A bunch of different things, few of which I got actual traction on, in true ADHD form (though some of that was being unable to go to the local hackerspace, for hardware work) One thing which has been rather fun and…
You mentioned the firmware is open, but I couldn't find it anywhere. Could you post a link, ideally to the Git repository where it's developed?
Regarding password storage with GPG, there is pass(1) (https://passwordstore.org) which is a wrapper around Git and GnuPG, and there are a number of front-ends for it. :)
I am involved in a non-profit that operates Tor exit nodes for a while ( https://nos-oignons.net ), and before then I was running exit nodes on my own. The main benefit of setting up a non-profit is not shifting the…
I'm not sure MX records would work without either modifying SMTP servers or using Tor in transparent proxy mode. Postfix, for instance, has [transport maps](http://www.postfix.org/transport.5.html), but those let you…
> Google can monetize your information much easier than an ISP. More to the point: Google is a more central actor, who gets to see the data of far more users, than your ISP ever will. Moreover, this moves from giving a…
> people in most places around the world already have slow connections - sharing that with others would be the last thing they'd want to do You seem to misunderstand how Tor works. It doesn't require you to become a…
Ah, ok, you were referring to the DoS vector. Yes, a simultaneous seizure of the DirAuth would do that, breaking Tor relays and clients until the software is updated (the list is in src/or/config.c if you are curious).…
Or Tails
The takeaway was indeed that they could deanonymise individual users, but they couldn't target it and it required significant amounts of human effort (i.e. it did not scale). AFAIK, Tor developers are willing to…
There is automated tooling out there that is used to detect misbehaving exits, like ExitMap: https://gitweb.torproject.org/user/phw/exitmap.git/
> The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption. Yes, but how does your collecting logs impact overall awareness? Even if it did (say,…
The Reduced Exit Policy goes in that direction: https://trac.torproject.org/projects/tor/wiki/doc/ReducedExi... It's basically a documented exit policy (i.e. the configuration stating which outbound traffic you accept…
The guy was convicted for literally saying in a public chat room “if you want to host child porn, you can do it on a Tor onion service”, IIRC. That's very much not them getting convicted for running a Tor exit node.
> The problem is more like that tor relies on a few directory authorities and the only protection they have is geographic distribution and the public outcry should a set of nation state go actually seize them. Seizing…
They indeed are.
For IM: http://nicolas.braud-santoni.eu/otr.asc For email: https://sks-keyservers.net/pks/lookup?op=vindex&fingerprint=...
> But then again, a lot of people do use Tor to do stupid shit like DDoS or run C&C for botnets. Misinformed at best: you wouldn't want to DDoS anything over Tor, because 1) the nature of the protocol means that the…
Well, one single person running 1000 exit nodes would be potentially armful. Same for 1000 exit nodes running on the same network. That's why it's not very practical to simply write a deployment script for some major…
Yes: a number of non-profits exist, who operate high-bandwidth Tor exit nodes. In Europe and North America, many of them partnered with the German TorServers.net: https://www.torservers.net/partners.html There are…
Also, remember that the NSA has had that kind of capabilities for a while, yet what came out of the Snowden leaks was “Tor stinks” (read: “We don't know how to break it in any practical sense”).
The point is not that the DB schema will evolve sanely, nothing can guarantee that (nor with JSON). The point is that the schema is explicit: worst case, I can go look it up, and I /know/ that the data conforms to it.
That's FUD and untrue. The first thing you see in Tor Browser is a tab explaining that you got properly connected to Tor, but that Tor in itself is not a complete solution to online privacy and suggests you follow a…
Assuming the server uses SNI, the domain name requested by the client is also sent in plaintext. Also, it's exposed anyway in DNS queries.
There are several reasons you want this, relating to security, privacy and “politics” (in the wider sense). Regarding security, using HTTPS (along with the right measures on externally-hosted content) guarantees (to…
A bunch of different things, few of which I got actual traction on, in true ADHD form (though some of that was being unable to go to the local hackerspace, for hardware work) One thing which has been rather fun and…
You mentioned the firmware is open, but I couldn't find it anywhere. Could you post a link, ideally to the Git repository where it's developed?
Regarding password storage with GPG, there is pass(1) (https://passwordstore.org) which is a wrapper around Git and GnuPG, and there are a number of front-ends for it. :)
I am involved in a non-profit that operates Tor exit nodes for a while ( https://nos-oignons.net ), and before then I was running exit nodes on my own. The main benefit of setting up a non-profit is not shifting the…
I'm not sure MX records would work without either modifying SMTP servers or using Tor in transparent proxy mode. Postfix, for instance, has [transport maps](http://www.postfix.org/transport.5.html), but those let you…
> Google can monetize your information much easier than an ISP. More to the point: Google is a more central actor, who gets to see the data of far more users, than your ISP ever will. Moreover, this moves from giving a…
> people in most places around the world already have slow connections - sharing that with others would be the last thing they'd want to do You seem to misunderstand how Tor works. It doesn't require you to become a…
Ah, ok, you were referring to the DoS vector. Yes, a simultaneous seizure of the DirAuth would do that, breaking Tor relays and clients until the software is updated (the list is in src/or/config.c if you are curious).…
Or Tails
The takeaway was indeed that they could deanonymise individual users, but they couldn't target it and it required significant amounts of human effort (i.e. it did not scale). AFAIK, Tor developers are willing to…
There is automated tooling out there that is used to detect misbehaving exits, like ExitMap: https://gitweb.torproject.org/user/phw/exitmap.git/
> The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption. Yes, but how does your collecting logs impact overall awareness? Even if it did (say,…
The Reduced Exit Policy goes in that direction: https://trac.torproject.org/projects/tor/wiki/doc/ReducedExi... It's basically a documented exit policy (i.e. the configuration stating which outbound traffic you accept…
The guy was convicted for literally saying in a public chat room “if you want to host child porn, you can do it on a Tor onion service”, IIRC. That's very much not them getting convicted for running a Tor exit node.
> The problem is more like that tor relies on a few directory authorities and the only protection they have is geographic distribution and the public outcry should a set of nation state go actually seize them. Seizing…
They indeed are.
For IM: http://nicolas.braud-santoni.eu/otr.asc For email: https://sks-keyservers.net/pks/lookup?op=vindex&fingerprint=...
> But then again, a lot of people do use Tor to do stupid shit like DDoS or run C&C for botnets. Misinformed at best: you wouldn't want to DDoS anything over Tor, because 1) the nature of the protocol means that the…
Well, one single person running 1000 exit nodes would be potentially armful. Same for 1000 exit nodes running on the same network. That's why it's not very practical to simply write a deployment script for some major…
Yes: a number of non-profits exist, who operate high-bandwidth Tor exit nodes. In Europe and North America, many of them partnered with the German TorServers.net: https://www.torservers.net/partners.html There are…
Also, remember that the NSA has had that kind of capabilities for a while, yet what came out of the Snowden leaks was “Tor stinks” (read: “We don't know how to break it in any practical sense”).
The point is not that the DB schema will evolve sanely, nothing can guarantee that (nor with JSON). The point is that the schema is explicit: worst case, I can go look it up, and I /know/ that the data conforms to it.
That's FUD and untrue. The first thing you see in Tor Browser is a tab explaining that you got properly connected to Tor, but that Tor in itself is not a complete solution to online privacy and suggests you follow a…
Assuming the server uses SNI, the domain name requested by the client is also sent in plaintext. Also, it's exposed anyway in DNS queries.
There are several reasons you want this, relating to security, privacy and “politics” (in the wider sense). Regarding security, using HTTPS (along with the right measures on externally-hosted content) guarantees (to…