Running a Tor Exit, one week in

To update on my short experience as a Tor node operator: it’s been over a week now, and in that week I made some changes.

First and foremost, since I’ve been online for a few days straight, I’ve been flagged by the Tor network as a “Stable” node, so now I’m processing traffic rather consistently. I’ve also been flagged as a “Guard”, meaning “…each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop”. More can be read about Guards here.

Secondly, I increased how much of my bandwidth I’m willing to let Tor use:

RelayBandwidthRate 6000 KB
RelayBandwidthBurst 7500 KB

I’ve observed traffic peaks of 5 Megabytes a second, sending and receiving. This last Friday I noticed that I was passing a lot of traffic. It made me wonder if people are using Tor a lot more on Fridays.

As you can see, 8 Day(s), 19 Hour(s) in I’ve already relayed 1142.4 GiB.

Thirdly, I put up the standard “This is a Tor Exit Router” page on torexit.yawnbox.com.

Lastly, I am now allowing port 443 to pass HTTPS traffic. So here’s my updated Reduced Exit Policy:

ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy accept *:22  # ssh
ExitPolicy accept *:443 # https (HTTP via TLS)
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy reject *:* # no exits allowed

It turns out that in order to be flagged as an exit, the node needs to allow exits to ports 443 and 80, or to 443 and 6667. And I’m being stubborn about passing only (ideally) encrypted traffic. However, not having the check-mark next to “Exit” on my Network Status page doesn’t mean that I’m not an exit; the Tor network certainly knows I’m exiting.
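To make the exit-policy semantics and the Exit-flag condition above concrete, here is an added example (my illustration, not part of the original post and not Tor’s own code). It parses ExitPolicy lines in torrc order, applies Tor’s first-match rule to a host:port lookup, and checks the flag condition exactly as stated in the post (443 together with 80 or 6667). The policy text is the post’s reduced policy; the probe addresses are constructed documentation addresses.

```python
# Added example, not from the original post and not Tor's own code: a small
# evaluator for torrc ExitPolicy lines.  It answers "would this exit allow a
# stream to host:port?" using Tor's first-match rule and checks the Exit-flag
# condition the post describes (exits to port 443 together with 80 or 6667).
# REDUCED_POLICY is the post's policy; the addresses probed are constructed.
import ipaddress
from typing import List, Optional, Tuple

REDUCED_POLICY = """
ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy accept *:22  # ssh
ExitPolicy accept *:443 # https (HTTP via TLS)
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy reject *:* # no exits allowed
"""

# One rule: (accept?, network or None for "*", low port, high port)
Rule = Tuple[bool, Optional[ipaddress.IPv4Network], int, int]


def parse_policy(text: str) -> List[Rule]:
    """Parse ExitPolicy lines in torrc order; every other line is ignored.
    Bracketed IPv6 patterns are not handled here (the post uses only "*")."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip torrc comments
        if not line.startswith("ExitPolicy "):
            continue
        _, action, patterns = line.split(None, 2)    # "ExitPolicy accept *:443"
        for pat in patterns.split(","):               # Tor allows "a:1,b:2" on one line
            host, _, ports = pat.strip().rpartition(":")
            net = None if host == "*" else ipaddress.ip_network(host, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            elif "-" in ports:                        # port range such as "6660-6669"
                lo, hi = (int(p) for p in ports.split("-", 1))
            else:
                lo = hi = int(ports)
            rules.append((action == "accept", net, lo, hi))
    return rules


def allows(rules: List[Rule], host: str, port: int) -> bool:
    """Tor's semantics: the first rule matching both address and port wins.
    Tor appends its default policy after yours, but a trailing `reject *:*`
    (as in the post) means nothing ever falls through to it."""
    addr = ipaddress.ip_address(host)
    for accept, net, lo, hi in rules:
        if (net is None or addr in net) and lo <= port <= hi:
            return accept
    return False


def exit_flag_eligible(rules: List[Rule]) -> bool:
    """The Exit-flag condition as the post states it: the relay must exit to
    port 443 and also to port 80 or port 6667.  Probed against one constructed
    address, since the post's policy carries no per-address rules."""
    probe = "192.0.2.1"  # TEST-NET-1 documentation address, constructed
    open_ports = {p for p in (80, 443, 6667) if allows(rules, probe, p)}
    return 443 in open_ports and bool(open_ports & {80, 6667})


RULES = parse_policy(REDUCED_POLICY)

if __name__ == "__main__":
    for port in (22, 80, 443, 6667, 8080):
        verdict = "accept" if allows(RULES, "192.0.2.1", port) else "reject"
        print(f"port {port}: {verdict}")
    print("Exit flag eligible:", exit_flag_eligible(RULES))
```

Run against the post’s policy it reports 22 and 443 accepted, 80 and 6667 rejected, and no Exit flag, which is the situation the paragraph describes; adding an `accept *:80` line (or `*:6667`) flips the last answer.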

Props to everyone at the UW/Tor hack-fest. Absolutely brilliant people having the most interesting of conversations. I really enjoyed the two days I spent around them, soaking in as much as I could. It made me think critically about a number of problems that I hope to blog about soon.

Node Operator Notes

Reloading Tor instead of restarting it (the service) allows me to update my torrc file without disrupting traffic.

sudo /etc/init.d/tor reload

Also, I installed two tools that help block annoying attacks against the box. Make sure you’re familiar with how to use them.

sudo apt-get install -y fail2ban denyhosts

Installing and using Tomb in Ubuntu 11.10

My blurb about Tomb

Using encryption is important when you store personal information on general-purpose computers. Information can, and in general should, move easily between inter-connected devices. Keeping your keyfile separate from your encrypted container adds a useful layer of security: if your encrypted container is ever lost, stolen, or deliberately stored elsewhere, it is a completely useless chunk of data without its keyfile and the password that protects the keyfile. Encrypted containers with integrated keys also run the risk of being attacked by brute force. With the growth of processing power, GPU-accelerated applications, and the falling cost of that processing, brute-forcing passwords gets easier every year.

Special note: TrueCrypt also supports the use of keyfiles.

Tomb website: http://www.dyne.org/software/tomb/
Tomb on Github: https://github.com/dyne/Tomb/

Note: This specific blog post is licensed as Creative Commons CC0 for the purpose of contributing to the Crypto.is project. You are free to copy, change, delete, or publish any part of this guide.

This guide is written to demonstrate how to:

1. Install Tomb in Ubuntu 11.10 x64
2. Create your first tomb
3. Securely move your tomb keyfile to a USB drive
4. Access and use your tomb
5. Securely delete your tomb

Installation

To install Tomb, follow the Crypto.is guide here (see: “Install from Debian Repository”): https://crypto.is/guides/install-tomb/

Verify installation

With your terminal open, verify that you have Tomb installed correctly via version check:

tomb -v

You should get this output:

Tomb - 1.2

Reference: http://www.dyne.org/software/tomb/

Creating a tomb

Before you begin, you can safely check whether your computer’s swap space is encrypted by trying to encrypt it. If you have swap space and do not pass the --ignore-swap flag, Tomb will not create your file and you will receive the following warning:

You have swap activated; use --ignore-swap if you want to skip this check
. Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk.
. However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check
. You seem to be using 1 swaps:
/dev/dm-0 partition 1234567 0 -1

Try encrypting your swap space if you have it:

sudo ecryptfs-setup-swap

Reference: https://help.ubuntu.com/community/EncryptedHome

You will get this warning if your swap space is already encrypted:

WARNING: [/dev/dm-0] already appears to be encrypted, skipping.
WARNING: There were no usable swap devices to be encrypted. Exiting.

Create a “test” tomb that is 2 Megabytes in size:

tomb create -s 2 test --ignore-swap

Enter your new password, then again for verification. Remember, when creating a password for an encrypted container, a longer password is better than a more complicated one.

PartyLikeIts#1999ButIn@2012

…is better than:

fG#jg8-sm$db

…because a longer password, in general, takes longer to brute-force, presuming that your tomb and keyfile are together.
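An added example (my illustration, not part of this post and not Tomb’s own code) that models the point made in the blurb above and in this password comparison. It mimics Tomb’s layering with the Python standard library only: the container is locked with a random 256-bit volume key, and that key lives in a separate keyfile wrapped under a key derived from your password. HMAC-SHA256 counter mode stands in for the real ciphers (GnuPG for the key, LUKS for the container); the iteration count, wordlist and secret are constructed for the demo. With keyfile and container together, a wordlist hit on the short password opens everything; with the container alone, the same wordlist gets nowhere, because nothing derived from a password can match a random key.

```python
# Added example, not Tomb's own code: a standard-library-only model of why a
# keyfile kept apart from its container defeats password brute force.  It
# mirrors Tomb's layering: the container is locked with a random 256-bit
# volume key, and that key sits in the keyfile wrapped under a key derived
# from your password.  HMAC-SHA256 counter mode stands in for the real
# ciphers (GnuPG for the key, LUKS for the container); iteration count,
# wordlist and secret below are constructed for the demo.
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

KDF_ITERATIONS = 50_000  # constructed; Tomb/GnuPG pick their own parameters


def _keystream(key: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, counter) blocks."""
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def _encrypt(key: bytes, data: bytes) -> bytes:
    """Stream-encrypt under a fresh nonce and append a MAC so that a wrong
    key is detected instead of yielding garbage (as GnuPG/LUKS would)."""
    nonce = os.urandom(16)
    stream_key = hmac.new(key, nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(data, _keystream(stream_key, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the MAC rejects this key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        return None
    stream_key = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, _keystream(stream_key, len(body))))


def password_key(password: str, salt: bytes) -> bytes:
    """Slow password hashing: the only place the password ever enters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def create_tomb(password: str, secret: bytes) -> Tuple[bytes, bytes]:
    """Like `tomb create`: returns (container, keyfile) as two separate blobs."""
    volume_key = secrets.token_bytes(32)   # random, never derived from the password
    salt = os.urandom(16)
    keyfile = salt + _encrypt(password_key(password, salt), volume_key)
    container = _encrypt(volume_key, secret)
    return container, keyfile


def open_tomb(container: bytes, keyfile: bytes, password: str) -> Optional[bytes]:
    """Like `tomb open -k keyfile`: the password unwraps the volume key, the
    volume key opens the container.  Either step failing yields None."""
    salt, wrapped = keyfile[:16], keyfile[16:]
    volume_key = _decrypt(password_key(password, salt), wrapped)
    if volume_key is None:
        return None
    return _decrypt(volume_key, container)


def guess_with_keyfile(container: bytes, keyfile: bytes, words: List[str]) -> Optional[str]:
    """The risk the post warns about: keyfile stored next to the container.
    The search space is then only the password, so a wordlist hit opens it."""
    for pw in words:
        if open_tomb(container, keyfile, pw) is not None:
            return pw
    return None


def guess_without_keyfile(container: bytes, words: List[str]) -> Optional[str]:
    """Keyfile kept on the USB stick: only the container is exposed, and its
    key is 256 random bits.  No password-derived key can ever match it."""
    for pw in words:
        if _decrypt(password_key(pw, b"\x00" * 16), container) is not None:
            return pw
    return None


# Constructed demo: the short password is deliberately on the wordlist.
WORDLIST = ["password", "letmein", "fG#jg8-sm$db", "hunter2"]
CONTAINER, KEYFILE = create_tomb("fG#jg8-sm$db", b"diary, tax returns, ssh keys")

if __name__ == "__main__":
    print("keyfile + container together:", guess_with_keyfile(CONTAINER, KEYFILE, WORDLIST))
    print("container alone:", guess_without_keyfile(CONTAINER, WORDLIST))
```

The design choice worth noticing is in `create_tomb`: the volume key is drawn from `secrets.token_bytes`, not from the password, so password strength only matters at the keyfile layer. That is exactly why the guide moves the keyfile to a USB drive and shreds the original.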

Moving your keyfile to a USB device

Copy, not move, your keyfile to your USB device:

sudo cp test.tomb.key /media/name-of-mounted-usb-device/

Shred the original keyfile to securely delete it:

sudo shred -f -v -z -u test.tomb.key

Reference: http://maketecheasier.com/ubuntu-how-to-delete-your-files-or-wipe-your-hard-drive-beyond-recovery/2008/02/14

Mounting your tomb

Remember that Tomb is a command-line utility, so even after mounting your tomb, you cannot access it using a GUI.

Mount your “test” tomb referencing the keyfile that is located on your USB drive:

tomb open test.tomb -k /media/name-of-mounted-usb-device/test.tomb.key --ignore-swap

Move a file over to your mounted tomb directory (into your tomb):

sudo mv /name-of-directory/name-of-file /media/test.tomb

Note: you can, of course, copy it over then shred the original.

Closing your tomb directory

Close your mounted tomb directory when you are done:

tomb slam

Deleting your tomb

If you ever need to delete your tomb, be sure to delete both the tomb and the keyfile:

sudo shred -f -v -z -u test.tomb
shred -f -v -z -u /media/name-of-mounted-usb-device/test.tomb.key

My first 24 hours as a Tor exit node

I set up a limited Tor exit node in my home yesterday by following @grahamking‘s guide for Ubuntu. Presently I’m using Ubuntu 11.10 x64 on a spare laptop, an HP/Compaq 6510b: not very powerful, but I wanted a low-power solution since it is running 24/7 in my home.

The basic steps

First I configured my A record for torexit.yawnbox.com. Then I set a static IP/hostname for the laptop (step 7 from this guide).

If I open my torrc file, these are the settings I uncommented or added:

vim /etc/tor/torrc

SocksPort 0 # what port to open for local application connections
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor
ORPort 9001
Nickname yawnbox
Address torexit.yawnbox.com
RelayBandwidthRate 2500 KB # Throttle traffic to 2500KB/s
RelayBandwidthBurst 5000 KB # But allow bursts up to 5000KB/s
ContactInfo Christopher Sheats
DirPort 9030 # what port to advertise for directory connections
DirPortFrontPage /etc/tor/tor-exit-notice.html
ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy accept *:22 # ssh
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy reject *:* # no exits allowed

I am only allowing ports that are intended for encrypted traffic. I am not yet allowing the standard IRC ports. Also, since this Tor exit node is in my home, I’m not comfortable with running a completely open node. After I figured out what ports I would be allowing, I configured the iptables firewall accordingly using UFW.

Bandwidth usage

I set the bandwidth at 2,500 KB/s with a 5,000 KB/s burst. By browsing the Ubuntu Software Center I managed to find two easy-to-use bandwidth monitors, one for watching locally and one for watching remotely. In just over 24 hours, I have already sent/received 27 GB of traffic!

A GUI bandwidth monitor, KNemo
A command-line bandwidth monitor, BMon

Why am I running a Tor exit node from my home?

  1. I strongly support the notion of our right to read, no matter who is trying to stop us.
  2. I am paying for a fast Internet service that I don’t fully utilize 24/7.
  3. I want to contribute to the Tor Project, especially after watching Roger Dingledine and Jacob Appelbaum (two “core people“) talk at 28C3 (YouTube video below)

We, the Web Kids.


Piotr Czerski
We, the Web Kids.
(translated by Marta Szreder)


There is probably no other word that would be as overused in the media discourse as ‘generation’. I once tried to count the ‘generations’ that have been proclaimed in the past ten years, since the well-known article about the so-called ‘Generation Nothing’; I believe there were as many as twelve. They all had one thing in common: they only existed on paper. Reality never provided us with a single tangible, meaningful, unforgettable impulse, the common experience of which would forever distinguish us from the previous generations. We had been looking for it, but instead the groundbreaking change came unnoticed, along with cable TV, mobile phones, and, most of all, Internet access. It is only today that we can fully comprehend how much has changed during the past fifteen years.

We, the Web kids; we, who have grown up with the Internet and on the Internet, are a generation who meet the criteria for the term in a somewhat subversive way. We did not experience an impulse from reality, but rather a metamorphosis of the reality itself. What unites us is not a common, limited cultural context, but the belief that the context is self-defined and an effect of free choice.

Writing this, I am aware that I am abusing the pronoun ‘we’, as our ‘we’ is fluctuating, discontinuous, blurred, according to old categories: temporary. When I say ‘we’, it means ‘many of us’ or ‘some of us’. When I say ‘we are’, it means ‘we often are’. I say ‘we’ only so as to be able to talk about us at all.

1.
We grew up with the Internet and on the Internet. This is what makes us different; this is what makes the crucial, although surprising from your point of view, difference: we do not ‘surf’ and the internet to us is not a ‘place’ or ‘virtual space’. The Internet to us is not something external to reality but a part of it: an invisible yet constantly present layer intertwined with the physical environment. We do not use the Internet, we live on the Internet and along it. If we were to tell our Bildungsroman to you, the analog, we could say there was a natural Internet aspect to every single experience that has shaped us. We made friends and enemies online, we prepared cribs for tests online, we planned parties and studying sessions online, we fell in love and broke up online. The Web to us is not a technology which we had to learn and which we managed to get a grip of. The Web is a process, happening continuously and continuously transforming before our eyes; with us and through us. Technologies appear and then dissolve in the peripheries, websites are built, they bloom and then pass away, but the Web continues, because we are the Web; we, communicating with one another in a way that comes naturally to us, more intense and more efficient than ever before in the history of mankind.

Brought up on the Web we think differently. The ability to find information is to us something as basic, as the ability to find a railway station or a post office in an unknown city is to you. When we want to know something - the first symptoms of chickenpox, the reasons behind the sinking of ‘Estonia’, or whether the water bill is not suspiciously high  - we take measures with the certainty of a driver in a SatNav-equipped car. We know that we are going to find the information we need in a lot of places, we know how to get to those places, we know how to assess their credibility. We have learned to accept that instead of one answer we find many different ones, and out of these we can abstract the most likely version, disregarding the ones which do not seem credible. We select, we filter, we remember, and we are ready to swap the learned information for a new, better one, when it comes along.

To us, the Web is a sort of shared external memory. We do not have to remember unnecessary details: dates, sums, formulas, clauses, street names, detailed definitions. It is enough for us to have an abstract, the essence that is needed to process the information and relate it to others. Should we need the details, we can look them up within seconds. Similarly, we do not have to be experts in everything, because we know where to find people who specialise in what we ourselves do not know, and whom we can trust. People who will share their expertise with us not for profit, but because of our shared belief that information exists in motion, that it wants to be free, that we all benefit from the exchange of information. Every day: studying, working, solving everyday issues, pursuing interests. We know how to compete and we like to do it, but our competition, our desire to be different, is built on knowledge, on the ability to interpret and process information, and not on monopolising it.

2.
Participating in cultural life is not something out of the ordinary to us: global culture is the fundamental building block of our identity, more important for defining ourselves than traditions, historical narratives, social status, ancestry, or even the language that we use. From the ocean of cultural events we pick the ones that suit us the most; we interact with them, we review them, we save our reviews on websites created for that purpose, which also give us suggestions of other albums, films or games that we might like. Some films, series or videos we watch together with colleagues or with friends from around the world; our appreciation of some is only shared by a small group of people that perhaps we will never meet face to face. This is why we feel that culture is becoming simultaneously global and individual. This is why we need free access to it.

This does not mean that we demand that all products of culture be available to us without charge, although when we create something, we usually just give it back for circulation. We understand that, despite the increasing accessibility of technologies which make the quality of movie or sound files so far reserved for professionals available to everyone, creativity requires effort and investment. We are prepared to pay, but the giant commission that distributors ask for seems to us to be obviously overestimated. Why should we pay for the distribution of information that can be easily and perfectly copied without any loss of the original quality? If we are only getting the information alone, we want the price to be proportional to it. We are willing to pay more, but then we expect to receive some added value: an interesting packaging, a gadget, a higher quality, the option of watching here and now, without waiting for the file to download. We are capable of showing appreciation and we do want to reward the artist (since money stopped being paper notes and became a string of numbers on the screen, paying has become a somewhat symbolic act of exchange that is supposed to benefit both parties), but the sales goals of corporations are of no interest to us whatsoever. It is not our fault that their business has ceased to make sense in its traditional form, and that instead of accepting the challenge and trying to reach us with something more than we can get for free they have decided to defend their obsolete ways.

One more thing: we do not want to pay for our memories. The films that remind us of our childhood, the music that accompanied us ten years ago: in the external memory network these are simply memories. Remembering them, exchanging them, and developing them is to us something as natural as the memory of ‘Casablanca’ is to you. We find online the films that we watched as children and we show them to our children, just as you told us the story about the Little Red Riding Hood or Goldilocks. Can you imagine that someone could accuse you of breaking the law in this way? We cannot, either.

3.
We are used to our bills being paid automatically, as long as our account balance allows for it; we know that starting a bank account or changing the mobile network is just the question of filling in a single form online and signing an agreement delivered by a courier; that even a trip to the other side of Europe with a short sightseeing of another city on the way can be organised in two hours. Consequently, being the users of the state, we are increasingly annoyed by its archaic interface. We do not understand why tax act takes several forms to complete, the main of which has more than a hundred questions. We do not understand why we are required to formally confirm moving out of one permanent address to move in to another, as if councils could not communicate with each other without our intervention (not to mention that the necessity to have a permanent address is itself absurd enough.)

There is not a trace in us of that humble acceptance displayed by our parents, who were convinced that administrative issues were of utmost importance and who considered interaction with the state as something to be celebrated. We do not feel that respect, rooted in the distance between the lonely citizen and the majestic heights where the ruling class reside, barely visible through the clouds. Our view of the social structure is different from yours: society is a network, not a hierarchy. We are used to being able to start a dialogue with anyone, be it a professor or a pop star, and we do not need any special qualifications related to social status. The success of the interaction depends solely on whether the content of our message will be regarded as important and worthy of reply. And if, thanks to cooperation, continuous dispute, defending our arguments against critique, we have a feeling that our opinions on many matters are simply better, why would we not expect a serious dialogue with the government?

We do not feel a religious respect for ‘institutions of democracy’ in their current form, we do not believe in their axiomatic role, as do those who see ‘institutions of democracy’ as a monument for and by themselves. We do not need monuments. We need a system that will live up to our expectations, a system that is transparent and proficient. And we have learned that change is possible: that every uncomfortable system can be replaced and is replaced by a new one, one that is more efficient, better suited to our needs, giving more opportunities.

What we value the most is freedom: freedom of speech, freedom of access to information and to culture. We feel that it is thanks to freedom that the Web is what it is, and that it is our duty to protect that freedom. We owe that to next generations, just as much as we owe to protect the environment.

Perhaps we have not yet given it a name, perhaps we are not yet fully aware of it, but I guess what we want is real, genuine democracy. Democracy that, perhaps, is more than is dreamt of in your journalism.



___
"My, dzieci sieci" by Piotr Czerski is licensed under a Creative Commons Uznanie autorstwa-Na tych samych warunkach 3.0 Unported License:
http://creativecommons.org/licenses/by-sa/3.0/

Contact the author: piotr[at]czerski.art.pl

Stream Dance via Ubuntu

radiotray

These are some of my favorite Internet radio stations, which I used to access via iTunes. One of the obvious benefits of streaming via Radio Tray is that it shows you the song that is playing, which is great for looking up an artist later. It uses far fewer resources than iTunes. I’ve tested this on all versions of Ubuntu from 11.10 to 15.04.

sudo apt-get install radiotray gstreamer0.10-plugins-ugly

If you’re using Unity, be sure to select ‘app indicator’ if Radio Tray asks.

Radio Tray >> Preferences >> Configure Radios…

Add the following streaming URLs: