FAQ
From TorK
What is TorK?
Tor (tor.eff.org) is an onion-router. You use it to anonymize your internet traffic.
TorK is an Anonymity Manager. It helps you to manage and use the Tor network for anonymous internet activity and the mixminion network for anonymous email.
What is the TorK logo meant to be?
Short answer: an improvement on the last one. Long answer: That green thing is meant to be an onion sprout. And the black thing is an old-fashioned anarchist's bomb. So what you have is a bomb with an onion sprout instead of a fuse. What is that supposed to mean? Well the onion-sprout is a reference to the so-called 'onion-routing' technology that underlies the Tor network, and the bomb is a reference to the fact that, in a society which engages in the wholesale wiretapping of its citizens, one of the most subversive/anarchistic things a citizen can do is assert his/her right to privacy. Hope that doesn't sound too Citizen Smith!
What has anonymity got to do with privacy?
Anonymity + Security = Privacy. Anonymity breaks the link between you and your communications; security makes your communications unintelligible to unintended recipients. Most communications systems (e.g. TV, radio, the postal system, telephony) have (or at least had) a great deal of anonymity built in, while security (e.g. encryption) was a cumbersome extra layer. The internet has it the other way round: security is relatively trivial to use, while anonymity is the hard part. Technologies like Tor create the infrastructure for internet anonymity. Applications like TorK try to make it easy to use.
Installation FAQs
How do I Install The Bleeding Edge Version of TorK?
cd ~
mkdir torkcvs
cd torkcvs
cvs -z3 -d:pserver:anonymous@tork.cvs.sourceforge.net:/cvsroot/tork co -P tork
cd tork
make -f Makefile.cvs
./configure
make
su -c 'make install'
What do I need to compile and install TorK?
- To save time, just install all devel packages from your distribution. More specifically, you need kde-devel, xorg-dev, and libqt4-dev (plus their automatically installed deps), but naming may vary from one distro to another. Also, make sure you are using KDE 3.5.3 or later, or TorK won't compile.
Using TorK
What do I need to know about Tor/TorK?
First of all some don'ts:
- Don't use Tor/TorK for plaintext traffic such as POP3 (downloading emails) or telnet. By doing so you are sending out username/password combinations that some people harvest, e.g. http://tor.unixgu.ru.
- Don't mix 'anonymous' and 'non-anonymous' traffic in Tor. For example, don't do some anonymous browsing and then log into hotmail during the same 'anonymous' Tor session. Why? Anyone listening on the Tor network might put two and two together and identify you. Better to keep Tor for 'anonymous' tasks only.
Now some do's:
- Do run a Tor server if you can. Choose one of the server options TorK provides. A 'Relay' server is an easy and hassle-free way to contribute to the network. An 'Exit' server is the only one that involves putting your name to other people's traffic.
- Do behave responsibly when using Tor. Try not to sink to the level of your own government!
Finally:
- Tor is developed and maintained by the people at http://tor.eff.org. They are professionals. They're mostly from MIT. They know what they're doing.
- TorK is developed and maintained by a hobbyist. From Ireland. In his spare time.
- So: TorK probably has lots of faults the developer is not aware of or hasn't fixed yet. If you spot them, let the poor sod know by clicking on Help -> 'Report Bug'.
What is 'Paranoid Mode'?
- In TorK, you can switch between 'Paranoid' and 'Not-So-Paranoid' mode by clicking on the icon of the toggling penguin-ghost.
- When in 'Paranoid Mode', TorK/Tor will try to use a new identity for every new connection you make. This helps mitigate the problem where you mix 'anonymous' and 'non-anonymous' traffic in Tor. For example, if you do some anonymous browsing and then log into hotmail during the same 'anonymous' Tor session, anyone listening on the Tor network might put two and two together and identify you. Using a different identity for each connection helps reduce this problem. However, 'Paranoid Mode' is slow and you are probably better off just not mixing 'anonymous' and 'non-anonymous' activity in the first place.
Where is the paranoid button located?
- Under the first tab ("Anonymize"), in the first section ("Welcome...", next to the big onion icon), you will see the toggling ghost-penguin button followed by a URL-like clickable link (mentioning the "paranoid mode").
- Click on the icon itself to toggle between the two modes. Clicking the URL-like link next to it does something else. This was fixed in the CVS (the icon was added to the menu and toolbar).
Why can't Konqueror access the Internet through Tor?
- Konqueror works just fine when I set up its proxies manually (from kcontrol). Then I open TorK and it no longer works. It doesn't matter how I toggle TorK's Konqueror button. Then I have to manually restore Konqueror's proxies (in kcontrol), and Konqueror starts working again. That is, until I restart TorK, when all this happens again.
- Fixed in the CVS: make sure you follow the First-Run Wizard (don't miss the "Configure Konqueror..." step).
After I download Dante, what do I do next?
- It says it will compile but then nothing happens.
- Fixed in the CVS: Dante not necessary (and not supported) anymore.
Why doesn't my TorK display the servers list?
- Under the "Tor Network" tab, sometimes it does display the servers list, sometimes not at all, sometimes only hours after beginning to use Tor. Why is this?
- This is a Tor issue. Use the latest unstable version of Tor.
How do I connect to a remote running instance of Tor?
- In order for this to be possible, one has to be able to tell Tor (on the remote machine) not only to listen on port 9051, but also on an IP other than 127.0.0.1 (for instance, Tor's machine LAN IP or even public IP). However, Tor's configuration text file doesn't seem to offer this possibility. So what is to be done?
- Add the following line to Tor's config file on the remote machine, then restart Tor (192.168.0.1 is just an example IP):
ControlListenAddress 192.168.0.1
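Moving the control port off 127.0.0.1 makes it reachable by other machines, so it is worth checking the remote torrc for authentication before relying on it. The following is an added example, not part of the original FAQ or of TorK: a small Python check that flags a non-loopback ControlListenAddress. The function name, severity labels and sample configs are assumptions of the example; HashedControlPassword and CookieAuthentication are Tor's own options.

```python
import ipaddress

def audit_control_port(torrc_text):
    """Return (severity, message) findings for control-port lines in a torrc."""
    opts = {}
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        parts = line.split(None, 1)
        # Tor option names are case-insensitive
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")

    has_auth = ("hashedcontrolpassword" in opts
                or opts.get("cookieauthentication", ["0"])[-1] == "1")
    findings = []
    for value in opts.get("controllistenaddress", []):
        host = value.split(":", 1)[0]                # value is IP[:PORT]
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False                         # unparseable: treat as exposed
        if loopback:
            continue
        if not has_auth:
            findings.append(("high", f"{host}: control port reachable off-host "
                             "with no HashedControlPassword or CookieAuthentication"))
        else:
            findings.append(("medium", f"{host}: control protocol is cleartext; "
                             "firewall the port to the managing host only"))
    return findings

# Constructed sample configs (the hash value is a placeholder, not a real hash)
OPEN_TORRC = """
ControlPort 9051
ControlListenAddress 192.168.0.1
"""
AUTH_TORRC = OPEN_TORRC + "HashedControlPassword 16:PLACEHOLDER_HASH\n"
LOCAL_TORRC = "ControlPort 9051\nControlListenAddress 127.0.0.1:9051\n"

if __name__ == "__main__":
    for name, cfg in [("open", OPEN_TORRC), ("auth", AUTH_TORRC), ("local", LOCAL_TORRC)]:
        print(name, audit_control_port(cfg))
```

A real value for HashedControlPassword is produced by running tor --hash-password on the remote machine.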
How do I start TorK?
- Watch the demo: Starting TorK
What configuration options are there?
- Watch the demo: Exploring TorK options.
How do I update my version of Tor/TorK?
- Watch the demo: Updating Tor/Tork.
How do I create a hidden service?
- Create a hidden web service: Video Demo.
How do I block exit nodes by country?
- See 'My Network View' in this demo: Video Demo.
What other features does TorK have?
- TorK has a miniview: Video Demo
- TorK provides ad-hoc info on network members: Video Demo
Tor/TorK say my Tor server isn't reachable. What should I do?
To make your Tor server visible to the world, there are a number of things you need to make sure are set up correctly.
Step One
Make sure your firewall is allowing traffic to Tor's server ports. These are the commands I added to my own firewall script (the host my instance of Tor is running on is 192.168.1.2):
# Allow Tor to go through
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT
If you are wondering, 'Where's my firewall script?', then you should probably create one. This is mine, for what it's worth (and that's not much):
#!/bin/bash

# Load modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# Flush old rules, then delete old user-defined chains so that
# 'iptables -N Flood-Scan' below does not fail when the script is re-run
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Set policies
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow Tor to go through
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT

# bittracker portforwarding
BTPORTS="7682 6881 6882 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
for pt in $BTPORTS; do
    iptables -A INPUT -i eth0 -p tcp --dport "$pt" -j ACCEPT
done

# Drop traffic to 127.0.0.0/8 that did not arrive on the loopback interface
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# Rate-limit new TCP connections (SYN packets); log and drop the excess
iptables -N Flood-Scan
iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan
iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
iptables -A Flood-Scan -j DROP

# Drop malformed or unexpected TCP packets
iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Allow replies to connections this host started
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow useful ICMP messages
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
Save this to something like /etc/fwscript. Then do the following to the file:
chmod +x /etc/fwscript
To have the firewall set up every time you turn on your Linux box, add it to the local equivalent of your /etc/rc.d/rc.local file. If you don't know what that is then I'm afraid you're going to have to find out yourself.
Step Two
If you have a broadband connection you may need to configure your router to allow access to your Tor service. In most cases this means something like what I had to do with my own Zyxel prestige router. The instructions that follow are specific to my router but you should be able to do something similar with your own:
robert@darkstar ~> telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Password:
Then I got this screen:
Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
Prestige 623R-T1 Main Menu
Getting Started                  Advanced Management
  1. General Setup                 21. Filter Set Configuration
  3. LAN Setup                     22. SNMP Configuration
  4. Internet Access Setup         23. System Password
                                   24. System Maintenance
Advanced Applications              25. IP Routing Policy Setup
  11. Remote Node Setup            26. Schedule Setup
  12. Static Routing Setup
  15. NAT Setup
                                   99. Exit
Enter Menu Selection Number: 15
I selected 'NAT Setup'.
Menu 15 - NAT Setup
1. Address Mapping Sets
2. NAT Server Sets
Enter Menu Selection Number:2
I selected 'NAT Server Sets'.
Menu 15.2 - NAT Server Sets
1. Server Set 1 (Used for SUA Only)
2. Server Set 2
3. Server Set 3
4. Server Set 4
5. Server Set 5
6. Server Set 6
7. Server Set 7
8. Server Set 8
9. Server Set 9
10. Server Set 10
Enter Set Number to Edit: 1
I selected the first one.
Menu 15.2 - NAT Server Setup
Rule   Start Port No.   End Port No.   IP Address
---------------------------------------------------
 1.    Default          Default        0.0.0.0
 2.    0                0              0.0.0.0
 3.    9031             9031           192.168.1.2
 4.    9001             9001           192.168.1.2
 5.    0                0              0.0.0.0
 6.    0                0              0.0.0.0
 7.    0                0              0.0.0.0
 8.    0                0              0.0.0.0
 9.    0                0              0.0.0.0
10.    0                0              0.0.0.0
11.    0                0              0.0.0.0
12.    0                0              0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
As you might guess, the address of my PC is 192.168.1.2 and I'm running my Tor ORPort on 9001 and my Tor DirPort on 9031. You're probably doing the same.
That's it. Save your changes and exit the telnet session with the router.
Step Three
Your Tor server should now be reachable - unless you (or your distro) have done something exotic with your hosts.allow and hosts.deny files. Try starting your Tor server again from TorK and see what happens. If you are still experiencing problems try the Tor FAQ Entry for more possibilities.
How do I use TorK to anonymize applications?
The 'Anonymize' tab allows you to launch 'anonymized' instances of various applications with a single click.
How can I be sure it's working?
In the miniview, you should see the sites you are connecting to in their 'raw' form. For example, if you launched an 'Anonymous SSH session' and have typed the following in konsole:
ssh me@my.shell.net
You should see 'my.shell.net' in the miniview and not my.shell.net's IP address. If you see an IP address, that means your system has bypassed Tor to get the IP address for my.shell.net. This is a problem if you think someone might be using your domain name lookups to track your internet activity. If you are having this problem, you should delete all instances of libtsocks.so on your system and re-install TorK. That should ensure the correct library is being called to route all traffic through Tor.
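What the miniview check distinguishes can be seen in the SOCKS request itself: Tor's SOCKS port accepts SOCKS4, SOCKS4a and SOCKS5, and only the latter two can carry a hostname for Tor to resolve. The following is an added example, not part of the original FAQ or of TorK: a Python classifier for a single SOCKS request. The function name and the sample requests (including the address 192.0.2.10) are constructed for illustration.

```python
import ipaddress
import struct

def classify_socks_request(data):
    """Return (protocol, kind, destination, port) for one SOCKS request.

    kind is "hostname" when the name itself is handed to the proxy (so Tor
    resolves it) and "ip" when the application resolved it before connecting.
    """
    if len(data) < 8:
        raise ValueError("truncated request")
    if data[0] == 4:
        (port,) = struct.unpack("!H", data[2:4])
        ip = data[4:8]
        user_end = data.index(b"\x00", 8)            # end of USERID field
        # SOCKS4a signals "hostname follows" with address 0.0.0.x, x != 0
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host_end = data.index(b"\x00", user_end + 1)
            host = data[user_end + 1:host_end].decode("ascii")
            return ("socks4a", "hostname", host, port)
        return ("socks4", "ip", str(ipaddress.IPv4Address(ip)), port)
    if data[0] == 5:
        atyp = data[3]
        if atyp == 3:                                # domain name, length-prefixed
            end = 5 + data[4]
            addr, kind = data[5:end].decode("ascii"), "hostname"
        elif atyp in (1, 4):                         # raw IPv4 / IPv6 address
            end = 4 + (4 if atyp == 1 else 16)
            addr, kind = str(ipaddress.ip_address(data[4:end])), "ip"
        else:
            raise ValueError("unknown SOCKS5 address type")
        if len(data) < end + 2:
            raise ValueError("truncated SOCKS5 request")
        (port,) = struct.unpack("!H", data[end:end + 2])
        return ("socks5", kind, addr, port)
    raise ValueError("not a SOCKS4/SOCKS5 request")

# Constructed sample requests for 'ssh me@my.shell.net' (port 22)
HOST = b"my.shell.net"
SOCKS4A_REQ = b"\x04\x01" + struct.pack("!H", 22) + b"\x00\x00\x00\x01me\x00" + HOST + b"\x00"
SOCKS4_REQ = b"\x04\x01" + struct.pack("!H", 22) + bytes([192, 0, 2, 10]) + b"me\x00"
SOCKS5_REQ = b"\x05\x01\x00\x03" + bytes([len(HOST)]) + HOST + struct.pack("!H", 22)

if __name__ == "__main__":
    for req in (SOCKS4A_REQ, SOCKS4_REQ, SOCKS5_REQ):
        print(classify_socks_request(req))
```

A request classified as "ip" corresponds to the case where the miniview shows an address instead of 'my.shell.net'.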
How is it meant to work?
TorK uses two helper applications: 1. 'torify', a shell script installed with Tor; and 2. 'tsocks', a utility bundled and installed with TorK that ensures the application goes through Tor anonymously.
OK, how does it really work?
TorK launches the following command:
torify name-of-your-app-here
The torify script calls a script called tsocks. This loads the libtsocks.so library, which is dynamically linked into the application at runtime. The libtsocks.so library intercepts all of the application's TCP/IP calls and routes them through Tor, i.e. it uses Tor as a SOCKS proxy.
This tsocks, it's the one available at http://tsocks.sf.net right?
No, it's a version of that one patched to intercept domain name resolutions as well as all other traffic. See this entry in the Tor FAQ to understand why this is desirable.
Security/Anonymity FAQs
Is Tor more secure than ordinary internet use?
No. In some ways it's less secure (though this is just an opinion).
Let me explain: The Tor network contains known eavesdroppers. These eavesdroppers are servers on the network that act as exit nodes (points in the Tor network where your traffic pops back out onto the internet proper). If you use plaintext authentication (e.g. type a name/password into a website that is not using a secure connection) and are using an eavesdropper as your exit node, that exit node can capture your username/password.
But isn't there a risk of this happening in the ordinary internet anyway?
Yes, of course there is. However, you do not know (for a fact) that there are computers listening to your ordinary internet connection - but you do know (now) that there are servers on the Tor network listening to traffic. And they could listen to yours if you do not behave securely. Put simply: Tor has a specific layer of exposure that is easily accessible to anyone who is interested in it. That is not true of non-Tor traffic.
This is not a widely accepted opinion, to paraphrase Nigel Tufnell 'it's a fine line between paranoid and stupid', so for more info see:
Tor Eavesdropping FAQ
Where are all the other Security/Anonymity answers?
I'll leave that to the experts: The Tor FAQ
