Announcement

**Feathers McGraw** · Jan 11, 2014, 03:54 AM

Originally posted by SteveRiley View Post

Allow SMTP relaying

I actually don't think I've done this one

In sure the list will continue to grow as I continue my enthusiastic tinkering, though!

I also had that scare where I thought I'd allowed WAN access to my printer. That would have been an impressive one if it had made the list!

On the plus side, having made so many catastrophic errors I was able to write a decent RasPi mail server tutorial that seems to have helped a few people!

**Simon** · Jan 11, 2014, 09:48 AM

The ultimate double bluff: pretending to accidentally run a proxy so you can look at naughty websites and claim it was someone else.

Well... I wouldn't be a healthy young man if I didn't peek now and then.

I am not very concerned about the proxy I am using. Roughly 2 years ago I met the man's family through online gaming... I am such a stalker.

Anyways at the time, I was paying for a monthly service call "Hide My *Donkey" only replace Donkey with a 3 letter version. He informed me that even with my MMOs my bandwidth usage is pretty low and isn't charging me for the proxy or VPN or whatnot. So basically he set me up so I am projecting a US IP for all my online activity. I adopted his family in exchange lol.

**GreyGeek** · Jan 11, 2014, 12:03 PM

Originally posted by SteveRiley View Post

Yes, that's why proxy servers represent a risk that many people don't think about. Often, the risk is of the "don't care" variety -- you're using the proxy so that you can get around country-specific content restrictions; who cares if someone intercepts the traffic? It's public and unencrypted anyway. You would not want to use any public proxy for sensitive communications. Tor is much better in those cases.

TOR is better protection than a pointed stick, but one still has to be careful, as I know you are aware. From the TOR site:

Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.

The problem I had with TOR is that the TOR browser was so slow it was like using a dialup.

**SteveRiley** · Jan 11, 2014, 04:21 PM

Originally posted by GreyGeek View Post

TOR is better protection than a pointed stick, but one still has to be careful, as I know you are aware. From the TOR site:

Indeed. Gotta give the Tor folks credit for being honest about its limitations. Compare that to, say, HideMyAss. Those guys make misleading claims and never mention the things they can't do.

Originally posted by GreyGeek View Post

The problem I had with TOR is that the TOR browser was so slow it was like using a dialup.

Have you tried the latest? I downloaded the Tor bundle a couple weeks ago. In my totally unscientific evaluation, it felt like my 100 Mb/sec connection ran at about half its normal speed.

**SteveRiley** · Jan 11, 2014, 04:42 PM

Originally posted by Feathers McGraw View Post

I actually don't think I've done this one

I also had that scare where I thought I'd allowed WAN access to my printer. That would have been an impressive one if it had made the list!

Ah, maybe that's what I was thinking of -- I knew there was a third oops we had discussed.

Originally posted by Feathers McGraw View Post

On the plus side, having made so many catastrophic errors I was able to write a decent RasPi mail server tutorial that seems to have helped a few people!

And a very well-written one, at that. Congratulations, you probably have the most up-to-date Debian+Postfix+Dovecot+webmail tutorial on the Internet right now. Bask in your glory!

**Feathers McGraw** · Jan 11, 2014, 05:05 PM

Originally posted by SteveRiley View Post

And a very well-written one, at that. Congratulations, you probably have the most up-to-date Debian+Postfix+Dovecot+webmail tutorial on the Internet right now. Bask in your glory!

Thanks, it won't last long! Lol

**GreyGeek** · Jan 11, 2014, 07:19 PM

Originally posted by SteveRiley View Post

.... Have you tried the latest? I downloaded the Tor bundle a couple weeks ago. In my totally unscientific evaluation, it felt like my 100 Mb/sec connection ran at about half its normal speed.

100Mb/s

I have only 15Mb/s

I measured Tor at less than 1Mb/s.

**SteveRiley** · Jan 11, 2014, 10:57 PM

Are you on DSL?

**GreyGeek** · Jan 13, 2014, 08:11 AM

Originally posted by SteveRiley View Post

Are you on DSL?

No. RoadRunner. Mytest.net gives me 15.3 Mb/s down and 1.9Mb/s up, which is pretty good for a purchased 15Mb/s connection.

**GreyGeek** · Jan 13, 2014, 08:12 AM

BTW, Tor give the following advice, reposted here for convenience:

Want Tor to really work?

You need to change some of your habits, as some things won't work exactly as you are used to.

Use the Tor Browser Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
Don't torrent over Tor Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that's how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.
Don't enable or install browser plugins The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy. The lack of plugins means that Youtube videos are blocked by default, but Youtube does provide an experimental opt-in feature (enable it here) that works for some videos.
Use HTTPS versions of websites Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. To help ensure private encryption to websites, the Tor Browser Bundle includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.
Don't open documents downloaded through Tor while online The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
Use bridges and/or find company Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you're using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!

**GreyGeek** · Jan 13, 2014, 11:01 AM

I thought about my Tor speed and what Steve was experiencing and decided to visit the Tor site again. There I found a 64bit Linux bundle with everything in it, fired by a shell script. I downloaded and unpacked it and fired the script. Gave me a nice FF browser with the option to run FF if your ISP was "free" and another button if you knew your connection was monitored.

This FF browser was reasonably fast. I discovered the "Silk Road", various hacker sites, and such. I also found this information:

http://www.thehiddenwiki.net/breakin...uding-tormail/

“In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization”

http://www.ieee-security.org/TC/SP20...s/4977a080.pdf

**SteveRiley** · Jan 17, 2014, 11:25 PM

Tor isn't perfect, true. But when big-moneyed interests are pouring big money into eliminating anonymity on the Internet, I'm glad we have projects like Tor that help to fight for us little people.

**SteveRiley** · Jan 17, 2014, 11:34 PM

@Feathers:

Originally posted by SteveRiley View Post

So you have managed to:

Get unknown accounts showing up in your Citadel deployment
Allow SMTP relaying
Run an open proxy

Mighty impressive! Did I forget anything?

Originally posted by Feathers McGraw View Post

I actually don't think I've done this one

Originally posted by SteveRiley View Post

* Allow SMTP relaying

Updated!

Get unknown accounts showing up in your Citadel deployment
Run an open proxy
Become a small DDoS target against .htaccess

**Feathers McGraw** · Jan 18, 2014, 04:22 AM

An impressive set of accolades!

I wonder whether the .htaccess file would have been a problem on a system with more memory? I may add some swap, see if that helps at all.

**SteveRiley** · Jan 18, 2014, 05:08 PM

Originally posted by Feathers McGraw View Post

I wonder whether the .htaccess file would have been a problem on a system with more memory? I may add some swap, see if that helps at all.

Eh, don't bother. .htaccess is not intended for frequent modification. That's a pretty bad way to accomplish what you want. Fail2Ban's express purpose is to create and maintain dynamic block lists. It's the correct approach.

Announcement

One cable modem -- Two networks?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment