IRC Archive / Oftc / #tor / 2010 / March / 16 / 1
nsa
or: [tor/maint-0.2.1] 2010-03-15 22:08:29 Roger Dingledine <arma@torproject.org>: bump to 0.2.1.25
arma
tord 5422 13.8 13.2 964376 794516 pts/14 RNl+ Mar11 832:48 ../git/src/or/tor -f moria1-orrc
ilter
Sebastian: Yes, I saw it. Thanks nickm.
x0x80
hello?
Sebastian
patience, you lack it.
dun
lol
Sanata
loal
nsa
or: pootle committed revision 21975 (/translation/trunk/projects/website/nb): Commit from The Tor Translation Portal by user bleakgadfly. 19 of 23 messages translated (2 fuzzy).
frazzydee
how do I block a specific port using tor? (mac version)
Sebastian
frazzydee: please explain what you mean?
pedrib
hey guys
Sebastian
do you mean running an exit node?
frazzydee
Sebastian: yes
pedrib
im reading the 0.2.1.22 announce at http://archives.seul.org/or/announce/Jan-2010/msg00000.html
Sebastian
frazzydee: how are you running it? From Vidalia, or configured via torrc?
frazzydee
Sebastian: I need more ports blocked when I disable IRC
Sebastian: Vidalia.
pedrib
where it says "Bugfix on 0.2.1.6-alpha." does it mean that only 0.2.1.6-alpha and up are affected?
Sebastian
frazzydee: ok, so unfortunately Vidalia only allows coarse control. You could try asking in #vidalia how to get your custom torrc modifications working with your Vidalia setup. Be patient, though
pedrib: yes
pedrib
thanks Sebastian
just to confirm, this means that 0.2.0.x are not affected?
Sebastian
you should check the release notes for the last version of 0.2.0.x
maybe that was affected because something from 0.2.1.x got backported to the 0.2.0.x tree
but you shouldn't run 0.2.0.x anymore
;)
pedrib
i know... but unfortunately it is supported in Debian lenny
so we have to keep up with it
Sebastian
frazzydee
I have already unchecked IRC from the exit policies section, but rizon won't let me connect unless I also block ports 7000-7001
Sebastian
frazzydee: yes, see my answer above
pedrib
thanks Sebastian but I'm actually working for the security team! I use tor from unstable :)
frazzydee
sorry, missed that, thanks :)
Sebastian
pedrib: ah :)
heh
pedrib: I'm pretty sure weasel would've bugged you
pedrib: what's the exact issue? I can double-check
pedrib
Sebastian, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0385
Sebastian, the last version is the same as the tor 2.0.35 plus commit a89f51c936f8bd3c2aef3e9472d5310c83dc8fa7
so i guess it should not be affected
Sebastian
pedrib: right. It isn't affected. Also, there's exactly one Tor instance running as bridge authority. That may or may not factor into your decision, I don't know.
(or would, if it were affected)
pedrib
Sebastian, im not sure what you mean?
Sebastian
let me explain the issue
Some Tor relays have special relevance to the network
there are the directory authorities, that make a consensus of who is a relay and who isn't
and there's one bridge authority that stores bridges and gives them out a few at a time to people seeking to use bridges.
Both the directory authorities and the bridge authority are hardcoded into Tor's source
This vulnerability only affects the bridge authority. It could be used to learn more about the bridges that are stored by the bridge authority than intended
pedrib
oh ok
so basically only one server is affected?
a low risk vulnerability then
i had no idea how tor worked
Sebastian
yes, only one server is affected. We patched it before releasing the code change into the wild
pedrib
ok thanks a lot Sebastian
im going to close the vulnerabilities
your help is much appreciated
waltman
Sebastian: thanks for your help last night. I changed Address to my IP address and the error went away.
Sebastian
pedrib: thanks for doing an awesome job
waltman: awesome, thanks for running a relay
waltman
a bridge, but you're welcome
Sebastian
almost as well :)
frazzydee
By the way, bridge is like a relay, but can only function as an intermediary node, right?
rudi_s_
frazzydee: Yes. It's an entry node for people living in a country which blocks the regular tor nodes.
frazzydee
so then, why is it not the default setting?
rudi_s_
frazzydee: There was/is much discussion about it, I'm not sure about the last "official" answers. Please check the mailing list archives.
Sebastian
frazzydee: default as in everyone is a bridge?
frazzydee
I'll browse the mailing lists when I have a minute then, I guess. Sebastian, yes, as a default setting. I mean most p2p software will upload by default, right?
