On Thu, Mar 20, 2014 at 3:32 AM, Soul Plane <[email protected]> wrote:
> On Wed, Mar 19, 2014 at 6:01 PM, Runa A. Sandvik <[email protected]> wrote:
>
>> On Wed, Mar 19, 2014 at 9:05 PM, Soul Plane <[email protected]> wrote:
>> > More questions:
>> >
>> > Why is the only region available for the Tor images us-east virginia? I
>> > thought I could use the free tier in other places. Wouldn't it be better
>> > to vary the regions instead of sticking them all in one place?
>>
>> We initially had images in all regions, but due to a bug/issue (see
>> https://trac.torproject.org/projects/tor/ticket/10318) I decided to
>> temporarily remove all images except the ones in us-east-1. The goal
>> is to bring back images for the other regions at some point.
>
> Thanks, I read the bug and the AWS thread and it looks like there is
> something wrong with the image copy process. If I wanted to set up in a
> location other than Virginia, would I be able to use your build script to
> do that, or would I run into the same image copy problem?

The copy problem may have been fixed, but I have yet to try it out myself.
If you want to set up a bridge in a location other than Virginia, spin up
an Ubuntu instance and go through the steps in ec2-prep.sh.

> Also I noticed in ec2-prep.sh you have:
>
> curl -m 5 http://169.254.169.254/latest/meta-data/reservation-id
>
> That address is invalid, what is the reservation id for?
>
>> > I read in Tor Weekly News today that the obfs3 protocol is vulnerable to
>> > active probing attacks and there is a replacement ScrambleSuit. If I
>> > set up the AWS Obfsproxy image now does that mean the Chinese can detect
>> > it and block it? Is that image obfs2 or 3 or both? Should I just wait
>> > until ScrambleSuit is supported, or can I modify the config file to only
>> > use ScrambleSuit, or is that not a good idea at this point? I don't want
>> > to run something that nobody is going to be able to use because
>> > governments can just detect it and block it.
>>
>> The current image is a "standard" bridge, an obfs2 bridge, and an
>> obfs3 bridge. ScrambleSuit is not included. If you create an SSH key
>> when setting up the instance, you can log on and change whatever you
>> want. The Great Firewall of China blocks "standard" bridges and obfs2,
>> but I believe it has yet to block obfs3.
>
> Ok, so after I do a build, if I want scramblesuit I change this line:
>
> ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy --managed
>
> to this:
>
> ServerTransportPlugin scramblesuit exec /usr/bin/obfsproxy --managed

If you want your bridge to just support the scramblesuit transport, yes.

> According to this here I need to update obfsproxy first? Is that relevant
> here?
> https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html

Yes. The ec2-prep.sh script will only pull packages from the Ubuntu
repository.

>> > Is Tor obfuscation specifically more likely to come under attack from
>> > repressive governments?
>>
>> More likely than what?
>
> Than regular tor bridges. Are obfs3 bridges special bridges that users in
> repressive countries are more likely to use because other bridges are
> blocked? Maybe I don't understand.

Yes.

>> > How is security handled? For example, suppose there's a known
>> > vulnerability in Tor or Ubuntu. Does the server shut down until it's
>> > fixed and an update is available, or does the server stay up and risk
>> > being hacked? Is there any notification sent to the AWS administrator
>> > in these cases? I would imagine even a small window is gold for some
>> > state run group to break in.
>>
>> The server stays up and checks for regular package updates from
>> Ubuntu. If someone were to break in, they would not learn anything
>> more than if they had set up a bridge themselves.
>
> Ok. Let's say there was a security vulnerability being exploited in Tor
> bridges. Is there any warning from Tor staff? Like when there is one in
> Flash or Microsoft etc. I will get a CERT or a security advisory saying
> "xxx is being actively exploited", view such and such a page for more
> information. In those cases I will just turn off Flash or run the fix it.

There will be emails on the tor-talk mailing list and posts on the blog.

>> > How can I determine the integrity of the server, and do I have any
>> > responsibility to do that? Do you guys who are running these instances
>> > in the Tor Cloud just set it and forget it, or is there some oversight
>> > required?
>>
>> The Ubuntu image the Tor Cloud image is based off of is verified when
>> the image is built. The Tor package is verified as it is installed
>> (which happens within the first five minutes you boot the server for
>> the very first time).
>
> Thanks, I took a look at the script.
>
>> > I would take an active role in securing the instance if necessary but I
>> > need to know what to do. What do you guys do?
>>
>> The image has been configured to automatically check for package
>> updates. In addition, it is recommended that you only open certain
>> ports in the firewall (22 for SSH, plus 443, 40872 and 52176 for Tor).
>
> Is there any obfuscation benefit to using random ports, like changing
> 40872 to 1234 etc.?

Some, yes, you can change the ports if you want.

-- 
Runa A. Sandvik

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
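As an added example (not code from the thread, from ec2-prep.sh, or from the Tor Cloud images), here is a small Python audit of the torrc directives the exchange above turns on. It parses ORPort, ServerTransportPlugin and ServerTransportListenAddr, lists the ports that must be opened in the EC2 security group or host firewall, flags obfs2 (which the reply reports as already blocked by the Great Firewall), and flags any transport that has no fixed listen address, since a managed obfsproxy then picks a random port that cannot be pre-opened. The sample torrc is constructed; mapping 40872 to obfs3 and 52176 to obfs2 is an assumption, the thread only lists the three numbers.

```python
"""Audit a Tor bridge torrc for pluggable-transport and firewall-port settings.

Added example; not part of the tor-talk thread or the Tor Cloud scripts.
Assumes the torrc directives as they appear in the thread
(ServerTransportPlugin ... exec /usr/bin/obfsproxy --managed) plus the
standard ORPort / ServerTransportListenAddr directives.
"""

# Transports the thread reports as already blocked by the Great Firewall
# (alongside "standard" bridges); obfs3 is reported as not yet blocked.
BLOCKED_TRANSPORTS = {"obfs2"}


def _port_of(addr):
    """Extract the port from '443', '0.0.0.0:443' or '[::]:443'."""
    port = int(addr.rsplit(":", 1)[-1])
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_torrc(text):
    """Parse the directives this audit cares about from torrc text.

    Returns a dict with keys:
      orports    - list of ORPort port numbers
      transports - transport names from ServerTransportPlugin lines
      listen     - {transport: port} from ServerTransportListenAddr lines
    """
    cfg = {"orports": [], "transports": [], "listen": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "orport" and args:
            cfg["orports"].append(_port_of(args[0]))
        elif key == "servertransportplugin" and len(args) >= 3:
            # e.g. ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy --managed
            cfg["transports"].extend(t for t in args[0].split(",") if t)
        elif key == "servertransportlistenaddr" and len(args) >= 2:
            cfg["listen"][args[0]] = _port_of(args[1])
    return cfg


def required_ports(cfg, ssh_port=22):
    """Ports that must be open in the EC2 security group / host firewall."""
    ports = {ssh_port}
    ports.update(cfg["orports"])
    ports.update(cfg["listen"].values())
    return sorted(ports)


def audit(text):
    """Return a list of human-readable findings for the given torrc text."""
    cfg = parse_torrc(text)
    findings = []
    if not cfg["orports"]:
        findings.append("no ORPort: the bridge will not accept any connections")
    if not cfg["transports"]:
        findings.append("no pluggable transports: a standard bridge is easy to detect and block")
    for t in cfg["transports"]:
        if t in BLOCKED_TRANSPORTS:
            findings.append("%s is known to be blocked; prefer obfs3 or scramblesuit" % t)
        if t not in cfg["listen"]:
            # Without ServerTransportListenAddr, tor asks the managed proxy to
            # listen on a random port, so the firewall rule cannot be prepared.
            findings.append("%s has no ServerTransportListenAddr: obfsproxy will pick a random port" % t)
    return findings


# Constructed sample mirroring what the thread describes: ORPort 443 with
# obfs2 and obfs3 on 52176 and 40872 (the transport-to-port mapping is an
# assumption; the thread only lists the three numbers).
SAMPLE_TORRC = """\
BridgeRelay 1
ORPort 443
ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy --managed
ServerTransportListenAddr obfs2 0.0.0.0:52176
ServerTransportListenAddr obfs3 0.0.0.0:40872
"""

# The scramblesuit-only edit proposed in the thread, with no listen address set.
SCRAMBLESUIT_TORRC = """\
BridgeRelay 1
ORPort 443
ServerTransportPlugin scramblesuit exec /usr/bin/obfsproxy --managed
"""

if __name__ == "__main__":
    for name, text in (("image default", SAMPLE_TORRC), ("scramblesuit only", SCRAMBLESUIT_TORRC)):
        print("%s: open ports %s" % (name, required_ports(parse_torrc(text))))
        for finding in audit(text):
            print("  -", finding)
```

Run it against the torrc on the instance (`python audit.py`, or import it and call `audit(open("/etc/tor/torrc").read())`) before adjusting the security group; if you change 40872 to another port as discussed above, the ServerTransportListenAddr line is the place to do it, and the port list the script prints is what the firewall must allow.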
