[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: AdvTor



On Sun, Oct 3, 2010 at 2:05 PM,  <kalitnikoff@xxxxxxxxxxxxxxxx> wrote:
> Hello everyone.
>
> I found a fork (?) of tor software with GUI named Advanced Tor. I was
> surprised of its features, but found just nothing about it in web,
> though it has opened source placed in sf.net.
>
> Have you people discussed it? Please give a link to discussion if yes.
> Otherwise you are welcome (if it won`t break any or-talk rules),
> especially I`d like to know if someone can get through the code to
> check it for backdoors or something like that.
>
> Description and source:
> http://nemesis.te-home.net/Projects/AdvTor.html
> http://sourceforge.net/projects/advtor/
>

It looks like they forked some older version of Tor.  It purports to
be a forked 0.2.1.26, but lots of the comment string typos and
copyright notices from the source code don't match up to that version,
and I suspect that it's actually based on a mixture of files from more
than one Tor version.  There are indeed bugfixes from 0.2.1.26 that
seem never to have made it into the source of this thing.  Frankly,
when I run into a programmer whose first instinct is to fork rather
than to contribute, I kind of assume that they're not too familiar
with how things are done in free software, which makes me a little
nervous.

Some of the stuff they added is possibly worth taking into mainstream
Tor, though we can't use their code to do it: their license says that
the changes they made in the Tor client are under the Creative Commons
Noncommercial Share-Alike license, so we wouldn't be able to use them
even if, on examination, we did like them.

The olla-podrida of different Tor source versions makes it hard to
actually tell what the changes *are*: when you run into a point where
there's a difference, you don't know whether it's just a fix from
0.2.1.26 that the author didn't feel like forward-porting, or whether

Some of the changes are downright gratuitous; It looks like they
changed the torrc comment character from # to ; because... well,
Windows, I guess.  It also looks like they ripped out a big pile of
code that wasn't built on windows because... well, it offended them or
something.

Some of the changes are good ideas, like trying to learn time skew
(rather than just reporting it) and better handling of HTTP.  I am
pretty sure there's a security hole in the time skew learning thing if
it works how I think it does, though, and all the string handling in
buffers.c is done with the kind of character-at-a-time,
who-needs-functions thing that is error-prone even when done by good
programmers with other programmers reviewing their stuff.

So yeah.  I would not recommend this software.  If the author wants to
participate in the wider world of Tor, I would recommend that he work
on figuring out what changes he wants in Tor itself, cleaning up the
implementation, speccing out the design for security review, and
getting them upstreamed to us.

yrs,
-- 
Nick
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/