Try new Torbutton Firefox-plugin

Update: Included another link to the Video. Thanks, Renke!
Just back from 24C3 where I attended Roger Dingledine’s talk about Tor’s further development plans (Torrent to Matroska-Video: Mirror #1, Mirror #2). He also presented the new development-version of Torbutton which is finally usable. The old Torbutton-plugin had several problems: It had the problem that it presented cookies, history and saved passwords from non-Tor-sessions to Tor-sessions which severely spoiled your privacy; the new development-version of Torbutton has a dedicated cookie-jar for Tor-sessionsand lot’s of other features:

• Disable plugins on Tor Usage
• Isolate Dynamic Content to Tor State
• Hook Dangerous Javascript
• Block Password+Form saving during Tor/Non-Tor
• Store Non-Tor cookies in a protected jar
• …and many more features… (complete list on the website)

See this awesome screen shots to get an idea what changed:

Figure 1: Screen shot of Torbutton Preferences: Dynamic Content

Figure 2: Screen shot of Torbutton Preferences: Cookies

So if you press the Torbutton, it totally isolates all the other non-Tor-sessions (though I don’t recommend to use those tabs), improving your privacy. Before this new plugin was available, I used a separated Firefox-profile to use Tor – not needed anymore with Torbutton.

So grab your new copy (direct link to XPI) and have fun!

Another one.

Well. I was expecting this. You know, there are people taking civil responsibility, running a Tor-node and all they get is nastygrams, kicked-down doors and ultimately, lawsuits.

So, what happened: There’s this German guy, a Tor-operator. In June the police send him a letter telling him that he’s accused of computer fraud combined with unlawful modification of evidences. He’s a law-abiding citizen nothing guilty of, just using his civil rights and quite fed up with all those silly accusations, so he followed Udo’s golden rule #1: “You have the right to remain silent“.

Months later he got a letter from a court order about a penalty order, telling him that he’s guilty on all counts.

He describes it in his own words:

In early September I received a penalty order ("Strafbefehl") - from the
court. A judge found me guilty of having ordered a gift voucher (value: 51
EUR) on amazon.de, providing address details of a living person (but not
myself obviously), and using a Web.de email address registered specifically
for this purpose. I was sentenced to pay a fine of 500 EUR.

He appealed and the whole case finally went to court, having the hearing today. What happened then is beyond all reason:

[...] the penalty order listed four witnesses (the person whose address
details had been used, a police officer in a cow town near that person's
home hometown, a local police officer, and an employee of amazon.de)

However, the trial listed no witnesses at all. That guy was a laymen-judge (lay assessor) himself, so he though that this trial is based on a very weak basis and didn’t bother about it to much. Then all hell broke lose.

The judge and the lawyer of the state realized quite quick that he was not the one who committed the fraud, but instead of dismissing the case entirely they started to construct accusations like “supporting a crime” – which is utter bullshit. The accusation of “supporting a crime” in Germany definitively states that you need to support actively a certain crime – and only especially that you’re accused of. There ain’t nothing like a “general support crime”, as the judge thought. This is just another stunt!

The judge really thought “someone needs to be punished, but we can’t accept you to help anyone else to comit a crime”:

The judge as well as the public prosecutor
refused to accept that I didn't do anything criminal, that I didn't and
still don't want to help anyone committing a crime.

Oh Lord. Where have we gone!?

Even worse. The whole lawsuit was so frightening and cumbersome to the Tor-guy that he decided to dismiss the lawsuit according to §153 StPO. That means that the accusations are dismissed because there’s no public interest in the case. But yet, that doesn’t mean that he wasn’t found NOT GUILTY!

Why did he do this? Because he didn’t want to pay for a lawyer, as I do – but I can afford it:

They offered me to dismiss the actual court trial according to paragraph 153
StPO which is not the same as an acquittal (no "Freispruch") which I
eventually accepted. It means, however, that I won't have to pay for the
trial. They also repeatedly said that this time I got off with just a slap
on the wrist - next time it wouldn't be that cheap.

