IRC Archive / Oftc / #tor / 2010 / May / 7 / 1
krit
i find that strict exitnodes don't work sometimes, and searched and found that it should always
Lademord
Hey guys, my computer is on ~10 hours a day, and my upload speed is 512 Kb/s. Should I consider running a relay, or does that require total uptime?
ln5
one of my relays is still pushing ~9Mbps but only uses ~1k of tcp connections
usually i see ~7k connections.
Lademord
Was that a yes or no?
ln5
i do see about twice as many mbuf clusters in use (it's a bsd machine) which indicates that each of these connections has more to do.
Lademord: neither. i don't know if a relay with <50% uptime will attract traffic or not. try?
Lademord
hm. okay then
Or, wait, I can't get Vidalia to work, so maybe I'll just wait a bit
and donate my bandwidth to BitTorrent until then :)
ln5
krit: by strict exitnode, do you mean when your client demands exit through one specific node?
BarkerJr
if your relay is up more than a few hours at a time, it can contribute
https://www.torproject.us/faq.html.en#RelayFlexible
pi11
Hello. I'm using tor as a client. I need maximum speed, and minimum anonymity. Are there some torrc options to set the minimum number of relays through which traffic passes?
arma
pi11: no. you might consider a much weaker system that's faster, like relakks.
pi11
arma: thanks, i will try it
bary
to shorten the path to an exit node has no point
i can understand wanting to shorten the path to a hidden service
Lilith_
hi
how do i get to tor channels?
i mean
to hidden channels?
nogul
what is tor hidden channel?
Kal
Hi guys.
bridges@torproject.org just gave me 3 bridges, but I still can't reach the network. Anybody got other ones?
(And I wonder how the GFW has not blocked this IRC network yet.)
keb
Kal did you check your Tor log, maybe something else is wrong
Kal
keb: I get lines like this: May 07 11:19:52.098 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 13; recommendation warn)
I presume it's caused by invalidated/blocked bridges.
keb
is it safe to try connecting without a bridge? do you get the same
Kal
same
keb
maybe someone can privately /msg you a bridge ip
krit1
how to ensure StrictExitNodes works
i see it not work many times
or at least create many paths that don't and some that do
keb
https://trac.torproject.org/projects/tor/ticket/601
hmm I'm sure there was a newer bug involving that
formalist
wth...
mfwitten
Hello. Does Tor access the same domain using different circuits for different pids?
In other words, if processes A and B access example.com, do they both use the same circuit or do they both get different circuits (or possibly the same circuit)?
keb
mfwitten do you mean two different tor pids or two processes using the same tor
mfwitten
two different Tor clients accessing the network through one Tor daemon
keb
so there is only one Tor process running on the machine
mfwitten
yes
keb
then i think they will reuse the circuit, if they access the destination at the same time
mfwitten
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
In my opinion, that's not a good idea
keb
do you think info will leak between client processes
mfwitten
Consider wanting to have two different accounts for some service.
I wouldn't want accounts A and B always to access the service from the same IP
Tryst
what if accessing the service at different times? would that be less complicated mfwitten?
mfwitten
Tryst: It would be; I could even restart Tor when switching between them. However, then someone could note the fact that accounts A and B never access the service at the same time. That's a coupling
keb
if the destination machine has a Tor exit enclave leading to it you may end up always going through the same exit node
mfwitten
Tor exit enclave?
Also, restarting Tor frequently would be unnecessarily slow, as new circuits would have to be built.
keb
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ
Tryst
will keeping the other account access alive while B accesses its account at a different time not be doable? but then again it depends on what kind of service.
keb
you dont have to restart Tor to get a new circuit
you can send the newnym control message
Tryst
keb where and hows that newnym function?
keb
why would you want to access any real service with two accounts at the same time from the same machine, except a pathological testing case
Tryst vidalia does it by pressing the New Identity button
or you can check the control spec
Tryst
ah, vidalia. :) no wonder I'm not familiar.
mfwitten
keb: That's still slow; the slowness is in the circuit creation, not the startup.
keb
http://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=doc/spec/control-spec.txt
section 3.7
yeah
mfwitten then run two Tors each on a different port
mfwitten
keb: That's such a hack
keb
*listening on
why
it tries to minimize use of precious network resources
mfwitten
For one, one Tor daemon ought to be able to listen on two different ports.
