The Onion Digest

Author Archive

First, install the OpenBSD version of netcat. If you’re on a BSD-based system, this should already be the case. If you’re using Debian, run sudo apt-get install netcat-openbsd. Users of other distributions should consult their system’s documentation and package repositories to learn how to install this package. If nc -zX5 1337 doesn’t give an error, you have the correct version.

Next, because Git isn’t able to understand a GIT_PROXY_COMMAND with arguments, we need to create a wrapper for the proxy. Put the following in ~/.torgit, and then make it executable using chmod +x ~/.torgit.

exec nc -X5 -x "$@"

Note: If Tor is listening on a non-standard port, use that instead of 9050

Now, we need to set up Git so that it knows that we want it to use our script. Add the following to your ~/.bashrc:

export GIT_PROXY_COMMAND=~/.torgit

Warning: After you do this, you’ll need to run source ~/.bashrc every time you start a terminal until you reboot, otherwise Git won’t know you set this.

That should take care of pulling. Now to set up pushing, we’d do it just as if we were to set up SSH for proxying. First, make a public key using ssh-keygen -f ~/.ssh/tor_git_key. We’re passing a filename to make sure not to confuse this key with regular SSH keys for non-Tor sessions. Then, to make sure SSH uses our keys, put the following into ~/.ssh/config:

User git
PreferredAuthentication publickey
Compression yes
ProxyCommand nc -X5 -x %h %p
IdentityFile ~/.ssh/tor_git_key

Note: If you’re going to be pushing to somewhere other than Gitorious, you’ll need to change the Host line accordingly.

Tags: , ,

I’ve set up a git repository containing a versioned and tagged TorChat with the third-party patch that fixed some security issues in prof7bit’s version.

The more I’ve looked at the TorChat source, the more I’m seeing really significant issues in its design, not to mention some hacks that shouldn’t really ever appear in something you intend the public to use (i.e. something you’d make a Portable Executable out of.) At this point, I’d really recommend pretty strongly against using it.

There are several more security issues I’ve found in just a cursory inspection, and I’ve not gotten around to putting up patches yet. If you’ve got any coding ability, you might want to check out my git repository and even consider writing something for it.

This software seems to have gotten some use in our paranoid community, which I find a bit disturbing. Again, even though I’ve put up a repository and such, I strongly recommend that you do not use TorChat.

UPDATE: I’ve created a stability branch in the TorChat repository that makes as few modifications to prof7bit’s version as possible. A tarball of this repository (it contains all the patches needed) is available here. A tarball of my version is available here.

I’ve made a git repository for shallot. At the moment, it doesn’t contain anything new, but hopefully this’ll stimulate development.

For some unknown reason, we were suspended, but we’re back now. Yay!

Shouts to Anthony from the team.

Many people stumbling across this blog may not yet be aware of the sheer awesomeness that is Onion Land. Put simply, Onion Land is what the Internet was once thought of as being: anonymous, uncensored, and free.

But really, what is Onion Land? Onion Land is built on top of a revolutionary technology called Tor. Tor gives you anonymity while you browse the web; not the kind of anonymity that 4chan gives, but real, honest-to-goodness anonymity of the kind that infuriates law enforcement agencies. When using Tor, you are really anonymous.

Onion Land, though, is not the anonymity given to you, the web browser, by Tor, though. Onion Land is the community that exists on Tor’s Hidden Services. Hidden Services are just that: hidden. What differentiates a hidden service from a normal server on the Internet is that the owner of the service can not be identified. This creates an unprecedented opportunity for free speech, more so even than the use of Tor to post to the ‘vanilla’ Internet (like I’m doing now) because not only is there no fear of repercussions for the poster, but indemnity is also granted to the person running the service, be it a chat room or a forum.

Here are some links to get you started:

  • The Hidden Wiki contains links to get you started in Onion Land. You need to be using Tor to view it.
  • Onion Forum (Tor-only) is one of the oldest and by far the most active site in Onion Land. It’s pretty cool; check it out.

Hello, and welcome to the Onion Digest, a group blog by the residents of Onion Land. If you’re a resident of Onion Land, just comment and I’ll add you as a contributor.