[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Library Defeats Tor Followup Addl Info
copy of bounced message to scott bennett, keep forgetting to not send
him mail.
On Mon, 15 Oct 2007 15:47:03 -0700, mark485anderson@xxxxxx said:
> welcome back, more inline below:
>
> On Sun, 14 Oct 2007 04:36:54 -0500 (CDT), "Scott Bennett"
> <bennett@xxxxxxxxxx> said:
> > On Sat, 13 Oct 2007 17:30:30 -0700 mark485anderson@xxxxxx wrote:
> >
> > >This group has not changed. I give information in good faith and then
> >
> > Well, at least *you* haven't changed: you're still top-posting.
> >
> > >nobody replies. Course in the beginning of this thread,
> > >watsonbladd@xxxxxxxxx and Scott Bennett" <bennett@xxxxxxxxxx were
> > >replying with uninformative answers, but then as soon as I give further
> >
> > Actually, we were responding primarily with questions, not answers
> > at all, in many cases in an attempt to get you to post the information
> > with which you should have begun the thread. I continue that effort
> > below.
> >
> > >information, my posts are ignored. Incidently, Scott Bennett care to
> > >tell me why posts to your address bounce (i dont have time for finding
> > >out now). This is why more people don't use Tor, it seems to be only the
> >
> > I'm not clairvoyant, so I can't read the error messages you got from
> > here unless you post them.
> > That having been said, however, I will mention that the
> > administrator
> > of this system graciously blocks most source addresses of massmail when
> > a) there is no functioning abuse or postmaster address at that source,
> > b) there is no valid MX RR for the source, or c) the source comes from
> > a part of the world that is currently a disaster area of massmail sources
> > for which reporting the massmail is nearly always a completely wasted
> > effort. Attempts to send mail to users on this system from addresses so
> > blocked normally result in some sort of error message being returned to
> > the sender that provides a clue as to why the mail is being rejected.
>
> don't know, no time to research that, all I know is it does not happen
> with anyone elses email address on this list so far.
>
> >
> > >domain of an elite group, who could care less if others join in.
> > >
> > At least some of the people on this list do not live according to
> > the same schedule you live by and may have different obligations upon
> > their time than you have.
>
> whatever, I researched the problem and gave a possible solution for
> those who might be similarily effected. seems the list the group could
> do is comment on my findings.
>
>
> > >
> > >On Sun, 07 Oct 2007 14:12:57 -0700, mark485anderson@xxxxxx said:
> > >> Ok, promised I would report back. My testing time has been limited so
> > >> this information is not complete, but will help I think. Here is what I
> > >> have found:
> > >>
> > >> 1) you cannot connect to any tor server until you connect first to a
> > >> library server, and accept the library TOS, else you get repeated error
> > >> messages from each tor server "will try again later..."
> >
> > Yes, that is typical. So either wait to start tor until after you
> > do
> > that, or ignore the messages that are issued up until your session is
> > authenticated via their web server. I generally do the latter in those
> > situations.
>
> prolly the quy running this library network is on this mailing list, no
> doubt.
> I am guessing they want the library IP sent out with all your traffic
> and that is why they are assigning a library ip to your outgoing
> requests. also, they probably want to track and profile your traffic,
> hence the dns requests made to the library lookup file. Also the mac
> address of the wireless connection I am using identifies the exact
> computer making all these requests. how's that for privacy invasion?
> guess I will have to start changing my mac address also.
>
> > >>
> > >> 2) Once you have accepted the TOS on their web page through a direct
> > >> browser connection, then all DNS requests are made through that library
> > >> server, subjecting you to profiling and tracking.
>
> >
> > The private network address of the ISP's name server is usually used
> > as a forwarder address, and that address gets passed to your computer in
> > the DHCP lease. I've forgotten exactly how to go about setting a
> > permanent
> > address under Windows XP, but it should be fairly easy to do. If you
> > haven't
> > figured it out by the next time I shut down my FreeBSD system and boot
> > WinXP,
> > I'll dig around in it to see what has to be changed.
>
> Who said XP? I never said XP. I said windows crap. the dhcp is assigning
> a library IP. I have no control over that I think as it is done by a
> library router or computer.