It’s all a big mess. Judges and lawyers have no bloody clue what Tor is about. They ignore the fact that Tor is a legal tool in a civil society and that Tor-operators aren’t responsible for the actions of their users. Heck, no one ever sued Pan Am to let the Lockerbie-bombers on board, and no one ever sued the German Postal Service for transporting letter-bombs: Yet German courts think that operators of anomymizing services are responsible for the actions of the users.

Brave new new world. Where have we gone? Our elected leaders ratify laws which are stupid. The judiciary is as dumb as a piece of stale bread. Take me out of here.

Tor madness reloaded

Update^4: If you comment doesn’t show up immediately, it probably ended up in the spamfilter (Akismet). As long as the the people keep posting I’ll continue to check the spam-folder regulary and will manually publish the posting. So don’t post twice or even more often. — alex.
Update^2: I want to point out one thing: The investigations about “computer fraud” are not related to the other case. It’s not that they try to find some other accusation to sue me in any case. Lots of people were raising that rumour: It’s not true. — alex.

As you, my regular reader, might now, I run a Tor-server in Germany. I already had some experience with the german Feds, the BKA, regarding the childporn-crackdown earlier this year. I blogged about it and even erlier I wrote a sentence – which was merley a superstition – from which I thought “this can’t possibly happen in Germany”:

“[...] the last thing I want to experience is the police kicking down my door, seizing my computer.”

I also wrote, in another posting:

“My TOR-server is still running, pushing 40GB/day around. I’m not going to shut it down for whatever reason.”

However, I have to retreat from my arguments.

On Sunday morning, 00:15 AM, July the 29th, someone knocked on my door very hard. I just came back from a pub-crawl with a friend from the UK, was quite drunk, opened the door and just heard “Police!”. They entered my appartment, cuffed me and started to search my flat. My wife was scared to death. I was held in my own kitchen for almost 30 minutes asking “WTF is that about?” when they just said “Calm down, we’ll explain everything later”.

Minutes later they explained me that I’m suspected of placing a bomb-threat at a german copper-forum called copzone.de – a forum I never heard about. They accused me of posting shit like “I’ll plant a bomb in the department of work” and that I was about to cut-throat (or something like that, I can’t remember, I was drunk) a worker from that department. (Edit: The posting at copzone.de doesn’t seem to be accessible. Since my lawyer doesn’t have the files yet, I don’t know what exactly was posted. The german police doesn’t hand over the files to the suspect, he has to hire a layer to see the files.)

I explained them that I was a Tor-operator and what Tor is about. I showed them the letters from the Feds from the earlier incident to proove that I’m not bullshitting them. However, the coppers weren’t not so much into Tech-stuff and told me that a forensic unit will care about all my equippment. They searched everything: My attic, my office, my car, they digged through my wifes underwear, they found my old chmistry books very interesting, the flak-vest I own which I use when I go to strange countries, they found the fertilizer which I use for my chilli-plants, my microcontroller-experiments looked like an IED to them: Basically, EVERYTHING was suspicious.

They installed a new lock on my office’s door, although I eplained them that my Tor-server was running in a totally different city, like 500 km away! Funny enough, that server wasn’t confiscated. Ah, and I’m supposed to pay for the new lock. WE’LL SEE ABOUT THAT.

Eventually – after 30 minutes maybe – they took off the cuffs and brought me to the police-barracks for interrogation. I explained there for hours what the hell I’m doing, what Tor is and all the crap. I spare you the details. I was drunk and the interrogation-protocol might be a bit embarrassing for me.

However. Hours later, on the same sunday, someone from the “Staatsschutz” (something like the DHS) of the city of Düsseldorf came to unlock my door, telling me something like “uh, we screwed up, sort of”. That’s not what he said, but that’s the bottomline.

So much for the incident.

The consequences: I’ve shut down my Tor-server. I can’t do this any more, my wife and I were scared to death. I’m at the end of my civil courage. I’ll keep engaged in the Tor-project but I won’t run a server any more. Sorry. No.

So, so much for my arrest. Now the same storyline continued.

I was at the Linuxbierwanderung 2007 in Crete last week. I held a talk about Tor and the legal implications running a server (slides here).

