Power of Details
DC: 相信好多网民都有微博发帖被删的经历。不少精彩的微博文章,都因被中国当局认为有政治敏感性而被删掉。很多人都以为,被删掉或看不到的帖都永远看不到。但最近有一个叫「微博视野」的搜寻引擎,却可以将这些被删或被封的帖起死回生,「微博视野」到底是什么来的?
李: 「微博视野」是香港大学新闻及传媒研究中心开发的搜寻引擎,香港大学的系统会在帖子未删除前就储存在香港大学的系统。因此,你在香港大学系统所找到的帖子会与你在新浪微博主机的帖子不同。
当然,有部分因涉及敏感政治字眼,从来未有机会在新浪微博上出现的话,那就不可能在「微博视野」上找到。
DC: 那「微博视野」又如何用?
李: 由于「微博视野」的资料有大量敏感词,很可能已经遭到中国当局封锁,因此要使用「微博视野」就需要先翻墙。
现时「微博视野」开放两项功能,「微博视野」能够显示过去廿四小时、四十八小时、一周或两周内经常被转贴的照片,由「微博视野」的排名,再与新浪官方的排名作出比较,你就能知道那些热门帖子因中国当局的审查被删去。
另一项「微博视野」搜寻功能,那并非一般的关键字搜寻,主要可以找到最新被删去或被中国当局封锁的帖子,部分维权事件的图片就能透过这功能找回来。以五月十六日云南省昆明反PX散步的相片为例,很多都在当日黄昏被新浪删除,但透过「微博视野」就可以把这些照片逐一寻回,等大家了解反PX散步的真相。
DC: 那「微博视野」这网站,对中国网民的维权运动上有什么意义?
李: 首先,有了「微博视野」,中国当局要藉删除帖子来封锁消息的难度大增,因为帖子只要曾经在新浪微博发表过,就很大机会在香港大学的主机上继续存在。对于一些比较大规模的示威或维权事件,外界可以透过香港大学的主机了解事情真相。而中国当局要隐暪疫症亦没有如过往这样容易,因为有些疫情新闻只要透过微博帖出,就很可能存在香港大学的主机内,并为世人所知。
另一方面,香港大学微博视野亦会选择一些微博帖子翻译成英文,这亦有助微博的文章传播到英语世界。换言之,日后不少维权事件并不会只获华文媒体的注意,亦有机会得到英语世界媒体的关注。
DC: 虽然「微博视野」功能这样强,但日后「微博视野」要抓取新浪微博的文章会否遇上麻烦,影响了微博敏感文章的传播。
李: 首先,中国当局或新浪都有可能会阻止香港大学的主机连接新浪微博,当然如果香港大学方面能够采取适当的策略,是可以避免到新浪或中国当局知道那些主机是香港大学的主机。
但新浪方面亦可能加强关键字封锁,遇上个别敏感词语可能更快删除文章,这亦可能减低香港大学主机成功取得文章的机会。因此,日后不排除与维权相关的微博发表的难度会大增。像PX这个化学名词,由于涉及多次维权事件,就有可能成为热门的敏感词。
微博视野的网址是http://research.jmsc.hku.hk/social/obs.py/sinaweibo/
DC: 多谢你李建军,这集翻墙问答时间又到,在下周同样时间,会继续解答听众对翻墙的问题,以及介绍最新的翻墙相关技术,欢迎各位留意收听,我们亦欢迎听众向我们作出提问,我们会尽力作出解答。在下周同样时间再会。
原文:http://www.rfa.org/cantonese/firewall_features/weiboscope-05172013105513.html?encoding=simplified
无界安卓Android手机版: 一点通2.0 正式版, 请反馈.
http://wujieliulan.com/download/um2.0.apk
sha1: faeaf22952654a02a8e341a513dc5a6c3d331c24
md5: 377d804f2e77fc63e106d86d406c7924
说明:
1. 安装准备工作:
安装此apk程序前需要首先对手机进行设置: 打开“菜单键”-settings(设置)-Applications(应用程序), 钩选”Unknown sources”(未知源).
2. 下载apk文件, 进行安装. 如已经安装了无界安卓旧版, 须先卸载旧版, 才能安装新版.
3. 运行开始时可能会出现一些安全提示,请选择”继续”。
谢谢!
原文:http://forums.internetfreedom.org/index.php?topic=18885.0
DC:相信有不少人,都会利用自己的iPhone或Android智能手机玩游戏,而一般而言,在iOS App Store获批核的都是比较安全。过往节目中提到,替iPhone进行越狱之所以有风险,都是怕黑客会植入一些立心不良的程式。只不过,近日有保安公司发现,有部分iOS App Store获批的游戏,内里有一些怀疑后门程式,那是否代表App Store的程式已非绝对安全?
李:最近Macworld发现,有一个叫Simply Find的程式,程式内里有个MP3档案,内里嵌入一个已经不再发挥效用的木马程式。虽然暂时这个木马不会对用户造成实质威胁,但反映出如果有部分程式开发公司立心不良的话,就有可能自己的手机被植入木马而懵然不知。现时未知是否有其他程式的MP3或其他资料档案中有可能植入木马。
DC:这种漏洞,又会对中国用户有什么潜在风险?