>
> > >>
> > >> Now the more interesting part:
> > >>
> > >> You can defeat #2 by not allowing dns/p53 requests in you firewall
> > >> ruleset-that way all dns requests will then go directly to tor servers
> > >> (as far as my fw logs seem to indicate). This slows down the web page
> > >> and other requests considerably. I will have to relookup how to fix
> > >> Microsuck OS to do it's dns lookups directly from the client as I recall
> > >> it does not do it simply by putting entries in the hosts file.
> >
> > The slowdown is most likely the wait for the six-second timeout (or
> > however long it may be these days) before trying the next name server in
> > the list. So the trick to doing that is to find the way to restrict the
> > DHCP client's ability to change the name server list and to set the name
> > server list only to those addresses you have chosen.
>
> You don't say? How does one "restrict the DHCP client's ability to
> change the name server"?
> I am guessing you mean (as I mentioned in last post) making my computer
> do the lookups directly from it's own host file. XP does not have a host
> file I think, but my flavor of windows does, however the idiots at
> microsoft gave it a bug where you have to make modifications to actually
> get it to look at the hosts file first. I have to lookup the necessary
> modification,as it has been sometime since I last used it to force
> winshit to look at the hosts file for the dns requests.
>
> > Do not assume, though, that bypassing their chosen name server means
> > that you are safe. In the U.S., for example, an unconstitional (which is
> > to say, "illegal under the Supreme Law of the Land") Act of Congress
> > requires ISPs to keep logs of all name server queries, as well as HTTP
> > requests, so they are likely to log all outbound port 53 traffic,
> > regardless
> > of its destination.
>
> well then explain to me how they can monitor dns traffic if all dns
> requests are made within the originating client box and not to any
> outside source. maybe all you tor gurus can explain how clients usually
> make dns requests through tor and WHY IT IS THAT TOR ALLOWS COMPUTERS TO
> LEAK DNS REQUESTS AT ALL???? TOR SOFTWARE SHOULD NOT ALLOW THIS AND
> SHOULD FAIL TO WORK IF DNS REQUESTS ARE MADE TO ANY NODE OTHER THAN TOR
> THROUGH PRIVOXY. OH THAT'S RIGHT TOR IS "EXPERIMENTAL" AND "NOT FOR
> GENERAL USE". FUNNY HOW LONG IT HAS BEEN EXPERIMENTAL. MAYBE THE FAULT
> HERE IS WITH TOR, NOT WITH ME OR THE LIBRARY?
>
>
> > Also, the /WINDOWS/system32/drivers/etc/hosts file is not the
> > location
> > you're looking for. What you need to look for is the WinXP equivalent of
> > a UNIX /etc/resolv.conf file. (I've forgotten where it is or even if it
> > is
> > in only one place; a quick search of my WinXP system did not turn up a
> > file
> > by that name, so I'll try looking into it a bit more after I get some
> > sleep.
> > I've been up about 27 hours at the moment, and it's getting hard to focus
> > on the screen.:-)
> > >>
> > >> Even if dns requests are made to the library machine, running a sniffer
> > >> seems to show that the TCP packets are still encrypted at the client
> > >> level. I have not had a chance to analyze the sniffer logs yet well yet,
> > >> but just watching the traffic shows encrypted TCP going to and from tor
> > >> servers, so that part is safe.
> > >>
> > >> You must disable dns requests at the firewall to prevent leaking to the
> > >> library IP.
> >
> > Possibly. However, if you can find the WinXP equivalent of
> > /etc/resolv.conf and force it to remain unchanged by your DHCP client,
> > then you should be able to avoid sending queries to the library's name
> > server(s). And if your proxy server(s) can use SOCKS4a or SOCKS5 in
> > connecting to tor, then the query resolutions can be obtained via the
> > tor network itself.
>
> covered above
>
> > >>
> > >> Once you do that it appears (again, on the surface without too much
> > >> study) that your traffic, including dns requests is safe.
> >
> > {Already covered above.]
> > >>
> > >> I will do more intensive analysis and testing as time and access to the
> > >> library connection permits.
> >
> > Looks good.
> > >>
> > >> Any useful comments and feedback appreciated.
> > >>
> > >> On Sat, 29 Sep 2007 13:58:37 -0700, mark485anderson@xxxxxx said:
> > >> > Give me a couple days and I will confirm and report back after running a
> > >> > sniffer.
> > >> > I don't use this library node often, so it will be a few days. Besides I
> > >> > do not have the
> > >> > firewall logs with me now, so don't want to misstate things until I am
> > >> > sure and have gathered as much information as I can.
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > On Fri, 28 Sep 2007 23:57:17 -0500 (CDT), "Scott Bennett"
> > >> > <bennett@xxxxxxxxxx> said:
> > >> > > On Fri, 28 Sep 2007 15:06:48 -0700 mark485anderson@xxxxxx wrote:
> > >> > >
> > >> > > >On Fri, 28 Sep 2007 15:02:53 -0700, mark485anderson@xxxxxx said:
> > >> > > >>
> > >> > > >> On Thu, 27 Sep 2007 21:20:42 -0500 (CDT), "Scott Bennett"
> > >> > > >> <bennett@xxxxxxxxxx> said:
> > >> > > >> > On Thu, 27 Sep 2007 19:05:27 -0700 mark485anderson@xxxxxx wrote:
> > >> > > >> >
> > >> > > >> > >On Thu, 27 Sep 2007 19:52:30 -0500 (CDT), "Scott Bennett"
> > >> > > >> > ><bennett@xxxxxxxxxx> said:
> > >> > > >> > >> On Thu, 27 Sep 2007 20:35:58 -0400 Watson Ladd
> > >> > > >> > >> <watsonbladd@xxxxxxxxx>
> > >> > > >> > >> wrote:
> > >> > > >> > >> >mark485anderson@xxxxxx wrote:
> > >> > > >> > >> >> Then after agreeing to the TOS, you are able to connect to tor servers,=
> > >> > > >> > >> >
> > >> > > >> > >> >> but all dns requests go through a library computer IP, such that they
> > >> > > >> > >> >> can see and record where you are going. I am not sure if they can see
> > >> > > >> > >> >> the TCP content, but the UDP (which I assume is the dns lookups are all=
> > >> > >
> > >> > > What does your firewall software or other tool at your disposal have
> > >> > > to
> > >> > > say about the TCP packets from your browser? Do they go to privoxy? And
> > >> > > where does it say that packets from privoxy go? To your tor client?
> > >> > > Somewhere
> > >> > > else?
> >
> > The above questions are, I think, still waiting to be answered.
> > >> > >
> > >> > > >> > >> >> being monitored and probably logged by the library server through which=
> > >> > > >> > >> >
> > >> > > >> > >> >> you are connected. Firewall logs clearly show the outgoing and incoming=
> > >> > > >> > >> >
> > >> > > >> > >> >> DNS packets to the library IP. Rest of connections to Tor servers in th=
> > >> > > >> > >> >e
> > >> > > >> > >> >> firewall log appear normal.
> > >> > >
> > >> > > Just to confirm: your firewall log shows that the UDP packets in
> > >> > > question are destined to some IP address and port 53?
> > >> > >
> > >> > > >> > >> >Make sure to run DNS queries over tor if anonymity is important.
> > >> > > >> > >>
> > >> > > >> > >> Absolutely. Check your privoxy configuration file to make sure its
> > >> > > >> > >> first line is
> > >> > > >> > >>
> > >> > > >> > >> forward-socks4a / localhost:9050 .
> > >> > > >> > >
> > >> > > >> > >already is
> > >> > > >> > >
> > >> > > >> > Okay. Good.
> > >> > > >> > >>
> > >> > > >> > >> If you're using some other port than 9050, change that accordingly.
> > >> > > >> > >> Other
> > >> > > >> > >> programs, e.g. PuTTY, will need to be configured, too, if you use them.
> > >> > > >> > >> In the case of PuTTY, each remote login site that you configure to be
> > >> > > >> > >> proxied through tor will need to be set to use socks5 and to do DNS name
> > >> > > >> > >> lookups at the proxy end (see "Proxy" under "Connection").
> > >> > > >> > >>
> > >> > > >> > >> >>=20
> > >> > > >> > >> >> I have not run a sniffer yet on this, because my laptop is old and it
> > >> > > >> > >> >> might not be able to handle it. But tor anonymity is obviously shot whe=
> > >> > >
> > >> > > Your laptop, old though it may be, apparently has no trouble
> > >> > > handling
> > >> > > wireless IP traffic, so I would bet that a sniffer storing, say, only UDP
> > >> > > packets to port 53 wouldn't overtax it.
