- tor-dev - lists.torproject.org

.i2p address support in torsocks
by David Goulet 02 Nov '13

02 Nov '13

Greetings everyone! I've been approached by I2P folks for adding ".i2p" address support in Torsocks. Since what torsocks does can be applied for both Tor and I2P, they felt that duplicating was not a good idea thus asking if merging both systems make sense and is possible. For now, it would only be .i2p address support (like .onion). In torsocks, it's not that difficult to support both addressing. I'm all for it, I don't see why it should not be done so I'm asking the community what do you think about that :). I can already see a question coming after this email being "Well there is "Tor" in torsocks". I'll keep that for an other thread because the whole naming of torsocks is on my todo list of things to discuss but before that I prefer getting the rewrite accepted. Thus, the naming is an "issue" but I want to address it later on (not only because of i2p). Cheers! David

6 8

two new proposals for bridgedb
by isis 02 Nov '13

02 Nov '13

I separated out the backend database improvements to BridgeDB from the social bridge distributor proposal. The former is finished and up for review and is being submitted to potential funders; the latter is still a draft (though now that some parts of the underlying crypto scheme and the threat model are detailed, early review is always helpful if anyone is super eager to point fingers at any mistakes I've made). Copies of both proposals are attached, and are also available in the common BridgeDB repo at https://gitweb.torproject.org/bridgedb.git/blob/refs/heads/feature/7520-soc… and https://gitweb.torproject.org/bridgedb.git/blob/refs/heads/feature/7520-soc… -- ♥Ⓐ isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt

1 0

two new proposals for bridgedb
by isis agora lovecruft 02 Nov '13

02 Nov '13

I separated out the backend database improvements to BridgeDB from the social bridge distributor proposal. The former is finished and up for review and is being submitted to potential funders; the latter is still a draft (though now that some parts of the underlying crypto scheme and the threat model are detailed, early review is always helpful if anyone is super eager to point fingers at any mistakes I've made). Copies of both proposals are attached, and are also available in the common BridgeDB repo at https://gitweb.torproject.org/bridgedb.git/blob/refs/heads/feature/7520-soc… and https://gitweb.torproject.org/bridgedb.git/blob/refs/heads/feature/7520-soc… -- ♥Ⓐ isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt

1 0

Project "Cute" - Design document and challenges - draft
by SiNA Rabbani 01 Nov '13

01 Nov '13

Dear Team, Sorry for multiple emails, I failed to send to tor-dev@ properly. Here is an attempt, a first attempt at the "Cute" project. Please let me have your comments and suggestions. https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Cute All the best, SiNA ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "Cute" design and challenges - draft 0.1 By: SiNA Rabbani - sina redteam io *Overview* Project Cute is part of the Otter contract. This project is to provide (in the parlance of our time) "point-click-publish" hidden services to support more effective documenting and analysis of information and evidence documenting of ongoing human rights violations and corresponding training and advocacy Our goal is to improve hidden services so that they're more awesome, and to create a packaged hidden-service blogging platform which is easy for users to run. *Objective* To make secure publishing available to activists who are not IT professionals. *Activities* Tor offers Hidden Services, the ability to host web sites in the Tor Network. Deploying hidden services successfully requires the ability to configure a server securely. Mistakes in setup can be used to unmask site admins and the location of the server. Automating this process will reduce user error. We have to write "point-click-publish" plugins that work with existing blogging and micro-blogging software. *Expected results* The result will be a way to provide portals to submit text, pictures, and video. These sites will not have the ability to log information that can be used to track down citizen journalists or other users, and will be resistant to distributed denial of service (DDoS) attacks. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ *Introduction* This document describes the technical risks associated with running a web-based blog tool and exposing it over a hidden service (.onion address). Our goal is to create a packaged blogging platform that is easy to operate for the non-technical user, while protecting the application from a set of known attacks that can reveal and compromise the network identity. Hidden-services make it possible for content providers and citizen journalists to offer web-applications such as blogs and websites, hosted completely behind a firewall (NAT Network) never revealing the public IP of such services. By design, Hidden Services are resilient to attacks such as traffic analysis and DDoS, therefore it becomes compelling for the adversary to focus on the application layer vulnerabilities. According to OWASP Top 10, Injection is the number one security risk for web applications. "Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker?s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization." [1] Running a site such as WordPress involves a LAMP (Linux, Apache, Mysql, PHP) installation. This stack needs to be carefully configured and implemented to meet the desired privacy and security requirements. However, default configuration files are not suitable for privacy and lead to the leakage of identity. WordPress is the most popular blog platform on the Internet. We select WordPress due to it's popular and active core development. WordPress features a plug-in architecture and a template system, "Plugins can extend WordPress to do almost anything you can imagine. In the directory you can find, download, rate, and comment on all the best plugins the WordPress community has to offer." http://wordpress.org/plugins/ Themes and plugins are mostly developed by programmers with little or no security in mind. New code is easily added to the site without the need for any programming skills. This is recipe for disaster, a quick look at the publicly available plugin repository and security forums reveals many of the OWASP top 10 vulnerabilities such as XSS and injection vulnerabilities: http://packetstormsecurity.com/search/?q=wordpress http://wordpress.org/plugins/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ *Adversary Model* We use the range of attacks available to the adversary adversary as the base for our Threat Model and proposed requirements. *Adversary Goals* *Code Injection* This is the most direct compromise that can take place; the ability for the adversary to execute code on the host machine is disastrous. *XSS the front-end, DoS the back-end* The adversary can overwhelm the database backed or the web-server of a dynamically hosted application, denying access to the service. *Location/Identity information* Applications that are not designed with privacy in mind tend to reveal information by default. For example, WordPress includes the name of the editor of a post inside the RSS feed: <dc:creator>John Smith</dc:creator> *Adversary Capabilities - Positioning* The adversary can position themselves at a number of places to execute their attacks. *Local Network/ISP/Upstream Provider* The attacker can hijack the DNS of the plugin repository or perform a man-in-the-middle attack and push malicious code into the blog. *Third party service providers* It is common for a blog to email authentication information. This information is at risk of social and legal attacks. The repository of the blog's source code where themes and plugins are downloaded is a target for the adversary to insert malicious code. *Adversary Capabilities - Attacks* The adversary can perform the following attacks in order to accomplish varies aspects of their goals. Most of these attacks are due to the dynamic and Web 2.0 nature of blog platforms. *SQL Injection & XSS* Dynamic sites take advantage of databases for content storage and JavaSript for client-side presentation. Programming mistakes can lead to code injection on server or client side. *Inserting plugins or core updates* Blog platforms have automatic update install features, WordPress connects to a remote repositories to download updated code. Adversary can perform a man-in-the-middle attack and insert malicious code. *Misbehaving plugins/features* Some plugins depend on remote connections to provide a feature, for e which can lead to leakage of identity. *Brute-force the admin password* Weak passwords are vulnerable to brute-force attacks. Blog engines do not provide protection against such attacks. *Remotely exploiting the LAMP stack* A determined adversary has a very large attack surface to analyze and discover 0-day vulnerabilities in Apache, PHP or Mysql applications. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ *Proposed requirement* *Dynamic to Static* A simple yet effective way to protect dynamic websites is to save a 100% static copy, hosted with a lightweight and well configured http server. We propose Nginx which is a free, open-source, high-performance HTTP server. We have the option of extending existing WordPress plugins such as "Really-Static" (HTTP://word press.or/plugins/really-static/) to generate 100% static files. *Disable Comments and New User signup (POST REQUESTS)* The ability to receive and store comments involves actions and configurations that expose the installation to DoS and other web attacks. We propose to completely disable reader's backed interactions, specifically disabling New User Registration and Comment features. *SOCKS Proxy support for WordPress* WordPress has the ability to proxy its outgoing connections, however the current implementation only supports HTTP proxy. We propose to submit a patch to WordPress core, enabling SOCKS Proxy support: http://core.trac.wordpress.org/browser/tags/3.6.1/wp-includes/class-http.php *Update safety* Tor Project or a partner such as WordPress.org should maintain the latest copy of the WordPress source-code over a .onion address. This will allow for the Core application updates to take place without ever leaving the Tor network and we achieve end-to-end encryption without relying on the traditional SSL/CA model. *OnionPress plugin* Instead of hard-coding our modifications to control WordPress' functionalities, we propose to develop a custom plugin. The plugin will provide a new menu in the Administrative panel of the site. Providing options to interact with Hidden Service features. (Note that Administrative features are going to be restricted from the public and only available to localhost) *User Authentication/Permission Levels* a) Blog Administrator This person is hosting the blog on a local computer and has physical access to the installation. There is only 1 of such role. This login will be restricted to localhost only. b) Blog editors/contributors These are the active content publishers. Each person has the ability to remotely connect, login and publish content. Editors do not have any administrative permissions such as adding or deleting users. Each editor is assigned a dedicated key and .onion hostname using the HidServAuth and HiddenServiceAuthorizeClient features in stealth mode. "HiddenServiceAuthorizeClient auth-type client-name,client-name,… If configured, the hidden service is accessible for authorized clients only. The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients. Only clients that are listed here are authorized to access the hidden service. Valid client names are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is not accessible for clients without authorization any more. Generated authorization data can be found in the hostname file. Clients need to put this authorization data in their configuration file using HidServAuth." c) Readers (the world) These are the site visitors, they will be able to send GET requests to the .onion address and receive HTML and multimedia content. No login or comment posting permissions granted. *Packaged System* We propose to design and develop a Debian based Live OS that can be started as a Virtual Machine or to boot a personal computer. This OS will include Tor, LAMP stack and a running copy of WordPress. The LAMP installation will be hardened and configured to meet our security desires. We require a secondary USB disk for persistent storage. Desired outcome is a point-and-click and maybe portable solution that can be launched from inside of Windows, Linux or Mac OSX. VirtualBox is a second candidate to host the VM. http://wiki.qemu.org/Main_Page and/or https://www.virtualbox.org/ *Edge Cache Nodes* In order to provide "blazing-fast" access to the published content outside of the Tor network, we propose the deployment of caching servers operated by semi-trusted third party organizations or persons. These are similar to tor2web nodes:http://tor2web.or/ The content providers (bloggers) would select from a list of available edge servers and send a pgp signed zip file of the latest static version over Tor. Edge servers will reduce traffic from the Tor network, also provide a chance for content to reach the world in case of a DDoS or technical issues with the Tor network itself. Having cached copies available remotely make it possible for the blogger to get on-line, publish content and go back off-line, minimizing the amount of time and traffic spent on the Internet. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