李:大部分西方国家的私营程式开发商,都不会随便植入木马,因为有可能触犯当地的私隐法例,甚至刑法,不单有可能令苹果永久停止在App Store出售程式的权利,更有可能令大批用户入禀法院索偿,这是相当得不偿失。
但中国的软件公司,由于不少是国营,或需要与政府合作才能够维持业务,因此有可能在政府压力之下被迫植入木马,一如中国版的Skype都有植入木马一样。一旦有App Store的程式可以成功回避苹果的审查植入木马,那日后中国政府可以在一些受欢迎的免费程式植入木马,藉此监视网民活动,甚至偷取网民的私人资讯,例如在即时通讯软件或游戏程式植入可疑程式,就能很快对网民活动作出监视,就算用了 VPN等,都避不了中国当局的监察。
DC:那身为中国网民,在App Store下载程式时,又要注意什么以策安全?
李:首先,要留意那些由中国软件公司开发的免费游戏程式,特别那些并非靠卖装备、武器之类的虚拟物品来赚钱的免费游戏,因为这类程式不单会附有大量广告,而且同时会载有不明来历的木马,否则实在很难解释这类程式怎样收回开发成本。不要因为游戏是免费的而掉以轻心,往往这类游戏才是最危险的。
除此以外,中国软件公司开发的即时讯息或其他免费程式亦要小心,天下间没有免费午餐,任何软件的开发都需要成本,特别苹果App Store的加盟公司,需要向苹果缴付九十九美元的年费,以及投资购买苹果Mac机作开发之用,这需要一笔投资。当这些软件并非依靠广告或售卖软件来得到收入时,那软件公司的收入从何而来,特别苹果的App Store机制并不大欢迎开放源码软件在App Store上出现。而中国的软件公司,不像谷歌之类的公司般,有其他的收入来源来支援在iOS平台上的程式开发。
当然,由各地地方政府或政府机关提供的软件都不宜下载,因为政府当局很容易以便民为名,在向网民提供的软件中附载不明不白的程式,那你就真的有如打开一道大门给政府当局所聘请的黑客们偷取资料。若你需要使用电子政府服务,使用电脑网页上的版本是相对安全一点。
DC:多谢你李建军,在下周同样时间,我们会继续有翻墙问答,回应各位在翻墙上的问题,以及提供回避当局封锁和监察的各类新技术,欢迎各位继续留意收听。如果有任何问题,可以透过Skype或电邮作出提问,我们会尽快解答。
原文:http://www.rfa.org/cantonese/firewall_features/firewallappmalware-05102013105520.html?encoding=simplified
无界安卓Android 2.0 测试版, 请反馈.
http://wujieliulan.com/download/um2.0a.apk
sha1: f45f04ae229005f2ebeda40c297556f8b53e96a7
md5: 619b9bf9497b3416a8c8782681aeec27
说明:
1. 安装准备工作:
安装此apk程序前需要首先对手机进行设置: 打开“菜单键”-settings(设置)-Applications(应用程序), 钩选”Unknown sources”(未知源).
2. 下载apk文件, 进行安装. 如已经安装了无界安卓旧版, 须先卸载旧版, 才能安装新版.
3. 运行开始时可能会出现一些安全提示,请选择”继续”。
谢谢!
原文:http://forums.internetfreedom.org/index.php?topic=18875.0
自由门安卓版2.0测试2已经升级为正式版。欢迎反馈使用情况。
自由门安卓版可以在安卓Android 2.1或以上的智能手机或平板电脑上使用。
下载:
http://dongtaiwang.com/loc/software/mobile/android/20/fgma20.apk
数字签名:
http://dongtaiwang.com/loc/software/mobile/android/20/fgma20.apk.asc
数字指纹:
md5: 56eb977dc8ee5c49a9fb1c84fc24995a
说明:
1. 安装准备工作:
安装此apk程序前需要首先对手机进行设置: 打开“菜单键”-settings(设置)-Applications(应用程序), 钩选”Unknown sources”(未知源).
2. 下载apk文件, 进行安装.
3. 运行开始时可能会出现一些安全提示,请选择”继续”。先点击“搜索服务器”,找到服务器后,点击“连接服务器”,这时可能出现”此网站的安全证书有问题”警告,这是正常的,点”继续浏览此网站”就能安全登陆动态网。点击下滑菜单可以选择不同的服务器。
原文:http://forums.internetfreedom.org/index.php?topic=18870.0
自由门安卓版可以在安卓Android 2.1或以上的智能手机或平板电脑上使用。欢迎反馈使用情况。
下载:
http://www.dongtaiwang.com/loc/software/mobile/android/fgma20.apk
数字签名:
http://www.dongtaiwang.com/loc/software/mobile/android/fgma20.apk.asc
数字指纹:
md5: 5fac3a28b1b87d989db518611828c9e4
说明:
1. 安装准备工作:
安装此apk程序前需要首先对手机进行设置: 打开“菜单键”-settings(设置)-Applications(应用程序), 钩选”Unknown sources”(未知源).
2. 下载apk文件, 进行安装.
3. 运行开始时可能会出现一些安全提示,请选择”继续”。先点击“搜索服务器”,找到服务器后,点击“连接服务器”,这时可能出现”此网站的安全证书有问题”警告,这是正常的,点”继续浏览此网站”就能安全登陆动态网。点击下滑菜单可以选择不同的服务器。
原文:http://forums.internetfreedom.org/index.php?topic=18855.0
DC:以往,中国当局都喜欢用电邮附件植入木马,藉此偷取目标电脑的资料,而目标电脑大多数是运用Windows作业系统,Mac OS X一向被视为比较安全的作业系统。但最近有电脑保安公司发现,连Mac OS X的电脑亦成为中国当局的木马攻击对象。有维吾尔族人的电脑被中国当局所编写的木马所攻击,到底中国当局所写的木马如何使用Mac OS X的系统的用户,日后Mac OS X的使用者,又应如何应对中国当局的袭击?
李:这个针对Mac OS X的新木马,是利用伪装成ZIP或Word文件档的附件,当用户开启附件后,便会将木马档案抄到RealPlayer支援档案的文件夹中,装成RealPlayer的更新档来执行。由于很多中国用户都需要RealPlayer来播放RMVB档案,就造成相当多维吾尔用户都会中招的状况。
因此,不论用什么作业系统,都不要随便打开来历不明来人士的附件,否则就有可能成为木马攻击的受害者。但由于Mac OS X的结构的关系,因此只要你在Application Support和Library目录中,移除木马相关档案便可以解除木马威胁,相比解决Windows的木马问题来得简单。
由于Mac OS X日益普及,因此日后有可能有更多木马针对Mac OS X,甚至连Linux亦会是中国当局的目标,要翻墙上网的各位,不要对中国当局的攻击掉以轻心,天真地以为换了作业系统便可逃避木马的威胁。
DC:近日多个国际性大传媒机构的推特户口,都遭到黑客的袭击,黑客在偷了户口后就利用这些大机构名义户口发表虚假信息。美联社的户口遇袭后,就用作发布总统奥巴马遇袭受伤的消息,导致纽约道指下跌过百点。对于一些较高调的异见人士,又会否成为中国黑客的目标?
李:一些较为高调的异见人士推特户口,肯定会成为中国黑客的目标,因为中国黑客可以在关键时刻利用偷来的户口,执行政治任务。因此,对活跃的推特用户,应保持警觉,特别一些含有木马,或诱使你提供推特户口密码的电邮,以免你的推特户口落入中国黑客之手而懵然不知。
推特公司已经表明,正努力开发二步认证技术,届时黑客就不会这样容易成功偷你的户口。一旦推特公司推出新的认证技术,就应尽早使用新认证技术,提高黑客偷取你户口的难度。但可以预期的是,在可见的将来,中国当局都仍然会持续攻击推特,希望成功偷到高调异见人士的推特户口作不法用途之用。
DC:现时谷歌都有二步认证,但对于中国用户而言,二步认证又是否代表绝对安全?
李:现时谷歌的二步认证,是透过手机传递一个只能短时间有效的第二密码,避免黑客成功入侵你的户口。问题在于中国的电讯公司都是国有企业,你的第二密码亦可能为中国当局所知悉,或被中国当局所拦截,令你用不了二步认证,因此,二步认证虽然会比较安全,我们亦推荐使用,但不要以为二步认证会百分百安全,除非能够有使用手机短信以外的第二密码传送方式,或你有海外登记的手机,并在中国启用漫游功能,由海外注册手机收取二步认证密码。
DC :多谢你李建军,本周翻墙问答的时间又到,在下周同样时间,我们会继续介绍翻墙新知识,并回应听众对翻墙的种种疑问,欢迎各位留意收听,在下周同样时间,我们再见。
DC:相信不少听众都用过VPN,但很多人都抱怨连接到海外的VPN需要另外付款,或VPN用了一段时间后会变得很慢,甚至被当局封锁。
最近,日本筑波大学研究院推出了VPN Gate服务,而这个服务标榜是免费VPN。究竟这个VPN Gate与一般的VPN有何分别?有什么过人之处?
李:传统的VPN服务,是一间公司,在固定的单一IP或一堆IP,透过固定的宽频提供服务。而在VPN的客户越来越多情况下,如果VPN公司不及时通知客户有新主机的话,个别主机会变得很多人用,因此很挤塞。而传统VPN公司,每建立一个新VPN主机,都要用户在电脑或手机中加入新主机相关设定,对用户而言,手机或电脑中有十多个VPN设定,亦会变得难于管理。
对于中国的翻墙用家而言,更大问题在于–若单一VPN主机的IP被防火长城所挡,你的VPN便得物无所用。而VPN公司亦不可能因为中国的特殊情况,无止境投资在大量主机和IP之上,回避中国当局的封锁。
而VPN Gate服务,正是针对传统VPN技术上缺点而设计,只要你透过任何一个VPN Gate成员主机连接VPN,就等于可以用全球所有VPN Gate成员主机的频宽连接互联网,而且不用注册和登记用户资料,亦不用担忧信用卡的注册问题。而日本筑波大学在VPN Gate的主页亦讲明,这技术是为了翻墙而设计。
DC:那设定VPN Gate又如何设定?
李:首先你浏览VPN Gate的网站取得参与VPN Gate计划的主机IP清单,这部分你可能需要翻墙。你在主机清单上挑选了任何一部主机的IP,然后一如你平常在作业系统设定VPN一样设定,用户名称和密码都是细楷英文字vpn,之后就可以成功连接。
在网页上的主机列表,有列明主机所在的国家、速度、连线用户人数等资料,你可以根据这项资料,挑选你满意的主机。
VPN Gate支援OpenVPN和L2TP、IPSec等技术,但不支援PPTP,因此惯用PPTP的朋友,要紧记VPN Gate在这方面的差别。而L2TP的速度亦会比OpenVPN快,需要比较快连线的朋友,可以考虑L2TP。VPN Gate在某程度上支援SSTP协定,但并非每一部主机都支援,你考虑用SSTP前,请留意主机清单中,有没有标明主机支援SSTP。
对Windows的用户,如果你无任何设定VPN的经验,最简单的做法是在VPN Gate主页上,下载连VPN Gate插件的Windows VPN客户端,安装后即时执行客户端软件,就可以挑选你心水的主机连接VPN,这很适合技术知识不高的用户。当然,你很有可能需要先翻墙,才能够下载VPN Gate的客户端。
有不少越南的有心人都参与了VPN Gate计划,所以你留意到有相当一部分主机是用越IP,但由于越南至今仍未是民主国家,言论自由亦谈不上绝对受保障,因此现阶段我们不推荐听众使用越南的VPN Gate主机,应尽量选择美国、日本、瑞典这些民主国家的主机。
另一方面,本台呼吁听众暂时放弃越南主机的原因,皆因不知这堆主机会否是中共安装的陷阱主机,或主机拥有人一旦被政府拘捕,有可能要交出主机资料,越南当局若然将资料转介中国方面,有可能对你的人身安全构成莫大威胁。
DC:多谢李建军介绍了这个公开VPN服务,协助大家翻墙。在下周同样时间,会继续有李建军于翻墙问答,解答各位对翻墙技术的疑问,亦会介绍最新的翻墙知识,欢迎各位留意收听。时间又到了,在下周继续会有翻墙问答。
VPNSS03注重用户体验、高速稳定、诚信专业、老牌资深的美国SSH代理服务提供商,
专注于给用户提供优质稳定的SSH代理和VPN代理服务。
注册地址:点我进入
注册很简单,打开注册页面,在页面下方左侧有免费VPN的链接,注册系统采用主机常用的WHMCS系统。
由于是中文界面,阿恒就不截图演示了哈。。。
声明: 本文采用 BY-NC-SA 协议进行授权 | 免费空间|国外免费空间|免费主机|免费VPS|免费域名|免费源码|免费资源
转载请注明转自《VPNSS提供美国免费SSH代理和VPN代理服务》
出现”vpn连接上了但是打不开Youtube”您首先必须确保您目前的连接处于活动状态,查看您的网络连接看是否数据包正在被传送,如果只见到已发送,但是已接收的数据包一直没有变化,就说明表面上您与vpn服务器之间的连接是通的,但实际已经掉线了。
如下图所示:
上面说的是与vpn服务器断开的情况,那么有些童鞋在使用免费vpn的时候也会出现通信正常能打开国内的网页,或者twitter都能打开但是唯独就打不开youtube,这种情况,您可以首先在本地ping一下youtube.com如果返回超时,那么很显然是dns没有将域名解析正确,所有这里建议大家使用Google的公共dns服务,因为vpn虽然服务器上设置了正确的dns,但是连接的客户端没有接受到正确的dns信息,所有导致网站没有正确解析。
绝大多数提供免费 PPTP VPN 服务的网站都是有广告(Google AdSense)的,例如Afreevpn、GetUSVPN、PPTPVPN、等等。 但是,也有例外的,例如这篇文章将要介绍的 ToyVPN,该网站不仅没有广告,而且还提供以下 5 个不同的免费 PPTP VPN 帐号: 1、US1 美国洛杉矶 US1 的帐号如下: 其中服务器的值 “us1.toyvpn.com” 也可以换成 IP 地址 “108.171.244.79″。 2、US2 美国达拉斯 US2 的帐号如下: 其中,”us2.toyvpn.com” 可以换成 “216.24.201.34″。 3、US3 美国亚特兰大 US3 的帐号如下: 其中,服务器的值 “us3.toyvpn.com” 可以改成 IP 地址 “198.8.81.208″。 4、UK 英国 UK 的帐号如下: 其中,”uk.toyvpn.com” 可以改成 “37.220.23.107″。 5、IT 意大利 IT 帐号如下: 服务器的值也可以从主机名 “it.toyvpn.com” 改成 IP 地址 “149.154.157.151″。 在以上 5 个帐号里面,不管是哪一个,它的服务器(不管是主机名还是 IP 地址) 和用户名都是固定不变的,但是密码会每两个小时更新一次,也就是说,两个小时之后 —— 不管是否正在使用,你将需要通过新的密码才能够连接得上。 根据个人的测试,US1 和 US2 这两个美国帐号都无法连接 —— 不管是通过主机名还是 IP 地址,但是其他三个都可以连接 —— 不管是通过主机名还是 IP 地址。
goagent 2.1.17 正式版下载 https://goo.gl/sxgfB
OpenDoor是一款手机浏览器,更是一款翻墙利器,其强大之处在于用户完全不用VPN翻墙或者任何代理可以直接登陆Twitter、Facebook、Youtube等网站,而且速度相当流畅。
