
Using Anonymity for good, or Why Tor Matters

Over the last few years, there has been a disturbing trend of law enforcement agencies (both European and American) demonizing the Tor project and anonymity in general, and Tor hidden services specifically. Recently, during 31c3, Jacob Appelbaum (a Tor developer and generally awesome person) put out a call to the community to start conversations about anonymity in order to inform people about why anonymity is important and how it is useful not only to (perceived or actual) criminals, but also to regular people. This is my (public) contribution.

First, I will briefly explain how Tor in general and hidden services specifically work. If you are familiar with Tor and hidden services, feel free to skip ahead.

What is Tor?

“Tor” stands for “The Onion Router”. It is a program that can be used to browse the internet anonymously (the websites you visit cannot identify you unless you provide them with identifying information yourself, e.g. by logging in). It also hides which websites you are visiting from your internet provider. This is achieved (slightly simplified) by sending your internet traffic through a number of servers all over the globe before delivering it to the website you are visiting.

Tor also supports a system called “hidden services”. A hidden service is a website (or any other type of service, like a mail or chat server) that can only be reached over the Tor network. When used properly, the server never knows the identity of users connecting to it, and the users never know the location of the server they are talking to.

The usual caveats apply: Tor cannot protect your identity if you use it incorrectly. For example, you will obviously not be anonymous if you log into Facebook via Tor. Read the warnings on the download site.

Why use Tor?

There are many reasons why you may want to use Tor, and the overwhelming majority of them do not involve anything that you may find questionable. For example, Tor is used…

  • …by dissidents who want to get around state censorship (e.g. in China, Syria, …)
  • …by whistleblowers and journalists alike to protect themselves and their sources
  • …by privacy-conscious people who want to avoid the omnipresent tracking on many websites
  • The list goes on. The Tor project has a nice list of potential uses and users of their software.

But I was told criminals use Tor!

Yes, there are people who are using Tor to hide their identities when extorting money, or to buy and sell drugs. It is in the nature of an anonymity system that it is impossible to prevent malicious use while still allowing those with “legitimate” (however you would define that) interests to use it. In the end, it all comes down to a tradeoff between the good and the bad that Tor does. How many drug smuggling rings equal one Edward Snowden? How many Chinese dissidents equal one criminal using Tor to extort money?

In my personal opinion, Tor does more good than it does bad. You may think differently. Just keep in mind that Tor does save lives under oppressive regimes, and that it enables people like Edward Snowden to come forward with at least a small measure of safety. You will have to decide if it is worth losing all of that to cut off a channel for drug trade. In the end, there will always be ways to more-or-less-securely trade drugs, but there may not be any way for dissidents to safely use the internet.

And what about those hidden services?

Hidden services enjoy a particularly bad reputation as a place where only drug traders and pedophiles hang out, and it is true that there is a lot of awful stuff hosted on hidden services. But again, there are a lot of different ways these hidden services can be used. Here are two ways in which I personally use hidden services:

  • I have my own server for instant messaging using Jabber / XMPP, and I connect to it using a Tor hidden service. That way, my server does not know my current IP address (which is good, in case it ever gets taken over by criminals), and it also prevents anyone watching the network from identifying that I am using it at all. Additionally, it gives the other users of my server a way to use it and still be sure that I cannot track them. I would obviously never even try to track them, but I firmly believe in minimizing the amount of damage any one party can do, no matter how trustworthy.
  • I also have a separate hidden service I use to access my server using the SSH protocol (a protocol used to remotely administer my server), as lately, doubt has been cast on the security of the SSH protocol. By using hidden services, I am adding another layer of security to the connection, which helps keep my server secured against the aforementioned criminals.

In both cases, I am not interested in hiding the location or identity of my server (as that is trivial to determine using the protocols themselves), but more interested in hiding myself from my server, and hiding the fact that I am talking to the server. This makes it slightly harder to identify me, and much harder to identify which channels I am using to communicate (another case of minimizing the information available to any single party). And, most importantly, it adds another layer of protection to the information I am sending.

Closing notes

I hope that this article helped you understand that there are many different ways people use anonymity tools like Tor, and many of them are completely acceptable to any sane person. So, what I am asking of you is simple: keep this in mind when you next hear politicians railing against anonymity: for every criminal, pedophile and “terrorist” using Tor, there is at least one dissident, activist, journalist, or server operator using the same software for good.

Life is not as easy as people make it sound. Why should the issue of anonymity be any different?

Howto: Running Tor on a Synology DiskStation

(Repost from my tumblr)

After a brief conversation with the TOR support, I tried to and succeeded at getting TOR to run on my Synology DiskStation 211j. I suppose the setup process will be similar on all DiskStations and possibly other BusyBox NAS systems, but I only tried my own one.

I suppose you already know your way around your NAS, in having SSH enabled and secured (important!), and ipkg installed. You should also know basic stuff about Linux (editing files, creating directories, sudo / su, …), but you don’t need to be an expert (hell, I am mostly a newbie myself when it comes to Linux).

Please also be aware of the legal implications that come with running TOR. I am not responsible for anything that happens to you, your NAS, your Network, Internet Connection, computer, data, cat, or anything else. Also, please note that while the following steps have worked for me, they might not work for you, and chances are that I will be unable to assist you in any way. Use Google or whatever search engine you are comfortable with to find solutions.

A note on the ipkg version of TOR:

I have asked the guys at TOR, and the version on IPKG is not official. It is also outdated, so please don’t use it. Compile TOR yourself instead.

Step one: Getting the TOR Source code

There are, as of April 2012, no precompiled ARM binaries available, so you will have to compile TOR yourself.

Go to https://www.torproject.org/download/download.html.en and download the Source Tarball (that’s important: do not download any precompiled Linux package).

Copy it to your NAS in some way (via a network share, for example). Getting the source tarball directly on the NAS was not possible for me, as it is only loadable via https, and my wget had no https support compiled in.

Copy it to a location of your choice (your home folder, for example), and unpack it using:

tar xzf name_of_source_tarball.tar.gz

(remember you can autocomplete the filename with tab)

Step two: Checking the config

This step is easy. Just run “./configure” from the unpacked directory (you may have to “cd” into it first).

You will most likely get errors. Don’t freak out, that’s normal.

If it complains that you don’t have gcc installed, just run “sudo ipkg install gcc” and you should be fine.

Usually, it will tell you that it has found a shared library, but is unable to use it, and you can specify a new path using the “--with-[libraryname]-dir=path/to/library” switch.

Most of the libraries will be located at /opt/lib

If you are indeed missing a library completely, you can most likely install it using ipkg.

For example, I was missing the openssl-libraries. By running “sudo ipkg list | grep openssl”, I was able to locate the “openssl-dev”-package that contained the libraries. If you really can’t find the libraries, use a search engine to figure out how to get them.

Once you get the “./configure” command to run without errors, using the switches explained above, you can run “make” (or install it first, if you don’t have it already, using “sudo ipkg install make”).

This will take a while (about 10 minutes for me). It should run without errors. If you encounter problems here, I will most likely not be able to help you, so use your friendly search engine again.

Step three: Preparing the system

First off, if you have not properly sealed your ssh, now is the time to do it. Use keyfiles to log in, change the standard port, disallow root login and so on. I will not go into details here, there are enough tutorials for that online.

Make sure all your software is up to date (“sudo ipkg update”, followed by “sudo ipkg upgrade”), and that your router’s Firewall is blocking every port by default. Be a bit paranoid.

If you are done with that, run “sudo mkdir /root/.tor”, followed by “sudo chown -R [your_username] /root/.tor”. This will enable TOR to use the directory, as per standard config.

Alternatively, you could just run “sudo [path_to_tor_source_dir]/src/or/tor” and then, after a second, cancel the execution using ctrl+c. TOR should create all required directories. Now you can run it without the “sudo” to get a list of all relevant directories that were created (Because it will complain that it has no access to them). “chown -R” all of them to your user, as described above.

Step four: Preparing a torrc file

TOR should have created a folder called “tor” somewhere (For me, it was /opt/etc/tor). cd to that folder and edit the torrc.sample (Or maybe it will be called torrc, without the .sample).

Read through it carefully and consider your choices, then make your changes. Also, check if you have write access by changing something and saving. If it works, keep going. Otherwise, exit your editor and restart it using “sudo”.

Keep in mind that the “#” character signifies a comment. So, make sure the relevant lines are uncommented.

The most important decisions you have to make are:

  • SocksPort: Set to 0 if you only want to run a relay / exit node.
  • Log configuration: It is useful to set a logfile for “notice” level logs. For example: “Log notice file /path/to/the/file/filename.txt”
  • RunAsDaemon: If you want TOR to keep running in the background after you terminate your SSH connection, set this to 1. In this case, it is important to set a log file, or you will be unable to find out what is going on inside TOR and whether there are any problems.
  • ORPort: Set a port and make sure that it is forwarded in your router. Only set this if you want to run a relay, bridge, or exit node.
  • Nickname: Set anything here to identify your node. Again, only set this if you want to run a relay, bridge or exit node.
  • RelayBandwidthRate: Set if you want to limit traffic through your relay, bridge or exit node.
  • RelayBandwidthBurst: Same here.
  • AccountingMax, AccountingStart: Same here.
  • ContactInfo: Set if you want the TOR team to be able to contact you, should something be wrong. Search engines are indexing this, so spammers will find your email eventually if you set it.
  • DirPort: If you want to mirror directory information, set this and make sure your router forwards the port.
  • DirPortFrontPage: Specify an HTML document that should be displayed if someone browses to your IP on your DirPort. Totally optional.
  • MyFamily: Set the fingerprints of other TOR relays you are running here.
  • ExitPolicy: This is critical! If you want to only relay traffic (from TOR into TOR, as opposed to from TOR into the Internet), set this to “reject *:*”. Otherwise, you can reject specific ports, for example BitTorrent, Usenet, … If you choose to be an exit node, you will get problems at some point, because people are using TOR to do illegal stuff, and your IP will show up eventually. Consider this carefully. Running a non-exit relay is safe and needed.
  • BridgeRelay: If you want to serve as a bridge, set this to 1.

If you need your fingerprint to configure other relays, check “/root/.tor”.

Don’t forget to remove the “.sample” from the torrc file, if it was still there (“mv torrc.sample torrc”).
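As an added example (not from the original post, and not the Tor project’s own tooling), here is a small POSIX sh script that writes a torrc for a non-exit relay using the options discussed above, and then checks the three settings that are easiest to get wrong: an ExitPolicy that is not “reject *:*” silently turns the NAS into an exit, RunAsDaemon without a log file leaves you blind, and a missing ORPort means no relay at all. The nickname, ports, bandwidth figures, contact line and log path are placeholders I chose; substitute your own.

```shell
#!/bin/sh
# Added example, not part of the original post: write a non-exit relay torrc
# and check the settings that matter for safety. All values are placeholders.

# Write a non-exit relay torrc to the path given as $1.
write_relay_torrc() {
    cat > "$1" <<'EOF'
# Relay only: no local SOCKS proxy on the NAS
SocksPort 0
# Log to a file so a daemonised tor can still be inspected (placeholder path)
Log notice file /opt/etc/tor/notices.log
RunAsDaemon 1
# Forward this port on the router
ORPort 9001
Nickname exampleNasRelay
RelayBandwidthRate 200 KBytes
RelayBandwidthBurst 400 KBytes
AccountingMax 100 GBytes
AccountingStart month 1 00:00
ContactInfo operator at example dot org
DirPort 9030
# The critical line: never forward traffic to the open internet
ExitPolicy reject *:*
EOF
}

# Print the value of uncommented option $2 in torrc $1 (empty if unset).
# Only the first matching line is printed; "#Option" lines do not match.
torrc_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Check the relay-safety invariants described in the post for torrc $1.
# Prints each problem found; returns 0 when clean, 1 otherwise.
check_relay_torrc() {
    rc=0
    if [ "$(torrc_get "$1" ExitPolicy)" != "reject *:*" ]; then
        echo "ExitPolicy is not 'reject *:*': this would be an exit relay"
        rc=1
    fi
    if [ "$(torrc_get "$1" RunAsDaemon)" = "1" ] && \
       ! torrc_get "$1" Log | grep -q '^notice file '; then
        echo "RunAsDaemon 1 without a notice-level log file"
        rc=1
    fi
    if [ -z "$(torrc_get "$1" ORPort)" ]; then
        echo "ORPort unset: tor will not act as a relay"
        rc=1
    fi
    return $rc
}

# Usage on the NAS (adjust the path to where your torrc lives):
#   write_relay_torrc /opt/etc/tor/torrc && check_relay_torrc /opt/etc/tor/torrc
```

Run check_relay_torrc against the file you actually hand to tor with “-f”, not against the .sample copy; it is a cheap guard to re-run after every edit, before restarting the daemon.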

Step five: Running TOR for the first time (for real)

Run TOR using “[path_to_TOR_sources]/src/or/tor”. If the torrc file is not in the standard directory, you can specify the path using “-f /path/to/file/torrc”.

If you have set RunAsDaemon to 1, check your log files. It should say “Self-testing indicates your ORPort is reachable from the outside”, as well as “self-testing indicates your DirPort is reachable from the outside” (if you have enabled the respective ports). If there are problems, check your port forwarding, paths and permissions.

Step six: Killing TOR if it is a daemon

If you have set RunAsDaemon to 1 and need to kill TOR for some reason, run “ps | grep tor”, note the PID of the tor process and run “sudo kill -SIGINT [tor_pid]”. It will take 30 seconds for TOR to shut down. If you need to shut it down fast, without regard for the stability of the currently connected clients, you can just use the kill command without the -SIGINT. Please try to avoid this.
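The shutdown sequence above, as an added POSIX sh example that is not from the original post: send SIGINT, give tor its 30 seconds to close circuits, and only fall back to SIGKILL if it is still there afterwards. The tor_pid helper assumes BusyBox ps output as on the DiskStation (every process listed, command in the trailing columns); the stop function itself takes any PID, and is_running reads /proc on Linux so that an already-exited (zombie) process is not mistaken for a live one.

```shell
#!/bin/sh
# Added example, not part of the original post: graceful stop of a
# daemonised tor with a bounded wait before SIGKILL.

# Print the PID of the running tor binary, or nothing if it is not running.
# Assumes BusyBox ps (lists all processes). Scans every column for a command
# named "tor" or ending in "/tor", so "grep tor" or an editor on "torrc"
# does not match.
tor_pid() {
    ps | awk '{ for (i = 2; i <= NF; i++) if ($i ~ /(^|\/)tor$/) { print $1; exit } }'
}

# Return 0 if PID $1 exists and has not already exited.
# On Linux, /proc/PID/status reports "State: Z" for a zombie; elsewhere fall
# back to kill -0, which only tells us the PID exists.
is_running() {
    if [ -r "/proc/$1/status" ]; then
        state=$(sed -n 's/^State:[[:space:]]*\([A-Za-z]\).*/\1/p' "/proc/$1/status" 2>/dev/null)
        [ -n "$state" ] && [ "$state" != "Z" ]
    else
        kill -0 "$1" 2>/dev/null
    fi
}

# stop_gracefully PID [SIGNAL] [TIMEOUT]
# Sends SIGNAL (default INT, which makes tor shut down cleanly) and waits up
# to TIMEOUT seconds (default 30, tor's own grace period) polling once a
# second. Returns 0 if the process exited on its own, 2 if SIGKILL was
# needed, 1 if there was no such process.
stop_gracefully() {
    pid=$1; sig=${2:-INT}; timeout=${3:-30}
    is_running "$pid" || return 1
    kill -"$sig" "$pid" 2>/dev/null || return 1
    waited=0
    while is_running "$pid"; do
        if [ "$waited" -ge "$timeout" ]; then
            # Last resort: connected clients lose their circuits abruptly
            kill -KILL "$pid" 2>/dev/null
            sleep 1
            return 2
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Usage on the NAS (not run here), as root or with sudo:
#   pid=$(tor_pid) && stop_gracefully "$pid"
```

Check the return code in any wrapper script: 2 means tor had to be killed hard, which is exactly the case the post asks you to avoid, so it is worth a log line and a look at the notice log before the next start.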

That’s it. You are now (hopefully) running a TOR relay, or at least have access to TOR, using your NAS as a proxy.

Some notes:

  • Subscribe to the tor-announce mailing list if you want to be notified on new TOR updates. Install them ASAP, as old versions might be insecure.
  • IMPORTANT: Read this page on the TOR documentation about improving security of your TOR Relay. There are many things you can do to make it harder for people to break into your machine. This is especially important if you are running an exit node.

So, that’s it, this time for real. If you have any notes concerning the process, do not hesitate to comment.