Tor Open Hack Day in Berlin (for everyone)

Hello!

We are very happy to tell you that the Tor meeting in Berlin is currently underway!

During the past days we've been busy discussing the future of Tor as an organization and designing the protocols and features that we want to see in the future.

We would like to inform you that tomorrow (Thursday, October 1st) we will be having an open day where everyone is welcome to come and discuss Tor with us. People interested in Tor are welcome regardless of their background or skills.

The meeting is taking place at Betahaus in Berlin all day, and you can find more information in the wiki.

Looking forward to seeing you here!

Thank you!

Anonymous

October 15, 2015

Whenever I get into tor, it doesn't matter which sites/services I visit the entry node will always be from the same country. This remains true even when setting a new identity or reinstalling tor browser. Excluding the country in question will only cause a new country to be the source of my entry nodes.

Is this the expected behavior?

Yes, that is expected. If you choose a different random entry relay every time, the odds of eventually hitting a collaborating entry and exit are quite high. When that happens, and you use that circuit to, say, log into an account, then anything you may have done with that account is now connected to you.

Anonymous

October 16, 2015

What are some ways to detect & deter (hack) Pentium computer chips and the current model of products that are emitting signals 24hrs, even in their turned off state including removal of batteries?

This is from your average desktop to the iwatch and bluetooth.

Thank you all for your efforts.

Namaste,
imu

Anonymous

October 16, 2015

Hello, I'm sorry I have to put this comment here:
Don't you have TOR for IOS users?
Sincerely

Anonymous

October 16, 2015

> Shin Bet and Mossad can and do trace and capture originating ip addresses anywhere and anytime throughout the TOR network

There seem to be three claims here:

1. "Shin Bet and Mossad can ... capture originating ip addresses [connecting to the Tor network]"

Agreed, agencies which have created a national e-dragnet can fairly easily tell which IPs are connecting to Tor directory authorities.

2. "capture ... anywhere and anytime"

It is well established that using its near-global e-dragnet, NSA can and does attempt to record hour by hour every IP which connects to the Tor network (and the Snowden leaks suggest how they constructed its e-dragnet), but if you think Israeli agencies can do the same, please explain!

The Snowden leaks do show that NSA shares certain "raw SIGINT" data feeds with Israeli agencies, so it is possible Shin Bet and Mossad are granted access to the NSA server which tracks IP addresses which have recently connected to a Directory Authority.

Is that what you meant?

3. "Shin Bet and Mossad can and do trace ... ip addresses anywhere and anytime throughout the TOR network"

Conventional wisdom holds that tracing Tor data streams through the Tor network itself from source IP to destination IP is not possible in general for NSA, Shin Bet, or any other agency. (If they have planted surf-logging malware on the user's computer, they presumably would not need to try.)

It seems to be true, unfortunately, that traffic analysis can enable any agency controlling a near-global e-dragnet (and if NSA has one, we can be confident China, Russia, etc have or desire one too) to un-mask regular Tor users. People who operate or frequently use hidden services also face additional risks (from FBI malware attacks etc.). But you seem to be talking about a different mechanism.

Can you explain?

Anonymous

October 16, 2015

Reference is made to open and presumably examinable source code in a number of places. How many people wonder about the compilation phase? Could a compiler be engineered in such a way that, on the surface, code compiles correctly but small pockets of binary code are injected into the executable such that the resulting program, when run, does other less honourable things? Herein is the rub, I think. Unless you have a very good understanding of low-level programming (or assembler), not to mention plenty of time on your hands, the odds of finding very discreet harmful modifications to compiled code are rather difficult at best. I'm speculating of course, but a point worth exploring for those who dare to venture into the labyrinth of very low-level programming!!