创新工场CEO李开复17日在Twitter发文说”在新浪、腾讯都被禁言三天”,邀请粉丝关注其Twitter。李开复在新浪微博拥有3000多 万的粉丝数,在腾讯微博有2000多万的粉丝数,如此一来庞大的粉丝团们移步Twitter是个非常艰难的事情。对于国内的用户来说登陆Tiwtter可 谓是需要费尽周折,VPN翻墙的长篇教程、代理的高额费用的确让很多小白用户烦恼,今天笔者给大家带来一款无需VPN就可以直接翻墙的手机浏览器 OpenDoor。
OpenDoor是一款手机浏览器,但对于浏览器的设计来说完全谈不上任何创新,并且这款手机浏览器在界面下方还有 Banner广告,总体看上去OpenDoor是一款带有内置广告的粗糙手机浏览器。不过这款浏览器的看点并非用户体验,其强大之处在于用户完全不用 VPN翻墙或者任何代理可以直接登陆Twitter、Facebook、Youtube等网站,而且速度相当流畅。
从界面上来看,OpenDoor是一款非常简单的手机浏览器界面设计,在下方的书签中为用户提供Google、Facbook、Youtube、Twitter等一些网站的书签,方便用户一键登陆,页面的打开速度和浏览传统页面一样流畅。
在设置中,我们能够看到搜索引擎可以选择Google、Yahoo、Bing三种,如果用户想去除广告的话,需要付费,而笔者发现付费去除广告并非永久去除,最低支持6元人民币30天无广告使用权,最高支持60元人民币一年的无广告使用权。
事 实上,OpenDoor作为一款手机浏览器,在交互上没有任何创新,和一些主流的手机浏览器相比相差甚远,另外万恶的广告也出现在这款手机浏览器中,这让 一般用户会非常反感,但毋庸置疑的是,OpenDoor的确可以不利用任何VPN代理就可以直接登陆Facebook、Twitter等网站,轻松的让有 查看这些网站需求的用户登陆查看。之前像Puffin浏览器也曾实现过无需翻墙代理直接登陆功能,相信如果想轻松登录Twitter查看李开复老师的粉丝 们一定不会错过这款手机浏览器的。
OpenDoor在AppStore的免费下载链接:https://itunes.apple.com/cn/app/opendoor/id543808008?mt=8
本文来源:网易手机 作者:郝铎
可能很多朋友在本站发现了不少免费vpn,但是在手持移动设备中怎样使用,大家可能不是很清楚。这里得说下,水货iphone上使用vpn是没有任何障碍的,但是联通行货貌似在3G环境下无法使用。好吧,不多说了,还是来看我们的教程。
1、点iphone设置图标
2、进入通用设置
3、进入”网络设置”
4、点击vpn,进入”VPN设置”
5、添加vpn配置
6、这里要注意的就是这里如果支持PPTP您就选择pptp协议,L2tp选择l2tp协议。L2TP请记得输入预共享密钥。
7、激活VPN
如果要获得英国的免费 PPTP VPN 帐号,你可以访问这三个网站;如果要获得美国的,你可以访问这五个网站;如果要获得加拿大的,你可以访问这五个网站。 而如果要同时获得英国、美国和加拿大的,你则可以访问 Afreevpn 网站。 打开 Afreevpn.com 网站之后,你就可以看到三个免费的 PPTP VPN 帐号: 1. 英国的 英国的帐号如下: 你也可以把服务器的值从主机名 “uk.afreevpn.com” 改成 IP 地址 “83.170.84.216″。 2. 美国的 你也可以把 “us.afreevpn.com” 改成 “67.212.175.123″。 3. 加拿大的 你也可以把服务器的值从主机名 “ca.afreevpn.com” 改成 IP 地址 “184.107.164.107″。 在以上三个免费的 VPN 帐号之中,不管是哪一个,它的服务器 (不管是主机名还是 IP 地址)都是固定的(如上面提到的),而用户名都是 “afreevpn.com”,但是密码会不定期地更改,也就是说,下次再连接它的时候,你就可能需要访问 Afreevpn 网站并获取新密码。 根据个人的测试,以上三个免费的 PPTP VPN 帐号都可以连接(不管是以主机名还是 IP 地址作为服务器值),不过英国那个的速度很慢,几乎无法翻墙,但是另外两个的翻墙功夫确实不错。
DC: 阿里巴巴刚公布,会在今年八月停止雅虎中国的邮箱服务,并且呼吁用户将电邮整合到阿里巴巴的云端信箱服务。其实中国雅虎己经是阿里巴巴的旗下公司,为何阿里巴巴要多此一举,要求用户使用阿里巴巴的云端服务?
李: 对用户而言,表面上雅虎中国的邮箱服务只不过是阿里巴巴旗下其中一个服务,但在技术上,两者其实是有分别的。
因为雅虎中国的邮箱,是世界各地众多雅虎服务的其中一环,他们共享了登入系统,以至相当多技术环节都仍然掌握在雅虎手中。因此,阿里巴巴要百分百掌握用户的电邮资料的话,就不可能仍然依靠雅虎的系统。特别在师涛案于美国的官司后,雅虎不可能在网络审查上百分百与中国当局合作,中国当局不可以再像以往一般,在雅虎美国和香港的公司支援下,协助中国当局翻查电邮资料。中国政府要百分百掌握现有雅虎中国用户的邮箱资料的话,就只好迫用户将资料移去阿里巴巴在技术上百分百掌控的新系统,这亦是这次阿里巴巴关闭雅虎中国邮箱服务的其中一个诱因。
DC: 如果我真的有雅虎中国户口,是否只能将邮箱资料移到去阿里巴巴的旗下服务?
