IRC Archive / Oftc / #tor / 2010 / January / 21 / 1
rudi_s
arma: Yes.
arma
rudi_s: just sent the 0.2.2.7-alpha mail
Sebastian
arma: no, it isn't updating, that's the old installation. I just updated it manually once, so you can point people
arma
sebastian: what's the new one?
Sebastian
the new one will be gitweb.torproject.org once it is ready
I need to fight my way through weasel's scripts first.
arma
ah. so, that's the old one, which is the current one, which is not being updated. soon there will be one that gets updated. great.
rudi_s
arma: Thanks, got it.
Sebastian
arma: yes. Old urls will continue to work on the new one.
arma
rudi_s: the 0.2.1.22 announce i'll send later today. it's basically a tiny subset of the 0.2.2.7-alpha changelog.
         

rudi_s
arma: Ok. Thanks again.
Sebastian
arma: if you need anything before tomorrow night, send email please.
arma
rudi_s: http://gitweb.torproject.org/tor/tor.git/blob_plain/HEAD:/ChangeLog
rudi_s
Thanks.
BarkerJr
I got a Tor Software Error in the vidalia (really tor) logs
Jan 20 18:34:38.029 [Warning] router_orport_found_reachable(): Bug: ORPort found reachable, but I have no routerinfo yet. Failing to inform controller of success.
dr|z3d
(Action) lies in wait for Fandekasp
MoiraA
need to reboot after updates, back tomorrow
arma
BarkerJr: can you get this reliably? or did it just happen that once? do you have other logs to go with it?
dr|z3d
Fandekasp: I hope you've managed to sort your connection issues..
(if you haven't, we'll be implementing a temporary ban to save the channel from join/quit spam).
Fandekasp
ok dr|z3d, sorry for the disturb
dr|z3d
Fandekasp: No problem.. hope your connection's solid.. we all from time to time have issues, some more than others *hides*
Fandekasp
yes I hope too ^^
ccxCZ
hi, I've just read up on hidden services and I was surprised by shortness of the hash string. It has much less random values than md5 that is considered insecure. Is there some protection against possible colliding keys?
arma
well, the first 80 bits of sha1 are stronger than the first 80 bits of md5
ccxCZ
s/random/possible/ sorry
is that good enough, or is it simply because no one bothered to construct attack on partial sha1?
arma
well, it's not partial sha1. partial sha1 would be sha1 with fewer rounds.
this is full sha1, just not all the output.
we don't care about collision attacks. if you generate two public keys that hash to the same address, go you, nothing is hurt.
we only care about inverting attacks. and for that, 80 bits is still a lot of bits.
nickm
(also, you need to find a preimage that is a working RSA key, or else you can't actually do the hidden service impersonation attack.)
ccxCZ
nickm: yes, I guess that can be difficult, but is it enough protection? I'm not a cryptologist though I know fairly well how RSA works.
nickm
Well, if birthday attacks on SHA1 are non-doable because of the work needed, this should also be non-doable.
Of course, SHA1 is showing its age anyway, and using a better hash algorithm wouldn't be a terrible idea
ccxCZ
You can choose the exponent to be any coprime number to phi(pq)
         

nickm
Tor only generates keys with e=65537. We could check all hidden service keys to make sure that their e is right
This would annoy the people who generate keys to try to make their hidden service id end with "very133t.onion", of course.
arma
don't those people use our e anyway?
nickm
arma: I am pretty sure one of the programs that generates lots of keys does so by trying lots of e values, since that's easier than making lots of p and q.
arma: I am willing to break this, or at least warn loudly.
ccxCZ
note that birthday attack on half of sha1 should be about 2^80 simpler, if I'm not mistaken
nickm
worse; birthday attack on half-of-sha1 is 2^40 rather than 2^80. But that's irrelevant!
22:03 < arma> we don't care about collision attacks. if you generate two public keys that hash to the same address, go you, nothing is hurt.
ccxCZ
can't you generate key that hashes to same value as already used service? Is then the original service protected somehow?
arma
if you only get to pick one key, but not the other, it's not a birthday attack.
it's an inversion attack. which is way harder.
ccxCZ
that's true
keb
(Action) eyes topic
dr|z3d
Hmm, keb? New version(s) is/are upon us?
keb
hmm, maybe the message didnt go out on or-announce yet
arma
keb: yep. it's sitting in my queue
problem is, no stable tbb's available yet
i'm probably going to end up sending the mail anyway. the version is out. not my problem if you can't upgrade. :)
keb
http://archives.seul.org/or/talk/Jan-2010/msg00162.html
yeah it didnt
well the tbb with torbutton 1.2.4 was out for a few weeks before torbutton was available on mozilla add-ons
no one here's fault though
dr|z3d
amo take _ages_ to review new addons.