> > >> > > >> > >> >n
> > >> > > >> > >> >> connecting to their wifi nodes. I believe I tried to block the DNS
> > >> > > >> > >> >> lookups to the Library IP with privoxy generic block rules and then I\
> > >> > >
> > >> > > Because I don't know how that works in privoxy, I'll ask, does your
> > >> > > firewall allow you to block outbound UDP packets to port 53? If so, what
> > >> > > happens if you block them that way instead of via privoxy?
> > >> > >
> > >> > > >> > >> >Using socks-4a should fix this.
> > >> > > >> > >
> > >> > > >> > >already set to sock 4a
> > >> > > >> > >
> > >> > > >> > >>
> > >> > > >> > >> Right. Or socks5, though privoxy doesn't yet appear to support
> > >> > > >> > >> that.
> > >> > > >> > >
> > >> > > >> > >did you just start using tor?
> > >> > > >> > >
> > >> > > >> > About 2.5 years so far.
> > >> > > >> > >>
> > >> > > >> > >> >> could not load any web pages, indicating again that the dns requests ar=
> > >> > > >> > >> >e
> > >> > > >> > >> >> first being routed to the library machine, where they are, of course,
> > >> > > >> > >> >> logged (and maybe sent off to the FBI, if your reading muslim materials=
> > >> > > >> > >> >,
> > >> > > >> > >> >> haha).
> > >> > > >> > >> >Now are these DNS requests for sites you are browsing? It sounds like
> > >> > > >> >
> > >> > > >> > I think the question posed here may reveal the answer.
> > >> > > >>
> > >> > > >> Already answered that I think, the dns requests APPEAR to be made each
> > >> > > >> time a new url is looked up and not in looking up tor servers, but I
> > >> > > >> will only know for certain when I run the sniffer, if that is possible
> > >> > > >> on my laptop.
> > >> > > >>
> > >> > > As long as your wireless interface (and its driver) can run in
> > >> > > promiscuous mode, a sniffer ought to work okay. Some systems may well be
> > >> > > able to trap outbound packets without an actual sniffer. On most/all
> > >> > > UNIX
> > >> > > systems, you will need root privileges, too, to run tools like
> > >> > > tcpdump(1).
> > >> > > >>
> > >> > > >> >
> > >> > > >> > >> >that is the case, but I just want to make sure.
> > >> > > >> > >>
> > >> > > >> > >> Most public wireless locations use no encryption at all. In these
> > >> > > >> > >> situations, things like tor and SSH are about the only significant
> > >> > > >> > >> privacy
> > >> > > >> > >> protection most users have.
> > >> > > >> > >
> > >> > > >> > >no problem with tor and other wifi connections, dns goes to tor, hence
> > >> > > >> > >my OP title LIBRARY DEFEATS TOR
> > >> > > >> > >Tentative Conclusion: Tor cannot be used with any confidence on
> > >> > > >> > >publically maintained machines, but there is no reference to this on the
> > >> > > >> > >tor website; nor any real illumination from this group, so far. I
> > >> > > >> > >suppose now someone is going to tell me to disable javascript and
> > >> > >
> > >> > > Actually, that's probably worth a shot, given recent postings by the
> > >> > > author of Torbutton. It's also trivial to do if you have the Quick Java
> > >> > > and/or NoScript plugins installed in firefox.
> > >> > >
> > >> > > >> > >cookies, ;-) The encryption is SUPPOSED to occur at the client before it
> > >> > >
> > >> > > Cookies are just data. They do not execute and therefore do not
> > >> > > query
> > >> > > name servers, so I wouldn't think that would be worth bothering with.
> > >> > >
> > >> > > >> > >even gets to any outside server, but obviously this is not happening as
> > >> > > >> > >the dns requests are being subverted. Perhaps the traffic is being
> > >> > > >> > >shuttled from the kernel OS to a library server. IOW tor should provide
> > >> > > >> > >the encryption necessary and no wifi encryption should be needed. I will
> > >> > > >> > >see if I can run a sniffer to find out exactly what's happening.
