Privacy

October 18, 2008

German data retention law effective 1/1/2009

We have now set up a Hamachi VPN connection for those wanting to use non-German proxies. First, use your LogMeIn Hamachi software to connect to our "nonDEvpn.pickaproxy.com" network, with password 8qJWqcv8. Then set your proxy to point to "hamachi.pickaproxy.com" with port 18233. That's all you have to do. All communications between your software and our proxy server are encrypted and private over the Hamachi VPN, and your IP address will appear to be in 1 of 32 random non-German countries, which we change every 1-2 hours.

For the Tor crowd, what "non-German" means for us is not only exit nodes that are outside Germany, but also entry nodes (1 of 18 random entry nodes changed every 1-2 hours) that are outside Germany. Relay nodes (middleman nodes) may or may not be in Germany. We currently only restrict relay nodes by way of our global "Currently Excluded Nodes" list, shown on http://www.pickaproxy.com?speak=tor. Eventually we will let our subscribers choose their own "Excluded Nodes" if they want them, either individually, or by excluded or included Country or Continent, or by excluded or included ISPs and Owning Organizations.

October 02, 2008

Report just released on Chinese surveillance of Skype users

The Information Warfare Monitor project and ONI Asia, with support from the OpenNET Initiative, the Citizen Lab, and the SecDev Group, released a report yesterday on their findings of Chinese surveillance of Skype users.

The report is titled Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform.

September 29, 2008

EFF: How to Blog Safely (About Work or Anything Else)

http://w2.eff.org/Privacy/Anonymity/blog-anonymously.php

May 22, 2008

Paranoia part 2

Last Monday, Memorial Day in the US, and Victoria Day in Canada, I discovered a potentially troubling anomaly in the Tor network. Between about 10am and 3pm EST the number of computers running the Tor software as a relay or exit dropped to about 400 from the usual range of about 2,000.

This could be nothing serious, but also could be very serious in terms of increased exposure of Tor network traffic to possible monitoring. It is generally acknowledged that the more computers running the Tor software as relays and exits, the greater the anonymity of its users. With 80% of the usual Tor servers flagged as out-of-service for 5 hours, this would mean all the normal Tor network traffic would be forced to travel through just 20% of the available servers. In other words, if an imaginary adversary controlled 4 Tor servers, then instead of having access to just 0.2% of the total Tor network traffic (4 of 2,000), they could have access to 10% of the total Tor network traffic (4 of 400), as long as their 4 were part of the ones that remained in service.

How could all these servers have been flagged as out of service?  Was it an accidental anomaly in the Tor software?  Was someone maliciously manipulating the Tor "running" status flag for this time period, hoping that no one would notice?

We have no answers at this time, although we are convinced that this anomaly was not simply a problem with our own software which monitors the composition and state of the Tor network.  In response to this, we have started development of an alert system to be added to our pickaproxy.com service, so that when (if?) these conditions come up again, our users will be told, so they can make their own choices as to whether to continue using our service (and the Tor network in general) or disconnect until we issue a "Code Green" when more normal conditions return ...

May 01, 2008

News: SSL secure access to pickaproxy.com now available

One of the concerns with using pickaproxy.com as your proxy server is that the information you see in your browser, and that you send to web sites, can be monitored more easily than if you did not use a proxy server. The connection between your computer and our server is a single point of access, and if we were so inclined we could watch the content coming and going. This is true for much of the internet, and for any proxy server, and especially true in some countries such as those singled out by Reporters Without Borders (Reporters sans frontières) in their November 2005 article The 15 Enemies of the Internet.

We are not doing any such monitoring, first off, and have no plans to do so. But we are now offering a way for you to secure this data flowing between you and our server. This can be done by installing and configuring the open source "stunnel" software on your computer. stunnel has been available for many years, and works by using OpenSSL to encrypt all communication between your computer and our server. You then configure your "proxy" settings and your "stunnel" settings as follows:

  • rather than "tryout.pickaproxy.com" and port "8123" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = tryout.pickaproxy.com:7123"
  • rather than "us.pickaproxy.com" and port "8125" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = us.pickaproxy.com:7125"
  • rather than "uk.pickaproxy.com" and port "8126" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = uk.pickaproxy.com:7126"
  • rather than "fr.pickaproxy.com" and port "8129" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = fr.pickaproxy.com:7129"
  • rather than "ru.pickaproxy.com" and port "8130" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = ru.pickaproxy.com:7130"
  • rather than "cn.pickaproxy.com" and port "8131" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = cn.pickaproxy.com:7131"
  • rather than "ca.pickaproxy.com" and port "8132" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = ca.pickaproxy.com:7132"

stunnel is available for download from http://www.stunnel.org/download/binaries.html. At this time we are not providing support or assistance with installing or configuring stunnel, but we will eventually offer this service. I will say that stunnel configuration is not that difficult, and is done by making changes to the stunnel.conf file.
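A client-side stunnel.conf for the "tryout" endpoint listed above, written out as an added example (it is not a file supplied by pickaproxy.com). The section name, the CA bundle path, and the assumption that the server's certificate chains to a CA in that bundle are not from the original post; the accept and connect values are.

```ini
; stunnel.conf, client side (constructed example, "tryout" endpoint)

; Run as a TLS client: accept plaintext from the browser on the local
; port and connect out to the server over TLS. stunnel defaults to
; server mode, so this line is required.
client = yes

; Section name is arbitrary (hypothetical name chosen for this example).
[pickaproxy-tryout]

; The post gives "accept = 8100". Binding explicitly to the loopback
; address keeps other hosts on the local network from using the tunnel.
accept = 127.0.0.1:8100

; Host and TLS port as listed in the post for the tryout proxy.
connect = tryout.pickaproxy.com:7123

; Authenticate the server. Without certificate verification the tunnel
; is encrypted, but anyone on the network path can terminate the TLS
; session with their own certificate and read the proxied traffic.
; ASSUMPTION: CA bundle location; adjust for your operating system.
CAfile = /etc/ssl/certs/ca-certificates.crt

; stunnel 5.x options: require a valid chain and a matching host name.
verifyChain = yes
checkHost = tryout.pickaproxy.com

; On stunnel 4.x, which lacks the two options above, use instead:
;   verify = 2
; Level 2 validates the chain against CAfile but does not compare the
; host name in the certificate.
```

For another endpoint, change only the connect line (and checkHost) to the host and 71xx port from the list; the browser's proxy setting stays at localhost port 8100.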

August 20, 2007

Great article mentioned by Roger Dingledine on or-talk last week. An analysis was done by Jeremy Clark (University of Ottawa), P.C. van Oorschot (Carleton University) and Carlisle Adams (University of Ottawa) and is available as a PDF entitled "Usability of Anonymous Web Browsing: An Examination of Tor Interfaces and Deployability". They do an excellent job of describing anonymity, in terms of what it is, what it does, and what it does not do for web users/browsers on the Internet. And they do a thorough analysis of the steps required by users to get, install, configure and use Tor from their desktop.

What their analysis does not touch on is how this compares to using Tor via a server-based proxy service like pickaproxy.com. It seems painfully clear to me while reading their analysis that for typical users trying to start out using Tor the road is bumpy. It seems equally clear that pickaproxy.com will be a great painkiller for this. Why and how?

  • The installation, configuration and regular monitoring of Tor as a workstation-installed bundle of software (Tor, Vidalia, Privoxy) is completely eliminated from the user's list of things to do.
  • The need to update this software bundle is completely eliminated.
  • The need to poke around with proxy settings in Internet Explorer, Firefox, Opera, or Safari (or whatever browser you use) either manually, or with extensions such as IP Changer from iPrivacyTools.com or the Torbutton extension to Firefox, etc. is almost completely eliminated, since we will be enabling use of Proxy Auto-Configuration (proxy.pac) files hosted on our server, and dynamically generated from a web interface for each user. This means users will have to poke around just once and then forget about it. We will follow up with more details on how this is done, and what it means with respect to privacy, sometime soon.