TBB/Tails users please note: current versions are vulnerable to the Logjam attack! See:

https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-…
How to Protect Yourself from NSA Attacks on 1024-bit DH
Joseph Bonneau and Bill Budington
15 Oct 2015

The issue is easily fixed:

In about:config in Tor Browser, toggle these to "false"
"security.ssl3.dhe_rsa_aes_128_sha"
"security.ssl3.dhe_rsa_aes_256_sha"

Check at https://www.howsmyssl.com to see that your cipher suite no longer includes the lines
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

See also:

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions…
How the NSA can break trillions of encrypted Web and VPN connections
Dan Goodin
15 Oct 2015

http://www.slate.com/blogs/future_tense/2015/10/16/researchers_say_the_…
This Common Cryptography Method Is Alarmingly Vulnerable
Josephine Wolff
16 Oct 2015

https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breakin…
How is NSA breaking so much crypto?
Alex Halderman and Nadia Heninger
14 Oct 2015

This is serious! Tor Project userbase-assistants, please blog about this and make the change in next edition.

On the bright side, Tor Browser appears to offer protections against these issues:

uses TLS 1.2: good
uses Ephemeral key: good
no TLS compression: good
no BEAST attack: good
no insecure cipher suite: good

I recall when the Project painfully fixed BEAST vulnerability and upgraded from TLS 1.1, so thanks again for that.

@tor : https://helloworld.letsencrypt.org/
why is it not done here yet ?

https://edri.org/data-retention-german-government-tries-again/
(couldn't find much in English to date)

Outrage!

The next German data retention law has just passed parliament. Despite jurisdiction of both the constitutional court of BRD in Karlsruhe and the EUGH, members of the Bundestag did it again.

404 voted yes
148 voted no
7 abstained
Germany has a big coalition to date, so that big coalition can pass laws with ease. Very dangerous, a coalition this big can even change the German constitution, turn it into a pile of rubble if it so pleases. And yes, I know it isn't even a true constitution but that is another story.

Both courts ruled that data retention hurts human rights. In other words, data retention is illegal after laws of the BRD.

Such is the crime and the mind of members of the Bundestag.

> The next German data retention law has just passed parliament.

It would be useful for some civil liberties group to tabulate current metadata retention requirements like this:

                  DE          USA           UK
dialed-number     10 weeks    5-10 years    ?
call-duration     10 weeks    5-7 years     ?
email-headers     10 weeks    5-7 years     ?
geolocation       4 weeks     10 years      ?
encrypted-data    ?           eternity      ?

The American numbers are not made up, but based upon the Snowden leaks, so in 2015 the current requirements are certainly different (and expected to change again in the next few months). The German numbers come from this article:

http://www.theregister.co.uk/2015/10/16/germany_ok_controversial_data_r…
Germany says Ja to data-slurp law 2.0
Controversial regulations approved
Jennifer Baker
16 Oct 2015

All the governments are racing each other for the prize of "leader of the cryptofascist world".

"And Germany takes a small lead... but here is Austria coming up fast on the outside:"

http://arstechnica.co.uk/tech-policy/2015/09/austria-plans-ten-new-spy-…
Austria plans 10 new spy agencies with vast surveillance powers
"Justified suspicion" enough to spy on citizens; no warrant needed, little oversight allowed.
Glyn Moody
10 Sep 2015

We must not forget that GCHQ is also trying to "buffer" (store for analysis at leisure) all content of all internet datastreams everywhere in the world in its TEMPORA system:

https://theintercept.com/gchq-appendix/

And NSA was storing the *content* of every phone call in numerous countries, apparently on the theory that everyone in the Bahamas is a potential dope-dealer, and thus a potential threat to the national security of the US [sic], a proposition which ordinary citizens in that nation might dispute:

https://theintercept.com/2014/05/19/data-pirates-caribbean-nsa-recordin…

All that was in 2013. According to an NSA saying, "opponents never become *less* capable over time", so we should expect that in 2015 the content storing ambitions/capability of NSA/GCHQ/... are even more frightful.

While I think tor is a MUST for today's censored world, some people, either out of ignorance or due to specific mission, want to portray tor as evil and in many cases as a haven for child pornography which is today's buzz word for eliminating any dissent under the guise of fighting child pornography. The link below is given from a reputable and honest site that fights the censorship in Iran.

https://tech.khodnevis.org/article/65866

It has shown tor as what I described above. Since I have no way of giving good input to the site, please let them know how useful tor is for Iranians and I for one could not access their site if it were not for tor. This issue should be addressed strongly that tor is not for outlaws, it is for all the good people who want to live and speak freely.

