion is NEVER reported as ONLY a single "virtual node ip" is quoted. The only way you can ever tell it's been done is by looking at the time delay, however this is also often difficult/impossible to spot because these routes are often the fastest on the internet. OK - I know this goes on for certain because there are internal tools used within these companies to trace the TRUE route and I have seen such servers send their traffic in this manner 24/7 - 365. Having discussed this as "wasted effort" with a network engineer I was told there is a "payment" made somewhere to compensate. At the same time all of this is camouflaged in apparently nice and legitimate reasons for it being that way, but when you pull it apart you see the lie, but you can't PROVE it.

As about 70% of Europe's internet traffic passes through an IBM/US telco's servers then it is almost certain that in any one of these Tor node to Tor node connections there is at least one sub-node that passes the traffic through the USA, who is the global adversary using Total Traffic Timing Tracking.

You should be able to work the rest out for yourself.

> Any comment appreciated, here's a link to the paper:
>
> http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
Re: [tor-talk] Review request: TorVM implementation in Qubes OS
adrelanos:
> Abel Luck:
>> adrelanos:
>>> Hi,
>>>
>>> Is it Amnesic or can it be made Amnesic?
>>>
>>> Or in other words Can you be sure, that after deleting (or wiping) the torified AppVM no activity can not be reconstructed with local disk forensics? Could the torified AppVM be securely wiped without any leftovers? (Leftovers such as swap, or what else?)
>>
>> Regarding deletion of the VM: I was under the impression secure deletion was not possible on modern SSDs.
>>
>> On the other hand, it should be possible to create an AppVM whose writeable diskspace lies entirely in RAM. I'll investigate this.
>>
>>>
>>> Is Tor's data directory persistent, i.e. does it use Entry Guards?
>>>
>> I've not configured this explicitly, do you have any suggestions?
>
> Tor Browser Bundle users are using persistent Entry Guards.
>
> Final goal should be to share the same fingerprint with them (web fingerprint, traffic fingerprint for local observer). If you manage to use Tor Browser in the AppVM and Entry Guards in the TorVM, the fingerprint should be the same. Except, that you added strong security by isolation for the case of a browser exploit.
>
> Whonix uses persistent Entry Guards and Tor Browser.
>
> Persistent Entry Guards are planned for Tails.
> https://tails.boum.org/todo/persistence_preset_-_tor/
> https://tails.boum.org/todo/persistence_preset_-_bridges/
>
> Tor Browser is planned for Tails.
> https://tails.boum.org/todo/replace_iceweasel_with_Torbrowser/
>
> Persistent Entry Guards are considered for Liberte Linux:
> Please see recent thread "[tor-talk] Location-aware persistent guards".
>
> So the answer is yes, in most cases I recommend persistence for Entry Guards and Tor's data dir. The same goes for Vidalia, since it can be used to configure Tor and bridges.
>
> Some further thoughts on persistent Entry Guards:
> On the other hand, non-persistent Entry Guards are more amnesic. So if you decide to add an amnesic feature, that should be also possible to do with the TorVM.
>
> There is also in the thread "[tor-talk] Location-aware persistent guards" or in the linked ticket https://trac.torproject.org/projects/tor/ticket/2653 are thoughts, that non-persistent Entry Guards are better suited for people who travel a lot / Live CDs.
>

Hm, interesting. I definitely need to implement persistent entry guards then, but providing an amnesiac option will be difficult. When would the user choose such an option, and where?

>> Here's the tor config:
>>
>> https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/start_tor_proxy.sh
>>
>>> Are hardware serials, such as BIOS DMI information, hdd serials etc. hidden? (For a more comprehensive list of hardware serials and how to test if they are visible, you could check Whonix less important protected identifies as reference. [1])
>>>
>> I'm fairly certain this is the case, seeing as how these are all VMs (xen is the hypervisor), but I've not verified the hunch so I can't make this claim
>>
>> Hm, if you use the Qubes feature that lets you assign PCI (or USB) devices to a VM, then obviously, no.
>>
>> Thanks for the link, I'll investigate some more.
>>
>>> Cheers,
>>> adrelanos
>>>
>>> [1] https://sourceforge.net/p/whonix/wiki/Security/#less-important-identifies
Re: [tor-talk] Review request: TorVM implementation in Qubes OS
Abel Luck:
> adrelanos:
>> Hi,
>>
>> Is it Amnesic or can it be made Amnesic?
>>
>> Or in other words Can you be sure, that after deleting (or wiping) the torified AppVM no activity can not be reconstructed with local disk forensics? Could the torified AppVM be securely wiped without any leftovers? (Leftovers such as swap, or what else?)
>
> Regarding deletion of the VM: I was under the impression secure deletion was not possible on modern SSDs.
>
> On the other hand, it should be possible to create an AppVM whose writeable diskspace lies entirely in RAM. I'll investigate this.

This already exists! In Qubes the DisposableVM is RAM only by default.

>
>>
>> Is Tor's data directory persistent, i.e. does it use Entry Guards?
>>
> I've not configured this explicitly, do you have any suggestions?
> Here's the tor config:
>
> https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/start_tor_proxy.sh
>
>> Are hardware serials, such as BIOS DMI information, hdd serials etc. hidden? (For a more comprehensive list of hardware serials and how to test if they are visible, you could check Whonix less important protected identifies as reference. [1])
>>
> I'm fairly certain this is the case, seeing as how these are all VMs (xen is the hypervisor), but I've not verified the hunch so I can't make this claim
>
> Hm, if you use the Qubes feature that lets you assign PCI (or USB) devices to a VM, then obviously, no.
>
> Thanks for the link, I'll investigate some more.
>
>> Cheers,
>> adrelanos
>>
>> [1] https://sourceforge.net/p/whonix/wiki/Security/#less-important-identifies
Re: [tor-talk] Review request: TorVM implementation in Qubes OS: Vidalia
adrelanos:
>> Future Work Integrate Vidalia
>
> About Vidalia again... I was quickly reading my dev ticket again ( https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SHELLSCRIPTSVidaliabydefaultGraphicalGatewayWAITINGFORVIDALIA0.3.x ), why it's not yet integrated into Whonix.
>
> Summary:
>
> "One drawback with Vidalia 0.2.15 remains... As soon as you edit torrc with Vidalia (i.e. add non-obfuscated bridges, all comments in torrc get lost, i.e. comments how to add obfuscated bridges get lost.).
>
> Solved in 0.3.2-alpha. I am waiting for 0.3.2."
>
> Another issue was, that Vidalia is explicitly not designed to manage a system wide installed Tor. Vidalia can not start/stop a Tor instance, it has not started itself.
>
> Vidalia will also not be able to edit /etc/tor/torrc out of the box, because Vidalia gets started as user, while /etc/tor/torrc is owned by root.
>
> I am not sure how to solve it best...
>
> Running Tor/Vidalia as user is also not the best option, that would prevent "sudo service restart tor" (probably also the Fedora equivalent). Breaking "sudo service restart tor" and running Tor as user is bad, since it can not be updated by the system apt-get (or the Fedora equivalent). (Imagine long running servers.)
>
> I guess the best might be to have Tor managed by the system (apt-get...) and to start Vidalia as a user. To edit /etc/tor/torrc, Vidalia needs an exception to have write rights on that file. Vidalia's start/stop Tor feature will break, I don't know how that could be solved. You still had a Tor which is partially managed by gui and partially managed by cli. Relaxing permission on Tor's data dir further for Vidalia broke Tor.
>
> However, in qubes-os that all might be simpler to solve. Tor/Vidalia get updated from dom0?

No, no, nothing is updated from dom0. All these problems still apply to Qubes. A further problem is at tor runtime I need to detect the IP address of the internal interface, so a static torrc doesn't work.

Moreover, wrt the New Identity button. With several client VMs, multiple apps using different SOCKSPorts, the behavior of New Identity is confusing. Does pushing it tear down and construct new circuits for everything? Only the TransPort? Only X?

Vidalia is extremely useful however, so I need to find some way to include it. I wonder if the "best" solution isn't to scrap Vidalia and make something new?

Look at the NetworkManager architecture. It lets the user control system settings through a client app and daemon. In our case Tor == the daemon and Vidalia the client. Of course Vidalia needs permissions to start/stop Tor, which is problematic.
Re: [tor-talk] Review request: TorVM implementation in Qubes OS
Abel Luck:
> Abel Luck:
>> adrelanos:
>>> Hi,
>>>
>>> Is it Amnesic or can it be made Amnesic?
>>>
>>> Or in other words Can you be sure, that after deleting (or wiping) the torified AppVM no activity can not be reconstructed with local disk forensics? Could the torified AppVM be securely wiped without any leftovers? (Leftovers such as swap, or what else?)
>>
>> Regarding deletion of the VM: I was under the impression secure deletion was not possible on modern SSDs.
>>
>> On the other hand, it should be possible to create an AppVM whose writeable diskspace lies entirely in RAM. I'll investigate this.
>
> This already exists! In Qubes the DisposableVM is RAM only by default.

Nice, can you add this to the docs please? I think that is quite a remarkable feature.
Re: [tor-talk] Review request: TorVM implementation in Qubes OS: Vidalia
Abel Luck:
> adrelanos:
>>> Future Work Integrate Vidalia
>>
>> About Vidalia again... I was quickly reading my dev ticket again ( https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SHELLSCRIPTSVidaliabydefaultGraphicalGatewayWAITINGFORVIDALIA0.3.x ), why it's not yet integrated into Whonix.
>>
>> Summary:
>>
>> "One drawback with Vidalia 0.2.15 remains... As soon as you edit torrc with Vidalia (i.e. add non-obfuscated bridges, all comments in torrc get lost, i.e. comments how to add obfuscated bridges get lost.).
>>
>> Solved in 0.3.2-alpha. I am waiting for 0.3.2."
>>
>> Another issue was, that Vidalia is explicitly not designed to manage a system wide installed Tor. Vidalia can not start/stop a Tor instance, it has not started itself.
>>
>> Vidalia will also not be able to edit /etc/tor/torrc out of the box, because Vidalia gets started as user, while /etc/tor/torrc is owned by root.
>>
>> I am not sure how to solve it best...
>>
>> Running Tor/Vidalia as user is also not the best option, that would prevent "sudo service restart tor" (probably also the Fedora equivalent). Breaking "sudo service restart tor" and running Tor as user is bad, since it can not be updated by the system apt-get (or the Fedora equivalent). (Imagine long running servers.)
>>
>> I guess the best might be to have Tor managed by the system (apt-get...) and to start Vidalia as a user. To edit /etc/tor/torrc, Vidalia needs an exception to have write rights on that file. Vidalia's start/stop Tor feature will break, I don't know how that could be solved. You still had a Tor which is partially managed by gui and partially managed by cli. Relaxing permission on Tor's data dir further for Vidalia broke Tor.
>>
>> However, in qubes-os that all might be simpler to solve. Tor/Vidalia get updated from dom0?
>
> No, no, nothing is updated from dom0. All these problems still apply to Qubes. A further problem is at tor runtime I need to detect the IP address of the internal interface, so a static torrc doesn't work.
>
> Moreover, wrt the New Identity button. With several client VMs, multiple apps using different SOCKSPorts, the behavior of New Identity is confusing. Does pushing it tear down and construct new circuits for everything? Only the TransPort? Only X?
>
> Vidalia is extremely useful however, so I need to find some way to include it. I wonder if the "best" solution isn't to scrap Vidalia and make something new?

Unless you feel, that the Vidalia code base is bad and you better start fresh, I think it's better to improve Vidalia rather than starting fresh and it's quite difficult and time consuming to develop such a thing.

https://www.torproject.org/projects/arm.html.en
https://trac.torproject.org/projects/tor/wiki/doc/stem

https://trac.torproject.org/projects/tor/query?component=Vidalia&col=id&col=summary&col=type&col=status&col=priority&col=milestone&col=component&order=priority

https://trac.torproject.org/projects/tor/query?component=arm&col=id&col=summary&col=component&col=type&col=status&col=priority&col=milestone&order=priority

Look quite scary.
Re: [tor-talk] Review request: TorVM implementation in Qubes OS
Abel Luck:
> adrelanos:
>> Abel Luck:
>>> adrelanos:
>>>> Hi,
>>>>
>>>> Is it Amnesic or can it be made Amnesic?
>>>>
>>>> Or in other words Can you be sure, that after deleting (or wiping) the torified AppVM no activity can not be reconstructed with local disk forensics? Could the torified AppVM be securely wiped without any leftovers? (Leftovers such as swap, or what else?)
>>>
>>> Regarding deletion of the VM: I was under the impression secure deletion was not possible on modern SSDs.
>>>
>>> On the other hand, it should be possible to create an AppVM whose writeable diskspace lies entirely in RAM. I'll investigate this.
>>>
>>>> Is Tor's data directory persistent, i.e. does it use Entry Guards?
>>>
>>> I've not configured this explicitly, do you have any suggestions?
>>
>> Tor Browser Bundle users are using persistent Entry Guards.
>>
>> Final goal should be to share the same fingerprint with them (web fingerprint, traffic fingerprint for local observer). If you manage to use Tor Browser in the AppVM and Entry Guards in the TorVM, the fingerprint should be the same. Except, that you added strong security by isolation for the case of a browser exploit.
>>
>> Whonix uses persistent Entry Guards and Tor Browser.
>>
>> Persistent Entry Guards are planned for Tails.
>> https://tails.boum.org/todo/persistence_preset_-_tor/
>> https://tails.boum.org/todo/persistence_preset_-_bridges/
>>
>> Tor Browser is planned for Tails.
>> https://tails.boum.org/todo/replace_iceweasel_with_Torbrowser/
>>
>> Persistent Entry Guards are considered for Liberte Linux:
>> Please see recent thread "[tor-talk] Location-aware persistent guards".
>>
>> So the answer is yes, in most cases I recommend persistence for Entry Guards and Tor's data dir. The same goes for Vidalia, since it can be used to configure Tor and bridges.
>>
>> Some further thoughts on persistent Entry Guards:
>> On the other hand, non-persistent Entry Guards are more amnesic. So if you decide to add an amnesic feature, that should be also possible to do with the TorVM.
>>
>> There is also in the thread "[tor-talk] Location-aware persistent guards" or in the linked ticket https://trac.torproject.org/projects/tor/ticket/2653 are thoughts, that non-persistent Entry Guards are better suited for people who travel a lot / Live CDs.
>>
>
> Hm, interesting. I definitely need to implement persistent entry guards then, but providing an amnesiac option will be difficult. When would the user choose such an option, and where?

Difficult question, I don't know. For a quick research on any topic up would be useful to securely erase all local traces. For other tasks, IM and such, maybe once in a while and never for long term stuff such as hidden services.
Re: [tor-talk] Review request: TorVM implementation in Qubes OS
Abel Luck:
>>> Future Work Use local DNS cache to speedup queries (pdnsd)
>>
>> That could make users more fingerprintable.
>>
>>> Future Work Support arbitrary DNS queries
>>
>> That could make users more fingerprintable.
>>
>
> Yup, I'm aware. Really I've no plans to move forward here until something more concrete develops. (I'm looking at Tails and Whonix, who've discussed this issue extensively).
>
>
>> What is it needed for anyway? Which things do not work without arbitrary DNS queries?
>>
> XMPP SRV lookups for one. Not a pressing issue of course.

If you need any "special" DNS features, I don't see why they should be implemented on the Gateway. They can equally easily and more safely be implemented on the Workstation(s) where needed. Things I tested: DNSSEC over Tor, DNSCrypt by OpenDNS, httpsdnsd by JonDos. [1] There is no reason why ttdnsd or dns cache wouldn't work on the Workstation/AppVM.

>>> Future Work Optionally route TorVM traffic through Tor
>>
>> What is the motivation behind it?
> There is no good reason I can think of yet, I'm just concerned a user misunderstanding what a TorVM does (provides torified networking to other AppVms), and opening firefox on it or something.

I see. Not sure, if possible, but could you remove all such unnecessary applications? Maybe make it very clear as desktop background or automatically opening text file?

Whonix has an optional configuration "Hide the fact that you are using Tor/Whonix". [2] Not sure if the TorVM use can be easily hidden. Users would have to download the templates over Tor.

[1] http://sourceforge.net/p/whonix/wiki/OptionalConfigurations/
[2] http://sourceforge.net/p/whonix/wiki/OptionalConfigurations/#hide-the-fact-that-you-are-using-torwhonix
Re: [tor-talk] Is this a practical vulnerability?
On Fri, 19 Oct 2012 11:25:34 +, Anon Mus wrote:
...
> Within 24hrs of making that Tor hidden service live I could see, in my firewall logs, hundreds of repeated attempts trying to hack my server, directly from the internet, not via my hidden Tor service.

Welcome to the internet. Have an open web server, and it will get accessed by scum that tries known vulnerabilities: /memberlist.php, /index.php, /user/soapCaller.bs, that's normal.

> All were attempting to access various types of services/permissions which were mainly focused on attempting to gain control of a "web page server".

How can you tell that from firewall logs? If it just blocks the access you will only see the source address, but not the actual HTTP request.

...
> attack strategy over a 12 hour period. Hundreds of commands were sent, many in quick succession as if they were in some sort of script file,

Can you be any more detailed about those attacks? What commands, on what service, and why do you even get to know the commands if there is no such service on your computer?

Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds
Date: Fri, 22 Jan 2010 07:29:21 -0800
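Andreas's distinction between what a firewall log and a web server log can show, as an added example that is not part of the original thread. The log lines are constructed, use documentation-range addresses, and assume an iptables-style firewall log and a combined-format access log; the probe paths are the three named in his message.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a packet filter that drops traffic records only
# addresses and ports, never the request the client would have sent.
FIREWALL_LOG = """\
Oct 19 03:14:07 host kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22 SYN
Oct 19 03:14:09 host kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=3306 SYN
"""

# Constructed sample: the web server's own access log is where the
# requested paths (the "commands") become visible.
ACCESS_LOG = """\
198.51.100.23 - - [19/Oct/2012:03:15:01 +0000] "GET /memberlist.php HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [19/Oct/2012:03:15:01 +0000] "GET /index.php HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [19/Oct/2012:03:15:02 +0000] "GET /user/soapCaller.bs HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [19/Oct/2012:03:15:02 +0000] "GET /memberlist.php?id=1 HTTP/1.1" 404 209 "-" "-"
192.0.2.50 - - [19/Oct/2012:03:16:40 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.77 - - [19/Oct/2012:03:20:00 +0000] "GET /index.php HTTP/1.1" 404 209 "-" "-"
203.0.113.77 - - [19/Oct/2012:03:27:30 +0000] "GET /memberlist.php HTTP/1.1" 404 209 "-" "-"
203.0.113.77 - - [19/Oct/2012:03:41:10 +0000] "GET /index.php HTTP/1.1" 404 209 "-" "-"
"""

# Paths quoted in the message above. On a site that really serves
# /index.php, remove it from this set.
PROBE_PATHS = {"/memberlist.php", "/index.php", "/user/soapCaller.bs"}

FW_RE = re.compile(r"\bSRC=(\S+).*?\bDPT=(\d+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} ')


def firewall_view(text):
    """Everything a drop-only firewall log gives you: (source, dest port)."""
    out = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def summarize_probes(text, scripted_gap=2.0):
    """Group probe requests by source and label their timing.

    A source with at least three probes whose median gap between
    consecutive requests is <= scripted_gap seconds is labelled
    "scripted"; anything else is "slow" (manual or low-rate).
    """
    stamps = defaultdict(list)
    paths = defaultdict(set)
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src, ts, _method, target = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if path not in PROBE_PATHS:
            continue
        stamps[src].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        paths[src].add(path)

    report = {}
    for src, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        scripted = len(times) >= 3 and med is not None and med <= scripted_gap
        report[src] = {
            "requests": len(times),
            "paths": sorted(paths[src]),
            "median_gap_s": med,
            "pattern": "scripted" if scripted else "slow",
        }
    return report


if __name__ == "__main__":
    print("firewall log shows:", firewall_view(FIREWALL_LOG))
    for src, info in summarize_probes(ACCESS_LOG).items():
        print(src, info)
```
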
[tor-talk] New Identity button for multiple TorPorts? - was: Review request: TorVM implementation in Qubes OS: Vidalia
Abel Luck:
> Moreover, wrt the New Identity button. With several client VMs, multiple apps using different SOCKSPorts, the behavior of New Identity is confusing. Does pushing it tear down and construct new circuits for everything? Only the TransPort? Only X?

Maybe the Tor developers could elaborate on that?

From my observations...

The whole stream isolation and switch identity works very well. You can open "100" SocksPorts (or TransPorts etc.). When you look into arm, no matter if you have "100" or "1" SocksPort, Tor will not create any more circuits.

One SocksPort with two different socks auths is actually (internally) two TorPorts (circuits). Or one TransPort with three different client addresses is actually three different TorPorts.

Only if you have "100" SocksPorts and "100" client applications actually using them at the same time, Tor will open "100" circuits.

All (dirty?) circuits are changed every 10 minutes. I think Tor has some logic to remember, which circuits were recently used and are now dirty.

From testing: if you issue new identity, this will switch circuits for all internal TorPorts, which are considered dirty. Maybe also the idle one (clean) circuits get switched. The ones, which were not actively needed recently ("100" SocksPorts) are neither created nor switched.
Re: [tor-talk] Is this a practical vulnerability?
There are actually two possible explanations for what you saw:

1) Tor was compromised
2) Your IP was discovered

Maybe the test request you made logged your IP and then it could be anywhere. Also as you know people are constantly scanning subnets for servers.

I don't discount government snooping, it just seems a little crude for them to be tripping alarm bells on a small unknown target.

On 10/19/12 5:25 AM, "Anon Mus" wrote:

>Having a static IP net connection, I set up a test web site as a Tor service on a Tor middleman server. That server had been a middleman server for about a year, no problems, no attempts to hack it in all that time.
>
>Within 24hrs of making that Tor hidden service live I could see, in my firewall logs, hundreds of repeated attempts trying to hack my server, directly from the internet, not via my hidden Tor service.
Re: [tor-talk] Is this a practical vulnerability?
Thanks for your comment Lasse, that makes sense.

On 10/19/12 3:23 AM, "Lasse Øverlier" wrote:

>
>In principle this is (as they write) very similar to earlier papers. The major catch to their plan may be that if a hidden service already has chosen its entry guards, and the "modified Tor nodes" are put out there later - they ("malicious nodes") will therefore not be a part of the path. But if they already have trusted entry nodes out there and the client/hidden service selects by default Tor method - their attack (and earlier ones) should be quite realistic.
>
>Meaning that a hidden service should be very careful of which nodes it selects as the entry node(s). Maybe Tor should *not* allow new entry nodes (by default) to be added for hidden services upon unavailability of old entry nodes because of this? Another option may be separation of not trusting/adding new entry nodes for hidden services, but still do so for the Tor client? (There is (was?) an option for StrictEntryNodes in torrc which should be considered, but I seriously hope critical sites are not hosted without deep knowledge of how the hidden services are vulnerable.)
>
>Be safe!
>
> - Lasse
>
>
>
>On 19. okt. 2012 05:12, Lee Whitney wrote:
>> I was reading a paper on discovering hidden service locations, and couldn't find any reason it shouldn't work in principle.
>>
>> However being that I'm a Tor novice, I wanted to ask here.
>>
>> In a nutshell they propose throwing some modified Tor nodes out there that modify the protocol enough to track down the location. It does take some time, but it doesn't seem like years.
>>
>> Any comment appreciated, here's a link to the paper:
>>
>> http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
Re: [tor-talk] Is this a practical vulnerability?
My question is, if you NEVER requested the 1 web page in the first place, would you have experienced the same attack?

I mean if I were looking for new live Tor services I would probably periodically just roll through unknown IPs and check for a live node (or something) as one layer of attack. No live node, move on. Live node not already discovered? The fact that the node responds (in some manner I'm looking for) is enough information, it's possible I don't even care that it has anything to do with Tor.

Just a thought, it should be clear I have no idea what I'm talking about. e.g. I don't know what your middleman server not getting attacked indicates.

Anon Mus wrote:

> Within 24hrs of making that Tor hidden service live I could see, in my
> firewall logs, hundreds of repeated attempts trying to hack my server,
> directly from the internet, not via my hidden Tor service.
> [...]
> Now bearing in mind that I had only EVER requested 1 web page (a blank
> test page - requested about 4 times) from my own Torrified web browser
> (out and back so to speak), and no OTHER (external)
Re: [tor-talk] Is this a practical vulnerability?
On Fri, Oct 19, 2012 at 11:25:34AM +0100, Anon Mus wrote:

> e.g. let's say a node is in a server in an IBM/US telecoms company based
> in France, then that server will almost certainly be routing ALL its
> traffic through the USA and back to itself (or another node in the same
> company) before sending it on to the next external node. This diversion

While it is no secret that intercontinental fiber taps exist, you would not route the traffic itself over the Atlantic to an intercept and analysis point and then back (you would see that in giant added latency), but to tap the signal not too far from the fiber landing point, since you would need to analyze it in a somewhat big box probably not residing on the seabed.

It is probably easier for local intelligence services to co-operate intensively, and intercept data close to exchange points, and share results of analysis (only sharing realtime communication taps on a very small set of high value targets). Such sharing can happen over dedicated channels, or over VPN tunnels over the public Internet.

> is NEVER reported as ONLY a single "virtual node ip" is quoted. The only
> way you can ever tell it's been done is by looking at the time delay,
> however this is also often difficult/impossible to spot because these
> routes are often the fastest on the internet. OK - I know this goes on
> for certain because there are internal tools used within these companies
> to trace the TRUE route and I have seen such servers send their traffic
> in this manner 24/7 - 365. Having discussed this as "wasted effort" with
> a network engineer I was told there is a "payment" made somewhere to
> compensate. At the same time all of this is camouflaged in apparently
> nice and legitimate reasons for it being that way, but when you pull it
> apart you see the lie, but you can't PROVE it.
>
> As about 70% of Europe's internet traffic passes through an IBM/US
> telco's servers then it is almost certain that in any one of these Tor node
> to Tor node connections there is at least one sub-node that passes the
> traffic through the USA, who is the global adversary using Total Traffic
> Timing Tracking.

Passive traffic analysis does not require being part of the Tor network (though operating a noticeable number of compromised Tor nodes would give you additional information which is not easily available with traffic analysis).

>
> You should be able to work the rest out for yourself.
[tor-talk] Multiple servers with SAME hidden service
After trying to think of privacy flaws in hidden service (which I still don't like) I began to wonder

What happens if you have MULTIPLE servers with the same hidden service? As in you have a small VPS which is getting busy and you'd like to share the load with another VPS. Assuming they know about each other and works correctly when the two servers are under the same domain name. What happens if two servers try to advertise the same service? Will it not break anything? If might 4/5ths of users only access one server?

Not that I think anyone needs multiple servers for one service.
Re: [tor-talk] Review request: TorVM implementation in Qubes OS
adrelanos:
Future Work
Optionally route TorVM traffic through Tor
>>>
>>> What is the motivation behind it?
>> There is no good reason I can think of yet, I'm just concerned a
>> user misunderstanding what a TorVM does (provides torified
>> networking to other AppVms), and opening firefox on it or
>> something.
>
> I see. Not sure, if possible, but could you remove all such
> unnecessary applications? Maybe make it very clear as desktop
> background or automatically opening text file?
>
> Whonix has an optional configuration "Hide the fact that you are using
> Tor/Whonix". [2] Not sure if the TorVM use can be easily hidden. Users
> would have to download the templates over Tor.

This might sound like a less important thing, but I don't think so. I expect people living in censored areas will not be able to download TorVM rpm's or to download required software (Tor, Vidalia maybe) in the clear. (That's probably one point where the VM image distribution method has an advantage.)

> [1] http://sourceforge.net/p/whonix/wiki/OptionalConfigurations/
> [2] http://sourceforge.net/p/whonix/wiki/OptionalConfigurations/#hide-the-fact-that-you-are-using-torwhonix
[tor-talk] Tor on Bluestacks
When trying to run Tor on Bluestacks (Android App Player for PC), I get "unable to start Tor"... any idea??
Re: [tor-talk] Multiple servers with SAME hidden service
Can't you just use a load balancing proxy instead?

On Oct 19, 2012 2:55 PM, "Daniel Dennis" wrote:

> After trying to think of privacy flaws in hidden service (which I still
> don't like) I began to wonder
>
> What happens if you have MULTIPLE servers with the same hidden service?
> As in you have a small VPS which is getting busy and you'd like to share
> the load with another VPS. Assuming they know about each other and works
> correctly when the two servers are under the same domain name. What
> happens if two servers try to advertise the same service? Will it not
> break anything? If might 4/5ths of users only access one server?
>
> Not that I think anyone needs multiple servers for one service.
[tor-talk] Android / Tor on x86 - was: Re: Tor on Bluestacks
sy00963-...@yahoo.fr:

> When trying to run Tor on Bluestacks (Android App Player for PC), I get
> "unable to start Tor"... any idea??

This is a very esoteric problem. Bluestacks is Windows/Mac closed source software and I don't see how privacy is one of their goals. Even if you could get it to work you are one of the very few people using Tor on that platform. I think the right people to ask are the Bluestacks maintainers.

What do you want to achieve? Maybe something like http://www.android-x86.org/ will be the better way to go, but I guess that would require porting/recompiling Orbot for x86.

Running Android applications on x86 could be quite interesting though. I read some time ago that Android browsers are less vulnerable to browser fingerprinting, because of fewer features, but didn't check if that's true.
Re: [tor-talk] Multiple servers with SAME hidden service
Daniel Dennis:

> After trying to think of privacy flaws in hidden service (which I still
> don't like) I began to wonder
>
> What happens if you have MULTIPLE servers with the same hidden service?
> As in you have a small VPS which is getting busy and you'd like to share
> the load with another VPS. Assuming they know about each other and works
> correctly when the two servers are under the same domain name. What
> happens if two servers try to advertise the same service? Will it not
> break anything? If might 4/5ths of users only access one server?
>
> Not that I think anyone needs multiple servers for one service.

There was a discussion about hidden service scalability with useful outcome a while ago. Added the links here:
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#Serversoftware
Re: [tor-talk] Tor on Bluestacks
"sy00963-...@yahoo.fr" wrote:

> When trying to run Tor on Bluestacks (Android App Player for PC), I get
> "unable to start Tor"... any idea??

Orbot only supports ARM environments as it includes native code.
[tor-talk] help us:Korean government started to fine netizen who download child pornography without child
Due to many sexual illegal behavior, Korean government started to block sexual video about under-18-year-old people (=underage video)
> Nowadays, in South Korea, they started to arrest people who download underage video due to child-teen law (in Korean, 아청법)

However, there is big problem. If the title of underage sexual video include "teen" or "school uniform", although people in that video is adult,
> Citizen who download that video can be arrested and they can be fined
> ₩20,000,000(=$20,000)
>
> there is many people who download videos whose names include "teen" or
> "school uniform" and which has only adult actors so they'll be fined
> $20,000 although *50-year-old actor wear school uniform*!!
>
> I think there is *no freedom in South Korea's Internet*. The problem
> is they can search private message! Some people were arrested
> because they share that one with private message!
>
> Please consider referring this problem in your blog, website. We want free
> internet. Please help us?
>
> Please read this article.
> http://www.koreatimes.co.kr/www/news/nation/2012/10/113_122397.html
>
> Please help us. Child pornography without child is illegal in South
> Korea.
>
> And there is a member of national congress. She has twitter account.
> @motheryyy
>
> If you want to help us, please contact me, and her twitter.