李: 阿里巴巴由于同时熟知雅虎中国和阿里巴巴云端邮箱服务,因此可以提供无缝交接,但根据阿里巴巴提供的资料,其实你可以藉这次机会,选择其他海外的邮箱服务,享受较为安全的服务。
而听众可以选择用Gmail、美国的雅虎服务,Gmail一向都是我们比较推荐中国听众使用的免费邮箱服务,暂时中国当局都未能成功入侵Gmail系统,而由于中国当局不断意图入侵Gmail,因此,谷歌亦一直有密切监察Gmail用户的活动,避免有黑客入侵帐户。对中国用户而言,Gmail的安全性相当高一些。但有时Gmail,可能受中国当局的网络封锁影响,而间歇性需要翻墙。而美国的雅虎服务,就比较适合习惯了雅虎原有介面的人。而由于受师涛案在美国官司的影响,雅虎美国等地服务,亦未必敢与中国政府合作。
但如果你需要使用中文介面的话,就可能比较适合用Gmail,因为Gmail不分地域提供不同语言的服务,对习惯简体字的中国网民,Gmail比较少适应上的问题。如果你想用雅虎沿用的介面,又想使用中文的话,现时台湾和香港的雅虎也是可以考虑的选择。
你在海外雅虎邮箱,或Gmail依中国雅虎网页提供的资料,利用POP功能去将你的雅虎中国邮件全部经POP技术送到你的海外邮箱,那在今年8月19日雅虎中国邮箱正式结束服务之前,你都可以收到你在雅虎中国的邮件,亦给予你充裕的时间去通知朋友新电邮信箱。
以Gmail为例,你先选设定,再选帐户和汇入,然后选择从其他帐户检查邮件,然后输入你的中国雅虎电邮地址,再输入密码,之后Gmail便会自动汇入邮件,并且定时检查中国雅虎邮箱上有没有新邮件,并转移到你Gmail户口。如果你想保留邮箱上的联络人清单,你可以选择Gmail帐户和汇入下的汇入邮件和联络人功能。
DC: 我利用海外的雅虎帐户,使用雅虎中国的邮箱服务,是否都同样受影响?
李: 这肯定是,因为这次阿里巴巴要割断与海外雅虎服务的关系,因此,你就算用海外的雅虎帐户,登记以及注册中国雅虎邮箱服务,中国雅虎都会中断你在中国的邮箱服务,亦由于你雅虎户口在海外登记,亦不能够过渡到阿里巴巴云端服务。你需要按中国雅虎的指示,将邮件资料移到你想要的地方。
DC: 多谢李建军,本周的翻墙问答时间又到,在下周同样时间,我们会继续有翻墙问答,回应听众对翻墙的技术疑难,并介绍翻墙技术知识,欢迎听众继续留意收听,下周再会。
goagent 2.1.16 正式版下载 https://goo.gl/sxgfB
ed2k://|file|GIFC_20130416_dweb_740.zip|5942092|5BEA921B810D66CC5D9283DD028B54BA|/
原文:http://forums.internetfreedom.org/index.php?topic=18803.0
自由门7.40测试版已经升级为正式版。自由门7.40版增强突破封锁能力。欢迎大家继续反馈。
如果不能使用,请上传反馈信息。谢谢。
专业版:
http://dongtaiwang.com/loc/software/fg/740/fg740p.exe
http://dongtaiwang.com/loc/software/fg/740/fg740p.zip
专家版:
http://dongtaiwang.com/loc/software/fg/740/fg740x.exe
http://dongtaiwang.com/loc/software/fg/740/fg740x.zip
原文:http://forums.internetfreedom.org/index.php?topic=18798.0
免费的美国 PPTP VPN 不少,例如之前介绍过的 SecurityKISS、Super Free VPN、JustFreeVPN、等等。 这篇文章将介绍另外一个 -- GetUSVPN。 打开 GetUSVPN.com 网站,你就会在左边栏上看到它所提供的免费美国 PPTP VPN 的帐号,例如: 在以上帐号信息中,服务器和用户名是固定不变的,但是密码会不定期的更改,也就是说,下次连接该 VPN 时,你可能需要先再次打开该网站,获取新密码并修改旧密码。 关于如何在电脑、手机以及平板电脑上设置并连接该 PPTP VPN,你可以参考这篇简易教程。 如果 “getusvpn.com” 这个域名被墙,那么你还可以把该 VPN 的服务器地址改为 “216.104.36.236″ 或者 “99.198.108.116″。 而根据我个人在中国移动网络上的测试,”getusvpn.com” 和 “216.104.36.236″ 都已经被墙,但是 “99.198.108.116″ 还没有,所以,我这里仍然可以而且也只能够通过 “99.198.108.116″ 这个服务器地址连接 GetUSVPN 翻墙。不知道你那边如何?