Sebastian
frazzydee: we're working on that. It's not as trivial as it is with p2p apps, because we want to support clients that cannot be bridges
well, it's not trivial with p2p software ;)
rudi_s_
Sebastian: I'm curious though, why not just (after asking the user of course) check reachability and bandwidth and if enough is available start a bridge (20KiB or so)? This wouldn't work for NAT/etc. but for others it should.
pipe
are there any other steps where the user is asked questions?
Sebastian
pipe: nope
pipe
there you go
rudi_s_
But in Vidalia it should be relatively simple to implement a startup question.
pipe
yeah
rudi_s_
(And I think "most" people use Vidalia.)
frazzydee
rudi_s_: I thought vidalia speaks UPNP, and can automatically open ports on most routers?
Sebastian
frazzydee: upnp is very brittle
pipe
unless the user cares even the slightest about security and has disabled upnp
Sebastian
I recommend that you disable it if you haven't
frazzydee
Yeah, I'm just saying it would work in a lot of cases, not all
phobos
most routers have upnp enabled
frazzydee
enough have upnp enabled that setting as a bridge by default will create a LOT more nodes. It's my understanding that this should make the network noticeably faster
pipe
Unless there is some overhead
frazzydee
I mean, I understand not setting as an exit node by default (possible criminal implications for users), but automatically setting as a low-bandwidth bridge seems harmless enough
pipe
frazzydee: But with that logic, wouldn't it be better to set them up as low-bandwidth relays too?
Sebastian
pipe: not necessarily
Tor cannot handle large amounts of relays
phobos
these are both proposals in progress
Sebastian
Most home routers can't handle that many connections
pipe
ah
Sebastian
That's one of the most common problems relay operators face
pipe
It's the same problem with p2p applications
Most people still use them :)
Sebastian
"I'd run a non-exit relay, but my home router just burst." "I'd run a relay on my vserver, but they only give me 2k connections"
most people? No, most people don't use them.
pipe
ok then, slight exaggeration
frazzydee
Sebastian: Most people within the subset of people who want to download music use them ;)
Sebastian
frazzydee: right. I don't think they are the typical Tor users.
pipe
Actually I think they are, but I don't want them to be
frazzydee
Sebastian: No, but people who want to stay anonymous are, and they usually use proxies
Sebastian
frazzydee: then I'm missing your point entirely.
frazzydee
Actually I don't even know what my point is, I should really shut up now.
danieldg
it might be nice if there was a way for a relay to advertise limited connectivity (like a list of 20 neighbors) to solve the nat-overwhelm problem. I would guess this would seriously complicate building a route though
Sebastian
danieldg: yes, it would. Also think about the overhead if 5000 relays need to get that list to clients
danieldg
right, that too
Sebastian
danieldg: also, there's an anonymity problem here
If there's a small cluster that can only connect to itself, and you start with any node from that cluster, your entire circuit is in that cluster. Too bad if that's an adversary
danieldg
perhaps some deterministic way of determining which peers you should neighbor with, given a number you are willing to neighbor with
the client would have to consider this problem and possibly build longer chains when members of the chain have too low a limit
Sebastian
that's brittle again. It makes it less likely that there'll be such a cluster, but now you made it so that every client needs up-to-date directory information all the time
danieldg
hmm, why does that force clients to have up-to-date information?
Sebastian
So the relay has a list of nodes, and there's some mechanism that marks some of those as possible connection targets
and the client has a list of nodes, and does the same calculation
only there are different relays in the list
danieldg
make the can-peer(x,y) function only depend on size(x), size(y), id(x), and id(y)
hmm, size() would need to be a fraction of the total size, not an absolute number, but that's fine
Sebastian
it still wouldn't work
the clients choose the path
not the relays
danieldg
yes, the client would have to choose a path that is allowed
Sebastian
So how does the client know size(x) if it doesn't have up-to-date information?
danieldg
it's published with x's descriptor
Sebastian
which is valid for a few days or so
danieldg
right
that's how the client found out about x in the first place, yes?
Sebastian
yes
So I'm x
and I change my size(x)
and that takes a few hours to propagate to you, the client.
During that time, oops
danieldg
making it larger or smaller?
