What is it?
Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.
Source: Tor Messenger Beta: Chat over Tor, Easily | The Tor Blog

I am getting pretty peeved with Google recently. I have a huge amount of music on my Google Music library, so much in fact, that I hit Google’s track limit for uploads. Now, I’m trying to download my purchased music back to my machine, but their MusicManager is winding me up no end. It downloads for a while, then stops, thinking it has finished, with several tracks not downloaded. I restart the download, and it goes on a bit more then stops again.
Google suggested a few things, eventually ending up blaming my ISP. But there isn’t much alternative for me. Other than my current ISP, I can only use my corporate connection, but that requires a proxy - something Google do not support on MusicManager, or using Tor, which also doesn’t work properly. They suggested using the Google Music app, but that only works (if it ever does) on a single album.
I even tried using AWS and Google Cloud, but the app ties to MAC and refuses to identify my machine (which is a virtual machine). I also tried using an LXC container, and that worked for a bit longer, but also died. So now, I’m trying using a Docker image. Slightly different concept, but let’s see if it works.
If that doesn’t work, I’m going to try using TAILS.
EDIT: Docker image didn’t work. So anything with a “true” virtual environment such as AWS, GC, and Docker don’t seem to work (VirtualBox will probably be in this list too), anything else (LXC, e.g.) will work, but fail later.

The National Security Agency has some of the brightest minds working on its sophisticated surveillance programs, including its metadata collection efforts. But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts.
School dropout codes chat program that foils NSA spying (Wired UK).
I’ve started looking at the iptables function within the Linux kernel, and found out that, with a bit of tinkering, you can use the IBLOCK lists to do a machine-wide block based on IP. You use pipes (gotta love ‘em) to route them into ipset, which allows you to create a set of IP addresses/ranges which you then reference in iptables. You can use wget or curl. If you use wget, you might need to use the quiet switch. You can use xargs to multi-download lists and concatenate. I’m tinkering with my download script at the moment.
First, create the set. Here, I have used a high maxelem number because I use a lot of IBLOCK’s lists. The “maxelem 1048576” can be omitted or the number reduced if you are only using one or a small number of IBLOCK lists.
ipset create IBLOCK hash:net maxelem 1048576
Second, download and add to the set if it doesn’t already exist. You can chain multiple lists into the wget or use xargs. For this example, I’m only using one.
wget -q "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" -O- |
gunzip |
cut -d: -f2 |
grep -E "^[-0-9.]+$" |
gawk '{print "add IBLOCK "$1}' |
ipset restore -exist
Finally, add rules into iptables to drop packets to and from IP addresses that exist in the set. This means that packets coming in from external IPs that match IP addresses in the set will not be answered.
iptables -I INPUT -m set --match-set IBLOCK src -j DROP
iptables -I OUTPUT -m set --match-set IBLOCK dst -j DROP
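A sturdier take on the download pipeline above, as an added example that is not part of the original post or of the Hatch article. It takes the range after the last colon (labels that themselves contain a colon are silently dropped by `cut -d: -f2`), validates each octet, and loads a scratch set that is swapped in, so the live set is never half-filled during a refresh. The scratch set name `IBLOCK-new` and the sample list are assumptions, and the live set must already exist as created in the first step.

```sh
#!/bin/sh
# Added example; the helper names are hypothetical, not from the post.

# Convert P2P-format lines ("label:start-end") on stdin into ipset "add" lines.
p2p_to_ipset() {
    awk -v set="${1:-IBLOCK}" '
    # True when s is a dotted quad with every octet in 0..255.
    function valid_ip(s,    n, o, i) {
        n = split(s, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                return 0
        return 1
    }
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        range = $0
        sub(/^.*:/, "", range)               # keep what follows the LAST colon
        if (split(range, ends, "-") == 2 && valid_ip(ends[1]) && valid_ip(ends[2]))
            print "add " set " " range
        else
            bad++                            # count rejects instead of loading them
    }
    END { if (bad) printf "skipped %d malformed line(s)\n", bad > "/dev/stderr" }'
}

# Emit a complete restore script: fill a scratch set, then swap it into place.
build_restore() {
    live=${1:-IBLOCK}
    tmp="$live-new"                          # scratch set name (assumption)
    echo "create $tmp hash:net maxelem 1048576"
    echo "flush $tmp"
    p2p_to_ipset "$tmp"
    echo "swap $tmp $live"
    echo "destroy $tmp"
}

# Constructed sample input. Real use, with the post's download command:
#   wget -q "<list url>" -O- | gunzip | build_restore IBLOCK | ipset restore -exist
build_restore IBLOCK <<'EOF'
# constructed sample list
Example Org:192.0.2.0-192.0.2.255
Example Org: EU: branch:198.51.100.8-198.51.100.15
Broken entry:999.1.1.1-1.1.1.2
EOF
```

The count of skipped lines goes to stderr, so a list that suddenly loses most of its entries shows up in the cron mail or log rather than passing unnoticed.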
When I tried this with my IBLOCK download script, it seemed to kill TOR functionality as well, which I suspect means that IBLOCK have included the TOR IP range in one or more of their lists, so I’ll need to determine which one(s) they are and exclude them, as I do use TOR actively.
As with most things, there’s more than one way to do this, and this is one of many ways you could implement blocking behaviour.
Source: Dustin C. Hatch, Using PeerBlock lists on Linux
I’ve been using Tor for a while now, and have been tinkering with settings to try to get it to work right. One of the many frustrating things is DNS leaking, whereby an application resolves DNS using the host DNS and not via Tor. Consequently, since the DNS server of your PoP (Point of Presence) is usually your ISP’s DNS server, or a DNS server maintained by your ISP, they can easily eavesdrop on your surfing behaviour, by simply connecting a DNS query with a traffic stream to that same IP soon afterwards.
Using DNS via Tor is a bit of a pain, but there are various ways I’ve found that seem to work. Some better than others.
Solution 1: Local DNS Host
It is possible to set up Tor to act as a local DNS host by using the “DNSPort 53” directive within the torrc. However, you will need to run tor (or Vidalia) as root in order to be able to open this port.
Once this is done, you can add 127.0.0.1 to your DNS hosts list in /etc/resolv.conf. To account for when Tor isn’t running, I add my true DNS afterwards so my resolv.conf would be:
nameserver 127.0.0.1
nameserver 192.168.0.1
Which means it should resolve through Tor first, then my ISP DNS if that fails. Tor DNS only responds to A-record queries; MX and NS queries return an error.
If you turn on DEBUG level logging in Vidalia, you can test if DNS is working by trying to ping a host and seeing if Tor receives a DNS request.
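A check for the fallback behaviour just described, as an added example that is not part of the original post: it lists every resolv.conf nameserver that is not loopback, since those are the resolvers that see queries in the clear whenever the Tor DNSPort listener does not answer, and it separately flags `options rotate`, which makes the resolver spread queries across all listed servers even while Tor is up. The function names and the sample file are assumptions.

```sh
#!/bin/sh
# Added example; function names are hypothetical.

# Print every nameserver in a resolv.conf-style file that is not loopback.
non_tor_resolvers() {
    awk '
    $1 == "nameserver" && NF >= 2 {
        addr = $2
        sub(/%.*$/, "", addr)                  # drop an IPv6 zone id
        if (addr ~ /^127\./ || addr == "::1") next
        print addr
    }' "$1"
}

# Return 0 when only loopback resolvers are configured, 1 when a
# non-loopback fallback exists, 2 when "options rotate" is also set.
audit_resolv() {
    leaks=$(non_tor_resolvers "$1")
    if [ -z "$leaks" ]; then
        echo "ok: only loopback resolvers configured"
        return 0
    fi
    if awk '$1 == "options" { for (i = 2; i <= NF; i++) if ($i == "rotate") f = 1 }
            END { exit !f }' "$1"; then
        echo "leak: options rotate sends queries outside Tor to:" $leaks
        return 2
    fi
    echo "fail-open: used when the local Tor resolver does not answer:" $leaks
    return 1
}

# Constructed sample: the resolv.conf shown above.
sample=$(mktemp)
printf 'nameserver 127.0.0.1\nnameserver 192.168.0.1\n' > "$sample"
audit_resolv "$sample" || true
rm -f "$sample"
```

Run it against `/etc/resolv.conf` after every network change, because DHCP clients and network managers commonly rewrite that file.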
Solution 2: Wrapper
Probably an easier method than above, is to use a wrapper tool, such as torsocks or proxychains. My preference is proxychains and you’ll see why.
Torsocks, as its name suggests, is built by the same group who created tor and wraps the application you pass to it, tunnelling all traffic through tor. However, it seems rather quirky to me, and when used with some apps, it drops out several pages of LD_PRELOAD errors and the application either doesn’t start or starts without access to the net.
Proxychains similarly wraps an application and tunnels traffic through a proxy (including its DNS queries, by default). Not specifically Tor, but it does come with its config already set up for Tor and works fine. When you start it up with an application, by default, it shows all the DNS queries it makes (configurable). It also allows you to chain proxies (hence the name) so proxy A to proxy B to proxy C, etc. to make it even harder to follow your traffic. It even allows you to randomise your proxy chains so one request might go A-B-C and the next might go A-C-B.
At the moment I use the DNS method to hide my DNS traffic on most of my linux applications, then use proxychains on anything I specifically want to tunnel through Tor, such as browser sessions or the occasional BitTorrent download.
In case you haven’t seen this, Tails (The Amnesic Incognito Live System) is a live incognito DVD/USB which you can use to boot off any machine that supports USB boot (and for those which don’t boot off USB, you can use PLOP).
All connections go through Tor and since it’s a live disk, nothing is left on the hard disk (unless you choose to save something off the Internet, I guess).
I’ve been tinkering with Tor and managed to get my DNS routed through Tor, with my normal DNS as a backup, although routing traffic is a bit trickier, since not all applications like to play with the Tor network properly. Some applications such as Vuze provide SOCKS capability, which allows routing of traffic through the Tor network via proxy. Others, like Chrome/Chromium, don’t offer this as well, and you have to fudge it.