Tor Open Hack Day in Berlin (for everyone)

by ailanthus | September 30, 2015

Hello!

We are very happy to tell you that the Tor meeting in Berlin is currently underway!

During the past days we've been busy discussing the future of Tor as an organization and designing the protocols and features that we want to see in the future.

We would like to inform you that tomorrow (Thursday, October 1st) we will be having an open day where everyone is welcome to come and discuss Tor with us. People interested in Tor are welcome regardless of their background or skills.

The meeting is taking place at Betahaus in Berlin all day, and you can find more information in the wiki.

Looking forward to seeing you here!

Thank you!

Comments

Please note that the comment area below has been archived.

October 01, 2015


That's great, but Tor is a local American app.
Is Tor a democracy test or a weapon/tool: an argument for rogue states?
************************************************************
How could we help each other as Tor users: Tor relay, free DNS server, tips & tricks for traveling abroad, mesh network, free secure Wi-Fi spot, hidden service, library project outside of America (both), etc.?
************************************************************
Stack Exchange is full of stupid & intolerant & absurd Q/A. Like the right answer is never accepted, so it is monitored...
It seems that updating a PGP key through Tor brings some problems (desktop app: parcimonie).
Ricochet has not yet been audited.
Hidden services must be more open to underground projects. We need to know how to do a lot of things... and create our own privacy, building our project without being concerned by the idea of 'illegal/prohibited', etc.
************************************************************
About the 49 ameliorations of which Mr. Snowden spoke, what will you add to them about Tor?
A webmail has never been conceived with the idea of privacy or anonymity in mind, and free PGP support is too rare (except StartMail, not audited; I do not know another): do you intend to help with this implementation for our free Tor webmail?
************************************************************
Does a special Tor router/ISP/phone company exist?
Where are the bosses and the elected people in this battle?
************************************************************
Thx.

October 01, 2015


People who work as cyberspooks at sites like Dagger Complex are at high risk for health problems, including depression, brought on by the unethical nature of work which frequently results in the death of innocent persons, including children, in places like Syria. News stories such as the following two recent examples offer some hint of the toll dragnet surveillance exacts upon USIC employees.

https://theintercept.com/2015/09/28/death-athens-rogue-nsa-operation/
Did a Rogue NSA Operation Cause the Death of a Greek Telecom Employee?
James Bamford
29 Sep 2015

https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-use…
From Radio to Porn, British Spies Track Web Users’ Online Identities
Ryan Gallagher
25 Sep 2015

Fortunately, help is at hand. A new initiative based in Darmstadt called IntelExit hopes to help spooks exit the agencies and find productive employment doing truly good deeds such as helping to resettle Syrian refugees, or using their spook skills to organize freedom highways to havens which have proven unwilling to accept their fair share. See

http://www.slate.com/blogs/future_tense/2015/09/30/intelexit_for_nsa_su…
“Listen to Your Heart, Not Private Phone Calls.”
Andy Greenberg
30 Sep 2015

"Support groups help cult and gang members break free of their former lives. Alcoholics and Narcotics Anonymous help addicts overcome their dependencies. And now one group of privacy campaigners wants to offer its target audience an escape route for what it sees as an equally insidious trap: Their jobs working for intelligence agencies like the National Security Agency."

October 01, 2015


An interesting recent exchange at Tor StackExchange appears to suggest that

* a former high level NSA official, a 41 year veteran who now writes opinion pieces defending NSA surveillance, is using Tor (Orbot)
* UK's National Crime Agency is spying on said official

https://tor.stackexchange.com/users/9376/richard-george
http://www.ists.dartmouth.edu/events/careernsajuly2011.html
http://www.rsaconference.com/events/us13/agenda/sessions/290/life-as-a-…

Note

* similar interests in "information assurance" and Tor
* very different writeprints

@ Stylometrists (Rachel?): do you concur?

@ Pranksters: points for effort, but can you make a better Markov model of the real Richard George?

The StackExchange link is not to an exchange, but rather a user. Looking at that user's content, it looks like a person who knows nothing, and it appears to suggest nothing.

And who is this person I keep hearing about on these blog comments, and why is that person continually being called out by name?

October 02, 2015


Here are some articles that seem to support the notion that the Internet may soon be limited / regulated / censored, or even shut down!

Microsoft Proposes Government Licensing Internet Access
Rockefeller Wants Government to Shut Down Fox and MSNBC
Rockefeller: Internet is "Number One National Hazard"
Censoring the Internet: A Collection of Essential Links
The 19 Senators Who Voted To Censor The Internet
Lieberman Has Power To Shut Down Websites With A Phone Call
FCC Push to Sovietize Broadcast Media in America
Wave goodbye to Internet freedom
AT&T's broadband data caps start today
EU signs ACTA, global internet censorship treaty
March 1st (2012) Google & You Tube Changes Affect YOU
ACTA is worse than SOPA, here's what you need to know
Senate cybersecurity bill mirrors Russian Internet agenda
Is Obama's Cybersecurity Executive Order Imminent
Tech Guru Warns Of Internet "Disaster"
DARPA Wants a Searchable Database of All Your Conversations
Russian Cyberspace Head Calls For Internet Kill Switch

It's worse.

Driver’s licenses for the Internet
http://business.time.com/2010/01/30/drivers-licenses-for-the-internet/

"I can hear the worldwide scream go up: “But we’re entitled to anonymity on the Internet!” Really? Are you? Why do you think that?"

The National Strategy for Trusted Identities in Cyberspace
https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy…

"The public and private sector will use awareness and education programs to encourage demand for the Identity Ecosystem"

"Objective 3.2: Identify other means to drive widespread adoption of the Identity Ecosystem.

All levels of government can assist the private sector by helping to jumpstart the adoption of the Identity Ecosystem, ensuring that it becomes widespread enough to be self-sustaining. In order to provide this jumpstart, all levels of government should work with the private sector to help identify economic incentives to encourage private-sector adoption of the Identity Ecosystem. The Federal Government will also align identity solution requirements in existing programs against the Identity Ecosystem. Finally, the Federal Government will evaluate regulatory changes as necessary."

Your Internet Driver's License
http://blog.codinghorror.com/your-internet-drivers-license/

"Personally, I prefer to be the change I want to see. So for us, on Stack Overflow and the Stack Exchange network, that means aggressively promoting the concept of the Internet Driver's License. Including educating users as necessary."

Call It Your Online Driver’s License
http://www.nytimes.com/2011/09/18/business/online-id-verification-plan-…

"The Open Identity Exchange, a group of companies including AT&T, Google, Paypal, Symantec and Verizon, is helping to develop certification standards for online identity authentication; it believes that industry can address privacy issues through self-regulation."

The White House Wants to Issue You an Online ID
http://motherboard.vice.com/read/the-white-house-wants-to-issue-you-an-…

"you have to wonder how much longer people are going to put up with standing in line at the DMV for four hours to hand a teller (with a taxpayer-paid salary) a copy of your birth certificate and piece of mail to prove you are you."

Are You Ready for a Driver’s License for the Internet?
http://www.govtech.com/security/Drivers-License-for-the-Internet.html

Rob Enderle said, "There have to be some penalties involved for not doing it. I think after a couple major breaches where the liability is passed to the organization that didn’t properly assure the identities of the people that were accessing it, that motivation will probably drop into place."

"Proposed legislation in the United Kingdom shows that the market is demanding better authentication online, not just to curtail fraud, but to restrict access to certain content."

US Government Begins Rollout Of Its 'Driver's License For The Internet'
https://www.techdirt.com/articles/20140503/04264427106/us-government-be…

"Unlike corporations, citizens won't be allowed the luxury of opting out. This "internet driver's license" may be the only option the public has to do things like renew actual driver's licenses or file taxes or complete paperwork that keeps them on the right side of federal law."

There is definitely a push on to strip the last vestiges of internet anonymity from us.

Creepy Facebook is one of the organisations at the forefront of this assault on our privacy.

Anti-privacy Facebook demands 'Real ID'. You will also find that more and more sites are using Facebook for on-line 'verification'. On some sites you don't register with the site; you register through Facebook.

It is amazing that anyone is still using Facebook - as creepy as it comes!

October 02, 2015


Please help! How can I open a Facebook account without a phone number over the Tor Browser? Best Regards, John

October 04, 2015


Would love to see work done towards making Tor easier for people in first world nations to use. Then hopefully popularity would rise, then infrastructure would soon also increase.

Also would love to see implementations on creating bridges between the Tor network and other anonymity networks like I2P.

October 04, 2015


The Tor Project should have a plan on what to do in the event that new legislation banning the traditional tools that pirates use occurs. This action would end up creating a flood of new Tor users using the service for torrenting. Torrenting cannot be banned by Tor for various reasons, like how for some activists that's the only way they can share and receive content, so maybe some new system inside the Tor protocols should be set up for more resource intensive Tor usage?

BitTorrent isn't anonymous over Tor because the BitTorrent protocol announces users' IP addresses.

If things got to the point where peer-to-peer networks were criminalized, that would be a sign that the people no longer had anything resembling political freedom.

October 05, 2015


> People who work as cyberspooks at sites like Dagger Complex are at high risk for health problems, including depression, brought on by the unethical nature of work which frequently results in the death of innocent persons including children in places like Syria.

In a tragic but not unexpected development, the USG has dramatically underscored its increasing antipathy for human rights work and medical aid work in impoverished war-torn regions by bombing a MSF (DWB) charity hospital in Kunduz, Afghanistan, killing 7 patients, including 3 children and 5 patients in the ICU who were burned alive in their beds. The strike also killed 9 medical staff and injured 19 (five critically), and injured 18 patients and visiting family members.

http://www.msf.org.uk/article/afghanistan-msf-staff-killed-and-hospital…
Afghanistan: MSF staff killed and hospital partially destroyed in Kunduz

http://www.slate.com/blogs/the_slatest/2015/10/03/u_s_airstrike_on_afgh…
U.S. Airstrike on Doctors Without Borders Hospital in Afghanistan Kills at Least 19
Daniel Politi
3 Oct 2015

https://theintercept.com/2015/10/03/one-day-after-warning-russia-of-civ…
One Day After Warning Russia of Civilian Casualties, the U.S. Bombs a Hospital in Afghanistan
Glenn Greenwald
3 Oct 2015

http://www.slate.com/blogs/the_slatest/2015/10/04/doctors_without_borde…
Doctors Without Borders Says U.S. May Have Committed War Crime
Daniel Politi
4 Oct 2015

http://www.reuters.com/article/2015/10/04/us-afghanistan-attack
U.S. investigating air strike near Afghan hospital that killed 19
Hamid Shalizi and Andrew MacAskill
3 Oct 2015

Perhaps the most tragic consequence in the short term is that MSF has been forced to close what remains of this hospital, depriving residents of the only advanced medical facility in the area.

The Dagger Complex is deeply involved in aerial targeting by the US military and its allies, although it is not yet clear whether analysts there played any role in the Kunduz hospital strike.

In the context of the Congressional debate over "information sharing", a key point about this event is that MSF did everything in its power to inform the US military about the precise location of its hospital, but either this information was not shared with the person who ordered the strike (reinforcing the impression that information sharing is designed only to harm ordinary people, never to help them), or else the USAF knowingly bombed an active hospital.

Retired USAF Gen. Dunlap has rushed to attack MSF supporters who have characterized the bombing as a war crime, which it certainly is. Two choices: war crime by criminal negligence, or war crime by intentional targeting of a fully functioning hospital. But it is easy to guess that no US courts-martial will result from this tragedy. Perhaps it is time for the Hague to contemplate a little extraordinary rendition of its own?

http://thehill.com/blogs/pundits-blog/defense/255927-lets-get-facts-on-…
October 05, 2015, 12:01 pm
Let's get facts on Afghan hospital incident before declaring a war crime
Charles J. Dunlap Jr.

Dunlap should have used his bully pulpit in The Hill to acknowledge that the only TRUE heroes in the early twenty-first century are the medical aid workers and human rights workers who put their own lives at great risk in order to assist trapped populations in some of the most dangerous regions of the world. They receive neither praise nor medals nor injury compensation from their governments--- those perks are reserved for the bombers and targeters.

Meanwhile Pres. Putin, Pres. Assad, and ISIL all appear to be vying with Pres. Obama for the title of "Leader of the GWOP" (Global War on People):

http://www.theguardian.com/world/2015/oct/02/people-are-angry-and-boili…
'People are angry and boiling': Syrians tell of Russian airstrikes
Terrorised for years by crude barrel bombs launched by Assad regime, those in rebel-held territories now face more precise, but destructive Russian weapons
Kareem Shaheen
2 Oct 2015

As suitable artistic commentary, we suggest Prokofiev's bitter Sixth Symphony.

October 05, 2015


> Senate cybersecurity bill mirrors Russian Internet agenda

It is instructive to compare SORM and CISA in detail. They might have been authored by the same people. And in a sense they were. CISA was written by corporate lobbyists who recently benefited (think USBs stuffed with cryptocurrency) from the recent visit of a huge Chinese delegation.

The current global conflict is between People everywhere and the spooks who have captured governments everywhere, or rather the point oh oh one per cent whose interests are served by the spooks.

The concept of "nation-state" and "rule of law" only applies to the 99%: the people who write the laws work for the point oh oh one per cent, who recognize neither nations nor laws.

Back in June, the AP confirmed what privacy advocates have long alleged: that the FBI operates a huge fleet of spy planes throughout the US, which sometimes carry DRT boxes (those are NSA's supercharged IMSI catchers, Stingrays on steroids). And the Hacking Team leak revealed that Boeing subsidiary Insitu is planning to sell to US police a new generation of surveillance and targeting drones equipped with similar malware-serving capabilities to NSA drones used in countries such as Norway, Syria and Afghanistan to infect the phones of virtually every citizen.

As a striking illustration of the utter corruption of governments everywhere, with USG blessing, it has been quietly announced that China is now outfitting its own fleet of spy planes in the USA. It is not clear where these will be used, but the Chinese government already operates SIGINT planes based in US civilian airports, apparently with the blessing of the USG.

There could be no better illustration of the fact that US spooks are continuing to turn a blind eye to Chinese snooping, in order to divert the attention of the People from the fact that they are busy doing exactly the same things. The true nature of the recent US-China "cybersecurity agreement": you spy on your dissidents wherever you can find them, and we'll do the same. The only beneficiaries: the one percent, who are terrified by dissent. Whether the one percenters formally hold Chinese or US citizenship is immaterial.

Listen for the latest buzzword: "resiliency". This is a code word for an issue of great concern to the one percent: how to convert the restless masses into happy serfs content with their subservient and degraded status. DARPA is even speculating about genetic modifications to attain this goal.

It is becoming increasingly difficult to deny the essential truth of the stark warning issued some years ago by ethicist T. J. Kaczynski (the only American philosopher of any importance): technology will be the death of us.

> Microsoft Proposes Government Licensing Internet Access

Also exactly what Russia and China have done.

> DARPA Wants a Searchable Database of All Your Conversations

This is a typical illustration of the inappropriateness of the Tor Project accepting funds tied to DARPA.

See also GCHQ's "SAMUEL PEPYS" database, which has been operational for years. That focuses on "diarizing" all internet activity by anyone who ever ventures online, but DARPA is working hard to extend this to all conversations, including conversations conducted in the "privacy" of our homes.

Own or rent a set-top cable box? Digital Signal Technologies, the NSA company which makes the DRT box, also makes an extensive range of equipment which can silently turn many set-top cable boxes into in-home audio-video surveillance bugs. They are hard at work on traducing the Internet of Things for similar applications. Google and friends are not happy about this, but recent experience strongly suggests they will be unable to foil the latest spookery.

The long cherished spook dream of completely eradicating privacy, even inside American homes, may be close to realization. Thanks to NSA.

A warning from the American Founding Fathers, which has long since been forgotten by the US political leadership: a Constitution is only as good as the strength and determination with which citizens defend it.

October 05, 2015


A company called Norse, with a Viking themed product line, might be expected to promote piracy and cyber-raids on defenseless civilians, but it seems they actually try to oppose such actions. And they have hired former Tor Project director Andrew Lewman.

One can only hope that in his new position, Lewman will somehow be able to help combat bad torrents while not tearing down Tor.

> A company called Norse, with a Viking themed product line, might be expected to promote piracy and cyber-raids on defenseless civilians

No, nobody would expect such a thing.

October 05, 2015


Somebody told me that using a Tor browser is illegal in the USA and that just by connecting to Tor your ISP can potentially flag you to authorities. I believe this to be false; however, nothing is shocking. I am a casual user that values privacy and believes in an uncensored network.

Actually, the net is (will be?) divided in 5 or 6 pieces:
a. for maintenance (1%? automatic?),
b. for security (5%? military infrastructure),
c. for users (7%? uncensored/privacy),
d. for surveillance (15% in/out?),
e. for commercial purposes (70%?),
f. for (unknown)

No, using Tor is definitely not illegal in the USA. However, your ISP can detect if you're using Tor; if you want to prevent this, enable a VPN connection before connecting to Tor. That way your ISP can only detect that you're using VPN traffic.

This is ridiculous! They are trying to brainwash you to get you on their surveillance agenda. There is nothing illegal as long as you do not injure or harm someone. Unless you are licensed, which you have to abide by the rules set forth by the license guidelines.

October 06, 2015


The Guardian Project hasn't steered us wrong yet, so it's hard not to go back to it for a web browser solution like Orweb. Available for Android, Orweb claims to be the "most private and anonymous web browser," and we have no reason to doubt them. In case you do, though, the app does have the Electronic Frontier Foundation (EFF) stamp of approval. The app circumvents network restrictions, defeats censorship attempts, and encrypts your activity while sending it through computers across the world rather than connecting directly or through a proxy. There's a near endless amount of options for disguising your browsing with Orweb, as you can do everything from masking the device you're using and tricking a site into thinking you're visiting via a different platform, to taking control over cookies. Orweb blocks Flash threats, and keeps no history, among other security measures.
OnionBrowser

To accompany Orweb, you’ll need to also install Orbot. The importance behind this app is that it empowers Orweb to use Tor, the free network for online anonymity. Tor can occasionally be associated with some negative things thanks to what can occur on the hidden web that Tor unlocks, but it’s quite possibly the most important tool for creating privacy on the web.

Orfox is coming...

October 06, 2015


> somebody told me that using a tor browser is illegal in the USA

Because the USG has (unconstitutionally) implemented numerous secret laws, it is impossible to be sure, but on the basis of openly published laws, as of 6 Oct 2015, I believe that this is false. Should CISA pass both houses of the US Congress (it is expected to come up for a vote in the Senate early next week), this may change.

Generally, it appears that the secret laws are mainly invoked to gather evidence against someone the government dislikes, after which they can be charged under published laws and prosecuted in open court without undue fear of revealing the secret laws. Such "fishing" would be rigorously proscribed by any government which is sincerely respectful of the Rule of Law.

One point to bear in mind, which has been emphasized by privacy-minded cryptographers such as Bruce Schneier, is that the "Western democracies" are increasingly using a nasty repression stratagem which was formerly restricted to the worst authoritarian regimes, in which someone the government dislikes is arrested and confronted with evidence of previous activity which was not illegal or even seen as particularly "suspicious" at the time, but which later became illegal or came to be considered dangerously "deviant".

For example, unforeseen shifts in the US political winds might lead to future prosecution of members of the Unitarian Church who are currently involved in (currently legal) assistance to undocumented aliens, or people performing human rights monitoring in a country which is currently regarded as friendly or neutral, but next year might be under ISIL control. The USG interpretation of very broadly worded laws is also subject to change without notice. In particular, human rights and medical aid workers in Syria, Iraq, and Afghanistan must accept the risk that a local social services group they work with today might next month be unexpectedly designated as a "terror group".

A related issue involves "mission creep", in which terms such as "terrorist group", "material assistance", "cyberattack" and "weapon of mass destruction" have been steadily extended by US federal prosecutors, often to the point of absurdity. For example, Congress clearly intended that "WMD" denote things like nuclear weapons, but in the past five years this term has been steadily degraded to include such things as hand grenades and sawed-off shotguns. For example, it seems quite possible that hobbyist drone operators doing sketchy things which are legal today (but probably shouldn't be) may be retrospectively prosecuted using novel interpretations of current laws, especially in the event of such foreseeable tragedies as careless operation of a hobby drone resulting in a mid-air collision and causing the crash of a wildfire-fighting aircraft.

Schneier and friends are not of course suggesting that anyone engaged in relief work cease their humanitarian activities out of an abundance of caution, but are rather attempting to explain why the "collect it all and store it forever" mentality of agencies like NSA is so poisonous for any democratic society.

> and that just by connecting to TOR your ISP can potentially flag you to authorities

Published Snowden leaks confirm that NSA attempts to use its global surveillance machine to record every connection to the Tor network, or more precisely to the Tor Directory Authorities. This means the bad guys know that someone using a computer with a certain external IP address was using Tor on a certain date, give or take about 60 minutes. They also confirm that NSA attempts to save indefinitely any encrypted packets, which would include all Tor data streams because Tor uses TLS. The so-far published leaks also show that NSA attempts to record any attempt to obtain the IP of a bridge (a special node which helps people in places like Iran, China, and Australia evade government blocking of normal access to the Tor network). See

https://blog.torproject.org/blog/being-targeted-nsa
phobos
3 July 2014

> Tor's anonymity is based on distributed trust, so observing traffic at one place in the Tor network, even a directory authority, isn't enough to break it. Tor has gone mainstream in the past few years, and its wide diversity of users -- from civic-minded individuals and ordinary consumers to activists, law enforcement, and companies -- is part of its security. Just learning that somebody visited the Tor or Tails website doesn't tell you whether that person is a journalist source, someone concerned that her Internet Service Provider will learn about her health conditions, or just someone irked that cat videos are blocked in her location.
>
> Trying to make a list of Tor's millions of daily users certainly counts as widescale collection. Their attack on the bridge address distribution service shows their "collect all the things" mentality -- it's worth emphasizing that we designed bridges for users in countries like China and Iran, and here we are finding out about attacks by our own country. Does reading the contents of those mails violate the wiretap act? Now I understand how the Google engineers felt when they learned about the attacks on their infrastructure.

One crucial role which Directory Authorities play is in eliminating from the network any nodes which are "known bad", typically because they have been seized by police. For example, in autumn 2014, Europol seized numerous Tor nodes in connection with an attempt to take down some hidden services. See

https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-…
Thoughts and Concerns about Operation Onymous
phobos
9 Nov 2014

> If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

It is widely suspected that NSA or another intelligence agency may have been behind an incident in which someone compromised some Directory Authorities, fortunately narrowly missing their presumed goal of compromising enough to take over the entire Tor network. See

https://blog.torproject.org/blog/tor-project-infrastructure-updates
phobos
22 Jan 2010

> In early January we discovered that two of the seven servers that run directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.

Ironically, the Snowden leaks reveal that JTRIG (the "effects" unit of GCHQ which attacks dissidents with malware and psyops) itself uses Tor and operates its own hidden services. It is virtually certain that NSA does the same. Because the cyberspooks mostly understand that breaking into networks always creates opportunities for other attackers (because breaking into networks always carries the risk of unforeseen consequences), it seems implausible that FVEY would attack a resource it relies upon for daily operations. If so, heavy-handed operations like Operation Onymous which seize Tor nodes, or cyberwar actions which attempt to compromise Directory Authorities, may suggest conflict between police agencies like Europol/FBI and intelligence agencies like NSA/GCHQ/CIA and military partners which use Tor for their own purposes, and need the rest of us so that they can "hide in the noise" our own Tor use provides.

October 07, 2015


@ Tor devs: comments?

http://www.theregister.co.uk/2015/10/06/fast_wireless_access_to_tor_jus…
Fast, wireless access to Tor? Just maybe
Watch blocked programs while recharging your phone – is this for real?
Kieren McCarthy
6 Oct 2015

> the Invizbox Go offers:

> Faster Tor access through a "premium pricing" model that connects you to fast, private bridges (and so, presumably, relays not run by the NSA) for a monthly fee: €4 ($5) a month
> WiFi extender – spread your signal a little further
> USB charging – when your phone is low
> Proxy selection – so you can decide which country's IP address you want to appear to come from
> An ad blocker
> A Tor/VPN combination so you can use one or the other or both
>
> It also claims a five-hour battery life based on continuous use. As for size, it is roughly the same of the iPhone 6

One thing which worries me: if AdBlock Plus is the adblocker, some ads will get through--- and those will be targeted by spooks worldwide when they want to infect Tor users via malicious adware vectors.

October 24, 2015


I'm not a core Tor dev, although I have contributed to the software. I would highly, highly recommend you do NOT buy this Invizbox thing. A few reasons:

- "Anonymizing hardware" is utterly infamous for security holes. The only one which I would have even an ounce of faith in is Grugq's design, based on OpenWrt and configured pretty well. However, even it has problems.

- Using "private bridges" is actually damaging to your anonymity, because it reduces your anonymity set. Basically, it reduces the crowd you are hiding in. In fact, selecting bridges randomly is far better, especially if you get a large bridge used by many people. The truth is, bridges do nothing for your anonymity, and can actually harm it. The only reason bridges are useful is to evade ISPs that block Tor in places like China.

- Having an anonymizing device uses the same Tor circuit for everything, meaning that if you connect to one site, then another, it will use the same exit node. This is bad for anonymity, and makes tracking and targeted malware deployment far easier.

- Selecting from different proxies reduces your anonymity set considerably.

TL;DR anonymizing hardware is BAD. It is rarely designed well. I would bet a considerable sum of money that if I bought that device, I would find a way to break it. And that's saying something, because I'm not even clever enough to exploit Firefox. :P

Seriously, if you just want to watch blocked TV programs, use a simple VPN. VPNs are good for anonymity if your adversary is the MPAA or something similar, so in this case, it'd be perfect for your needs.

As for the "one thing that worries you", you shouldn't be worried about that. :P It is incredibly easy to break your browser even if ads are blocked. Put it this way: there is already a reliable exploit which works against TBB which does not require javascript (uses HTML/CSS) and is highly reliable. I don't know if it has been patched yet. (yet another of the fun 0days Gorlob drops over at ##security on Freenode). So yeah, ads should not be part of your threat model. (Just since it wouldn't be fair to mention this with no mitigations, one way to limit the damage is to use Tails, which sandboxes the browser). And Tails is significantly more solid than any anonymizing hardware!

October 07, 2015

Question about Tor Browser Bundle:

When I surf to certain websites, a tiny green icon appears in the search pane. As far as I can tell, this has something to do with the default search engine, and I guess it indicates that my websurfing is somehow being copied to the default search engine company, or to a large adware company. That sounds dangerous for users who do not want to be tracked. Especially because our most lethal enemies are known to abuse both search logs and cookies.

Does anyone know what is going on?

Tor Browser recognizes a potential search "engine" on the website and offers to let you import it. E.g. if you visit our bugtracker you'll see such a green "+". If you click on it, Tor Browser lets you add a search plugin for trac on the fly to the search engines you already have installed. There is no copying of your websurfing to anybody involved.

October 07, 2015

Is this part of NSA's strategy to partially placate FBI's insane demand for easy warrant-less back-door access to every smart phone?

http://arstechnica.com/security/2015/10/verizons-zombie-cookie-gets-new…
Verizon’s zombie cookie gets new life
Verizon's tracking supercookie joins up with AOL’s ad tracking network.
Julia Angwin and Jeff Larson
7 Oct 2015

> Verizon said in a little-noticed announcement that it will soon begin sharing the profiles with AOL's ad network, which in turn monitors users across a large swath of the Internet.
>
> That means AOL's ad network will be able to match millions of Internet users to their real-world details gathered by Verizon, including "your gender, age range and interests." AOL's network is on 40 percent of websites, including on ProPublica.

Could TBB and Tails users be infected if they surf to ProPublica? People who read ProPublica are precisely the kind of people whom agencies like FBI wish to monitor.

This detail is probably yet another example of how NSA "shapes" the internet to make things absurdly easy for its snooping:

> Privacy advocates say that Verizon and AOL's use of the identifier is problematic for two reasons: not only is the invasive tracking enabled by default, but it also sends the information unencrypted, so that it can easily be intercepted.

> Verizon, which has 135 million wireless customers, says it will share the identifier with "a very limited number of other partners and they will only be able to use it for Verizon and AOL purposes," said Karen Zacharia, chief privacy officer at Verizon.

But it is un-encrypted! Who do these clowns think they are fooling?

Just about everyone who doesn't read Ars Technica, I suppose. Censorship and propaganda, unfortunately, work.

> In order for the tracking to work, Verizon needs to repeatedly insert the identifier into users' Internet traffic. The identifier can't be inserted when the traffic is encrypted, such as when a user logs into their bank account.

China and Russia make extensive use of such packet insertion. Yet another illustration of how the "Western democracies" are moving closer and closer to Asian authoritarianism.

October 07, 2015

Tails is a modified version of Debian stable. Which now yields control of the computer to systemd. Which was developed under the influence of Red Hat Enterprise Linux. Whose biggest customer is the USIC. This may be cause for concern. Open source code is in principle examinable, but we lack sufficiently many experts to examine all that code. And the drivers we need to make our computers actually work are often NOT open source or easily examined or updated, and we know maliciously altered drivers are extensively exploited by our enemies to harm us.

http://thehill.com/policy/cybersecurity/256020-snowden-us-uk-spies-want…
Snowden: US, UK spies 'want to own your phone'
Cory Bennett
6 Oct 2015

> "Nosey Smurf is the 'hot mic' tool,” he continued. “For example if it's in your pocket, [GCHQ] can turn the microphone on and listen to everything that's going on around you — even if your phone is switched off because they've got the other tools for turning it on.”

Current Tails includes pulseaudio, which is seemingly inextricably entwined with systemd and which appears to establish three 65M files in /dev/shm which appear to contain a short identifying string. Is this cause for concern? Could the fact that pulseaudio uses shared memory be exploited by our enemies?

Same question for TBB running under any other Linux distro which has adopted systemd (all the major distros have done so, I believe).

October 10, 2015

How to verify Tor... there is an explanation on the Tor site (GPG); I tried it and could not do it. Please write a much better instruction, including pics or, better, vids. Otherwise one can easily install a fake Tor.

October 10, 2015

Three points PZ should have made more clearly:

* thanks to NSA policies, EVERYONE everywhere in the world is now a target; no life is too boring, no target too small, no child too innocent, no protocol too obscure, no information too private, no politics too friendly (towards the USA); even high level NSA retirees like Richard George now admit this,

* one consequence of NSA "crossing the Rubicon" (as Michael Hayden put it) is that all other nations/actors now feel entitled to attempt similar feats of cyberespionage, cyberattacks, and "collect it all" global surveillance; devices like BlackPhone probably offer excellent protection against these second and third tier threats, and may be more effective than we fear even against the Fort Meade axis of evil, particularly if widely adopted,

* telecoms, smart phone vendors, managed medical care providers, and other over-empowered corporations have adopted the same "collect it all" mentality as NSA; they insist that consumer "data exhaust" is theirs for the taking; unlike the US government, companies like Google, Verizon, AOL might not kill you or imprison you if they dislike the way you want to lead your life, but they will discriminate against you, harass you, spy on you, and oppress you in less obvious ways; these corporations consider consumers to be the "data-prey" that powers their business model, but devices like BlackPhone can help us to partially redress the balance of power between the corporate oligarchs and their data-prey.

October 10, 2015

Shin Bet and Mossad can and do trace and capture originating ip addresses anywhere and anytime throughout the TOR network

October 11, 2015

Why don't the bridges arrive? I have repeatedly sent a request to obtain bridges and have received no reply at all!

October 15, 2015

Whenever I get into tor, it doesn't matter which sites/services I visit the entry node will always be from the same country. This remains true even when setting a new identity or reinstalling tor browser. Excluding the country in question will only cause a new country to be the source of my entry nodes.

Is this the expected behavior?

Yes, that is expected. If you choose a different random entry relay every time, the odds of eventually hitting a collaborating entry and exit are quite high. When that happens, and you use that circuit to, say, log into an account, then anything you may have done with that account is now connected to you.
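The trade-off in the answer above can be made concrete with a small probability model. This is an added example, not Tor's own guard-selection code: it assumes an adversary controls a fraction of entry relays and a fraction of exit relays, that relay choices are independent and uniform, and that a circuit is compromised only when both its entry and its exit belong to that adversary (the classic end-to-end correlation case). Real guard selection is bandwidth-weighted and rotates guards on a schedule, which the model ignores.

```python
from fractions import Fraction

# Toy model, constructed for this example (not Tor's guard algorithm):
# an adversary controls fraction F_ENTRY of entry relays and F_EXIT of exit
# relays, each circuit picks its exit uniformly at random, and a circuit is
# "compromised" only when both its entry and exit belong to that adversary.
F_ENTRY = Fraction(1, 10)
F_EXIT = Fraction(1, 10)


def p_random_entry(f_entry, f_exit, circuits):
    """P(at least one compromised circuit) when every circuit picks a fresh
    random entry relay: each circuit is an independent f_entry*f_exit trial,
    so the probability climbs towards 1 as circuits accumulate."""
    per_circuit = Fraction(f_entry) * Fraction(f_exit)
    return 1 - (1 - per_circuit) ** circuits


def p_fixed_guard(f_entry, f_exit, circuits):
    """Same question when one entry guard is chosen once and reused.
    If the guard is honest (probability 1 - f_entry) no circuit can ever be
    compromised; if it is malicious, the adversary only needs to wait for a
    circuit that also lands on one of its exits."""
    guard_malicious = Fraction(f_entry)
    some_bad_exit = 1 - (1 - Fraction(f_exit)) ** circuits
    return guard_malicious * some_bad_exit


def compare(f_entry, f_exit, circuits):
    """Both probabilities as floats, for printing."""
    return (float(p_random_entry(f_entry, f_exit, circuits)),
            float(p_fixed_guard(f_entry, f_exit, circuits)))


if __name__ == "__main__":
    for n in (1, 10, 100, 1000):
        r, g = compare(F_ENTRY, F_EXIT, n)
        print(f"{n:>5} circuits: random entry {r:.3f}   fixed guard {g:.3f}")
```

For a single circuit both strategies are equally exposed. Over many circuits the random-entry user is almost certain to be deanonymized at least once, while the fixed-guard user's risk stays capped at the chance that the one guard was bad: most users are never exposed, a minority are exposed persistently, which is the bargain the answer describes.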

October 16, 2015

What are some ways to detect & deter (hack) Pentium computer chips and the current model of products that are emitting signals 24hrs, even in their turned off state including removal of batteries?

This is from your average desktop to the iwatch and bluetooth.

Thank you all for your efforts.

Namaste,
imu

October 16, 2015

Hello, I'm sorry I have to put this comment here:
Don't you have TOR for IOS users?
Sincerely

October 16, 2015

> Shin Bet and Mossad can and do trace and capture originating ip addresses anywhere and anytime throughout the TOR network

There seem to be three claims here:

1. "Shin Bet and Mossad can ... capture originating ip addresses [connecting to the Tor network]"

Agreed, agencies which have created a national e-dragnet can fairly easily tell which IPs are connecting to Tor directory authorities

2. "capture ... anywhere and anytime"

It is well established that using its near-global e-dragnet, NSA can and does attempt to record hour by hour every IP which connects to the Tor network (and the Snowden leaks suggest how it constructed its e-dragnet), but if you think Israeli agencies can do the same, please explain!

The Snowden leaks do show that NSA shares certain "raw SIGINT" data feeds with Israeli agencies, so it is possible Shin Bet and Mossad are granted access to the NSA server which tracks IP addresses which have recently connected to a Directory Authority.

Is that what you meant?

3. "Shin Bet and Mossad can and do trace ... ip addresses anywhere and anytime throughout the TOR network"

Conventional wisdom holds that tracing Tor data streams through the Tor network itself from source IP to destination IP is not possible in general for NSA, Shin Bet, or any other agency. (If they have planted surf-logging malware on the user's computer, they presumably would not need to try.)

It seems to be true, unfortunately, that traffic analysis can enable any agency controlling a near-global e-dragnet (and if NSA has one, we can be confident China, Russia, etc. have or desire one too) to un-mask regular Tor users. People who operate or frequently use hidden services also face additional risks (from FBI malware attacks etc.). But you seem to be talking about a different mechanism.

Can you explain?

October 16, 2015

Reference is made to open and presumably examinable source code in a number of places. How many people wonder about the compilation phase? Could a compiler be engineered in such a way that, on the surface, code compiles correctly, but small pockets of binary code are injected into the executable such that the resulting program, when run, does other less honourable things? Herein is the rub, I think. Unless you have a very good understanding of low level programming (or assembler), not to mention plenty of time on your hands, the odds of finding very discreet harmful modifications to compiled code are rather difficult at best. I'm speculating of course, but it is a point worth exploring for those who dare to venture into the labyrinth of very low level programming!!

October 16, 2015

TBB/Tails users please note: current versions are vulnerable to the Logjam attack! See:

https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-…
How to Protect Yourself from NSA Attacks on 1024-bit DH
Joseph Bonneau and Bill Budington
15 Oct 2015

The issue is easily fixed:

In about:config in Tor Browser, toggle these to "false"
"security.ssl3.dhe_rsa_aes_128_sha"
"security.ssl3.dhe_rsa_aes_256_sha"

Check at https://www.howsmyssl.com to see that your cipher suite no longer includes the lines
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

See also:

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions…
How the NSA can break trillions of encrypted Web and VPN connections
Dan Goodin
15 Oct 2015

http://www.slate.com/blogs/future_tense/2015/10/16/researchers_say_the_…
This Common Cryptography Method Is Alarmingly Vulnerable
Josephine Wolff
16 Oct 2015

https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breakin…
How is NSA breaking so much crypto?
Alex Halderman and Nadia Heninger
14 Oct 2015

This is serious! Tor Project userbase-assistants, please blog about this and make the change in next edition.

On the bright side, Tor Browser appears to offer protections against these issues:

uses TLS 1.2: good
uses Ephemeral key: good
no TLS compression: good
no BEAST attack: good
no insecure cipher suite: good

I recall when the Project painfully fixed BEAST vulnerability and upgraded from TLS 1.1, so thanks again for that.
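The about:config prefs named above (security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha) control the TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA suites, the finite-field Diffie-Hellman suites that the Logjam papers linked above concern; TLS_ECDHE_* suites use elliptic-curve groups and are not the 1024-bit DH case. The following is an added example, not from the comment and not Tor Browser's own code: it takes a list of IANA cipher-suite names in the form a checker such as howsmyssl.com reports (the list here is constructed), classifies each by key exchange, derives the Firefox pref for each DHE suite using Firefox's security.ssl3.* naming convention (an assumed mapping), and, for the server side, checks whether a DH group prime is below an assumed 2048-bit minimum.

```python
# Constructed list in the shape a checker like howsmyssl.com reports
# (IANA cipher-suite names); not a capture from any real browser.
CONSTRUCTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Minimum finite-field DH group size treated as adequate here (assumption;
# the articles above target 1024-bit groups, 2048 bits is the usual floor).
MIN_DH_BITS = 2048


def key_exchange(suite):
    """Classify a suite by its key-exchange mechanism from its IANA name."""
    if suite.startswith("TLS_DHE_"):
        return "DHE"     # finite-field ephemeral DH: the Logjam-relevant case
    if suite.startswith("TLS_ECDHE_"):
        return "ECDHE"   # elliptic-curve DH: not the 1024-bit group problem
    if suite.startswith("TLS_RSA_"):
        return "RSA"     # RSA key transport: no DH, but no forward secrecy either
    return "other"


def firefox_pref(suite):
    """Map a suite to the about:config pref that enables it, following
    Firefox's security.ssl3.* naming (assumed convention), e.g.
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA -> security.ssl3.dhe_rsa_aes_128_sha."""
    name = suite[4:] if suite.startswith("TLS_") else suite
    name = name.replace("_WITH", "").replace("_CBC", "")
    return "security.ssl3." + name.lower()


def logjam_report(suites):
    """Return (exposed, remaining): DHE suites paired with the pref to set
    to false, and the suites that stay enabled after that change."""
    exposed = [(s, firefox_pref(s)) for s in suites if key_exchange(s) == "DHE"]
    remaining = [s for s in suites if key_exchange(s) != "DHE"]
    return exposed, remaining


def dh_group_too_small(prime_hex, minimum=MIN_DH_BITS):
    """Server-side counterpart: given a DH prime as hex (as found in a
    dhparam file), report whether the group is below the minimum size."""
    return int(prime_hex, 16).bit_length() < minimum


if __name__ == "__main__":
    exposed, remaining = logjam_report(CONSTRUCTED_SUITES)
    for suite, pref in exposed:
        print(f"disable {suite}: set {pref} = false")
    print("still enabled:", *remaining, sep="\n  ")
    # Constructed 1024-bit value (all ones), not a real group prime.
    print("1024-bit group too small:", dh_group_too_small("f" * 256))
```

Run against a real checker's output, the `exposed` list is what should be empty after the two prefs are set to false; the RSA-only suites that remain are not Logjam-exposed but offer no forward secrecy, so a list consisting only of ECDHE suites is the better end state.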

October 18, 2015

https://edri.org/data-retention-german-government-tries-again/
(couldn't find much in english to date)

Outrage!

The next German data retention law has just passed parliament. Despite the jurisdiction of both the constitutional court of the BRD in Karlsruhe and the EUGH, members of the Bundestag did it again.

404 voted yes
148 voted no
7 abstained
Germany has a big coalition to date, so that big coalition can pass laws with ease. Very dangerous: a coalition this big can even change the German constitution, turn it into a pile of rubble if it so pleases. And yes, I know it isn't even a true constitution, but that is another story.

Both courts ruled that data retention hurts human rights. In other words, data retention is illegal under the laws of the BRD.

Such is the crime and the mind of members of the Bundestag.

October 22, 2015

> The next german data retention law has just passed parliament.

It would be useful for some civil liberties group to tabulate current metadata retention requirements like this:

                 DE          USA          UK
dialed-number    10 weeks    5-10 years   ?
call-duration    10 weeks    5-7 years    ?
email-headers    10 weeks    5-7 years    ?
geolocation      4 weeks     10 years     ?
encrypted-data   ?           eternity     ?

The American numbers are not made up, but based upon the Snowden leaks, so in 2015 the current requirements are certainly different (and expected to change again in the next few months). The German numbers come from this article:

http://www.theregister.co.uk/2015/10/16/germany_ok_controversial_data_r…
Germany says Ja to data-slurp law 2.0
Controversial regulations approved
Jennifer Baker
16 Oct 2015

All the governments are racing each other for the prize of "leader of the cryptofascist world".

"And Germany takes a small lead... but here is Austria coming up fast on the outside:"

http://arstechnica.co.uk/tech-policy/2015/09/austria-plans-ten-new-spy-…
Austria plans 10 new spy agencies with vast surveillance powers
"Justified suspicion" enough to spy on citizens; no warrant needed, little oversight allowed.
Glyn Moody
10 Sep 2015

We must not forget that GCHQ is also trying to "buffer" (store for analysis at leisure) all content of all internet datastreams everywhere in the world in its TEMPORA system:

https://theintercept.com/gchq-appendix/

And NSA was storing the *content* of every phone call in numerous countries, apparently on the theory that everyone in the Bahamas is a potential dope-dealer, and thus a potential threat to the national security of the US [sic], a proposition which ordinary citizens in that nation might dispute:

https://theintercept.com/2014/05/19/data-pirates-caribbean-nsa-recordin…

All that was in 2013. According to an NSA saying, "opponents never become *less* capable over time", so we should expect that in 2015 the content storing ambitions/capability of NSA/GCHQ/... are even more frightful.

October 22, 2015

While I think tor is a MUST for today's censored world, some people, either out of ignorance or due to specific mission, want to portray tor as evil and in many cases as a haven for child pornography which is today's buzz word for eliminating any dissent under the guise of fighting child pornography. The link below is given from a reputable and honest site that fights the censorship in Iran.

https://tech.khodnevis.org/article/65866

It has shown tor as what I described above. Since I have no way of giving good input to the site, please let them know how useful tor is for Iranians and I for one could not access their site if it were not for tor. This issue should be addressed strongly that tor is not for outlaws, it is for all the good people who want to live and speak freely.

It is the vested interests trying to bring down Tor by bringing it into disrepute who are responsible for the 'criminality' on the network: a three-letter agency was even busted uploading CP to the 'dark-web'.

October 27, 2015

Been seeing this quite regularly whilst browsing with Tor:

"Access denied. Your IP address [77.247.181.165] is blacklisted. If you feel this is in error please contact your hosting providers abuse department."

Wonder who this 'hosting provider' is... ?

October 27, 2015

CISA is about the pass the US Senate by a wide margin. What does this mean for Tor users? Nothing good. At a minimum, expect more and more doors to shut in real life because you have been identified as a Tor user or someone who advocates strong citizen cryptography (that's regarded as "suspicious"). At worst, over time, using Tor may be effectively outlawed in the US. The true effects of the bill will be shrouded in deep secrecy, and may only become apparent over time through an increasing number of anecdotal reports of retaliation against journalistic sources, activists, human rights workers, and privacy/anti-censorship advocates.

Here's why the bill is so awful:

http://www.slate.com/articles/technology/future_tense/2015/10/stopcisa_…
The Many, Many, Many Flaws of CISA
Mike Godwin
26 Oct 2015

In brief:

* a surveillance bill disguised as a cybersecurity bill
* does NOTHING to improve cybersecurity
* financial incentives for companies NOT to improve cybersecurity
* financial incentives for companies to "voluntarily" share info on their customers
* personal information will be widely shared, poorly protected
* info will be shared in bulk with DHS, NSA, NCTC, etc.
* can be used for purposes other than "cybersecurity"
* enshrines state-sponsored discrimination
* facilitates IRL retaliation against activists, whistle-blowers
* blanket immunity for companies to violate privacy regulations
* blanket exemptions allowing government to violate transparency laws
* blanket exemption from examination by regulatory agencies
* key terms such "cybersecurity threat", "personal info" undefined
* interpretation of bill by TLAs will be secret and aggressive

A minority of Senators, including Ron Wyden and Al Franken, tried hard to introduce amendments which would blunt the worst effects of CISA on US citizens:

https://cdt.org/blog/guide-to-cybersecurity-information-sharing-act-ame…
Guide To Cybersecurity Information Sharing Act Amendments
23 Oct 2015

One by one, the US Senate has voted them all down:

http://thehill.com/policy/cybersecurity/258189-senate-kills-privacy-adv…
Senate kills privacy advocates' bid to change cyber bill
Cory Bennett
27 Oct 2015

The mood of the enemies of privacy is triumphant:

http://thehill.com/policy/cybersecurity/258170-cyber-bill-to-sail-in-se…
Cyber bill to sail in Senate
Cory Bennett
27 Oct 2015

But our enemies are not satisfied and continue to call for future warrantless dragnet surveillance/sharing "enhancements":

http://thehill.com/blogs/floor-action/senate/258200-reid-cyber-bill-bet…
Reid: Cyber bill 'too weak'
Jordain Carney
27 Oct 2015

Any comment from Tor Project on the likely impacts of CISA on the US Tor user community?

November 03, 2015

where do i go for some good beginners knowledge on hacking i wanna arm myself to join the fight against isis and the kkk online!