3 2

Proposal 221: Stop using CREATE_FAST
by Nick Mathewson 31 Oct '13

31 Oct '13

Filename: 221-stop-using-create-fast.txt Title: Stop using CREATE_FAST Authors: Nick Mathewson Created: 12 August 2013 Target: 0.2.5.x Status: Open 0. Summary I propose that in 0.2.5.x, Tor clients stop sending CREATE_FAST cells, and use CREATE or CREATE2 cells instead as appropriate. 1. Introduction The CREATE_FAST cell was created to avoid the performance hit of using the TAP handshake on a TLS session that already provided what TAP provided: authentication with RSA1024 and forward secrecy with DH1024. But thanks to the introduction of the ntor onionskin handshake in Tor 0.2.4.x, for nodes with older versions of OpenSSL, the TLS handshake strength lags behind with the strength of the onion handshake, and the arguments against CREATE no longer apply. Similarly, it's good to have an argument for circuit security that survives possible breakdowns in TLS. But when CREATE_FAST is in use, this is impossible: we can only argue forward-secrecy at the first hop of each circuit by assuming that TLS has succeeded. So let's simply stop sending CREATE_FAST cells. 2. Proposed design Currently, only clients will send CREATE_FAST, and only when they have FastFirstHopPK set to its default value, 1. I propose that we change "FastFirstHopPK" from a boolean to also allow a new default "auto" value that tells Tor to take a value from the consensus. I propose a new consensus parameter, "usecreatefast", default value taken to be 1. Once enough versions of Tor support this proposal, the authorities should set the value for "usecreatefast" to be 0. In the series after that (0.2.6.x?), the default value for "FastFirstHopPK" should be 0. (Note that CREATE_FAST must still be used in the case where a client has connected to a guard node or bridge without knowing any onion keys for it, and wants to fetch directory information from it.) 3. Alternative designs We might make some choices to preserve CREATE_FAST under some circumstances. For example, we could say that CREATE_FAST is okay if we have a TLS connection with a cipher, public key, and ephemeral key algorithm of a given strength. We might try to trust the TLS handshake for authentication but not forward secrecy, and come up with a first-hop handshake that did a simple curve25519 diffie-hellman. We might use CREATE_FAST only whenever ntor is not available. I'm rejecting all of the above for complexity reasons. We might just change the default for FastFirstHopPK to 1 in 0.2.5.x-alpha. It would make early users of that alpha easy for their guards to distinguish. 4. Performance considerations This will increase the CPU requirements on guard nodes; their cpuworkers would be more heavily loaded as 0.2.5.x is more adopted. I believe that, if guards upgrade to 0.2.4.x as 0.2.5.x is under development, the commensurate benefits of ntor will outweigh the problems here. This holds even more if we wind up with a better ntor implementation or replacement. 5. Considerations on client detection Right now, in a few places, Tor nodes assume that any connection on which they have received a CREATE_FAST cell is probably from a non-relay node, since relays never do that. Implementing this proposal would make that signal unreliable. We should do this proposal anyway. CREATE_FAST has never been a reliable signal, since "FastFirstHopPK 0" is easy enough to type, and the source code is easy enough to edit. Proposal 163 and its successors have better ideas here anyway.

3 4

Torsocks 2.x issue - Need eyes on that
by David Goulet 31 Oct '13

31 Oct '13

Hi everyone, I stumble upon an issue when testing torsocks[1] with firefox. I'm still wondering how this can be fixed thus I need more eyes on this :). The issue is that torsocks gets into a deadlock during the initialization phase within the libc. Here it is. This new torsocks version hijacks the "syscall" symbol (syscall(2)) in order to intercept applications that decides to do some network operations with that interface. To do that, the torsocks library constructor (executed before the application main()) lookup the original symbol in the libc (dlopen(3)) and is used for unhandled syscall values (for instance open(2)). Now the issue was detected with firefox which uses a custom malloc hook meaning that it handles its own memory allocation. This hook uses mmap() that firefox redefines to be a direct syscall(__NR_mmap, ...) and remember that this symbol is hijacked by torsocks. Torsocks constructor calls dlsym() to get the original libc syscall symbol. This call locks a "loading lock" inside the libc: dlfcn/dlsym.c +68: __rtld_lock_lock_recursive (GL(dl_load_lock)); Just after, dlerror_run is called which does a calloc() which then calls the firefox malloc hook and calls syscall() for mmap that torsocks hijacks. In torsocks, syscall() make a check on the original libc syscall pointer to see if it's NULL or not and if NULL, tries to look it up with dlsym(). And there you have the deadlock. dlsym --> LOCK --> dlerror_run --> calloc --> syscall() --> dlsym() --> dlerror_run --> DEADLOCK. It's a bit of a catch 22 because torsocks is basically looking for the libc syscall symbol but then it gets call inside that lookup code path... To be honest, I am not sure what's the right fix here or if there is any way to lookup the symbol in a "special" way that would help here. Any idea or questions are VERY welcome :). Hope this explanation is clear enough, this is a "not that trivial" issue. Cheers! David [1] https://github.com/dgoulet/torsocks.git

4 9

First draft of Requirements and Software Design for a Better Tor Performance Measurement Tool
by Karsten Loesing 30 Oct '13

30 Oct '13

Hi everyone, I just finished a first draft of a tech report sketching out the requirements and a software design for a new Torperf implementation. This is related to my earlier attempt to rewrite Torperf in Twisted [0], which I still think is a good idea, but only if somebody else who's better at Python and Twisted than I does it. Sathya offered help to implement this tool by "translating English into Python". But I think this project can keep more than one person busy for a while. I assume both Sathya and I would appreciate feedback from others. (Of course, I'm eager to hear your thoughts, Sathya.) Neither the requirements nor the software design are set in stone, and the implementation, well, does not exist yet. Plenty of options for giving feedback and helping out, and most parts don't even require specific experience with hacking on Tor. Just in case somebody's looking for an introductory Tor project to hack on. Here are the PDF and the LaTeX sources: https://people.torproject.org/~karsten/volatile/torperf2.pdf https://gitweb.torproject.org/user/karsten/tech-reports.git/tree/refs/heads… Feedback in the form of patches to the LaTeX sources is most preferred, though email replies are of course fine, too. Thanks! Karsten [0] https://lists.torproject.org/pipermail/tor-dev/2013-January/004356.html