It is the vested interests trying to bring down Tor by bringing it into disrepute who are responsible for the 'criminality' on the network: a three-letter agency was even busted uploading CP to the 'dark-web'.

Could you please elaborate? Evidence that a government planted illegal material in order to incriminate users would make for a nice article.

Been seeing this quite regularly whilst browsing with Tor:

"Access denied. Your IP address [77.247.181.165] is blacklisted. If you feel this is in error please contact your hosting providers abuse department."

Wonder who this 'hosting provider' is... ?

Yeah, this is super-sad. I've seen it a few times recently too.

For more background reading on the general topic, see
https://blog.torproject.org/blog/call-arms-helping-internet-services-ac…

BlueCoat web hosting appears to be responsible for this.

Yeah, keep getting this message when trying to access torproject.org through Tor :)

Hm! I wonder which exit relay you are using. Maybe it has some sort of censorship getting in the way.

On further thought, maybe this is why you should be going to *https*://www.torproject.org, not just "torproject.org"? :)

CISA is about to pass the US Senate by a wide margin. What does this mean for Tor users? Nothing good. At a minimum, expect more and more doors to shut in real life because you have been identified as a Tor user or someone who advocates strong citizen cryptography (that's regarded as "suspicious"). At worst, over time, using Tor may be effectively outlawed in the US. The true effects of the bill will be shrouded in deep secrecy, and may only become apparent over time through an increasing number of anecdotal reports of retaliation against journalistic sources, activists, human rights workers, and privacy/anti-censorship advocates.

Here's why the bill is so awful:

http://www.slate.com/articles/technology/future_tense/2015/10/stopcisa_…
The Many, Many, Many Flaws of CISA
Mike Godwin
26 Oct 2015

In brief:

* a surveillance bill disguised as a cybersecurity bill
* does NOTHING to improve cybersecurity
* financial incentives for companies NOT to improve cybersecurity
* financial incentives for companies to "voluntarily" share info on their customers
* personal information will be widely shared, poorly protected
* info will be shared in bulk with DHS, NSA, NCTC, etc.
* can be used for purposes other than "cybersecurity"
* enshrines state-sponsored discrimination
* facilitates IRL retaliation against activists, whistle-blowers
* blanket immunity for companies to violate privacy regulations
* blanket exemptions allowing government to violate transparency laws
* blanket exemption from examination by regulatory agencies
* key terms such as "cybersecurity threat", "personal info" undefined
* interpretation of bill by TLAs will be secret and aggressive

A minority of Senators, including Ron Wyden and Al Franken, tried hard to introduce amendments which would blunt the worst effects of CISA on US citizens:

https://cdt.org/blog/guide-to-cybersecurity-information-sharing-act-ame…
Guide To Cybersecurity Information Sharing Act Amendments
23 Oct 2015

One by one, the US Senate has voted them all down:

http://thehill.com/policy/cybersecurity/258189-senate-kills-privacy-adv…
Senate kills privacy advocates' bid to change cyber bill
Cory Bennett
27 Oct 2015

The mood of the enemies of privacy is triumphant:

http://thehill.com/policy/cybersecurity/258170-cyber-bill-to-sail-in-se…
Cyber bill to sail in Senate
Cory Bennett
27 Oct 2015

But our enemies are not satisfied and continue to call for future warrantless dragnet surveillance/sharing "enhancements":

http://thehill.com/blogs/floor-action/senate/258200-reid-cyber-bill-bet…
Reid: Cyber bill 'too weak'
Jordain Carney
27 Oct 2015

Any comment from Tor Project on the likely impacts of CISA on the US Tor user community?

Where do I go for some good beginners' knowledge on hacking? I wanna arm myself to join the fight against ISIS and the KKK online!