因为原文是英文的,我使用的google翻译大家能大概看懂吧 英国免费PPTP VPN服务,你可以检查出这3个美国的,你可以检查出这5和CA的,你可以检查出这5 。 下面将告诉你另一个服务- 获得免费的VPN帐户 ,为您提供免费的PPTP VPN帐户,英国,美国和CA。 打开Afreevpn.com网站,你可以看到所有的3个免费的PPTP VPN帐户在一个页面上。 对于英国,账户信息会像下面这样: 服务器:uk.afreevpn.com 对于美国,账户信息会像下面这样: 服务器:us.afreevpn.com 的CA之一,账户信息会像下面这样: 服务器:ca.afreevpn.com 对于每一个帐户的上述3,服务器的值(无论是主机名或IP)是固定的,用户名是”afreevpn.com”,但在不确定的时代,密码将被更新,这意味着你可能需要改变下一次连接的密码。 根据我自己的测试,所有上述3个免费PPTP VPN帐户可以连接在中国,无论是通过他们的服务器的主机名或IP地址,但英国是太慢而无法使用。 网站地址:http://afreevpn.com
用户名:afreevpn.com
密码:
,你可以改变服务器的值从主机名”uk.afreevpn.com”IP”83.170.84.216″。
用户名:afreevpn.com
密码:去官方网站获取
您可以更改”us.afreevpn.com”为”67.212.175.123″。
用户名:afreevpn.com
密码:去官方网站获取
您还可以,改变”ca.afreevpn.com”为”184.107.164.107″。
原文你地址:http://freenuts.com/get-a-free-vpn-account/
使用免费vpn的朋友可能经常会有这样的疑问,那么这里来综合一下解决各位朋友的疑问。 1、免费vpn服务商的服务器出了问题。 这种情况一般比较少 那么解决方法是怎样了,一般用的比较多的就是排除法、 ps: 1、目前使用wifi貌似连接不了,切换成联通3G试试,可以连接说明什么,说明网络问题。 2、手机不能上,那试试电脑上呢,电脑上连接出现的错误会比较直观,691就是密码问题,619就是本地支持问题···等等,大家需要举一反三。
2、国内网络问题。部分地区会屏蔽PPTP或者L2TP,如果这样,请使用openvpn模式;
3、中国网络抽风。曾经有几天,企业网络会发现出国的网络多数都上不了,如果是这种情况,您只能淡定的等待恢复,当然如果国内都局域网了,那么您除了肉身翻wall,别无他法;
4、Iphone ios4.3的bug。这个情况最常见,而且这个bug还很怪异。如果遇到这种情况,你只能更换机房,更换到能连的那个服务器。这不是服务器配置的bug,因为同一个服务器,同样iphone,有的能连,有的不能连接。我自己的iphone4在公司用电信ADSL都能连,在家联通3G就只有部分能连。
DC:近日苹果在中国的App Store中,开始删除部分被中国当局视为惹火的软件,像程式“经典书城”最近在中国的App Store消失,怀疑在中国当局压力下被撤回,因为这软件可以看到不少禁书。苹果iOS不像Android平台可以随便跳过App Store安装软件,中国用户除了要替手机越狱外,还有什么方法可以继续用一些内容比较敏感的软件?
李:由于苹果的App Store可以做到不让个别软件在个别国家的App Store出现,因此,要解决这个问题的方法,那就是你的Apple ID不再选择登记在中国,而是登记在别的国家。或你常用作翻墙之用的iPhone或iPad手机,尽量采用海外登记的Apple ID买软件,而你买Mac机之类的硬件,就照旧用中国登记的ID方便送货。这样,你就不用冒替手机越狱带来的各类风险,特别在中国的特殊环境下,替手机越狱有可能让当局更容易对你作出监控,这是相当得不偿失。
DC:对中国用户而言,是否可以选择任何一个国家的App Store来登记?
李:由于App Store还配合个别公司对版权的管制,因此,有部分国家你是需要当地发出的信用咭,以及相对应的地址作登记。例如美国的iTunes户口,就必须要持有美国信用咭或扣账咭,而且拥有一个美国地址。当然,你曾经在海外留学,并且拥有海外的信用咭或扣账咭,这是一件很容易的事,你只不过需要定期把钱汇到海外户口,确保你的海外信用咭或扣账咭可以继续使用。
对于未曾出过国,或未因在海外留学、工作而拥有海外信用咭或扣账咭的人,那可以考虑选择登记香港iTunes户口,因为香港iTunes户口接受没有持有信用咭来登记。亦由于香港iTunes户口不用连著信用咭或扣账咭,你可以用香港一些你熟悉的地址,例如朋友的住址,或你来香港旅游住过酒店地址来登记,你用香港户口,就可以跳过中国当局的限制。
DC:但没有香港信用咭或扣账咭,又怎样可以登记自己的App Store户口成香港户口?
李:在香港的便利店,以及香港的苹果商店,都有香港版,以港币计算的iTunes储值咭出售,你只要将户口转成香港户口时,利用储值咭把钱注入户口,就可以转成香港户口。而香港版的iTunes咭,可以托朋友在香港买,或利用其他渠道买也可以。
苹果亦有网上购买虚拟iTunes礼品咭服务,如果你有住在香港或拥有香港信用咭的朋友,亦可以托他在网上买一张,然后透过电邮把虚拟礼品咭送过来给你,这方法亦相当简单。
DC:拥有了香港户口后,又是否代表可以不用翻墙,随心所欲在App Store下载一些已经不可以在中国版App Store下载的软件?