keb
at least 5 generations of fruitflies
dr|z3d
Haha, yeah, something like that *chuckle*
arma
heh
http://edition.cnn.com/2010/BUSINESS/01/20/china.media.google.ft/
"woo"
keb
i'm getting a lot of messages in my logs lately like this: unexpected RCODE (SERVFAIL) resolving 'ns3.mAJORDOmO.rU/AAAA/IN': [ip]#53
used to seeing that sort of thing when running email services, but this box does not do any emailing
arma
i think the funny capitalization is done by tor
keb
yeah
also the connections by tortunnel mechanism have continued
heh. also an ssh login attempt every hour or two. but now i only allow ssh from certain static ips
when i go to http://www.torproject.org it no longer redirects to https://www.torproject.org
arma
i think it never did
i think http://torproject.org/ did
keb
ah
arma
(and still does)
there more detail for or-talk than most people probably want
keb: there, or-announce mail sent
time for the flood of unsubscribes from or-announce
G-Lo
Hi. How to force Tor to use a network controller that is not my default one, on windows? I tried OutboundBindAddress, but it's still using the parameters of my other network
(which is a VPN)
dr|z3d
G-Lo: Just make the listening address for the control port not localhost, and then connect to it with your alternative controller.
yafrank
Hi, does anyone succeed in hook up to tor network from Ubuntu Jaunty x64 using torproject.org repo?
I still can't even with bridges got from gmail
The version is tor-0.2.1.21-1~jaunty+1 and privoxy-3.0.9-1.
I've tried the vidalia, put in bridges from gmail, and still no go. Vidalia even ask me to put in the control password which I don't set any.
StrangeCharm__
so, the attack on moira1: it involved someone getting a user-level ssh logon, then using some privilege-escalation trick to get root on the box? are there shell logs of what the attacker(s) did?
SwissTorExit
morning to everyone :P
i am on testing Torbutton on the new Firefox from this morning but it's write about polipo, i have privoxy runing and it seem that's work
my question are , it is now the same port for polipo and privoxy ?
i mean 8118 and 9050 if i am on "polipo" option as proxy by default
weasel
arma: I think I'll prepare a 0.2.0.35-2 package with new fingerprints
arma: wasn't there some other patch we wanted to backport too?
arma: exit node DoS?
adam44
Hello. I'm running a Tor relay and a Tor client on two different machines that are connected to the Internet through a NAT router. Could there be any conflicts in this setup security wise? Thank you.
SwissTorExit
i have a problem with Torbutton, i can't login in a couple site who i need a cookie , a couple work and other not ? it is someone with a idea ?
nsa
or: pootle committed revision 21459 (/translation/trunk/projects/website/zh_CN/vidalia): commit any updated files from pootle
or: runa committed revision 21460 (/translation/trunk/projects/website): updated po files to make pootle happy
Runa
arma: the .po files now match the english .wml files (so, no duplicate lines in documentation.po, for example) :)
arma: the solution was just to update the .po files again. I guess it's been a while since I last did it.
calwig
Hello, Good Day, About the encryption of Tor
If you are on the end node (that is where I'm checking my email) how can I get to see the encrypted data? Would I be able to sniff encr or decr packets if I sniff them on the same end?
You people in the US, always sleeping :)
Runa
calwig: to be honest, I don't think that anyone is going to tell you how you can see the encrypted data at an exit node.
SwissTorExit
hi Runa, yes , sure thing
Runa
SwissTorExit: did I trigger your highlight? :)
SwissTorExit
i don't get what do you mean , i will translate wait
lol
adam44
Hello. I'm running a Tor relay and a Tor client on two different machines that are connected to the Internet through a NAT router. Could there be any conflicts in this setup security wise? Thank you.
uSuRa
runa: tor is not a security thing, so ppl need to be aware of m-i-t-m attacks especially when using crypto
adam44
uSuRa: why mitm attacks are more likely to succeed when crypto is in use??
uSuRa
'I use crypto therefore I'm safe' (= not true)
BarkerJr
arma, I just restarted tor and vidalia and it gave me the warning again
where can I find more logs?
adam44
uSuRa: what would be the best position in the Tor chain for an mitm attacker in your opinion?
uSuRa
the only option would be the exit node
adam44
but at the exit there's no information available that points to the source
Question: I'm running a Tor relay and a Tor client on two different machines that are connected to the Internet through a NAT router. Could there be any conflicts in this setup security wise? Comments are appreciated.
BarkerJr
no, you're fine
your client will not use your relay, because it's on the same subnet as you
adam44
I thought it was the case. Thanks anyway.
BarkerJr
np, I hope I'm right :)
adam44
Another question: does the Tor client do any communication with the entry/relay/exit nodes while building a circuit?