> > >> > > >> > >
> > >> > > >> > Yes, and I think that may be why Watson asked the question I noted
> > >> > > >> > above. Tor does its own name server queries for two purposes: 1) to
> > >> > > >> > provide exit service when running in server mode, 2) to look up addresses
> > >> > > >> > of other tor servers, regardless of mode. These are normal operations
> > >> > > >> > and reveal only those activities. When you are using it in a public
> > >> > > >> > location, I assume that it is running only as a client. So that returns
> > >> > > >> > us to the question of exactly what kinds of addresses is tor looking up?
> > >> > > >>
> > >> > > >> the laptop appears to be getting web site dns translations from a
> > >> > > >> library node rather than from tor, which allows tracking and profiling.
> > >> > > >> each time a new url is introduced I get a firewall dns request in the
> > >> > > >> log.
> > >> > > >>
> > >> > > >> > Are they only the addresses of other tor servers? Or do they also
> > >> > > >> > include the addresses of the web sites you're trying to reach?
> > >> > > >> > Would you also please double check your browser configuration to
> > >> > > >> > make sure it is forwarding everything through privoxy? If you're using
> > >> > > >> > a firefox plug-in module like Torbutton, switchproxy, or foxyproxy, have
> > >> > > >> > you accidentally disabled the proxy?
> > >> > > >>
> > >> > > >> nope, don't use those, the browser is always set to go through privoxy.
> > >> > > >> will do some further testing and try to report back, but suprised not
> > >> > > >> more answers to this post. certainly others should have experienced this
> > >> > > >> problem.
> > >> > > >>
> > >> > > I guess that's the point: we haven't experienced it, which is why
> > >> > > we've been asking questions to try to debug the problem. Here are more.
> > >> > >
> > >> > > 1) Are you using a Microslop operating system? If so, which?
> >
> > The second question, namely, *which* operating system, still awaits
> > an answer.
> >
> > >> > > And if not, then which operating system and version are you using?
> > >> > >
> > >> > > 2) What is the firewall software that you have referred to several
> > >> > > times?
> >
> > This question still awaits an answer.
> > >> > >
> > >> > > 3) Which version of tor are you running?
> >
> > This question still awaits an answer, but may no longer be
> > important.
> > >> > >
> > >> > > 4) Which browser and version are you using?
> >
> > I understand you to be using Firefox, though you have not specified
> > which version.
> > >> > >
> > >> > > 5) Under the assumption for the moment that your connection to the
> > >> > > wireless attach point gets configured by DHCP, which IP address(es)
> > >> > > got assigned to your system for its own address, for an IP gateway,
> > >> > > and for name server(s) to be used?
> > >> > >
> > >> > > I keep having the feeling that what you think is happening differs
> > >> > > from
> > >> > > what is actually happening and/or something misconfigured somehow is
> > >> > > being
> > >> > > overlooked. Please be patient with us. We're trying to help figure out
> > >> > > what's going on, and you're the only one who can provide the
> > >> > > observational
> > >> > > data that might lead to a solution. If it seems like we are just
> > >> > > grabbing
> > >> > > at straws so far, rest assured that we aren't there yet and can't get
> > >> > > there
> > >> > > until we first have at least the basic facts of the case established.
> > >> > > ;-)
> > >> > > Anyone else with pertinent questions, please join in!
> >
> > FWIW, soon I intend to stop replying to top-posted followups, at
> > least
> > in most cases, except when I choose to delete all of the previously
> > posted
> > material that the top-poster has clearly deemed irrelevant as context for
> > his/her followup.
> >
> >
> > Scott Bennett, Comm. ASMELG, CFIAG
> > **********************************************************************
> > * Internet: bennett at cs.niu.edu *
> > *--------------------------------------------------------------------*
> > * "A well regulated and disciplined militia, is at all times a good *
> > * objection to the introduction of that bane of all free governments *
> > * -- a standing army." *
> > * -- Gov. John Hancock, New York Journal, 28 January 1790 *
> > **********************************************************************
> --
>
> mark485anderson@xxxxxx
>
> --
> http://www.fastmail.fm - A no graphics, no pop-ups email service
>
--
mark485anderson@xxxxxx
--
http://www.fastmail.fm - And now for something completely different?