4 6

One-Click-Publishing HS - aka "Project Cute"
by SiNA Rabbani 30 Oct '13

30 Oct '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear List, I have been trying to help get Project Cute which is a "point-and-click" hidden service blogging tool, off the ground. So far I have 2 documents that have come out as a result of a few IRC chats. 1) Possible use-cases: https://trac.torproject.org/projects/tor/attachment/wiki/org/sponsors/Otter… 2) Working draft Design Document: https://trac.torproject.org/projects/tor/attachment/wiki/org/sponsors/Otter… Any comment or attention from you is very much appreciated. All the best, SiNA For the sake of discussion, I am pasting the Use Case document, so you can just reply away: This document is an attempt to list the possible users of a "one-click-publishing" hidden service. The goal of this effort, is to provide developers with a set of options and features that could support their development decisions. It is also an attempt to describe the challenges and risks associated with anonymous content publishing 1) Activist - a single person This is a person with a specific message or material. Wishes to share some content with the world, without revealing identity. This activist/publisher can operate from a range of private and public places. Such as: Work, Home, School, Internet Cafe and the public library. May or may not be able to dedicate a hardware for such activities. But we can assume access to to a computer that can be booted with a USB or CD. 2) Activists - 2 or more of them They all access the same site from different places on the Internet. They have specific political/social agenda. Often they maintain an AFK identity and an on-line persona. Hoping for a level of privacy. They each have different roles based on their skills. Roles like reporter, editor, graphic designer and comment-moderator. They publish content on a consistent bases, and very determined to get their words out. Such groups are the building blocks of large scale political/social movements. Their activities lead to mass protests and social change. 3) Whileslblowers This could be an employee of an evil entity that is about to do harm. For example company X bypassing international laws & selling DPI boxes to dictatorships. This whistle blower wishes to stay anonymous in fear of retribution. He/She may have limited technical abilities, and facing a well resourced adversary. 4) Professionals I call this group professionals because they usually operate like a business and involved in some sort of commercial activity. This group includes and not limited to: Newspapers, public and private entities. They wish to use the features such as end-to-end encryption and DDoS mitigation of hidden services, but don't have the desire or technical ability to setup a proper Hidden service. Many major newspapers are setting up whistle blowing portals on their websites already. 5) Anonymous Crime Reporters Police departments have webportals for the public to send "anonymous" crime reports. The reality is that these portals are NOT anonymous, considering the state of insecurities on the Internet. Such Law Enforcement groups can instead direct crime-reporters to launch a self hosted hidden service and not depend their lives on privacy by policy. 6) Anyone that does not or can not got to wordpress.com and register for a free blog. Help me identify these groreality ups :) - -- “Be the change that you wish to see in the world.” Mahatma Gandhi -----BEGIN PGP SIGNATURE----- iQJ8BAEBCgBmBQJScVN8XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGQ0E0NjQxNDg4RUMyMjUwOThBQzA0QTYz QzYyNzgwMTIyMkNFOUE4AAoJEDxieAEiLOmow2EP/iS+hA4QFq0d67DoWUaBffwd DAl4cYX94dxlYMjyvE6F1y9Gbj6FKfNXnerzUzCvsS+9SzQgHsPT2V2vbOItTI62 AfHm1EitUVO2YfdioJbUaom6Gh3JfIJukPjy0oJbbccK6jlQcs8TBFdas0FYi4ML YQNN/UQrGkSGm4JnnVCobFGwVBcVp7SOb3ClyGVTml/dpkntoHwyJ7aO6ZmoGhxv +bqx0o90cfka3a0wnamAhkTp1pUi1fMcDdG2OJ1ccemvaaBBmG/Gjt1Fw266HN2p 53vMZ6ZcEZE8iCGgShEm4nnq/FJn7mGuXHxwozjbYao5uCMPNrqCsfxnxS80H3d4 vH6ICCbF7ETfLoLVe//UV0+SRfnIaCQ97x8SMugnK1nKNlAvAuwvRZpm6xyteeoW syR2EfnNEERjmlzzqBlfjX9HkuSE0BAnWEbhTzsIzWyFjpr8KahYHtcTyKAyFcz1 ph6Wxi6/PAVNuAAow7gybKf425Qt19G85IU+3OZj6RtIl0vjnX1Umyu/3JvViLUs Y6gluA7RA6JMxH9a5p3BhjjnvEfIFFHGvwJeFf2wG3Tmq+N9XArS3kszFuvuW5j8 KaVWF7e2ql7BucgY9AasYkxobFOsX91THhOMaLJfqO9CtB3p2WxNQrsI64syd2SQ fr30v9bBRv0zN/bozpF7 =HEt2 -----END PGP SIGNATURE-----