Thursday I was still sitting in the car driving through Austria back to Germany when my wife called me up “we have another letter”. This time the accusation is “computer fraud”. I don’t know any details yet, but I’m supposed to show up for interrogation next thursday. My lawyer is informed. Details when I can tell them.

So, so sum up everything: I was arrested. They scared my wife. They consfiscated all my equippment. They stopped the investigation. I’m sitting on a pile of bills from my lawyer no one except me has to pay. I’ll sue for compensation, but I don’t think that this will lead anywhere. I’m now accused of something else. Horray! Bloody hell. I still love my country, but it’s bitching around.

From my point of view the german police is even more than incompetent++. They aren’t able to do the most simple investigations. Pre-checks for plausibilty don’t exist. This is so stupid.

Ah, and on a sidenote: My lawyer is still waiting for the files of the bomb-threat incident. Although the investigations against me were stopped. Wonderful!

Düsseldorf, September the 16th,
Alex “Yalla” Janßen.

Edit^3: On a sidenote – some people accused me of not knowing what I’m talking about when I said that the police was incompent when it came to this incident. Let me get this straight: I’m qualfied to comment on this, I’m working in the computer security business and I know how to do real investigations. The first thing to check is if the server in question is an open relay or some anonymisation service. So stop this stupid bullshit. Just check the hostname “wormhole.ynfonatic.de” in your favourite search-engine and on the first hits it’s reveiled that this is a Tor-server. You don’t need to be a computer-expert to check on this. Incompetence++.

Tor – a brief introduction and legal aspects (update)

Hi all, long time no see! Was busy with stuff I’ll explain later; however, I’m currently on the Linuxbierwanderung 2007 in Hersonissos, Crete, Greece. Today I gave my talk about Tor and it’s legal implications for users and operators.

Grab the Slides here:

PDF: http://yalla.ynfonatic.de/media/lbw2007/tor_talk-LBW2007.pdf
Sources: http://yalla.ynfonatic.de/media/lbw2007/tor_talk-LBW2007.ppt

There you go!

Update: I corrected the broken links. Sorry that I couldn’t do it earlier, but I was sitting in a Landrover Defender 110 driving through the Balkans – which was fantastic and deserves it’s own posting later.

s/GI/FSFE

Recently I quit my membership in the German Computer Science Society (“Gesellschaft für Informatik”), mostly because I think they don’t have a real perspective. For years and years I thought that they start to be a bit more pragmatic, but they kept insisting on the “one and only lore”. I know that they’re more about science and teaching, but they didn’t meet my expectations – especially when it comes to software patents. I was recruted by them when I was still a student so I feel quite sore and sorry to leave them – but we weren’t made for staying together.
So I resigned as a member in December, something I actually didn’t want to, for I believe that people like the Bitkom don’t really present us, the hackers, fiddlers and freelancers, in a true sense.The Bitkom is more about big corporate business, the GI more about science and teaching.
Nonetheless, the GI was to far off for me too. They got me as a student, nowadays we’re not aligned any more and they can’t offer me anything.

I had to find my own way, so I finally decided – after much lobbying from friends who were already active members – to join the European chapter of the Free Software Foundation as a Fellow.

And there I am, a new proud member of the Free Software Foundation Europe.

What do I want to achieve with it? Not sure yet, but I feel that my contribution – means my membership-fee of 120 EUR a year – is better with the FSFE than with the GI.

My goals? I’d like to establish a TOR legal-fund. Maybe the FSFE is the right platform for it, although I’d be better of with the EFF, but they don’t seem to have a well-organised European chapter. Considering my recent experience with the german Feds and my lawyer’s bill – just a mere 150 EUR though – I started to think how other people with no funds could defend themselves against ill accusations. Rabenhorst said that he doesn’t really agree with me that the Feds did the right thing how to prosecute evildoers who abuse TOR. I’m still not with his opinion since running TOR is one thing and prosecuting child-porn dealers is another one, but others pointed out correctly that there are other people running TOR who don’t have the funds to hire a lawyer as I have.

I can’t promise anything by now, I don’t have a real plan yet; but a TOR legal-fund for us German TOR-operators wouldn’t be too bad.

If you feel inclined to help me out with it, drop me a line, I’d be happy to discuss a legal fund as I have a lawyer handy who might be able to consult us.

Cheers, Alex, FSFE member #916.

Tech Tags: legal TOR organisations FSFE

TOR, the feds and me

I run a TOR-server. Anonymity is not a crime. There are a million reason why you want to stay anonymous on the interweb. Lately there was quite a hassle about seized TOR-servers in Germany and I was waiting for my server to be seized too. Didn’t happen until now. Something quite unexpected happened instead.

On the 28th of December I got a letter from the BKA (Germany’s Federal Criminal Police Office). The content of the letter was something like that:

“The owner of the IP-Address $my_servers_address is suspected of posession of child pornography. Hereby we order you to tell us the real name of the owner and disclose all relevant logfiles according to §113 TKG in the time of the 26th of October, 7:00 PST. We also demand the names of all your customers which use your service and we inform you that disclosing our request to your customers may be punishable.”

Obviously I was a bit scared about the “the owner of the IP-address part” so I hired a lawyer. The overall text was also a bit far-off for my taste, but whatever. My lawyer sent out a fax yesterday to the BKA asking if I, as his client, am a suspect or a witness. He also stated that I’m running a TOR-server and that no relevant log-files according to §113 TKG exist. In case that I’m a suspect he asked for all the files dealing with the investigation.

That was last night, today, about 20 hours later, we already got an reply. The BKA acknowledged, that they understood my lawyer’s statement that the TOR-server does not create relevant logfiles and claimed that this information is enough for their ongoing investigations. Furthermore they say that they need no further “statements” from my side. (which can be read as thanks, we’re fine, but who knows…)

Hm, they finally seem to have come to their senses. They really scared the shit out of my wife and me, believe me. When I started running a dedicated TOR-server I had a chat with my wife and explained her what I’m up to, what TOR is and what consequences it might have – she never thought that this case would ever occur.

I have only two possible explanations why they wrote the letter in that way. Either they thought that I rented the server to someone else – doing business with that dedicated server – or they just wanted to spread fear among the German TOR-operators. Could be either way. However, they were quite polite, not threatening in a direct way. But enough to make me call a lawyer.

However, this is rather an improvement compared to what happened in the last couple of months, LEAs seizing random server without thinking. This LEA thought before taking action, followed the way of investigation what would be obvious to everyone.

A very warm Thank You very Much to Dr. Michael Stehmann, my lawyer.

TOR-operators in Germany: Don’t let the LEAs scare you. Remember: It’s not you. It’s criminals abusing your service. You’re not the criminals, it’s them. And don’t let the “If you’ve nothing to hide”-argument bother you. It’s us, the citizen, to observe the state, not the state to watch on us. And a hammer doesn’t make the tools-dealer a murder.

Cheers, Alex.

Tech Tags: TOR law

TOR howto: Accessing Freenode Via Tor step-by-step for Windows

A couple of people onthe freenode.net IRC-network asked today the same question: How to get access to freenode using TOR according to their instructions. The real problem is not the methode, but the way how to get to that point. I decided to create a small step-by-step howto.

Overview

To gain access to Freenode using TOR the Freenode-staff wants TOR-users to use their hidden service which can only be accessed after creating an account there. To get an account you need to have a GPG keypair. I’ll describe step by step how to create a keypair.

I got one problem with this website: It is notoriously clipping all pictures to a certain width – if the screenshot isn’t clearly visible, vlick on it to see the complete screenshot. Sorry for that.

Step 1: Download GnuPG for Windows and install it

First, you need to grab the GnuPG software: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.5.exe

After downloading it, open the file and follow the installation instructions, clicking next, next next, peck, peck (“even a chicken can install Debian”). When asked for the path, accept the default or note down where you installed it:

Finish the installation through clicking “Next” mucho times. All should be set now.

Step 2: Create a GPG keypair on the Windows-commandline

Now we’re about to create a keypair. This is quite simple, but involves a bit of typing:

1. Press Start
2. Choose “Run”
3. Type cmd

After pressing “OK”, the Windows commandline appears. There you have to change to the correct directory through typing "cd C:\Program Files\GNU\GnuPG". If you did it correctly, typing the command “cd” should yield the result "C:\Program Files\GNU\GnuPG":

Voilá! Now it’s time to create the keypair. To do this, you enter the command "gpg --gen-key" and follow the instructions step-by-step, accepting the defaults, choosing a reasonably secure passphrase to encrypt your private key. Note note or better remember your passphrase, you’ll need it:

Now you created a keypair which is appropriate to use for the Freenode IRC-network. Do not close that window.

