Messages - astor

121
The newest version of TOR scares me. :(  The idea of a development version of TOR is scary. :-\

Right now it's at the "release candidate" stage, meaning it's almost ready to be released as a stable version. They are 96% of the way to a final release:

https://trac.torproject.org/projects/tor/milestone/Tor%3A%200.2.4.x-final

This isn't like alpha software that we're talking about.

The Tor Browser in TBB 2.4 is based on the same Firefox 17 that is bundled in TBB 2.3, so your safety (or danger) with regard to browser exploits is exactly the same.

122
Security / Re: Majority of Tor crypto keys COULD be broken
« on: September 08, 2013, 11:19 pm »
Tor 0.2.4.x uses the Curve25519 method for elliptical curve cryptography. That seems to be safe against side-channel attacks by the NSA.

I believe that was rransom's idea. Probably the smartest and most crypto knowledgeable guy to ever be involved with the Tor Project.

123
This is what worries me. Everybody always yells 'update, update, update!' How do we know that open-source project we trusted has suddenly been infiltrated and had a backdoor inserted?? Updates may not always be a good thing lol

You can audit it for backdoors and build the browser bundle yourself.

https://gitweb.torproject.org/tor.git/tree/refs/heads/release-0.2.4:/src/or

https://gitweb.torproject.org/vidalia.git/tree/refs/heads/master:/src/vidalia

http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0.8esr/source/

https://gitweb.torproject.org/torbrowser.git/tree/refs/heads/maint-2.4:/src/current-patches/firefox

124
Security / Re: Schneier: How to remain secure against NSA surveillance
« on: September 07, 2013, 12:12 am »
For anyone interested in the hosting-at-home idea, check out the FreedomBox mailing list archives. They were discussing innovative things to do with home hosting years ago. For example, you could use an open source, federated social networking platform like Diaspora to connect with your friends. They don't even have to be IRL friends, they could be anonymous people you meet on the internet, because your pods would be hidden services. You could offer each other distributed, encrypted, version controlled backups. So I offer 10 GB of space to each of 10 friends, and they offer the same, and I get 100 GB of distributed backup space from them. If my box dies, I get a new one and download my backups.

They even discussed backing up PGP private keys that way. In an anonymous community, your PGP key is your identity. So what happens when you lose it? They suggested breaking it into pieces and distributing them to your friends. Choose people who are in different social circles, so they don't all know each other and can't collude to reconstruct your private key (although it's symmetrically encrypted anyway with a strong password). Then if you lose your key, download the pieces from your friends and reconstruct it. In the best setup, they wouldn't know they are hosting a piece of your key, and only you would know the full set of people who have the pieces.

Plus, home hosting is the cheapest hosting you'll ever get that isn't advertising based. A nettop box or plug computer are sufficient to do everything described above. That costs at most $300 and might last 5 years, so you're essentially getting a low end dedicated server for $5 a month, less than the cost of most web hosting, and you can run all kinds of cool shit on it: social networks, game servers, email servers, other messaging clients, xmpp servers, Tor, Bitcoin clients, etc, etc.
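
The key-backup idea in the post above, as an added example that is not part of the original post or of the FreedomBox discussion: rather than cutting the key file into plain pieces, it uses a k-of-n threshold split (Shamir secret sharing, a technique swapped in here and going beyond what the post describes), so any k friends' shares rebuild the key and fewer than k reveal nothing about it. The function names and the sample blob are constructed for illustration.

```python
# Added example: k-of-n Shamir secret sharing over a prime field (illustrative names).
import secrets

P = 2**521 - 1   # Mersenne prime; every 64-byte chunk is smaller than P
CHUNK = 64

# Constructed stand-in for a passphrase-encrypted private key export (not a real key).
SAMPLE = b"constructed stand-in for an encrypted key export; " * 4

def _eval(coeffs, x):
    """Evaluate the polynomial at x (Horner's rule), mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def split(secret: bytes, k: int, n: int):
    """Return n shares (x, [y per chunk], length); any k of them rebuild secret."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    chunks = [int.from_bytes(secret[i:i + CHUNK], "big")
              for i in range(0, len(secret), CHUNK)]
    # One random degree-(k-1) polynomial per chunk; the constant term is the chunk.
    polys = [[c] + [secrets.randbelow(P) for _ in range(k - 1)] for c in chunks]
    return [(x, [_eval(p, x) for p in polys], len(secret)) for x in range(1, n + 1)]

def combine(shares, k):
    """Lagrange-interpolate each chunk at x = 0 from k distinct shares."""
    shares = shares[:k]
    if len({s[0] for s in shares}) < k:
        raise ValueError("need k distinct shares")
    length, out = shares[0][2], b""
    for idx in range(len(shares[0][1])):
        acc = 0
        for xi, ys, _ in shares:
            num = den = 1
            for xj, _, _ in shares:
                if xj != xi:
                    num = num * -xj % P
                    den = den * (xi - xj) % P
            acc = (acc + ys[idx] * num * pow(den, -1, P)) % P
        out += acc.to_bytes(min(CHUNK, length - idx * CHUNK), "big")
    return out
```

Split the already passphrase-encrypted export, as the post assumes, and keep a hash of it yourself: the shares are not authenticated, so a corrupted share produces wrong output rather than an error.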

125
Security / Re: Dissent: accountable anonymous group communication
« on: September 06, 2013, 11:59 pm »
This may be the first thread I've ever seen get rescued from a bunch of politics and trolling to something useful and informative. Really enjoying reading this.

126
BTW, TBB 2.4, the newest version of which includes patches that should make your Tor circuits faster against the botnet load on the network, includes a built in PDF reader that should be nicely contained by Tor Browser's proxy settings.

https://blog.torproject.org/blog/new-tor-02417-rc-packages

Or just run Whonix already. :)

127
Care to copy and paste the rest of the people funding TOR?  I don't open PDFs. :-[

If you can't trust a PDF produced and hosted by the Tor Project, then you shouldn't be running Tor. ;)

128
@astor
Yes, but they can hide that they are using Tor and make traffic analysis harder. For that they could connect to a VPN where the cables inside the VPN country are not getting sniffed by the NSA.

But the connection between the user and the VPN server could still be sniffed. Let's say I live in Boulder, CO, and there's an IXP in Denver. Due to the hierarchical nature of the internet topology, my ISP's upstream link goes through that IXP. Every connection from every subscriber of my ISP goes through that IXP. So it doesn't matter if I'm using a bridge that the NSA doesn't recognize as a Tor entry point, or the obfs3 protocol which they can't DPI, or a VPN server in Argentina. If they control SR's HSDir and the IXP, then when I fetch the SR descriptor, they can include a traffic signature that is detected by the IXP, which sees the IP address that the packets are headed to, which is me. It doesn't matter how many layers of encryption I add, or how many VPNs or proxy hops I add, as long as the IXP is between me and the first hop. Theoretically the NSA could inject a traffic signature that is detectable by the IXP through all those hops and layers of encryption.

Quote
To make traffic analysis even harder they can download copyrighted torrents over the clearnet through the VPN at the same time. Or even better, keep down and uploading copyrighted/porn torrents at low speed all day long through the VPN, or at least some time before you start using Tor and after you stopped using Tor through the VPN.

Yes, I think this could help. When the Chaos Computer Club published their results of Tor circuit fingerprinting, I read that it could be trivially defeated by loading pages in another tab.


129
Security / Re: Are you Paralyzed by PGP? Fear no more! Join PGP Club :)
« on: September 06, 2013, 11:24 pm »
Presumably I need to import a key and securely communicate with somebody as a test run.  Can anyone help?

Sure. Import this key and send me a message. Also, post your key or post the link to your key in that thread so I don't have to search for it.


130
Security / Re: Calling for a SR vendor to set up TOR relay fund
« on: September 06, 2013, 11:13 pm »
They already host 10% of the bandwidth of the entire Tor network.

But that's sort of the problem. We need to diversify with more independent operators, who run relays and/or take donations.

131
Security / Re: Setting up Bitcoin mining rigs as Tor relays
« on: September 06, 2013, 11:02 pm »
hmm, I guess that's true. Depends on the coins you're mining. If you have a modern CPU with AES-NI, make sure to set

HardwareAccel 1

in your torrc for better performance, too.

132
The US government fully funds TOR to the tune of over a million dollars a year.

The Tor financials are publicly available:

https://www.torproject.org/about/financials.html.en

https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pdf


As can be seen on page 8, the US government provides about 60% of the Tor Project's funding, so they don't "fully" fund it.

They are a significant contributor, but if you look at the details, those agencies include the National Science Foundation, as an example, which is dedicated to funding open research. There is no conspiracy by the US government to control the Tor Project, and anyway the code is open source, reviewed by thousands of researchers and hackers, and the relays are run by independent operators in over 70 countries, so there's little the US gov could do to control the Tor network.

133
Security / Re: Setting up Bitcoin mining rigs as Tor relays
« on: September 06, 2013, 10:32 pm »
Tor eats tons of CPU, especially as a relay. Why would you handicap your mining rigs with it?

134
Instead of using obfs3 bridges you could use a VPN in a "safe" country where the internet cables, and the internet cables of the surrounding countries, are out of reach of the NSA/GCHQ.

Unfortunately for US, UK, Swedish, Chinese and Iranian citizens, and probably many others, there is no way to reach the wider internet without getting tapped. Only thing I can think of is to build an alternate, community-controlled network infrastructure. Something like a global meshnet that actually works.

135
Security / Re: Schneier: How to remain secure against NSA surveillance
« on: September 06, 2013, 01:24 pm »
I think there's an important point that he missed, which Richard Stallman has been warning about for at least 5 years: get off the cloud.

And Eben Moglen has been advocating a solution for at least 3 years: host your data at home.

The home is the best legally protected place in the modern world, and hidden services make it easy for anyone to host their data even behind NAT. Furthermore, that decentralizes data storage, making it much more expensive to go after data (when you can't just ask a handful of compliant tech companies for a billion people's info).

Yes, it's slow, but that's a trade off worth making for the safety of your data. The main problem is the server-client model popularized by the major tech companies, which influences the asymmetric upload-download rate, and slow residential speeds in general. We need to challenge the telecoms and their AUPs to allow us to run internet services like web and email servers from home. Add together the legal and logistical benefits of hosting at home with encryption and onion routing and the NSA's job will become orders of magnitude more difficult.
