Library Defeats Tor Followup Addl Info

mark485anderson at eml.cc
Mon Oct 15 22:58:37 UTC 2007


copy of bounced message to scott bennett, keep forgetting to not send
him mail.

On Mon, 15 Oct 2007 15:47:03 -0700, mark485anderson at eml.cc said:
> welcome back, more inline below:
> 
> On Sun, 14 Oct 2007 04:36:54 -0500 (CDT), "Scott Bennett"
> <bennett at cs.niu.edu> said:
> >      On Sat, 13 Oct 2007 17:30:30 -0700 mark485anderson at eml.cc wrote:
> > 
> > >This group has not changed. I give information in good faith and then
> > 
> >      Well, at least *you* haven't changed:  you're still top-posting.
> > 
> > >nobody replies. Course in the beginning of this thread,
> > >watsonbladd at gmail.com and "Scott Bennett" <bennett at cs.niu.edu> were
> > >replying with uninformative answers, but then as soon as I give further
> > 
> >      Actually, we were responding primarily with questions, not answers
> > at all, in many cases in an attempt to get you to post the information
> > with which you should have begun the thread.  I continue that effort
> > below.
> > 
> > >information, my posts are ignored. Incidently, Scott Bennett care to
> > >tell me why posts to your address bounce (i dont have time for finding
> > >out now). This is why more people don't use Tor, it seems to be only the
> > 
> >      I'm not clairvoyant, so I can't read the error messages you got from
> > here unless you post them.
> >      That having been said, however, I will mention that the administrator
> > of this system graciously blocks most source addresses of massmail when
> > a) there is no functioning abuse or postmaster address at that source,
> > b) there is no valid MX RR for the source, or c) the source comes from
> > a part of the world that is currently a disaster area of massmail sources
> > for which reporting the massmail is nearly always a completely wasted
> > effort.  Attempts to send mail to users on this system from addresses so
> > blocked normally result in some sort of error message being returned to
> > the sender that provides a clue as to why the mail is being rejected.
> 
> don't know, no time to research that, all I know is it does not happen
> with anyone else's email address on this list so far.
> 
> > 
> > >domain of an elite group, who could care less if others join in.
> > >
> >      At least some of the people on this list do not live according to
> > the same schedule you live by and may have different obligations upon
> > their time than you have.
> 
> whatever, I researched the problem and gave a possible solution for
> those who might be similarly affected. seems the least the group could
> do is comment on my findings.
> 
> 
> > >
> > >On Sun, 07 Oct 2007 14:12:57 -0700, mark485anderson at eml.cc said:
> > >> Ok, promised I would report back. My testing time has been limited so
> > >> this information is not complete, but will help I think. Here is what I
> > >> have found:
> > >> 
> > >> 1) you cannot connect to any tor server until you connect first to a
> > >> library server, and accept the library TOS, else you get repeated error
> > >> messages from each tor server "will try again later..."
> > 
> >      Yes, that is typical.  So either wait to start tor until after you do
> > that, or ignore the messages that are issued up until your session is
> > authenticated via their web server.  I generally do the latter in those
> > situations.
> 
> prolly the guy running this library network is on this mailing list, no
> doubt.
> I am guessing they want the library IP sent out with all your traffic
> and that is why they are assigning a library ip to your outgoing
> requests. also, they probably want to track and profile your traffic,
> hence the dns requests made to the library lookup file. Also the mac
> address of the wireless connection I am using identifies the exact
> computer making all these requests. how's that for privacy invasion?
> guess I will have to start changing my mac address also.
> 
> > >> 
> > >> 2) Once you have accepted the TOS on their web page through a direct
> > >> browser connection, then all DNS requests are made through that library
> > >> server, subjecting you to profiling and tracking.
> 
> > 
> >      The private network address of the ISP's name server is usually used
> > as a forwarder address, and that address gets passed to your computer in
> > the DHCP lease.  I've forgotten exactly how to go about setting a permanent
> > address under Windows XP, but it should be fairly easy to do.  If you haven't
> > figured it out by the next time I shut down my FreeBSD system and boot WinXP,
> > I'll dig around in it to see what has to be changed.
> 
> Who said XP? I never said XP. I said windows crap. the dhcp is assigning
> a library IP. I have no control over that I think as it is done by a
> library router or computer.
> 
> > >> 
> > >> Now the more interesting part:
> > >> 
> > >> You can defeat #2 by not allowing dns/p53 requests in you firewall
> > >> ruleset-that way all dns requests will then go directly to tor servers
> > >> (as far as my fw logs seem to indicate). This slows down the web page
> > >> and other requests considerably. I will have to relookup how to fix
> > >> Microsuck OS to do its dns lookups directly from the client as I recall
> > >> it does not do it simply by putting entries in the hosts file.
> > 
> >      The slowdown is most likely the wait for the six-second timeout (or
> > however long it may be these days) before trying the next name server in
> > the list.  So the trick to doing that is to find the way to restrict the
> > DHCP client's ability to change the name server list and to set the name
> > server list only to those addresses you have chosen.
> 
> You don't say? How does one "restrict the DHCP client's ability to
> change the name server"?
> I am guessing you mean (as I mentioned in last post) making my computer
> do the lookups directly from its own hosts file. XP does not have a host
> file I think, but my flavor of windows does, however the idiots at
> microsoft gave it a bug where you have to make modifications to actually
> get it to look at the hosts file first. I have to lookup the necessary
> modification, as it has been some time since I last used it to force
> winshit to look at the hosts file for the dns requests.
> 
> >      Do not assume, though, that bypassing their chosen name server means
> > that you are safe. In the U.S., for example, an unconstitutional (which is
> > to say, "illegal under the Supreme Law of the Land") Act of Congress
> > requires ISPs to keep logs of all name server queries, as well as HTTP
> > requests, so they are likely to log all outbound port 53 traffic, regardless
> > of its destination.
> 
> well then explain to me how they can monitor dns traffic if all dns
> requests are made within the originating client box and not to any
> outside source. maybe all you tor gurus can explain how clients usually
> make dns requests through tor and WHY IT IS THAT TOR ALLOWS COMPUTERS TO
> LEAK DNS REQUESTS AT ALL???? TOR SOFTWARE SHOULD NOT ALLOW THIS AND
> SHOULD FAIL TO WORK IF DNS REQUESTS ARE MADE TO ANY NODE OTHER THAN TOR
> THROUGH PRIVOXY. OH THAT'S RIGHT TOR IS "EXPERIMENTAL" AND "NOT FOR
> GENERAL USE". FUNNY HOW LONG IT HAS BEEN EXPERIMENTAL. MAYBE THE FAULT
> HERE IS WITH TOR, NOT WITH ME OR THE LIBRARY?
> 
> 
> >      Also, the /WINDOWS/system32/drivers/etc/hosts file is not the location
> > you're looking for.  What you need to look for is the WinXP equivalent of
> > a UNIX /etc/resolv.conf file.  (I've forgotten where it is or even if it is
> > in only one place; a quick search of my WinXP system did not turn up a file
> > by that name, so I'll try looking into it a bit more after I get some sleep.
> > I've been up about 27 hours at the moment, and it's getting hard to focus
> > on the screen.:-)
> > >> 
> > >> Even if dns requests are made to the library machine, running a sniffer
> > >> seems to show that the TCP packets are still encrypted at the client
> > >> level. I have not had a chance to analyze the sniffer logs well yet,
> > >> but just watching the traffic shows encrypted TCP going to and from tor
> > >> servers, so that part is safe.
> > >> 
> > >> You must disable dns requests at the firewall to prevent leaking to the
> > >> library IP.
> > 
> >      Possibly.  However, if you can find the WinXP equivalent of
> > /etc/resolv.conf and force it to remain unchanged by your DHCP client,
> > then you should be able to avoid sending queries to the library's name
> > server(s).  And if your proxy server(s) can use SOCKS4a or SOCKS5 in
> > connecting to tor, then the query resolutions can be obtained via the
> > tor network itself.
>  
> covered above
> 
> > >> 
> > >> Once you do that it appears (again, on the surface without too much
> > >> study) that your traffic, including dns requests is safe.
> > 
> >      [Already covered above.]
> > >> 
> > >> I will do more intensive analysis and testing as time and access to the
> > >> library connection permits.
> > 
> >      Looks good.
> > >> 
> > >> Any useful comments and feedback appreciated.
> > >> 
> > >> On Sat, 29 Sep 2007 13:58:37 -0700, mark485anderson at eml.cc said:
> > >> > Give me a couple days and I will confirm and report back after running a
> > >> > sniffer.
> > >> > I don't use this library node often, so it will be a few days. Besides I
> > >> > do not have the
> > >> > firewall logs with me now, so don't want to misstate things until I am
> > >> > sure and have gathered as much information as I can.
> > >> > 
> > >> > 
> > >> > 
> > >> > 
> > >> > On Fri, 28 Sep 2007 23:57:17 -0500 (CDT), "Scott Bennett"
> > >> > <bennett at cs.niu.edu> said:
> > >> > >      On Fri, 28 Sep 2007 15:06:48 -0700 mark485anderson at eml.cc wrote:
> > >> > > 
> > >> > > >On Fri, 28 Sep 2007 15:02:53 -0700, mark485anderson at eml.cc said:
> > >> > > >> 
> > >> > > >> On Thu, 27 Sep 2007 21:20:42 -0500 (CDT), "Scott Bennett"
> > >> > > >> <bennett at cs.niu.edu> said:
> > >> > > >> >      On Thu, 27 Sep 2007 19:05:27 -0700 mark485anderson at eml.cc wrote:
> > >> > > >> > 
> > >> > > >> > >On Thu, 27 Sep 2007 19:52:30 -0500 (CDT), "Scott Bennett"
> > >> > > >> > ><bennett at cs.niu.edu> said:
> > >> > > >> > >>      On Thu, 27 Sep 2007 20:35:58 -0400 Watson Ladd
> > >> > > >> > >>      <watsonbladd at gmail.com>
> > >> > > >> > >> wrote:
> > >> > > >> > >> >mark485anderson at eml.cc wrote:
> > >> > > >> > >> >> Then after agreeing to the TOS, you are able to connect to tor servers,
> > >> > > >> > >> >> but all dns requests go through a library computer IP, such that they
> > >> > > >> > >> >> can see and record where you are going. I am not sure if they can see
> > >> > > >> > >> >> the TCP content, but the UDP (which I assume is the dns lookups are all
> > >> > > 
> > >> > >      What does your firewall software or other tool at your disposal have to
> > >> > > say about the TCP packets from your browser?  Do they go to privoxy?  And
> > >> > > where does it say that packets from privoxy go?  To your tor client?  Somewhere
> > >> > > else?
> > 
> >      The above questions are, I think, still waiting to be answered.
> > >> > > 
> > >> > > >> > >> >> being monitored and probably logged by the library server through which
> > >> > > >> > >> >> you are connected. Firewall logs clearly show the outgoing and incoming
> > >> > > >> > >> >> DNS packets to the library IP. Rest of connections to Tor servers in the
> > >> > > >> > >> >> firewall log appear normal.
> > >> > > 
> > >> > >      Just to confirm:  your firewall log shows that the UDP packets in
> > >> > > question are destined to some IP address and port 53?
> > >> > > 
> > >> > > >> > >> >Make sure to run DNS queries over tor if anonymity is important.
> > >> > > >> > >> 
> > >> > > >> > >>      Absolutely.  Check your privoxy configuration file to make sure its
> > >> > > >> > >> first line is
> > >> > > >> > >> 
> > >> > > >> > >> forward-socks4a / localhost:9050 .
> > >> > > >> > >
> > >> > > >> > >already is
> > >> > > >> > >
> > >> > > >> >      Okay.  Good.
> > >> > > >> > >> 
> > >> > > >> > >> If you're using some other port than 9050, change that accordingly. 
> > >> > > >> > >> Other
> > >> > > >> > >> programs, e.g. PuTTY, will need to be configured, too, if you use them.
> > >> > > >> > >> In the case of PuTTY, each remote login site that you configure to be
> > >> > > >> > >> proxied through tor will need to be set to use socks5 and to do DNS name
> > >> > > >> > >> lookups at the proxy end (see "Proxy" under "Connection").
> > >> > > >> > >> 
> > >> > > >> > >> >> 
> > >> > > >> > >> >> I have not run a sniffer yet on this, because my laptop is old and it
> > >> > > >> > >> >> might not be able to handle it. But tor anonymity is obviously shot when
> > >> > > 
> > >> > >      Your laptop, old though it may be, apparently has no trouble handling
> > >> > > wireless IP traffic, so I would bet that a sniffer storing, say, only UDP
> > >> > > packets to port 53 wouldn't overtax it.
> > >> > > >> > >> >> connecting to their wifi nodes. I believe I tried to block the DNS
> > >> > > >> > >> >> lookups to the Library IP with privoxy generic block rules and then I\
> > >> > > 
> > >> > >      Because I don't know how that works in privoxy, I'll ask, does your
> > >> > > firewall allow you to block outbound UDP packets to port 53?  If so, what
> > >> > > happens if you block them that way instead of via privoxy?
> > >> > > 
> > >> > > >> > >> >Using socks-4a should fix this.
> > >> > > >> > >
> > >> > > >> > >already set to sock 4a
> > >> > > >> > >
> > >> > > >> > >> 
> > >> > > >> > >>      Right.  Or socks5, though privoxy doesn't yet appear to support that.
> > >> > > >> > >
> > >> > > >> > >did you just start using tor?
> > >> > > >> > >
> > >> > > >> >      About 2.5 years so far.
> > >> > > >> > >> 
> > >> > > >> > >> >> could not load any web pages, indicating again that the dns requests are
> > >> > > >> > >> >> first being routed to the library machine, where they are, of course,
> > >> > > >> > >> >> logged (and maybe sent off to the FBI, if you're reading muslim materials,
> > >> > > >> > >> >> haha).
> > >> > > >> > >> >Now are these DNS requests for sites you are browsing? It sounds like
> > >> > > >> > 
> > >> > > >> >      I think the question posed here may reveal the answer.
> > >> > > >> 
> > >> > > >> Already answered that I think, the dns requests APPEAR to be made each
> > >> > > >> time a new url is looked up and not in looking up tor servers, but I
> > >> > > >> will only know for certain when I run the sniffer, if that is possible
> > >> > > >> on my laptop.
> > >> > > >> 
> > >> > >      As long as your wireless interface (and its driver) can run in
> > >> > > promiscuous mode, a sniffer ought to work okay.  Some systems may well be
> > >> > > able to trap outbound packets without an actual sniffer.  On most/all UNIX
> > >> > > systems, you will need root privileges, too, to run tools like tcpdump(1).
> > >> > > >> 
> > >> > > >> > 
> > >> > > >> > >> >that is the case, but I just want to make sure.
> > >> > > >> > >> 
> > >> > > >> > >>      Most public wireless locations use no encryption at all.  In these
> > >> > > >> > >> situations, things like tor and SSH are about the only significant
> > >> > > >> > >> privacy
> > >> > > >> > >> protection most users have.
> > >> > > >> > >
> > >> > > >> > >no problem with tor and other wifi connections, dns goes to tor, hence
> > >> > > >> > >my OP title LIBRARY DEFEATS TOR
> > >> > > >> > >Tentative Conclusion: Tor cannot be used with any confidence on
> > >> > > >> > >publicly maintained machines, but there is no reference to this on the
> > >> > > >> > >tor website; nor any real illumination from this group, so far.  I
> > >> > > >> > >suppose now someone is going to tell me to disable javascript and
> > >> > > 
> > >> > >      Actually, that's probably worth a shot, given recent postings by the
> > >> > > author of Torbutton.  It's also trivial to do if you have the Quick Java
> > >> > > and/or NoScript plugins installed in firefox.
> > >> > > 
> > >> > > >> > >cookies, ;-) The encryption is SUPPOSED to occur at the client before it
> > >> > > 
> > >> > >      Cookies are just data.  They do not execute and therefore do not query
> > >> > > name servers, so I wouldn't think that would be worth bothering with.
> > >> > > 
> > >> > > >> > >even gets to any outside server, but obviously this is not happening as
> > >> > > >> > >the dns requests are being subverted. Perhaps the traffic is being
> > >> > > >> > >shuttled from the kernel OS to a library server. IOW tor should provide
> > >> > > >> > >the encryption necessary and no wifi encryption should be needed. I will
> > >> > > >> > >see if I can run a sniffer to find out exactly what's happening.
> > >> > > >> > >
> > >> > > >> >      Yes, and I think that may be why Watson asked the question I noted
> > >> > > >> > above.  Tor does its own name server queries for two purposes:  1) to
> > >> > > >> > provide exit service when running in server mode, 2) to look up addresses
> > >> > > >> > of other tor servers, regardless of mode.  These are normal operations
> > >> > > >> > and reveal only those activities.  When you are using it in a public
> > >> > > >> > location, I assume that it is running only as a client.  So that returns
> > >> > > >> > us to the question of exactly what kinds of addresses is tor looking up?
> > >> > > >> 
> > >> > > >> the laptop appears to be getting web site dns translations from a
> > >> > > >> library node rather than from tor, which allows tracking and profiling.
> > >> > > >> each time a new url is introduced I get a firewall dns request in the
> > >> > > >> log.
> > >> > > >> 
> > >> > > >> > Are they only the addresses of other tor servers?  Or do they also
> > >> > > >> > include the addresses of the web sites you're trying to reach?
> > >> > > >> >      Would you also please double check your browser configuration to
> > >> > > >> > make sure it is forwarding everything through privoxy?  If you're using
> > >> > > >> > a firefox plug-in module like Torbutton, switchproxy, or foxyproxy, have
> > >> > > >> > you accidentally disabled the proxy?
> > >> > > >> 
> > >> > > >> nope, don't use those, the browser is always set to go through privoxy.
> > >> > > >> will do some further testing and try to report back, but surprised not
> > >> > > >> more answers to this post. certainly others should have experienced this
> > >> > > >> problem.
> > >> > > >> 
> > >> > >      I guess that's the point:  we haven't experienced it, which is why
> > >> > > we've been asking questions to try to debug the problem.  Here are more.
> > >> > > 
> > >> > > 	1) Are you using a Microslop operating system?  If so, which?
> > 
> >      The second question, namely, *which* operating system, still awaits
> > an answer.
> > 
> > >> > > 	And if not, then which operating system and version are you using?
> > >> > > 
> > >> > > 	2) What is the firewall software that you have referred to several
> > >> > > 	times?
> > 
> >      This question still awaits an answer.
> > >> > > 
> > >> > > 	3) Which version of tor are you running?
> > 
> >      This question still awaits an answer, but may no longer be important.
> > >> > > 
> > >> > > 	4) Which browser and version are you using?
> > 
> >      I understand you to be using Firefox, though you have not specified
> > which version.
> > >> > > 
> > >> > > 	5) Under the assumption for the moment that your connection to the
> > >> > > 	wireless attach point gets configured by DHCP, which IP address(es)
> > >> > > 	got assigned to your system for its own address, for an IP gateway,
> > >> > > 	and for name server(s) to be used?
> > >> > > 
> > >> > >      I keep having the feeling that what you think is happening differs from
> > >> > > what is actually happening and/or something misconfigured somehow is being
> > >> > > overlooked.  Please be patient with us.  We're trying to help figure out
> > >> > > what's going on, and you're the only one who can provide the observational
> > >> > > data that might lead to a solution.  If it seems like we are just grabbing
> > >> > > at straws so far, rest assured that we aren't there yet and can't get there
> > >> > > until we first have at least the basic facts of the case established.  ;-)
> > >> > >      Anyone else with pertinent questions, please join in!
> > 
> >      FWIW, soon I intend to stop replying to top-posted followups, at least
> > in most cases, except when I choose to delete all of the previously posted
> > material that the top-poster has clearly deemed irrelevant as context for
> > his/her followup.
> > 
> > 
> >                                   Scott Bennett, Comm. ASMELG, CFIAG
> > **********************************************************************
> > * Internet:       bennett at cs.niu.edu                              *
> > *--------------------------------------------------------------------*
> > * "A well regulated and disciplined militia, is at all times a good  *
> > * objection to the introduction of that bane of all free governments *
> > * -- a standing army."                                               *
> > *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> > **********************************************************************
> -- 
>   
>   mark485anderson at eml.cc
> 
> -- 
> http://www.fastmail.fm - A no graphics, no pop-ups email service
> 
-- 
  
  mark485anderson at eml.cc

-- 
http://www.fastmail.fm - And now for something completely different
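The point the thread keeps circling back to is the difference between SOCKS4 and SOCKS4a: with plain SOCKS4 the client has to resolve the hostname itself (through whatever name server DHCP handed it, the library's in this case) before it can even build the request, while with SOCKS4a the hostname travels inside the request and Tor resolves it over the circuit, which is what the `forward-socks4a / localhost:9050 .` line in privoxy's configuration buys you. The following is an added example written for this archive page; it is not code from the thread, from Tor or from Privoxy. It builds both request variants and parses them back to show which side did the resolution. The destination IP (documentation range) and the hostname are constructed placeholders.

```python
import socket
import struct

# SOCKS4 / SOCKS4a CONNECT request layout:
#   VN (1) | CD (1) | DSTPORT (2, big-endian) | DSTIP (4) | USERID | NUL [| HOSTNAME | NUL]
SOCKS_VERSION = 0x04
CMD_CONNECT = 0x01
# SOCKS4a signals "proxy, resolve this for me" with DSTIP = 0.0.0.x where x != 0
SOCKS4A_RESOLVE_MARKER = b"\x00\x00\x00\x01"


def socks4_connect_request(dest_ip: str, port: int, user_id: bytes = b"") -> bytes:
    """Plain SOCKS4: the caller must already hold a resolved IPv4 address, so the
    name lookup has already happened on the client, via the DHCP-assigned resolver."""
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, socket.inet_aton(dest_ip))
    return header + user_id + b"\x00"


def socks4a_connect_request(hostname: str, port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4a: DSTIP carries the 0.0.0.x marker and the hostname is appended after
    USERID, so the proxy (Tor on 127.0.0.1:9050 in the thread's setup) resolves it
    over the circuit and no UDP/53 query has to leave the client."""
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port) + SOCKS4A_RESOLVE_MARKER
    return header + user_id + b"\x00" + hostname.encode("ascii") + b"\x00"


def parse_connect_request(request: bytes) -> dict:
    """Decode either variant and report whether the destination arrived as a
    hostname (resolved by the proxy) or as an IP address (resolved by the client)."""
    if len(request) < 9:
        raise ValueError("truncated SOCKS4 request")
    version, command, port, dst_ip = struct.unpack("!BBH4s", request[:8])
    if version != SOCKS_VERSION or command != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    user_id, sep, tail = request[8:].partition(b"\x00")
    if not sep:
        raise ValueError("missing USERID terminator")
    is_4a = dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0
    if is_4a:
        hostname, sep, _ = tail.partition(b"\x00")
        if not sep:
            raise ValueError("missing HOSTNAME terminator")
        return {"port": port, "host": hostname.decode("ascii"), "resolved_by": "proxy"}
    return {"port": port, "host": socket.inet_ntoa(dst_ip), "resolved_by": "client"}


def client_leaked_dns(request: bytes) -> bool:
    """True when the request shows the client resolved the name itself, which is
    exactly the condition the thread is trying to rule out."""
    return parse_connect_request(request)["resolved_by"] == "client"


if __name__ == "__main__":
    # Constructed sample values: a documentation-range IP and a placeholder hostname.
    leaky = socks4_connect_request("198.51.100.7", 80)
    safe = socks4a_connect_request("www.example.org", 80)
    for label, req in (("socks4", leaky), ("socks4a", safe)):
        verdict = "LEAK (client resolved)" if client_leaked_dns(req) else "ok (proxy resolves)"
        print(label, req.hex(), parse_connect_request(req), verdict)
```

The parser is the defender's half: capture the bytes between the browser (or privoxy) and port 9050 and feed them to `parse_connect_request`; any request reporting `resolved_by: client` means a name lookup already went out over UDP/53 before Tor ever saw the connection, regardless of what the application claims its proxy settings are.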




More information about the tor-talk mailing list