Here are some miscellaneous notes on using Tor and TorK:

What do I need to know about Tor/TorK?

First of all some don'ts:

* Don't use Tor/TorK for plaintext traffic such as POP3 (downloading emails) or telnet. By doing so you are sending out username/password combinations that some people harvest, e.g. http://tor.unixgu.ru.
* Don't mix 'anonymous' and 'non-anonymous' traffic in Tor. For example, don't do some anonymous browsing and then log into Hotmail during the same 'anonymous' Tor session. Why? Anyone listening on the Tor network might put two and two together and identify you. Better to keep Tor for 'anonymous' tasks only.

Now some do's:

* Do run a Tor server if you can. Choose one of the server options TorK provides. A 'Relay' server is an easy and hassle-free way to contribute to the network. An 'Exit' server is the only one that involves putting your name to other people's traffic.
* Do behave responsibly when using Tor. Try not to sink to the level of your own government!

Finally: Tor is developed and maintained by the people at http://tor.eff.org. They are professionals. They're mostly from MIT. They know what they're doing. TorK is developed and maintained by a hobbyist. From Ireland. In his spare time. So: TorK probably has lots of faults the developer is not aware of or hasn't fixed yet. If you spot them, let the poor sod know by clicking on Help -> 'Report Bug'.

What is 'Paranoid Mode'?

In TorK, you can switch between 'Paranoid' and 'Not-So-Paranoid' mode by clicking on the icon of the toggling penguin-ghost. When in 'Paranoid Mode' TorK/Tor will try to use a new identity for every new connection you make. This helps mitigate the problem where you mix 'anonymous' and 'non-anonymous' traffic in Tor. For example, if you do some anonymous browsing and then log into Hotmail during the same 'anonymous' Tor session, anyone listening on the Tor network might put two and two together and identify you.
Using different identities for each connection will help reduce this problem. However, 'Paranoid Mode' is slow and you are probably better off just not mixing 'anonymous' and 'non-anonymous' activity in the first place.

Where is the paranoid button located?

Under the first tab ("Anonymize"), in the first section ("Welcome...", next to the big onion icon), you will see the toggling ghost-penguin button followed by a URL-like clickable link (mentioning the "paranoid mode"). Click on the icon itself to toggle between the two modes. Clicking the URL-like link next to it does something else. This was fixed in CVS (the icon was added to the menu and toolbar).

Why can't Konqueror access the Internet through Tor?

Konqueror works just fine when I set up its proxies manually (from kcontrol). Then I open TorK and it no longer works. It doesn't matter how I toggle TorK's Konqueror button. Then I have to manually restore Konqueror's proxies (in kcontrol), and Konqueror starts working again. That is, until I restart TorK, when all this happens again.

Tor/TorK say my Tor server isn't reachable. What should I do?

To make your Tor server visible to the world, there are a number of things you need to make sure are set up correctly.

Step One

Make sure your firewall is allowing traffic to Tor's server ports. These are the commands I added to my own firewall script (the host my instance of Tor is running on is 192.168.1.2):

    # Allow Tor to go through
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT

If you are wondering, 'Where's my firewall script?', then you should probably create one.
This is mine, for what it's worth (and that's not much):

    #!/bin/bash

    # Load connection-tracking helper modules
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc

    # Flush old rules, then delete old user-defined chains so that
    # re-running the script does not fail on 'iptables -N' below
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # Set policies: drop inbound and forwarded traffic by default
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP

    # Allow loopback
    iptables -A INPUT -i lo -j ACCEPT

    # Allow Tor to go through (ORPort 9001, DirPort 9031)
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT

    # BitTorrent port forwarding
    BTPORTS="7682 6881 6882 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
    for pt in $BTPORTS; do
        iptables -A INPUT -i eth0 -p tcp --dport "$pt" -j ACCEPT
    done

    # Drop traffic claiming a loopback destination on a non-loopback interface
    iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

    # Rate-limit new TCP connections; log and drop anything over the limit
    iptables -N Flood-Scan
    iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan
    iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
    iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
    iptables -A Flood-Scan -j DROP

    # Drop new connections that do not start with a SYN, and SYN+FIN packets
    iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # Allow replies to connections this host opened
    iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
    iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Allow the ICMP types needed for error reporting and ping replies
    iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT

Save this to something like /etc/fwscript. Then make the file executable:

    chmod +x /etc/fwscript

To have the firewall set up every time you turn on your Linux box, add it to the local equivalent of your /etc/rc.d/rc.local file. If you don't know what that is then I'm afraid you're going to have to find out yourself.

Step Two

If you have a broadband connection you may need to configure your router to allow access to your Tor service. In most cases this means something like what I had to do with my own Zyxel Prestige router. The instructions that follow are specific to my router but you should be able to do something similar with your own:

    robert@darkstar ~> telnet 192.168.1.1
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.

    Password:

Then I got this screen:

    Copyright (c) 1994 - 2003 ZyXEL Communications Corp.

                    Prestige 623R-T1 Main Menu

    Getting Started                  Advanced Management
      1. General Setup                 21. Filter Set Configuration
      3. LAN Setup                     22. SNMP Configuration
      4. Internet Access Setup         23. System Password
                                       24. System Maintenance
    Advanced Applications              25. IP Routing Policy Setup
      11. Remote Node Setup            26. Schedule Setup
      12. Static Routing Setup
      15. NAT Setup
                                       99. Exit

                    Enter Menu Selection Number: 15

I selected 'NAT Setup'.

                    Menu 15 - NAT Setup

      1. Address Mapping Sets
      2. NAT Server Sets

                    Enter Menu Selection Number: 2

I selected 'NAT Server Sets'.

                    Menu 15.2 - NAT Server Sets

      1. Server Set 1 (Used for SUA Only)
      2. Server Set 2
      3. Server Set 3
      4. Server Set 4
      5. Server Set 5
      6. Server Set 6
      7. Server Set 7
      8. Server Set 8
      9. Server Set 9
      10. Server Set 10

                    Enter Set Number to Edit: 1

I selected the first one.

                    Menu 15.2 - NAT Server Setup

      Rule    Start Port No.    End Port No.    IP Address
      ---------------------------------------------------
       1.     Default           Default         0.0.0.0
       2.     0                 0               0.0.0.0
       3.     9031              9031            192.168.1.2
       4.     9001              9001            192.168.1.2
       5.     0                 0               0.0.0.0
       6.     0                 0               0.0.0.0
       7.     0                 0               0.0.0.0
       8.     0                 0               0.0.0.0
       9.     0                 0               0.0.0.0
      10.     0                 0               0.0.0.0
      11.     0                 0               0.0.0.0
      12.     0                 0               0.0.0.0

                    Press ENTER to Confirm or ESC to Cancel:

As you might guess the address of my PC is 192.168.1.2 and I'm running my Tor ORPort on 9001 and my Tor DirPort on 9031. You're probably doing the same. That's it. Save your changes and exit the telnet session with the router.

Step Three

Your Tor server should now be reachable - unless you (or your distro) have done something exotic with your hosts.allow and hosts.deny files. Try starting your Tor server again from TorK and see what happens. If you are still experiencing problems, try the Tor FAQ entry for more possibilities.

How do I use TorK to anonymize applications?

The 'Anonymize' tab allows you to launch 'anonymized' instances of various applications with a single click.

How can I be sure it's working?

In the miniview, you should see the sites you are connecting to in their 'raw' form. For example, if you launched an 'Anonymous SSH session' and have typed the following in konsole:

    ssh me@my.shell.net

You should see 'my.shell.net' in the miniview and not my.shell.net's IP address. If you see an IP address, that means your system has bypassed Tor to get the IP address for my.shell.net. This is a problem if you think someone might be using your domain name lookups to track your internet activity. If you are having this problem, you should delete all instances of libtsocks.so on your system and re-install TorK; that should ensure the correct library is being called to route all traffic through Tor.

How is it meant to work?

TorK uses two helper applications:

1. 'torify', a shell script installed with Tor; and
2. 'tsocks', a utility bundled and installed with TorK that ensures the application goes through Tor anonymously.

OK, how does it really work?

TorK launches the following command: torify name-of-your-app-here. The torify script calls a script called tsocks. This loads the libtsocks.so library, which is dynamically linked to the application at runtime. The libtsocks.so library intercepts all of the application's TCP/IP calls and routes them through Tor, i.e. uses Tor as a SOCKS proxy.

This tsocks, it's the one available at http://tsocks.sf.net right?

No, it's a version of that one patched to intercept domain name resolutions as well as all other traffic.
See this entry in the Tor FAQ to understand why this is desirable.

Security/Anonymity FAQs

Is Tor more secure than ordinary internet use?

No. In some ways it's less secure (though this is just an opinion). Let me explain: The Tor network contains known eavesdroppers. These eavesdroppers are servers on the network that act as exit nodes (points in the Tor network where your traffic pops back out onto the internet proper). If you use plaintext authentication (e.g. type a name/password into a website that is not using a secure connection) and are using an eavesdropper as your exit node, that exit node can capture your username/password.

But isn't there a risk of this happening in the ordinary internet anyway?

Yes, of course there is. However, you do not know (for a fact) that there are computers listening to your ordinary internet connection - but you do know (now) that there are servers on the Tor network listening to traffic. And they could listen to yours if you do not behave securely. Put simply: Tor has a specific layer of exposure that is easily accessible to anyone who is interested in it. That is not true of non-Tor traffic.

This is not a widely accepted opinion, to paraphrase Nigel Tufnel 'it's a fine line between paranoid and stupid', so for more info see:

Tor Eavesdropping FAQ
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1

Where are all the other Security/Anonymity answers?

I'll leave that to the experts: http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ
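
The name-resolution leak described under 'How can I be sure it's working?', and the reason the bundled tsocks is patched to intercept lookups, both show up in the SOCKS request the application hands to Tor: a hostname means Tor does the lookup, a bare IP means the lookup already happened outside Tor. The Python code below is an added example, not part of Tor or TorK; the function names and sample requests are constructed for illustration, and it assumes you have the raw request bytes sent to Tor's SOCKS port. It also flags the two plaintext protocols this page warns about.

```python
import ipaddress
import struct

PLAINTEXT_PORTS = {110: "POP3", 23: "telnet"}  # the plaintext protocols this page names

def parse_socks_request(data: bytes):
    """Parse one SOCKS CONNECT request into (version, host, port, host_is_name)."""
    if len(data) < 8:
        raise ValueError("truncated SOCKS request")
    if data[0] == 4:
        # SOCKS4: VN CD PORT(2) IP(4) USERID NUL; SOCKS4a: IP=0.0.0.x, then HOSTNAME NUL
        (port,) = struct.unpack(">H", data[2:4])
        ip, userid_end = data[4:8], data.index(b"\x00", 8)
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            name_end = data.index(b"\x00", userid_end + 1)
            return "4a", data[userid_end + 1:name_end].decode("ascii"), port, True
        return "4", str(ipaddress.ip_address(ip)), port, False
    if data[0] == 5:
        # SOCKS5 request (sent after method negotiation): VER CMD RSV ATYP ADDR PORT
        atyp = data[3]
        if atyp == 3:         # length-prefixed domain name
            end = 5 + data[4]
            host, is_name = data[5:end].decode("ascii"), True
        elif atyp in (1, 4):  # IPv4 or IPv6 literal
            end = 4 + (4 if atyp == 1 else 16)
            host, is_name = str(ipaddress.ip_address(data[4:end])), False
        else:
            raise ValueError("unknown SOCKS5 address type")
        (port,) = struct.unpack(">H", data[end:end + 2])  # raises if the port is cut off
        return "5", host, port, is_name
    raise ValueError("not a SOCKS4/SOCKS5 request")

def audit(data: bytes):
    """Return the problems this page warns about for one request."""
    _, host, port, is_name = parse_socks_request(data)
    findings = []
    if not is_name:  # a literal IP typed by the user looks identical on the wire
        findings.append(f"{host}: Tor got an IP, so the name was resolved outside Tor")
    if port in PLAINTEXT_PORTS:
        findings.append(f"port {port}: {PLAINTEXT_PORTS[port]} login readable at the exit node")
    return findings

# Constructed sample requests, not captured traffic (192.0.2.10 is a documentation address).
LEAKY_SSH = b"\x04\x01\x00\x16\xc0\x00\x02\x0a\x00"                  # SOCKS4, IP only
CLEAN_SSH = b"\x04\x01\x00\x16\x00\x00\x00\x01\x00my.shell.net\x00"  # SOCKS4a, hostname
TELNET_IP = b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x17"              # SOCKS5, IP, port 23
if __name__ == "__main__":
    for req in (LEAKY_SSH, CLEAN_SSH, TELNET_IP):
        print(parse_socks_request(req), audit(req))
```

A request that carries only an IP is what the miniview shows as an IP address; the SOCKS4a request is the form in which 'my.shell.net' reaches Tor unresolved.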