IRC Archive / Oftc / #tor / 2010 / January / 14 / 1
calwig
hmm, i can reach you all thru non-tor, but tor conn bans me
reason?
jr_
the server may block the exit node
calwig
so? gotta keep trying?
jr_
that might work
:-/
calwig
till a new exit node isnt on the blocked list
ok i try
talk about privacy
anonymisierungsdienst.foebud.org (Banned)
jr_
?
calwig
trying to go thru tor but they ban my tries
jr_
:(
calwig
its ok, i just need some info here
but im looking for it
on the web
         

BarkerJr
are v2 directory mirrors still any use?
Plug
$address (Plug,1)
nsa
or: mikeperry committed revision 21411 (/torflow/trunk/NetworkScanners):
or: Add code to dump stats on ratios for guard, middle, and exit
or: nodes.
yafrank
hi all,
Has anyone succeeded in installing tor on Ubuntu Jaunty following http://www.torproject.org/docs/tor-doc-unix.html.en?
Since torproject.org is blocked here, I had to proxy the apt operation through another box with a working tor. But the newly installed one couldn't connect to any relay node.
Fred_
i gotta believe that tor on ubuntu works
QPrime
yafrank: the relay nodes are publicly published so they are likely blocked by the GFWC. you will likely have to get a few bridge nodes and connect manually to those. once they get you onto the tor network you should be good to go with connecting to other peers.
from the tor docs... "Another way to find public bridge addresses is to send mail to bridges@torproject.org with the line "get bridges" by itself in the body of the mail. You'll need to send this request from a gmail account, though otherwise we make it too easy for an attacker to make a lot of email addresses and learn about all the bridges."
yafrank
I guess it should work on Jaunty, since I haven't found many related complaints from google.
QPrime
it should work fine on jaunty.
yafrank
The other working tor is a Ubuntu Hardy.
QPrime
http://tinyvid.tv/show/3uiwckrlqynqv <--- video info about bridges,
yafrank
The setup is relatively smooth except the apt proxy part.
Thanks, I'll check it right away.
QPrime
no problem. good luck.
Fred_
why gmail?
well i officially think requiring a gmail acct to get bridges sucks
QPrime
I would guess that it allows the tor admins to offload the fake account phishing to gmail and lowers the number of possible abuse vectors to find out all the bridge relays. and gmail uses https so at least your mail requests are (somewhat) private.
Fred_
everyone uses ssl
hotmail uses ssl
QPrime
not everyone.
phobos
may providers use ssl for login only
err, many
j_r
up until recently gmail was the only one to allow always on https
QPrime
phobos is correct.
Fred_
u can always actually set up an IMAP or POP client
and force it all thru ssl
         

j_r
but the issue is account creation
Fred_
afaik with hotmail and yahoo too
j_r
in this case
google tends to be a bit more picky
Fred_
yeah, doesnt allow tor users for example
:)
they're nothing but trouble
j_r
I've had trouble with it, but Sebastian hasn't
so its hit or miss
QPrime
Fred_: well then you have no need to use gmail to request bridges ;)
Fred_
i dont currently
at all
QPrime
Fred_: yeah, doesnt allow tor users for example <-- ref for my comment.
Fred_
what was the other way to get one?
ah
yafrank
well, I don't think it's caused by the ISP block so we need a bridge to bypass it, as the working tor in my Hardy is in the same lan of the corporate network.
QPrime
yafrank: is the working hardy node making use of bridges at all? and remember, the blocks we are talking about are tor node IP's not the public isp ip at the edge of your corp network.
*remote tor node IPs
yafrank
I don't know, It's the default one from Hardy,
QPrime
then prolly not (and if its hardy then its an ancient version of tor)
Fred_
if you run a relay with several ips, can you make one public and the rest bridge ips
yafrank
And the box was setup maybe 2 years ago, shouldn't use the torproject.org repo.
QPrime
Fred_: would not surprise me if the general ISP FW rules simply block a /29 or /28 when they find a tor node - just to be safe.
Fred_
:(
yafrank
I don't remember ever putting any bridge ips into the 0.2.0.34-1~hardy+1.
Does that mean the new version 0.2.1.21-1~jaunty+1 uses different tor nodes which are blocked here?
QPrime
yafrank: try telnetting to 62.40.184.106 on port 9001 - its a public tor relay see if you get a connect
yafrank
Connection closed by foreign host.
QPrime
then its blocked.
its possible that your old tor node knows about a public relay that is not currently blocked and is using it.
just to be safe... you ARE doing this from a nice (reasonably anon corp environment) right?
yafrank
OK, I guess I'll have to try the bridge as my new box is too new for Hardy. Is it possible to set it without vidalia?
QPrime
yafrank: yes... you can hand config everything in the /etc/tor/torrc file
yafrank
Thanks, gonna test it right now.
QPrime
good luck and be safe
Fred_
is there any benefit to multi ip relay then?
QPrime
Fred_: not *really* sure... if I were trying to stop tor I would be pretty liberal in my use of at least /29's on known tor hosts. the devs (and a few others) might have more info on the usefulness of same subnet multi-ip tor nodes.
rieo
can anybody write the question to 1208 bug: "were subdirs of datadir deleted for sure"?
QPrime
Fred_: and once you know the ip addy of a tor node its pretty easy to remotely find the entire subnet. if its an allocated /28... then block it outright (because its usually under the control of a single person/organization).
Fred_
yeah, doesnt look good for me
QPrime
Fred_: and thats why Bridge nodes are pretty important for people living in countries where tor might get you a bullet in the head :(
like I said before, I'd run a few bridges - but my subnets are already 'dirty' *sigh*
j_r
will v6 help any in terms of supplying "clean" subnets?
QPrime
j_r: by sheer volume possibly - ipv6 has a few other goodies that might make things easier as well.
j_r
yes I was referring to the volume
I have friends who have been given class Cs that were "dirty" in other respects
QPrime
dnsbl's and other such horrors... yeah thats always an issue.
j_r
was a big botnet or something
got some very weird traffic
had to tweak the settings at the gateway
to block certain subnets
QPrime
ouch... hope they got the upstream provider to help them sort it out.
nothing quite like getting handed an entire /24 thats blacklisted to hell and back.
j_r
yup
does Tor have many v6 visible relays?
any v6 only?
(assuming it supports v6 at all)
QPrime
not sure... atm I'd say that 2.1.x is ipv4 only (at least in production) I've never seen an IPv6 relay.
j_r
ok
does that ever come up?
adding v6
QPrime
any IPv6 testing that might have been done has prolly been done with v4 to v6 tunneling
j_r
yup
I don't have any sense for how useful it would be
some places are serious about v6
QPrime
I'm sure it has (but I dont troll the channel enough)
j_r
but the US has so much of v4, that there isn't much push
QPrime
I wish my provider would - I currently get v6 subnets via a tunnel broker.
j_r
I know some people in CA (state) who do it without a tunnel broker, but I don't think its common
QPrime
v6 is gonna get important pretty quickly (next 2 years or so I would guess) there is quite a bit that can be done to put off the pain of a transition, but its a big train heading for most providers.
and (to get back on tor topic) it should be pretty easy to make tor fully ipv6 ready. everything is already there in most major os platforms.
and the abstraction between the transport and the address layer should already be there in tor
j_r
ok
well v6 deployment levels are relevant
tor has limited dev resources
only want to think about it if it would be widely beneficial in the next year or two
Fred_
i h8 ajax
j_r
now that's #nottor
:D
QPrime
lol yup it is.
MoiraA
hello could I please check basic tor settings for irc?
it is 9001 as the port?
xchat has a different way of asking for stuff than mirc
is address to bind to localhost? 127.0.0.1?
err 9050 sorry
Fred_
9050 is socks
MoiraA
proxy server has me puzzled
address to bind to is 127.0.0.1
port socks5
erm 9050
proxy server?
Fred_
sounds good
MoiraA
got nothing to put in proxy server though
leave it blank?
there is no other info I can find
Fred_
localhost
MoiraA
same as address to bind to?
that is also localhost
Fred_
i guess
MoiraA
xchat aqua has some dumb features
thx :)
well it seemed to work :))
Mitar
how many hops do tor circuits have?
Fred_
3
bnadland
hi, is git.torproject.org up and running? I get timeout errors for about 2 weeks now
j_r
phobos: who is the admin there?
Sebastian
bnadland: no, not yet. It should work again in a bit (the git server is restored, we need to point dns over and fix a few related services). This should all happen in the next 24hours.
j_r
Sebastian: what happened?
bad disk?
bnadland
thx, for reply. what happened?
Sebastian
http://209.85.129.132/search?q=cache:5eM9pUyaCC0J:www.mail-archive.com/or-talk%40freehaven.net/msg12331.html
j_r
so you just took it offline for 2 weeks because it *might* be vulnerable?
0.o
would have had the replacement set up first
Sebastian
Tarballs are still available. Having your source code repository compromised is not nice.
j_r
yup
as Fedora found out
heh
QPrime
Sebastian: in the case of an old (working) node and a new (non-working, unable to peer due to GFWoC) would a simple temp solution be as simple as grabbing the cached-* files from the working node and firing up the new node with these files? (assuming the file format is the same from v2.0.x to v2.1.x)
Sebastian
QPrime: yes, that's a good idea
QPrime
yafrank: see above ^^^^ as a possible option to try...
Sebastian: thanks, I was thinking about yafrank's issue a little more.
Sebastian
ah, I missed that I think.
rieo
can anybody write the question to 1208 bug: "were subdirs of datadir deleted for sure"?
Sebastian
rieo: done
rieo
thanks
QPrime
Sebastian: in yafrank's case his old node might have a descriptor cached and active that is currently not blocked (thats how he was able to pull a new tor version to a new box), but he's unable to get a new node up (tried telnet to a public entry and got a tcp RST) does the state file track current active connections? and would that also be needed on the new box to get his new node up asap? (if of course this is the problem to begin
Sebastian
your last message didn't go through completely
the state file contains his guards, and these might well be valuable information if they aren't blocked.
Active connections aren't recorded in there, though.
QPrime
ok... understood. so a possible solution is to grab cached-* and state, copy over to a new install, fire it up and hope for the best (resorting to bridges if it fails totally). in his situation (assuming it worked) he'd also want to grab a few bridges as soon as possible as well to avoid possible issues in the future. does that about sum it up?
Sebastian
yes
QPrime
I wonder how often this might happen... a node thats left on for some time manages to peer with an unblocked node eventually. might there be some option for automatic dissemination of bridge nodes to these "almost lost" nodes?
Sebastian
I don't really understand what you're proposing here.
QPrime
if a node has limited visibility of network peers it sends a request to the ones that it can connect to. they hash the peer fingerprint and forward that to a directory server which stores the hash and dishes out (in a rate controlled way) possible bridges that are then forwarded to the node with limited visibility. requests from hashes that are seen too often (perhaps more than once a week) are discarded as bridge phishing attempts.
does this make any sense at all?
Sebastian
So you're saying that a relay uses bridges to connect to the network?
QPrime
no, the relay is used to gather bridges to populate the troubled node with bridge node info.
j_r
Does Snader's thesis on path selection contribute much?
i.e. should I add it to my to-read queue?
QPrime
basically looking for a way to have a node thats "in trouble" automatically ask for a limited number of bridge nodes (that may not be blocked)
Sebastian
where a node is a client
QPrime
yes
Sebastian
ah. that won't work, clients don't have identities
But we do have a bridge authority that clients with a somewhat working network can connect to, to refresh bridge descriptors.
QPrime
Hmm.. a non relay node has no identity?
dr|z3d
http://ixquick.com is worth a look. Seems to have the best privacy policy of _any_ engine.
QPrime
Sebastian: perhaps this has already been thought out and coded for... I'll have to use "the source" before I make pointless suggestions :P
"Clients with a somewhat working network" = clients that *are* able to make at least one peer connection to a tor node?
Sebastian
well, you shouldn't have to. But reading the bridges spec might be a good idea, http://gitweb.torproject.org/tor/tor.git/blob/HEAD:/doc/spec/bridges-spec.txt
QPrime
dr|z3d: I'm trying to make the switch from google now... been using ixquick for a week.
Sebastian: looking now thanks
Sebastian: what is the current action of a client (not using bridges) that is able to connect to a single entry and nothing else? does that client basically sit there attempting connections to other possible (non-bridge) entries learned via directory?
Sebastian
yes, it will pick a few guards, and try to connect to them