Sebastian
yes
danieldg
if you make it larger, it will be fine
if you make it smaller, people will try to connect to some peers that you no longer neighbor with
Sebastian
oh, so you want to guarantee that can-peer(x,y1) > can-peer(x,y2) iff y1 > y2?
danieldg
yeah
Sebastian
while at the same time everything from can-peer(x,y2) is an element of can-peer(x,y1)?
danieldg
I was thinking can-peer = hash(x || y) > size(x)*size(y)
force x < y inside the hash to make it symmetric
er, that would be hash(x || y) < size(x)*size(y)
size(x) is the fraction you're willing to peer with. The fraction you can peer with is lower when multiple people use this option
but it will still produce a randomly-connected network, unless people start selecting their IDs to make this non-random
Sebastian
yes. They totally can do that.
it's cheap, even
danieldg
right. You can defend against that by changing the hash based on time or something, but that would break long-lived connections
Sebastian
that doesn't mean we'll have a balanced network, though, where nodes are loaded to their capacity
danieldg
if you have a significant number of peers with full connectivity, that should still be possible
Sebastian
So there's more constraints
Tor picks a few relays as entry guards
it uses those and only those for the first hop
sometimes, it also needs a special last hop. Finding a path is now neither cheap nor always possible
danieldg
hmm. path-finding would get very complex if you need multiple nodes that are partially-peered, yeah
atagar
dun: your panel issue was permissions ("... sie sollten Root sein"), also didn't work with old versions (tried 1.3.3)
nsa
or: [tor/maint-0.2.1] 2010-03-16 04:44:30 Roger Dingledine <arma@torproject.org>: give us a blurb; add stanza to the releasenotes
arma
should i tag 0.2.1.25 and move on? or will that result in a 0.2.1.26 once phobos tries to build it
questions of the universe
phobos
just do it already
you know you want to
arma
i do want to. ok. tagging. btw, it's a new tarball, with the added changelog.
phobos
i never trust your test tarballs
arma
phobos: mailed you the official tarball url
well, an unofficial url for the official tarball
xUSSR
Tor 0.2.0.34 (r18423). Too many warnings in log file "Not enough good signatures on networkstatus consensus. Unable to load consensus directory downloaded from server '94.76.192.48:443'".
tor-0.2.1.24. Too many warnings in log file "Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (DONE; DONE; count 392; recommendation warn)"
arma
xussr: 0.2.0.34 is pretty much obsolete. it probably won't work.
xussr: what country are you in?
xUSSR
arma: 0.2.1.24 looks pretty much unstable. ukraine
arma
xussr: what OS?
tgnb
hi there, i seem to be unable to access yelp.com since around the same time i became a tor exit node
http://www.yelp.com/ - Forbidden - You don't have permission to access / on this server.
coincidence or are they blocking Tor exit node IP's?
xtoaster
tgnb: possibly blocked
as tor exit
tgnb
I can't think of any other websites that i can't access, and I'm online all day long. I'm not even certain that the inability to access yelp.com has anything to do with tor, i just remember that this started around the same time i became an exit node
I figured i'd ask here to see if any other exit node operators are experiencing the same thing
Tas
hm. this is strange. I run Tor 0.2.2.10-alpha as client and for a few hidden services, and suddenly, a few hours ago, Tor started to use 100% CPU. now I looked a bit what might be the reason, and found out that it's the state file in Tor's data directory which somehow got corrupted, as it seems. if I stop tor and delete that file, Tor starts normally again. should I do anything with the state file to debug this further?
OS is OpenBSD 4.7
I mean, do with the broken state file, of course. I still have the original
pipe
Most people are seemingly asleep, or your question is too high-tech. I suggest attaching it to a bug report in the bug tracker.
Tas
I'll wait a bit, the right people will read the backlog :-)
xtoaster
Tas: that has never happened here before. i only know the state file keeps your guardian nodes. and some merit info of those nodes.
Tas
well, I can replicate it, if I copy the old file back, I get 100% CPU load right after Tor's start, and Tor takes seconds to start at all
something's wrong with that file, and it broke on its own
maybe a developer wants to debug further
jiso
why doesn't torproject run its own irc server?
arma
tgnb: sounds like a plausible reason. sorry for the inconvenience. :(
tas: neat. can you start your tor with the broken state file, let it chew for a bit, and then gdb attach and see where it is?
xtoaster
hi arma. morning.:)
Tas
arma: I've no experience with gdb, but with instructions I can do that
are there secrets in that file?
arma
your guards are in the file
Tas
my former guards, I think
arma
to gdb attach, you find the pid and do 'gdb attach <pid>'
then you treat it like you have a coredump. 'where' is the first step.
Tas
hehe, that's all new to me
but I can try, of course
or I could publish the file :-)