For two, I think that Tor should isolate different processes (or perhaps process groups).
keb
SocksListenAddress can be specified multiple times
mfwitten
Perhaps Tor could be configured to do such isolation only for certain destinations
keb
not sure if you get different circuits though
mfwitten
yeah
keb
with the AllowDotExit 1 set, you can force use of two different exit nodes
mfwitten
Nah
That's too error prone
Specifically, it's not much better than just restarting Tor
One day you'll forget
keb
mfwitten the end server might suspect accounts A and B are from the same client machine, but it still wont know where or when that machine is
yeah the .exit notation is a hack too that is deprecated
maybe you can file a bug/feature request for this
mfwitten
keb: Then if one account becomes compromised, so does the other.
keb
compromised in what way
mfwitten
Well, let's say I slip up and do provide identifying information for account A. If A and B are suspected of being linked, then I've compromised B as well.
The problem here is operator error; I think Tor could keep the operator from shooting himself.
(or make it harder, anyway)
formalist
yeap. that feature is a must remove.
actually...
keb
mfwitten i guess thats a good reason not to share one Tor proxy for a bunch of computers on a LAN
formalist
you might want to use polipo to guard yourself from the exploit.
keb
formalist the .exit exploit?
formalist
yes.
krit
tor is not honoring strict exit nodes
any fixes for it ?
formalist
well...
i don't know if specifying .exit overrides strict exit nodes.
there are two ways to use it. one of the ways is going to be deprecated.
mapaddress is the natural and secure way.
but you can also just make a socks request involving .exit, which really means any webpage that you load can do the same.
you don't necessarily want a webpage controlling which exit node is to be used to access it.
Kal
I wonder if it is also possible get past GFW by manually updating the list of authorities.
nsa
or: [ernie/master] 2010-05-07 07:26:34 Karsten Loesing <karsten.loesing@gmx.net>: April 2010 relay descriptors are available.
Kal
nsa: what's that?
SwissTorExit
who looks about you :) no, i'm kidding, it's the commit bot
karsten
Kal: nsa is our friendly commit bot who, coincidentally, answers your question: even if you'd manually update the list of authorities, the list of relays would still be public and blockable.
SwissTorExit
hi karsten :P
karsten
hey SwissTorExit
Kal
How many times per day am I allowed to harass bridges@torproject.org before my e-mail address gets banned? :P
karsten
i think your address won't get banned, but you won't get new bridge addresses.
Kal
so I'm ****ed for the day?
karsten
are all your bridges blocked? or is this a general question?
so, yes, you're screwed for the day. but this also means the adversary cannot easily enumerate bridges.
if this is a specific case, we're already thinking about whether 3 is the right number of bridges to give out.
Kal
I doubt giving out more bridges would solve the problem at all. :P
karsten
well, it would reduce the prob that all your bridges are blocked.
but then, the adversary would learn about bridges faster, too.
Kal
exactly
I'm sure the CCP is employing hundreds of people just to leech the complete list of bridges every day.
karsten
there's a thread on or-dev about this question: http://archives.seul.org/or/dev/Apr-2010/msg00002.html
Kal
or they just write a bot and use hundreds of different e-mail addresses.
karsten
gosh, is it 1 month ago that mike sent a mail i wanted to reply to...
you're right in that they might automate this. but we're only giving out a fraction of bridges via email. so they might enumerate all those bridges. but they'll have to come up with a new way to enumerate the others.
Kal
And how does the legitimate user learn about the other bridges (not distributed via e-mail)?
karsten
https://bridges.torproject.org/ gives out bridges, too.
Kal
karsten: that's still chicken and the egg for users behind GFW.
karsten
true.
there are other ways to give out bridges (under development or already deployed? can't say), and we'd like to have more distribution channels for bridges.
https://www.torproject.org/volunteer.html.en#Projects has some items that might be interesting if you're willing to spend some time on this.
and http://freehaven.net/anonbib/cache/wpes09-bridge-attack.pdf is a recent paper that you might find interesting.