1 0

Tech report: Evaluation of a libutp-based Tor Datagram Implementation
by Karsten Loesing 30 Oct '13

30 Oct '13

Hi tor devs, Steven, Rob, and I wrote a tech report on evaluating Steven's libutp Tor implementation in the public Tor network and using Chutney and Shadow: https://research.torproject.org/techreports/libutp-2013-10-30.pdf >From the introduction: """ Datagram designs are a promising approach to overcome Tor's performance-related problems. Advantages of datagram designs over stream designs are that they allow better end-to-end congestion management, reduce queue lengths on nodes, and prevent cell loss on one circuit delaying cells on other circuits. In earlier reports we compared possible Tor datagram designs and outlined a testing plan. In this report we evaluate our implementation of a libutp-based Tor datagram design. However, this evaluation does not focus on performance improvements over the current stream-based Tor implementation, because we found that our datagram-based Tor implementation is not mature enough for such a comparison. The focus is rather on our approach to integrate a datagram design into the Tor source code and on setting up test environments to evaluate the new design. We hope that our findings will be useful when further tweaking our libutp-based design or implementing other datagram designs. In the next section we describe our libutp-based Tor implementation in sufficient detail for others to understand our source code and to act as blueprint for implementing other datagram designs. Sections 3 to 5 outline the experimental setup that we used to evaluate our implementation and point out roadblocks that kept us busy longer than necessary. Section 6 concludes the report by sketching out possible next steps. """ As the introduction says, this report doesn't contain shiny performance comparisons, because we kept hitting bugs and then ran out of time. But the report contains detailed instructions for experimenting with libutp and Tor, and it has plenty of footnotes containing starting points and a conclusion with suggested next steps. In short, we had to stop when things started to be fun. Unfortunately, neither of us can work on this topic in the next two months at the very least. If anybody here wants to pick up this work and comes up with bug fixes or even a performance comparison to current Tor, please post your findings here! All the best, Karsten

1 0

[Otter/Buoyant] Tor Documentation Pad
by Colin C. 30 Oct '13

30 Oct '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello everyone, At today's Buoyant Otter meeting, it was determined that we needed a pad to organize our thoughts regarding the current documentation we have, and what we need. I have created a pad at https://zugzug.titanpad.com/3 for this purpose, and will begin adding resources to it tomorrow. - -- - -Phoul -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJScH3pAAoJEJ01Zvx7KO7Y1c0P/39cMM5fSdx5LIVdfuKVctYx 6hde6OPDvmTPzzTI03MlcYMKRSvH60cJUKCah2J7r2nfEGD3gw0uq0hcn/izc1wr +de7y3yAofbygFCT1k9v3KBaPi+nezvglqYu+hia9gsKuXf3+cLSATpymxTtUIDN eOtEIsggCjDv3eD8bs4rSYINI2B+j6V0qj5Lhts0nikbLkoiO/Q34RxELr1DQxot D+19Lvqb+yVCZE3NEsGyeJEu9hbAwRGgYgB2Qv/CSvbJ7c6SYFx4K0PUbG1ZYlHs wQ0MB6PoZ3cub4W4jb0R3HwyT++tBARvzbrbALHGehmKCNsY6wZ1ucx36xJB/p6x ABruNMjzAZhMPAz7yrf9cakOCskqXn10se21yd6EHUlknOKECEwzdCxJxE0Oswph OjISwL+JAkI5aTC52NGelIwd2VPrYY/2RkOgCnybop7wGsBBqNqrY7pGLiT03NJx m7MYE0RqJfZUjH++Ym52KU15ycPG2JhRxjnmym8OrvW1TPw0t24mSjfzIR0x90XI Og7teG9ugxv2rCftdCVMNKLUh8BVOTC7G6GIxeqPlii7IHiHEAqBdxAhXAm945WJ BjrimEQ0E73s/M/j7mDf7dblZegansvlHXuoBEpJSiT9fZHu3DAlAGvTS0dmBIkF aMUcspY2nbhD+zCdI4z2 =OVcv -----END PGP SIGNATURE-----

1 0