
They’re actually announcing it, they’ve already put it in place and you and your family are now granted access to Tor version 0.1.2.16 by the Tor developers.

You must buy it now

Official Tor story regarding security of current versions of Tor and good reasons to upgrade is this:

Tor 0.1.2.16 fixes a critical security vulnerability that allows a
remote attacker in certain situations to rewrite the user’s torrc
configuration file. This can completely compromise anonymity of users
in most configurations, including those running the Vidalia bundles,
TorK, etc. Or worse.

Users who do not have ControlPort enabled are secure; if you are not
sure, you should upgrade and you should probably overwrite your torrc
file with the default when you upgrade. More details will be posted over
the next few days.

https://tor.eff.org/download.html

We have Vidalia bundles for OS X Tiger on the website now. The recommended
workaround for Windows users is either to wait until we have a Vidalia
bundle ready, or do separate installs of the Win32 “expert” package from
 https://tor.eff.org/download-windows

and the Windows Vidalia-only package from
 http://vidalia-project.net/download.php

Changes in version 0.1.2.16 – 2007-08-01
o Major security fixes:
- Close immediately after missing authentication on control port;
do not allow multiple authentication attempts.

Immediate danger indicated

Unofficial developer on IRC story regarding the new version is this:

02:06 < xiando> I read the announcement. It says immediate danger for all tor users. very bad. news at 11.
02:07 < nickm> yup. all users who don’t upgrade. quite bad. upgrade upgrade upgrade.

You upgrade your Tor immediately by downloading from https://tor.eff.org/download.html (or svn update)
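The advisory above says only installs with ControlPort enabled are exposed and recommends replacing torrc with the default. The following audit is an added example, not code from the Tor project or the original post: it reports whether a torrc enables ControlPort, which control-port authentication options are set, and which lines differ from a known-good baseline. The two torrc texts are constructed samples, and the parsing is a simplified reading of the torrc format.

```python
def parse_torrc(text):
    """Return (option, value) pairs; option names lower-cased, comments dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplified: '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def audit_torrc(text, baseline_text):
    """Compare a torrc against a baseline and summarise control-port exposure."""
    entries = parse_torrc(text)
    baseline = set(parse_torrc(baseline_text))

    # Conservative: any non-zero ControlPort line counts as enabled.
    enabled = any(n == "controlport" and v not in ("", "0") for n, v in entries)

    auth = []
    if any(n == "hashedcontrolpassword" and v for n, v in entries):
        auth.append("HashedControlPassword")
    if any(n == "cookieauthentication" and v == "1" for n, v in entries):
        auth.append("CookieAuthentication")

    # Lines that are not in the baseline deserve a manual look, since the
    # advisory warns that the file itself may have been rewritten.
    unexpected = [e for e in entries if e not in baseline]
    return {
        "control_port_enabled": enabled,
        "control_auth": auth,
        "unexpected": unexpected,
    }


# Constructed stand-in for a packaged default torrc (assumption, not the real file).
CONSTRUCTED_DEFAULT = """\
# default configuration
SocksPort 9050
"""

# Constructed torrc of the kind the advisory is concerned with.
CONSTRUCTED_SUSPECT = """\
SocksPort 9050
ControlPort 9051        # no authentication option set
SocksListenAddress 127.0.0.1
"""

if __name__ == "__main__":
    report = audit_torrc(CONSTRUCTED_SUSPECT, CONSTRUCTED_DEFAULT)
    print("ControlPort enabled:", report["control_port_enabled"])
    print("Control auth options:", report["control_auth"] or "none")
    for name, value in report["unexpected"]:
        print("not in baseline:", name, value)
```

A clean result does not replace the upgrade to 0.1.2.16; it only tells you whether this torrc matches the condition the advisory names.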

Tor v0.2.0.3-alpha has a new killer feature against blocking which may prove to be extremely cool. It allows you to run as a bridge which can be used by other people who want to connect to the Tor-network.

Those who configure their Tor-clients as Bridges pass traffic between end-users and the Tor-network.

People who can’t get to the Tor-network because the main Tor-network is blocked can connect to a bridge (which hopefully isn’t blocked) and use that to get to an uncensored version of the Internet.

Tor is the adversary

Bridges make it so much harder to block people from the Tor-network. If your corporation, school, government or anyone else says that

“Tor is bad and privacy is bad and anonymity is bad and we need to turn it all off and we do not want you or your family to have access to this technology”

and they block you from connecting to all known Tor-servers then all you have to do is to find someone who is running a bridge and use that to get to the Tor-network. The adversary can just download a complete list of all Tor-servers and block them. It is that much harder for the adversary to figure out that some computer on some ADSL somewhere is a bridge when there is no huge list which includes it.

Official “please test this” story

The official Roger Dingledine story regarding this is:

Hi folks,

The upcoming 0.2.0.3-alpha release has a couple new features from the
blocking-resistance design we’re working on. I’m going to write down more
details about how it works soon, but I wanted to give people a chance
to play with it (and report problems) now that it’ll be out in a release.

For background on the design, see
 https://tor.eff.org/svn/trunk/doc/design…

In short, the new Tor release lets you run a relay that isn’t in the
main directories (known as a bridge), and you can configure your client
by giving it a set of bridge addresses to use as your first hop into
the Tor network and as your source of directory information. There’s no
support in Vidalia for it yet, and the design is still in flux, but here
are some tips to get you started.

(Warning: these instructions are geared for people who are comfortable
editing their torrc and messing around with Tor. If it breaks and
you think it’s a bug, please let me know; if you just fail to get it
working, wait for a few more releases and it’ll be easier. Also, note
that these features alone do not provide very good blocking-resistance;
more features are on the way still.)

Thanks!
–Roger

********* Part one: using a bridge when you’re a client *****

Add these lines to your torrc file:

UseBridges 1
TunnelDirConns 1
Bridge 128.31.0.34:9009 4C17 FB53 2E20 B2A8 AC19 9441 ECD2 B017 7B39 E4B1

You can specify as many Bridge lines as you like, one for each bridge
you’d like to use. You can leave out the key if you don’t know it or
don’t care:

Bridge 128.31.0.34:9009

******** Part two: setting up your own bridge ***********

Configure yourself as if you were a normal Tor server. Make sure to
define a DirPort. Then add this line to your torrc file:

PublishServerDescriptor 0

This makes you into a Tor server that doesn’t advertise on the main
directory authorities. You should tell people your IP address and ORPort
(and optionally your identity fingerprint) and they can write their own
Bridge lines as in “Part one” above.

Optionally, you may want to set

RelayBandwidthRate 50 KB
RelayBandwidthBurst 50 KB

instead of the more traditional BandwidthRate and BandwidthBurst options,
so you can use your bridge as a Tor client too and not get hit by your
own rate limiting.

********Part three: a bridge directory authority *********

For the adventurous, I’m also running a temporary bridge directory
authority. If you want your bridge to publish to this bridge authority,
use these lines in your torrc:

PublishServerDescriptor bridge
dirserver moria1 v1 orport=9001 128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441
dirserver moria2 v1 orport=9002 128.31.0.34:9032 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF
dirserver tor26 v1 orport=443 86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D
dirserver lefkada orport=443 140.247.60.64:80 38D4 F5FC F7B1 0232 28B8 95EA 56ED E7D5 CCDC AF32
dirserver dizum 194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755
dirserver moria5 orport=9005 bridge no-v2 128.31.0.34:9035 F812 FCC1 E3EB E2E8 1C09 E516 E51A F9BF AFE3 3974

The first line specifies to publish to all authorities of type ‘bridge’,
and the last line specifies a new dirserver of type bridge. The others
are just repeating the current dirservers so we don’t lose them when we
define a new one. I promise I’ll have a better interface for this soon. :)

Then clients that use your bridge can add

UpdateBridgesFromAuthority 1

to their torrc, and now even if your IP:port change (for example you’re
on a dynamic IP address), they’ll still be able to find you again.

Tor v0.2.0.3-alpha

Roger Dingledine just bumped Tor SVN revision 10982 (/tor/trunk) to 0.2.0.3-alpha and put it in place for immediate testing at http://freehaven.net/~arma/tor-0.2.0.3-alpha.tar.gz

The Changelog.

0.2.0.3-alpha changelog story is this:

Changes in version 0.2.0.3-alpha – 2007-07-29
o Major features:
- Create listener connections before we setuid to the configured
User and Group. Now you can choose port values under 1024, start
Tor as root, and have Tor bind those ports before it changes to
another UID.
- New ConstrainedSockets option to set SO_SNDBUF and SO_RCVBUF on TCP
sockets. Hopefully useful for Tor servers running on “vserver”
accounts. (Patch from coderman.)
- Be even more aggressive about separating local traffic from relayed
traffic when RelayBandwidthRate is set. (Refines proposal 111.)

o Major features (experimental):
- First cut of code for directory authorities to vote on a common
network status document rather than each publishing their own
opinion.  This code needs more testing and more corner-case handling
before it’s ready for use.

o Security fixes:
- Directory authorities now call routers Fast if their bandwidth is
at least 100KB/s, and consider their bandwidth adequate to be a
Guard if it is at least 250KB/s, no matter the medians. This fix
complements proposal 107. [Bugfix on 0.1.2.x]
- Directory authorities now never mark more than 3 servers per IP as
Valid and Running.  (Implements proposal 109, by Kevin Bauer and
Damon McCoy.)
- Minor change to organizationName and commonName generation procedures
in certificates, to invalidate some earlier censorware approaches.
This is not a long-term solution, but applying it will give us a bit of
time to look into the epidemiology of countermeasures as they spread.

o Major bugfixes (directory):
- Rewrite directory tokenization code to never run off the end of
a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]

o Minor features (controller):
- Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
match requests to applications. (Patch from Robert Hogan.)
- Report address and port correctly on connections to DNSPort. (Patch
from Robert Hogan.)
- Add a RESOLVE command to launch hostname lookups. (Original patch
from Robert Hogan.)
- Add GETINFO status/enough-dir-info to let controllers tell whether
Tor has downloaded sufficient directory information. (Patch
from Tup.)
- You can now use the ControlSocket option to tell Tor to listen for
controller connections on Unix domain sockets on systems that
support them. (Patch from Peter Palfrader.)
- STREAM NEW events are generated for DNSPort requests and for
tunneled directory connections. (Patch from Robert Hogan.)
- New “GETINFO address-mappings/*” command to get address mappings
with expiry information. “addr-mappings/*” is now deprecated.
(Patch from Tup.)

o Minor features (misc):
- Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
from croup.)
- The tor-gencert tool now creates all files as readable to the file
creator only, and write-protects the authority identity key.
- When dumping memory usage, list bytes used in buffer memory
free-lists.
- When running with dmalloc, dump more stats on hup and on exit.
- Directory authorities now fail quickly and (relatively) harmlessly
if they generate a network status document that is somehow
malformed.

o Performance improvements:
- Be more aggressive with freeing buffer RAM or putting it on the
free lists.
- If exit bandwidth ever exceeds one third of total bandwidth, then
use the correct formula to weight exit nodes when choosing paths.
(Based on patch from Mike Perry.)
- Use Critical Sections rather than Mutexes for synchronizing threads
on win32; Mutexes are heavier-weight, and designed for synchronizing
between processes.

o Deprecated and removed features:
- RedirectExits is now deprecated.
- Stop allowing address masks that do not correspond to bit prefixes.
We have warned about these for a really long time; now it’s time
to reject them. (Patch from croup.)

o Minor bugfixes (directory):
- Fix another crash bug related to extra-info caching. (Bug found by
Peter Palfrader.) [Bugfix on 0.2.0.2-alpha]
- Directories no longer return a “304 not modified” when they don’t
have the networkstatus the client asked for. Also fix a memory
leak when returning 304 not modified. [Bugfixes on 0.2.0.2-alpha]
- We had accidentally labelled 0.1.2.x directory servers as not
suitable for begin_dir requests, and had labelled no directory
servers as suitable for uploading extra-info documents. [Bugfix
on 0.2.0.1-alpha]

o Minor bugfixes (dns):
- Fix a crash when DNSPort is set more than once. (Patch from Robert
Hogan.) [Bugfix on 0.2.0.2-alpha]
- Add DNSPort connections to the global connection list, so that we
can time them out correctly. (Bug found by Robert Hogan.) [Bugfix
on 0.2.0.2-alpha]
- Fix a dangling reference that could lead to a crash when DNSPort is
changed or closed (Patch from Robert Hogan.) [Bugfix on
0.2.0.2-alpha]

o Minor bugfixes (controller):
- Provide DNS expiry times in GMT, not in local time. For backward
compatibility, ADDRMAP events only provide GMT expiry in an extended
field. “GETINFO address-mappings” always does the right thing.
- Use CRLF line endings properly in NS events.
- Terminate multi-line control events properly. (Original patch from tup.)
[Bugfix on 0.1.2.x-alpha]
- Do not include spaces in SOURCE_ADDR fields in STREAM events. Resolves
bug 472.  [Bugfix on 0.2.0.x-alpha]

o Minor bugfixes (misc):
- Choose perfectly fairly among routers when choosing by bandwidth and
weighting by fraction of bandwidth provided by exits. Previously, we
would choose with only approximate fairness, and correct ourselves
if we ran off the end of the list. [Bugfix on 0.1.2.x]

No announcement yet

The Changelog is in the SVN. The package is packed. 2.0.3 is as good as released.

But it must be mentioned that there is no official announcement at this point in time. However, tor-0.2.0.3-alpha.tar.gz will be available at the official site & mirrors in addition to http://freehaven.net/~arma/tor-0.2.0.3-a… shortly.

You can also get the sourcecode for this exact version using the following command:

svn checkout https://tor-svn.freehaven.net/svn/tor/tr… tor -r 10982

DNS Server

One last detail. The latest Tor version can be used as a DNS server. All you have to do is to add something like this to your torrc:

DNSPort 53
DNSListenAddress 127.0.0.1

Root involvement also nice

New versions can also start as root, bind to low ports and then leave root and run doggedly on as whatever user you’ve set using User and Group in torrc.

Happy upgrading… and good luck. 

Benjamin Schieder has announced that he will no longer develop the ROCKate LiveCD after German laws recently became even more fascist than they were during World War II. ROCKate is a Linux LiveCD which includes anonymity software such as Tor. It is clear that the tyrannical German government does not want you or your loved ones to have access to this technology. No. Benjamin announced the following information regarding this at OR-Talk:

Hi people.

In response to a law that passed the german legislative today, I will cease
production, development and distribution of ROCKate binaries and – maybe -
even source code soon.

The reason is §202c StGB which states (IANAL translation):

“Producing, acquiring, selling, giving, distributing or making-accessible of
passwords or other access codes as well as computer programs whose aim it is
to commit a crime … will be punished with up to one year in jail or a fine.”

See also: http://www.phenoelit.de/202/202.html

Basically, these waters are too hot for me to tread in. Though the official
reading of the wall – reading from politicians that is – says that they only
target ‘criminals’ and there is no need to worry with the wording, nobody
knows when some underworked lawyer thinks he might go on to sue the ass off
of everyone in IT.

If someone wants to mirror/host/develop ROCKate further, be my guest. If you
need technical assistance, I can offer guidance, but I probably won’t write
a single line of code anymore. Sorry.

Greetings, Benjamin

If you are in a country which is slightly more free than Germany and you want to help keep the ROCKate project alive then please do so. It is clear

Someone posted a comment saying that it is hard to get a valid copy of a new version of Tor. It’s real easy if you already have a working version of Tor: Go to https://tor.eff.org/download.html.en and download a new copy using Tor. The website is https, the certificate has fingerprint 00:FE:80:50:1A:33:90:B4:97:DE:D7:FF:4D:31:D8:30:7B (issued to *.eff.org) and you can be sure the copy you get is valid since you are using an end-to-end https connection.

It may be slightly harder to get a copy of Tor if you don’t have a working copy of it already and tor.eff.org is blocked in your country (there are many mirrors like https://tor.linuxreviews.org/ which may work if tor.eff.org is blocked). If all the sites where it can be downloaded on the net are blocked, perhaps the best thing to do is to ask around and find out if anyone you know has a copy. If you have a copy of Tor then it’s easy to get a new version: just download the upgrade using Tor.

Random open WIFI networks and pay-per-use public WIFIs at cafés and such are great if you have a laptop computer. But can you trust them? Are they perhaps subject to surveillance? How do you know if an adversary or anyone else for that matter is watching your traffic?

Encrypt past your local adversary

The Google Scraper Scroogle.org is now offering its SSL version under the slogan “(coffee shop WiFi entrance)”. This is great if you just want to hide which search-terms you are submitting to Google via Scroogle from someone who is watching you locally, but there’s a catch:

They know that you’re connected to Scroogle using an HTTPS connection. It is encrypted, but it’s there in plain sight: everyone can see that you’re sending a few bytes this way and getting slightly more back that way, and it’s plainly obvious that you’ve searched for something. It is still easy to profile you and classify you as “the terrorist” by doing traffic analysis of your activities on the Internet even if all the sites you visit are visited using https. Big Brother will just say “We know you’re viewing a lot of pages on all these subversive websites. We don’t know what you are looking at there since you are viewing them using https, but we don’t care; we know all these sites are subversive and we don’t care exactly what subversive activity you are interested in.”

Tor is a better solution when you’re at a public cafe. Or using some random WIFI you stumbled upon. It will encrypt your traffic through the wifi and through three random Tor-servers; the traffic then comes out at some random Tor exit node and goes to the website you are interested in. The only catch is that you can’t submit plaintext login information over Tor since you should assume that all Tor-traffic is eavesdropped (which isn’t near as upsetting as it sounds, all someone watching what goes out of a Tor exit node sees is that “some guy who came through the Tor-network fetched some website”).

Good for non-wifi cafés too.

One last detail: You probably want to buy one of those really cheap 1 GB USB memory sticks and put a Linux distribution which includes Tor or something like that on it. You’ll find that real handy if you come across an Internet café without a WIFI, in which case you have to use their desktop computers.

Incognito is yet another Linux Live-CD for network anonymity when you are on the move. It’s based on Gentoo Linux and boots into a complete Linux system where all the network traffic goes through the Tor onion router.

The CD comes in a “small” version with Firefox, Fluxbox as a window manager and Tor/Privoxy, and a full version with KDE and a whole lot of network security tools.

The CD may be an especially good investment in fascist-ruled countries such as those within the NATO alliance since it will allow you to access censored websites and also allow you to download later versions of Tor if the tyrannical G8 dictators in the supposedly “free” world suddenly decide to revoke the common people’s access to uncensored information.

The CD may also be essential if you frequently travel from place to place and use the Internet – that is, if those places allow you to reboot the computers using your own CD; many libraries and Internet cafés will not allow you to do that. However, it’s been rumored that Internet café employees in Egypt only require a very small tip to allow tourists to do this. The same may be true in other parts of the world.

See http://www.patdouble.com/incognito.htm to download and to get more information.

The relatively unimportant photo sharing website Flickr is now supposedly partly censored when viewed by people from The Middle Kingdom. Flickr story regarding this on their “Help / Forum” is:

Update from Flickr staff (10:00 PDT, June 7th) : It seems that access to our image servers is being blocked for users in much of China. Our technical staff has looked into this at depth and determined this is not a technical issue from our end. We will keep an eye on the situation and update if we get any developments.

Update from Flickr staff [2] (01:00 PDT, June 8th) : We are checking periodically to see if the block is still in place, but haven’t detected any change. We hope that this is a temporary issue and we currently believe that it will be. In the meantime, we are investigating our alternatives. Thanks for your patience,

Xiamen protest censorship indicated?

Flickr is mostly used by the almost completely mindcontrolled drone-like slaves within the NATO alliance to share pictures of their mostly dumb-as-cows dressed-up-as-dictated-by-television friends and loved ones. Internet rumors indicate that numerous more interesting pictures than usual have been uploaded to Flickr the last few days:

There were huge demonstrations against the building of a chemical plant in Xiamen, China the whole week after construction workers decided to stop working on May 30th. Rumors indicate that many pictures from these protests were uploaded to Flickr and other sites on the Internet. The Flickr-claimed censorship of images to users visiting from China just happened to start shortly after these significant demonstrations in Xiamen.


The rumors of censorship are likely true. This is indicated by the heavily-censored chronically-lying western “free” press agency “The Associated Press”, which claims that the protests were not in the streets but done by text messages. Thus; China already having enlisted the fascist western “news outlets” in their propaganda may compel them to take serious measures to ensure that the truth is heavily suppressed.

Tor solution still working

It’s still possible to make connections from China to the whole Tor-network. Thus; it’s still possible to make uncensored connections to Flickr using a Tor-client – which is available from tor.eff.org & tor.linuxreviews.org. Tor is mainly used by people within the NATO alliance to avoid government torture for reading or writing the wrong thing on the Internet, but it also works great to view partially censored sites such as Flickr claims to be when visiting from China right now.

The long-established location hidden Tor-service The Hidden Wiki (http://6sxoyfb3h2nvok2d.onion/) is now gone and now only shows the following message:

“The hidden wiki is gone. If you set up a new one and post the link to the or-talk list I’ll link it from here. 06/07/07.”

There are several location hidden wikis. The one known as The hidden wiki is the one admitted and recommended as a starting point for people who are new to Tor and the only-available-to-Tor-users location hidden services, which possibly explains why this particular hidden wiki is known as The hidden wiki.

Location hidden services are websites and services that are provided using a Tor-server and can only be accessed using a Tor-client. The actual domains for the services are hard to guess (and remember) because the domains are actually hashes of a private key. This provides security since you can be sure that the service you connect to is actually run by the person(s) who have the key for the hash you are visiting. It also makes location hidden services very hard to find by accident.
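How a 16-character .onion name of this era binds to a key, as an added example that is not part of the original post: the name is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key (the public half of the key pair whose private half the operator holds). The moduli below are constructed numbers used only to produce well-formed DER; they are not usable RSA keys.

```python
import base64
import hashlib

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body


def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey: SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def onion_address(pub_der):
    """First 10 bytes (80 bits) of SHA-1 over the DER key, base32, lower case."""
    digest = hashlib.sha1(pub_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_matches_onion(hostname, pub_der):
    """True only if hostname is a well-formed 16-char name derived from pub_der."""
    name = hostname.strip().lower()
    if not name.endswith(".onion"):
        return False
    label = name[: -len(".onion")]
    if len(label) != 16 or any(c not in BASE32_ALPHABET for c in label):
        return False
    return name == onion_address(pub_der)


# Constructed 1024-bit values (NOT real RSA moduli), for illustration only.
KEY_A_DER = rsa_public_key_der((1 << 1023) | 0x5EED5EED5EED5EED | 1, 65537)
KEY_B_DER = rsa_public_key_der((1 << 1023) | 0x0DDBA11C0FFEE | 1, 65537)

if __name__ == "__main__":
    addr = onion_address(KEY_A_DER)
    print(addr)
    print("key A owns it:", key_matches_onion(addr, KEY_A_DER))
    print("key B owns it:", key_matches_onion(addr, KEY_B_DER))
```

Only 80 bits of the hash end up in the name, so the binding between name and key is no stronger than that truncated hash.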

The hidden wiki was a nice starting point for location hidden services, a “front page” if you will. Now it’s gone. Thus; I feel compelled to provide some other nice starting points for people who are relatively new to Tor and location hidden services.

nnqtnsoohprzqcke


Nnqtnsoohprzqcke(tm) is a Tor-land search-engine based on the free DataParkSearch search engine software. It’s a great first step into the world of location hidden Tor-services for two important reasons:

  1. It looks very much like that well-known non-Tor search-engine.
  2. It’s fast. Relatively speaking. Tor’s .onion services are slower than normal websites. Searching nnqtnsoohprzqcke is slower than other search-engines for this reason, but the slight delay is limited to the typical “it’s a .onion site”-delay. nnqtnsoohprzqcke itself seems very fast.

Toogle

Toogle is the other good Tor-land search-engine. It’s based on mnogosearch and is a nice startingpoint. It seems to return fewer and less relevant results than Nnqtnsoohprzqcke(tm), but still: It’s relatively fast and it presents a clean search-result page.

..just a few more tips..

The above mentioned search-engines should allow you to find most of the interesting non-closed community location hidden services. Here are a few more startingpointers just for fun:

  • onionforum – perhaps the most visited/used forum in onionland.
  • APE hidden services links – A wikipage with a list of location hidden services, much like the one which was at the front page of The hidden wiki.

This should be enough links to .onion-land to get you started on the anonymous and uncensored Internet. :-)

One last little detail: There are a few location hidden services that may upset some people. 99.9% of them are labelled as such when linked to, so the chance of accidentally visiting a site with content that is disturbing to most people is relatively low. But it may happen. You’ve been warned. Now.. welcome to Tor-land and do enjoy all the subversive sites and services out there!

E-mail spam has been a huge problem for years and it just doesn’t want to go away. And the line between a spam mailing list and an interesting mailing list is sometimes thin.

“Kyle” had this to say in a reply to a message about problems with the anonymity software Tor on the OR-Talk mailing list:

FIRST AND FINAL WARNING!!!!
You have 48 hours to remove me from your mailing list.
If you do NOT remove me, I will DDOS (Distributed Denial of Service) your
server until you are broke.

Try me, I got 10 OC192’s, 15 OC48’s, and 8 OC12’s just waiting for shit like
this…and I’m getting pissed. If you are working for yourself or some spam
king, either way the “customer” who is paying you to “advertise” will NOT be
happy when they spent their money to be only be attacked in return.

Remove me or else I remove your source of revenue.

Again, FIRST AND FINAL WARNING!!!!

Have a nice day and get a real fucking job.

“Kyle” then got a copy of his message to the mailing list back to him and realized that it was a reply to a legitimate message from a mailing list he subscribes to – and not a reply to spam. He then mailed this to OR-talk:

Subject: IGNORE PREVIOUS MESSAGE
I was testing a spam-reply script and  or-talk at freehaven.net got into it
somehow.
My bad, sorry.

Well, good luck with your spam-reply script, Kyle! I personally think such scripts are a bad idea, because what they really do is tell the spammer that “You know, this is a valid e-mail account, your spam is getting through, you should mark it as a valid mail account and send it more spam”.

Oh, btw. Don’t mess with Kyle. Remember, he’s got all those 10 OC192’s, 15 OC48’s, and 8 OC12’s just waiting for shit.