BarkerJr
I believe that each hop picks the next hop
adam44
As far as I know, it is the client who decides which nodes to use.
karsten
the client picks the nodes and builds a circuit to the first hop, then tunneled over the first hop to the second, and so on.
meaning the client only talks to the first node (entry node) directly.
adam44
karsten: so there is not even an introductory communication between the client and the relay/exit nodes
karsten
yup.
not a direct connection.
adam44
thank you
BarkerJr
ah, I misread the changelog I guess
adam44
karsten: is it right to deduct then, that an attacker who is able to monitor my client-ISP communication is not able to learn what the relay and exit nodes are in my circuit?
karsten
correct.
after all, that's part of the goal: separating who knows that you're talking (seen at the entry node) and what you're talking about (seen at the exit node).
adam44
it's ingeniously designed
BarkerJr
Jan 21 01:37:54.902 [warn] Failed to decode requested authority digest...
is that bad?
karsten
potentially. did you upgrade to 0.2.1.22 or 0.2.2.7-alpha?
adam44
Would someone be kind enough to download the current Vidalia Bundle for Windows and create the MD5 checksum for me? Thank you.
rieo
no, it's broken client's request. there are "%20" exist at the nondecoded string?
karsten
ah, that problem. it even has a flyspray number, i think?
BarkerJr
I upgraded to 0.2.2.7-alpha
but yes, there's a %20
several of them, actually
karsten
ah, it's not in flyspray, but on or-talk. subject "Failed to decode requested authority digest". does that look related?
good thing we have more than 1 bug-tracking system.. or wait, is that a bad thing?
misc
well, that's a good thing, since you can still find stuff when there is nothing in first one. Without it, most project are stuck to abandon research once the first one is done :)
dr|z3d
I think there's plans to migrate flyspray, no? Guess it's non-trivial.
karsten
there are plans to move to trac some time. i think weasel already wrote a migration script. not sure what the status is.
dr|z3d
"in progress" :)
karsten
but that's not going to solve the problem that some bug reports are sent to or-talk, only stated here, written to some hidden service that nobody knows, etc.
or maybe it solves some of those problems by allowing easier registration? don't know.
adam44
Would someone be kind enough to download the current Vidalia Bundle for Windows and create the MD5 checksum for me? Thank you. https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.1.22-0.2.6.exe
dr|z3d
adam44: One request is plenty. :)
adam44
sorry
dr|z3d
adam44: Likely phobos will fix your checksum issue before none too long.
adam44
Thanks.
dr|z3d
He's the one to badger ;)
Runa
uSuRa: yes, of course, but I feel there is a difference between knowing what might happen and knowing how to do it :)
BarkerJr
I don't subscribe to or-talk, cause it's way too busy
uSuRa
those that want, know :)
Runa
uSuRa: sure, but we don't have to tell people how to do it. If they want to know, they can figure it out on their own :)
adam44
dr|z3e: in your mild moderator role, after how long do you think it's appropriate to repeat a humble request if there's no sign of reply at all?
calwig
Runa: on my end, if I want to see my own data
Runa
adam44: people usually wake up in ~4 hours or so
adam44
Very good, I'll be patient then.
dr|z3d
adam44: Every couple of hours, if you must. No more frequent than that. phobos will hopefully be around before you next SOS!
adam44
dr|z3d: it's just the feeling of uncertainty that anyone is going to deal with my request that dictates to repeat it from time to time
StrangeCharm__
adam44, have you tried the mailing list too?
adam44
StrangeCharm: about this MD5 request I'd find it more secure to get an online reply
Runa
adam44: you just want someone to download and check the md5sum?
adam44
yes
Runa
are you on windows?
(I'm guessing you are since you linked a .exe)
adam44
yes, WinXP
Runa
which program do you use to calculate the checksum?
adam44
TotalCommander has an MD5 feature
Runa
ok, thanks
:)
dr|z3d
adam44: phobos reliably informs me there's _never_ an md5 hash for Tbb.. he does sign the installer, however.
adam44: "gpg --verify works"
adam44
yes, I have done that md5 is just a doublecheck
dr|z3d
So why not download Tbb from 2 locations, create the hash yourself, and cross-validate?
2 locations or 2 circuits/proxies/endpoints/what have you..
adam44
dr|z3d: another chatter was kind enough to actually do it for me but anyway ... thanks for the tip
dr|z3d
adam44: Ah, a happy ending at last! Great!
calwig
So if I am the client using tor and I use wireshark to read packets, will it be possible to see them encrypted or because they are not yet encapsulated, I get to see them still in text mode?
adam44
calwig: I've tried this. In WireShark they're already encrypted.
calwig
ok good, I will try then.
adam44
What you see in WireShark is almost the same what goes in and out on the line.
except the lowest level ethernet stuff
dr|z3d
Your requests -> Tor client = unencrypted.
adam44
dr|z3d: not sure you sent it to me... what does it mean?
dr|z3d
adam44: Oh, sorry, no, was for calwig, who disappeared before I noticed.
It means monitoring your Tor requests over Wireshark should be fine, in essence.
adam44
I have done it myself.
weasel
is anybody here running debian lenny, with the tor that ships with lenny? (0.2.0.35-1~lenny1)
rudi_s_
weasel: Yes (as client, not as relay).
weasel
rudi_s_: want to give my packages a test-run before I upload them to debian lenny?