Step 3: Create a signed password hash inside the IRC-server

I assume that you already have access to the Freenode-network and that you just want to do “the real thing”. Now, inside your IRC-client, create a hash with the command "/quote makepass <password>" where <password> is your choosen password. I take "schwubbdiwupp" as an example:

Note down the complete hash, whith all dollar- and slash-signs. Even better, copy it to the Windows Clipboard, you need it in the next step.

Step 4: Get Freenode’s key from the keyserver

Since you need to encrypt to the Freenode-staff and sign the message with your key, you need the GPG-key opf the freenode-staff. Just download it with the command: "gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 035D6B1D"

Step 5: Sign your nickname with the hash

The next step signs the hash you just created and your nickname with the GPG private key you created in step 2. Go back to the window where GPG was and enter the following command, replacing my nickname "yalla" and my has "$1$8HQdxmzs$MiTG6Spl1HPb5iB4iIdmb/" with your hash:
echo "yalla $1$8HQdxmzs$MiTG6Spl1HPb5iB4iIdmb/" | gpg --gnupg -sea -r 035D6B1D"

It will first ask you for the passphrase you used in step 2 to create your keypair; enter it. Next it will tell you something like: “It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.” – you can safely say “yes” here:

Step 6, prepare email to Freenode:

Copy everything starting from "-----BEGING PGP MESSAGE-----" until "-----END PGP MESSAGE-----" to a file and save it to a safe location. This is the encrypted message with your nickname and hash which you will be sending to Freenode; but you also have to include your public key. This is done by typing the command "gpg --armor --export your@email.address":

Copy and paste this output to a safe location.

Step 7, last step:

No write an email to the Freenode-staff including your public key and encrypted message you’ve created in step 5 and 6.

Conclusion:

OK, this is the hard way to do it, but it’s the prefered way. Hope that helps.

---

This work is licensed under a Creative Commons Attribution 2.5 License.

---

Tech Tags: TOR Howto

Analyzing TOR-exitnodes for anomalies – results

As my regular readers clearly remember, a couple of days ago i accused the Linux Magazine of bigotry. Later I learned that it’s not only the Linux Magazine, but lot’s of other sites which show a strange behaviour when accessed through the Tor-system.

To check what’s really going on i started an investigation and tested more than a thousand Tor-nodes for strange behaviour. I submitted my results to the or-talk List yesterday:

Date: Thu, 5 Oct 2006 17:56:51 +0200
From: “Alexander W. Janssen” <yalla@ynfonatic.de>
To: or-talk@freehaven.net
Subject: First results of analysis

Hi all,

i checked 1161 nodes in total.

269 of them where responsive exit-nodes, all behaving correctly.

9 exitnodes where responsive, but their had some proxy installed which didn’t behave quite correct when you accessed a webpage with the notation original.url.$nodename.exit; the error-messages varied from “could not resolve” (looks like a DNS-leak to me) over “502 Bad Gateway” through “502 Proxy Error”.

However, in my list of exit-nodes i couldn’t find any host which showed the described behaviour. My test-URL was http://www.linux-magazine.com/.

So there is still some space left for discussion: Did i miss the “bad” or “banned” exitnode?

I tend to agree with Claude; at the moment it doesn’t seem likely that we have some sort of bad exitnodes in place.

However we probably should think if we should install some kind of early warning system. I could imagine something like this: Every client checks once per day some random website on the internet via, let’s say, 10 random exit-nodes and compares the results. If something is wrong the exitnode could be signalled to a real human which could verify the claim.

How do you think about that?

Cheers, Alex.

I stopped my efforts at the moment; I tend to blame Linux Magazine’s webhoster, but no-one knows exactly what’s going on. It’ll just be a matter of time until somehow set’s up rogue Tor-nodes.