Kal
I suggest stuffing moon cakes with pieces of paper with bridge addresses written on them (ref. http://en.wikipedia.org/wiki/Mooncake#Ming_revolution)
karsten
good idea, that's the spirit. now let's hope the bridges are around long enough until the moon cakes are delivered. :)
Kal
Hehe
Circulate a Powerpoint presentation for Moon Festival, with the Vidalia bundle installer attached inside the Powerpoint presentation. :P
Tryst
how come most exit nodes seldom change their ports?
i mean besides the usual ones
Kal
actually
A much more efficient idea is to write a virus that actually runs a Tor service. Many Chinese users use outdated anti-virus with expired subscriptions, so you don't have to worry about the gov telling anti-virus companies to update virus definitions against the Tor virus.
(of course, it's very wrong if one believes that the end does not justify the means)
rjcks
The GFW has just been upgraded - or so it seems - has any one got any newish bridges?
nsa
or: [ernie/master] 2010-05-07 08:13:34 Karsten Loesing <karsten.loesing@gmx.net>: Replace Scanner by more common BufferedReader.
BarkerJr
it seems to me that tor isn't using eth1 to transmit bandwidth even though it's binding to that ip... I'll look into this more later
Malkovich
could somebody give me a bridge address, my isp has blocked tor :(
SwissTorExit
Malkovich: try to use the vidalia controller for Tor, it can give you a list of Bridges
Malkovich
i can't
could you open your own relay as a bridge for me? :)
SwissTorExit
nope sorry, not possible for me
https://bridges.torproject.org/ gives out bridges, too.
Runa
Malkovich: you can also email bridges@torproject.org from a gmail or yahoo account (with "get bridges" in both subject and body)
Malkovich
Runa, thx!
Runa
np
Malkovich
Is it right: if i put
#BridgeRelay 1
#ExitPolicy reject *:*
uncommented in my torrc
my bridge will be published by these emails?
Kal
The Tor client caches a new list of authorities once it manages to connect to the Tor network, right?
arma
malkovich: if you want it to be a bridge, you also need to set ORPort
kal: the list of authorities basically never changes. there are 7 of them.
Kal
I see.
arma
but it does cache a list of the other relays once it connects. but it's not very good about reusing them if you start your tor client a day later.
Kal
arma: why is that?
rjcks
the bridges I've just received from bridges@torproject.org are blocked by the GFW
arma
kal: why is which?
i suspect the answer is "because we haven't done that yet"
Kal
arma: "a day later" is the key, right?
(because it seems that I can safely remove the HTTP proxy and restart Tor as soon as I successfully connect to the Tor network for the first time.)
arma
yep.
Kal
rjcks: set up Tor to use an HTTPS proxy first
rjcks: then you won't even need to specify bridges.
try the proxies listed on this page until you successfully connect to the Tor network once: http://www.xroxy.com/proxylist.php?port=&type=All_http&ssl=ssl&country=&latency=&reliability=
rjcks
Kal: thanks - I've just been trying that but I get "Method not allowed" back from the proxy
Kal
rjcks: strange. I just successfully connected using one of those proxies about 20 minutes ago.
user123456789
can you put
rjcks
Kal success! thanks again
ioerror
If anyone is building from source, I'd love some help with some compile-time hardening stuff:
http://archives.seul.org/or/dev/May-2010/msg00006.html
I'm looking for FreeBSD, NetBSD, Mac OS X (all versions), Windows and other build environments.
user123456789
when using MapAddress, why can't you map domain names to the .exit/.onion address?
nsa
or: pootle committed revision 22291 (/projects/gettor/i18n/sr): updated files from pootle
or: pootle committed revision 22292 (/translation/trunk/projects/torbutton/sr): updated files from pootle
or: pootle committed revision 22293 (/translation/trunk/projects/torcheck/sr): updated files from pootle
or: pootle committed revision 22294 (/translation/trunk/projects/website): updated files from pootle
Kla
I see in the Tor network map that I have 3 relay names in a connection; does that mean I'm connected through all of them?
me -> server1 -> server2 -> server3 -> web
?
OFFShare
"With Love to the B.K.A." http://paste.debian.net/72414/
arma
patches appreciated :)
(it is, alas, hard to write a good patch for this)
OFFShare
yes, i did a dirty hack, but not useful to integrate...
nsa
or: [tor/master] 2009-11-06 23:45:27 Jacob Appelbaum <jacob@appelbaum.net>: Add support for gcc compiler/linker hardening flags.
or: [tor/master] 2010-05-07 16:05:26 Roger Dingledine <arma@torproject.org>: Merge commit 'ioerror/compileTimeHardening'