Juliusz Chroboczek | 1 Jun 2009 20:52

Re: TOR and HADOPI

>> While HADOPI mandates massive surveillance of Internet users, the total
>> budget voted for enforcing it is a mere 6.7 M€ per annum, which implies
>> that enforcement will be entirely from the ISPs' pockets.  I'm sure
>> they'll love it.

> The ISPs' pockets?  I'd guess they'll all quickly raise their rates an
> amount generous enough to cover those additional costs. Heh..... only
> people pay taxes and fees. :-)

Fortunately, the ISP market in France has been fairly healthy since
Proxad/Free.fr successfully challenged France Telecom's monopoly.  There
are at least 5 major players competing in the mass market on razor-thin
margins, plus a number of higher-priced professional offers, plus at
least one non-profit organisation that manages to actually provide ADSL
to people's homes (fdn.fr).

I really don't see how an ISP could significantly increase the costs
without losing a significant part of the French market share.

                                        Juliusz

Juliusz Chroboczek | 1 Jun 2009 20:57

Re: SoC Project: Improving Hidden Service Security and Usability

>> Specifically, I will be creating a how-to guide for securing standard
>> LAMP servers as well as a script that will help Linux users set them up.
>> I have a few ideas for locking down apache, php, etc. but I would
>> appreciate any other ideas admins of hidden services have as well as
>> suggestions on how to implement them.

> Interesting. I've always been conflicted about whether it's possible to
> distill enough how-to advice that novices can actually safely set up a
> complex (i.e. more than just static html) website.

Not to get into a « my Emacs is better than your vi » discussion, but
I've had excellent experiences with Lighttpd.  I've also found the code
to be much cleaner than that of thttpd.

Whatever the web server, PHP is a security disaster, and I wouldn't
dream of putting it on a hidden service.

                                        Juliusz

P.S. « PHP is a minor evil perpetrated and created by incompetent amateurs,
       whereas Perl is a great and insidious evil, perpetrated by skilled
       but perverted professionals. » — Jon Ribbens

Juliusz Chroboczek | 1 Jun 2009 21:01

Re: GSoC Introduction! (TorButton)

> I will also point out functionality Privoxy has as an option.  When you
> come from another site, it spoofs the referrer as the root of the site
> being visited as indicated above.  But as you move around within a site
> it reports the referrer accurately.  Some sites require this for proper
> functioning.

Just for the record, this feature first appeared in Polipo:

    http://archives.seul.org/or/talk/Aug-2006/msg00191.html

                                        Juliusz
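
The referrer handling described in this message, sketched as an added example; it is not part of the original post and is not Privoxy's or Polipo's code. The function name `outgoing_referer` is hypothetical, and "same site" is assumed here to mean same scheme, host and port.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port), normalised, or None if the URL is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return scheme, parts.hostname, port or DEFAULT_PORTS[scheme]

def outgoing_referer(request_url, referer):
    """Decide which Referer value a filtering proxy forwards upstream.

    Same site: the real referrer is passed through, since some sites
    need it to function.  Any other site (or an unparseable value):
    the root of the site being visited is sent instead, so the
    previous site's URL is not disclosed.
    """
    target = _origin(request_url)
    if target is None or not referer:
        return None                    # nothing to send
    if _origin(referer) == target:
        return referer                 # navigation within one site
    scheme, host, port = target
    if ":" in host:                    # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}/"

if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    print(outgoing_referer("http://example.org/a/b.html",
                           "http://search.example.net/?q=private+query"))
    print(outgoing_referer("http://example.org/a/b.html",
                           "http://example.org/index.html"))
```
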

Praedor Atrebates | 1 Jun 2009 21:20

Re: Tor 0.2.1.15-rc is out

I don't get it.  Apparently there is no such thing as libevent-devel for
Mandriva so I cannot build tor.  Mandriva has libevent2 (but there is no
libevent2-devel) and it has libevent-devel for 1.4.8 but it conflicts with
libevent2.  It also has libevent0.9_0-devel but tor doesn't care.

What libevent is tor requiring?

On Sunday 31 May 2009 16:37:34 Roger Dingledine wrote:
> Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
> series. It fixes a major bug on fast exit relays, as well as a variety
> of more minor bugs.
>
> This is a release candidate! That means that we don't know of any
> remaining show-stopping bugs, and this will become the new stable if
> there are no problems. Please test it, and tell us about any problems
> that you find.
>
> https://www.torproject.org/download.html.en
>
> Changes in version 0.2.1.15-rc - 2009-05-25
>   o Major bugfixes (on 0.2.0.x):
>     - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
>       that would occur on some exit nodes when DNS failures and timeouts
>       occurred in certain patterns. Fix for bug 957.
>
>   o Minor bugfixes (on 0.2.0.x):
>     - Actually return -1 in the error case for read_bandwidth_usage().
>       Harmless bug, since we currently don't care about the return value
>       anywhere. Bugfix on 0.2.0.9-alpha.
>     - Provide a more useful log message if bug 977 (related to buffer

Chuck Filson | 1 Jun 2009 22:37

Re: Tor 0.2.1.15-rc is out

On Monday 01 June 2009 15:20:50 Praedor Atrebates wrote:
> I don't get it.  Apparently there is no such thing as libevent-devel for
> Mandriva so I cannot build tor.  Mandriva has libevent2 (but there is no
> libevent2-devel) and it has libevent-devel for 1.4.8 but it conflicts with
> libevent2.  It also has libevent0.9_0-devel but tor doesn't care.
>
> What libevent is tor requiring?
>

	On Mandriva 2009 spring 'libevent2-1.4.8-2mdv2009.1.i586' was already 
installed, so I installed 'libevent-devel-1.4.8-2mdv2009.1.i586' and 
'tor-0.2.1.15-rc' configure and make were successful.

	You may have to make sure your versions match to prevent the conflicts.

Chuck Filson

Sambuddho Chakravarty | 1 Jun 2009 23:38

Re: Issue about selection of Tor relays when using the default torrc configuration

Hello all
 I am running tor-0.2.1.15-rc; source downloaded from the tor website.
For my purpose I am tapping into the function
circuituse.c:circuit_has_opened() to determine which relays are being
used in a stream (assuming only one stream is using Tor). However, the IP
addresses of the relays I see here don't match the list of relays for the
stream when I determine them using
'get_info stream-status'. Which one should I rely upon to determine
which circuit is being used? Common sense tells me to rely on 'get_info
stream_status'. However, I see the client crash at times when I connect
to the control port.

Thanks
Sambuddho

> On Sun, May 31, 2009 at 02:59:01AM -0400, Sambuddho Chakravarty wrote:
>   
>> Thanks for your help. However, is there no way that I can cause tor
>> client to reload a new set of entry guard nodes?  I have tried both
>> NEWNYM and HUP signals through *nc* to communicate to tor controller.
>> However, in both cases only a small set of (in fact 3) entry guards are
>> selected.
>>     
>
> Yes, that's a feature. Otherwise you'll open yourself up to a variety
> of attacks:
> https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#EntryGuards
>
> If you want to turn off that defense, set "UseEntryGuards 0" in your
> torrc.

Sambuddho Chakravarty | 2 Jun 2009 00:57

GETINFO argument to determine OR IP addresses

Hello All
 Can you please tell me if there is any argument to GETINFO which can be
used to determine the IP address of ORs? If there is none then what is
the possible way to determine IP address of ORs?

Thanks
Sambuddho

Alexander Cherepanov | 2 Jun 2009 12:52

Banners injected in web pages at exit nodes TRHCourtney*

Hello!

Just stumbled upon a banner injected in html at tor exit node.
Nodes in question:

  router TRHCourtney01 94.76.246.74 443 0 9030
  router TRHCourtney02 94.76.247.136 443 0 9030
  router TRHCourtney03 94.76.247.137 443 0 9030
  router TRHCourtney04 94.76.247.138 443 0 9030
  router TRHCourtney05 94.76.247.139 443 0 9030
  router TRHCourtney06 94.76.247.140 443 0 9030
  router TRHCourtney07 94.76.247.141 443 0 9030
  router TRHCourtney08 94.76.247.142 443 0 9030
  router TRHCourtney09 94.76.247.143 443 0 9030
  router TRHCourtney10 92.48.84.113 443 0 9030
  contact Courtney TRH <courtney <at> nullroute.net>

All of them inject a piece of html at end of web pages. Text under 
banner reads:

  Courtney TOR/VPN & Wifi Exit Node :: Usage subject to Terms and 
  Conditions/Acceptable Use Policy :: Want to advertise here? Contact 
  us

Check for yourself: http://www.torproject.org.TRHCourtney01.exit/ .

Some more concerns. Page http://courtney.nullroute.net/ contains:

  WARNING: The TOR Exit Node must *not* be used for illegal means. 
  Connection and session logs are kept and *will* be forwarded onto 

Freemor | 2 Jun 2009 13:52

Re: Banners injected in web pages at exit nodes TRHCourtney*

On Tue, 02 Jun 2009 14:52:18 +0400
"Alexander Cherepanov" <cherepan <at> mccme.ru> wrote:

> Hello!
> 
> Just stumbled upon a banner injected in html at tor exit node.
> Nodes in question:
> 
Thanks for the heads up.. I wasn't getting the injected banners on the
link you provided but when I tried:

https://torcheck.xenobite.eu.trhcourtney01.exit/

I got an invalid certificate error.. Definitely man-in-the-middle stuff
going on here.. Certificate I received for the above belonged to:

Issued to
Common Name (CN) 		*.krauscomputer.de
Organization (O)		Manuel Kraus
Organizational Unit (OU)	StartCom Verified Certificate Member
Serial Number			00:de

Issued By
Common Name (CN)		StartCom Class 2 Primary Intermediate Server CA
Organization (O)		StartCom Ltd.
Organizational Unit (OU)	Secure Digital Certificate Signing

Validity
Issued On 			08-06-25

Freemor | 2 Jun 2009 14:01

Re: Banners injected in web pages at exit nodes TRHCourtney*

On Tue, 02 Jun 2009 
"Freemor" <freemor <at> gamil.com> wrote:

Some rather silly stuff..

Apologies for the preceding post.. Certificate is correct.. The
.trhcourtney01.exit/ was throwing the browser into complaining that the
certificate didn't match.

 I really must learn not to post before having my morning coffee.

I've tried a couple of other sites now and there definitely is banner
injection going on... looking into the html source now to see if there
are other exploits.

Strange that the provided link didn't have injection... Adaptation on
the node's part?

-- 
freemor <at> gmail.com
freemor <at> yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
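
One way to check a page for the kind of exit-side injection reported in this thread, as an added example that is not part of the original messages: compare a copy fetched over a trusted path with the copy received through the exit and report only the markup that was added. Both sample pages are constructed, the function names are hypothetical, and the page compared must be static, since a dynamic page differs between fetches on its own.

```python
import difflib
import re

TOKEN = re.compile(r"<[^>]*>|[^<]+")          # one tag, or one run of text
URL_ATTR = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample data: a static reference page and the same page as
# (hypothetically) received through an exit that appends a banner.
REFERENCE = "<html><body><h1>Example</h1><p>Hello</p></body></html>"
VIA_EXIT = (
    "<html><body><h1>Example</h1><p>Hello</p>"
    '<div id="banner"><a href="http://ads.example.invalid/">'
    '<img src="http://ads.example.invalid/b.png"></a>'
    "Usage subject to Terms and Conditions</div></body></html>"
)

def tokenize(html):
    """Split markup into tags and text runs, ignoring whitespace-only changes."""
    parts = (" ".join(t.split()) for t in TOKEN.findall(html))
    return [p for p in parts if p]

def injected_spans(reference_html, observed_html):
    """Return markup present in the observed copy but not in the reference."""
    ref, obs = tokenize(reference_html), tokenize(observed_html)
    matcher = difflib.SequenceMatcher(None, ref, obs, autojunk=False)
    findings = []
    for op, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if op not in ("insert", "replace"):
            continue
        markup = "".join(obs[j1:j2])
        findings.append({
            "markup": markup,
            # True when only closing tags follow: appended at the end of the page
            "at_end": all(t.startswith("</") for t in obs[j2:]),
            # External resources the added markup would make the browser load
            "urls": URL_ATTR.findall(markup),
        })
    return findings

if __name__ == "__main__":
    for finding in injected_spans(REFERENCE, VIA_EXIT):
        print(finding)
```

The `urls` field lists what the added markup would make the browser fetch, which is the first thing to review when looking through the injected HTML for anything beyond a banner.
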