Therefore: Dear editor and people from the Linux Magazine, I was in rage. You clearly didn’t deserve to be called “bigot”. I honestly apologize. I don’t know what’s really going on, but maybe you start an investigation on your own.

Alexander “Yalla” Janssen.

Tech Tags: TOR Security Analysis Privacy

Analyzing TOR-exitnodes for anomalies

A few days ago I had a strange encounter with Linux New Media‘s “Linux Magazine” website; depending on whether I used TOR to access their website i got different results. Accessing their site with TOR resulted in getting redirected to some kind of link-farm which made me totally suspicious. I assumed that they’re looking on the source IP-address and deciding for the correct webpage – however, that phenomenon vanished a couple of hours after blogging about it so i assumed that they fixed it.

Later i found a posting on the or-talk mailinglist about someone who was suspecting that certain TOR-nodes might alter webpages and include advertising of some sort. This would’ve been an interesting attack.

I take my own work and my own assumptions very serious. I don’t want to blame the Linux Magazine if they didn’t do it and denouncing their actions as “bigotry“, as I did, is not to be taken ligthly.

For that reason, out of curiosity, interest and for everyone else I started an investigation about if there are any bogus TOR-exitnodes which might alter the content of webpages and if they do, what else they might do.

Theory of operation is simple:

1. Get a list of known nodes which allow outbound tcp/80 traffic (http://localhost:9030/tor/running-routers is a good start)
2. Loop over all exitnodes i and get a website A via exitnode i using TOR: “wget http://A.${i}.exit/ -O $i.html“
3. Compare all stored websites (or, let’s say, distinctive parts) with an original

I already checked about 20% of all known exitnodes which were known to one of machines as of today and I certainly will conduct the same experiment a couple of times until publishing a result.

Stay tuned for updates. If there are bogus exitpoints we’ll find; what actions we might take is up to the TOR-operators. I’d suggest putting them on your TOR-nodes blacklist.

Tech Tags: TOR Security Analysis Privacy

The Linux Magazine, TOR and bigotry

Update: Just hours later i can access the website via TOR. Nice that they reacted that fast. Or maybe not all TOR exit-nodes suffer from this message?

Update 2 (Wednesday): Something doesn’t seem to be so right, more people are complaining about the same problem on various websites so that i started an analysis if there’s something wrong with the Tor-system itself.

Update 3 (Friday): I finished my analysis and I’m not so sure anymore what’s really going on: A formal excuse to the people of the Linux Magazine, ideas about how to proceed.

This morning a friend of mine sent me a link to an article at the Linux Magazine; i pasted the link into my Firefox’s URL-field, pressed on go… and i got redirected to a very strange URL, “http://www.linux-magazine.com/frame.aspx?\
u=http%3a%2f%2flanding.domainsponsor.com\
%3fa_id%3d1637%26domainname%3dlinux-magazine.com\
%26adultfilter%3doff%26popunder%3doff&r=\
SUSPECTED+UNDESIRABLE+BOT“. (backspaces mine)

(click to see full picture, stupid theme clips pictures at 480px)

That made me suspicious, maybe there’s a typo in the URL? Checked, asked my friend, she said “no, the URL is correct” – other people also said that they don’t have any problems. Then I remembered that i was using the TOR-network. I told Firefox not to use TOR, called up the same site, and…

(clicky-click)

I’d like to point out their article named “TOR and Privoxy: Protect your Privacy by covering your IP-address”. Obviously there seems to be a disagreement between the editor of the Linux Magazine and the webmaster of Linux New Media about what’s appropriate content and who’s considered to be a good client and who’s not. Good clients do not need to hide themselves! People who try to protect their privacy can only be evildoers! Obey!
The URL gives a hint: “SUSPECTED+UNDESIRABLE+BOT“. “Suspected” comes from “suspicious”. “Undesirable”. “Bot”? Not me.

Disappointing. Maybe someone just tried out a new blacklist-feature and didn’t really bother about the implications. Considering that TOR is one of the very few alternatives for certain people living in oppressive countries to access the interweb freely, the Linux Magazines gives a very bad example for the rest of the web.

Filed under rants. I’m disappointed.

Tech Tags: TOR Privacy rants