李:由于中国当局的网络,不止于利用各种政策工具,迫苹果妥协这么简单,当App Store软件介绍页的内容有一些敏感字时,中国当局可以利用网络长城令你的互联网连结中断,你就无法下载软件。因此,纵使你的iTunes户口转成香港登记户口都好,都仍然应该先翻墙才去下载软件。同样的,如果你的软件在政治上具敏感性,你在iTunes或手机进行软件更新时,亦应该先翻墙才展开,确保你软件更新过程顺畅。
原文:http://www.rfa.org/cantonese/firewall_features/firewall-appstore-04122013113559.html?encoding=simplified
DC:多谢你李建军,今日翻墙问答时间又到,在下周同样时间,我们会继续有翻墙问答,回应大家对翻墙的各类疑难,并且教导大家如何克服中国当局网络审查成构成的技术难题,欢迎各位下周继续留意收听,再会。
最新的几种解决goagent用不了的办法 goagent用不了了怎么办(最新的几种解决办法) 最近由于某些原因,goagent不能用了。用不了了怎么办? 提供两种解决方法: 备用地址:goagent 2.1.9-11 正式版下载 http://goo.gl/sxgfB 方法二、如果不愿意升级,另一种就是在老版本的proxy.ini中把所有的 203.208.46.X 替换成 203.208.47.160|203.208.47.161|203.208.47.162|203.208.47.163|203.208.47.164|203.208.47.165|203.208.47.166|203.208.47.167,重启goagent就搞定。 如果还不行,就将google_cn字段改成google_hk,这样就行了。 其它问题: 解决方法:win7系统需要在GoAgent上右键选择”以管理员方式运行”。 修改你的hosts文件,删除”# 127.0.0.1localhost” 以下的所有部分,因为它可能给GoAgent进行了不正确的解析。HOSTS文件是在”c:\windows\system32\drivers\etc。 或者将[google_hk]段中的mode = http改为mode = https 解决办法是:chrome证书验证功能发现twiter提供的证书不是信任机构发布的证书。会在url前加s保护,所以打不开连接,你可以使用其他浏览器,或在chrome里更改安全设置,在管理证书选项里,把goagent提供的证书添加到信任机构发行的证书里面。 GoAgent项目地址:http://code.google.com/p/goagent/ Goagent最新版2.0.2主要更改: ————————————————————————————— 欢迎大家在推特或者腾讯微博上面关注我,及时最新的信息。 推特:http://twitter.com/freevpssh (需鄱墙)
GoAgent是一个非常给力的软件,也是目前使用最多,最广泛的谷歌应用之一,介绍了不少GoAgent的文章,但即使我们如何努力,也不可能兼顾到在所有的环境中均进行goagent的测试。这也导致了很多童鞋提出异议,当然也有不少的童鞋解决了问题后给出了反馈。基于GoAgent的使用情况及收到的反馈信息,针对GoAgent无法访问的请况,收集整理如下:
方法一、升级软件最新版。
下载地址:https://code.google.com/p/goagent
win7系统GoAgent启动后无法使用!
如果运行GoAgent,出现resolve common .google_hosts domian=字样。
如果goagent能上国外网站,但是不能上youtube、twitter、facebook,提示证书有问题:Google的代理工具Goagent最新版2.0.2发布
Goagent最新版2.0.2下载地址:http://goo.gl/sxgfB
重写协议
提高普通网页加载速度
优化视频网站兼容性(youku/sina/acfun/bilibil)
优化 PAAS
实践表明,利用GoAgent翻墙是目前最稳定的一种免费翻墙方法。使用方法已经在网上转载泛滥了。
1.首先到 https://appengine.google.com/ 注册一下,创建一个新的应用(CreateApplication)。记着应用的名字,这个名字是唯一的,也就是AppID。
2.下载goagent最新版本,GoogleCode那里经常上不去,GitHub一般是不会被封的。到这个地址,点击ZIP那个就好了。https://github.com/goagent/goagent。
3.下载文件解压后,使用文本编辑器打开 goagent/local/proxy.ini,修改第8行的 appid = 为刚申请的应用名。
4.运行 goagent/server/uploader.bat 文件,根据提示输入 appid 以及 Gmail 的邮箱、密码等来进行上传。
5.运行 goagent/local/goagent.exe 程序。
6.运行 Chrome浏览器,我用的猎豹浏览器也是一样的。安装Proxy SwitchySharp插件。
7.在 SwitchySharp 选项中,选择【导入导出】分页卡中最下面,导入此设置 https://raw.github.com/phus/phus-config/master/SwitchyOptions.bak ,也是GitHub的链接。
8.在 SwitchSharp 选项中,选择【切换规则】选项卡,点击立即更新列表来获得最新的自动代理规则列表。
9.点击浏览器上插件的图标,选择自动切换模式。OK!现在应该已经可以用了。
10.以后当然不需要每次上传:1.确保第5步的这个程序运行着(改程序有个黑框的界面,不能关,左键单击右下角托盘图标可以隐藏);2.检测浏览器插件,那个地球图标是亮的或者是自动切换模式。
正如它的名字, PPTPVPN是一个网站,提供免费的PPTP VPN服务。 打开PPTPVPN网站,你可以看到在右侧的2个PPTP VPN帐户,一个是来自英国 ,另一种是从美国 。 对于英国 ,连接数据将像下面这样: ,你可以改变服务器的值从主机名”uk.pptpvpn.org”IP”77.92.68.65″。 对于美国 ,连接数据将像下面这样: 和服务器的值,你也可以改变它从主机名”us.pptpvpn.org”IP”67.212.175.124″。 以上2,服务器的值(无论是主机名或IP)是固定的,提到对于每个帐户,用户名始终是”pptpvpn.org”,但在不确定的时代,密码将被更新,这意味着你可能需要连接下一次更改密码。 根据我的测试,上述2个免费PPTP VPN帐户可以连接在中国,无论是通过他们的服务器的主机名或IP地址,但相同的为Afreevpn ,英国是太慢而无法 使用。
原理说明:
1.使用library.ini库中的流量,每次启动,随机抽取10个。目前流量800G/DAY
2.使用goagent2.1.15
3.每次启动给goagent标题赋诗一首(给翻墙的你一个好心情)
4.没了…
关于为什么项目停止,只是因为工作的原因,羊羊被工作吞噬了,我被工作压垮了,但是自己还是因为工作的习惯会编写一些工具,有的是临时上传上去的,以前发布了很多所谓版本的软件,但是都是没有什么技术含量,前几天看到一个wowBrowser 的项目的软件,能随机读取几个appid 分配给goagent,于是兴趣一来,就编写了这个低调版,这是我自己用的,流量一部分来自我创建的appid,一部分来自他人,但是总是断流,看来别人总是不可靠啊!软件没有最好的,只有适合自己的!谢谢那些关注本项目的人!如果你那天无法穿墙而出,我很乐意帮助那些掏钱使用vpn的国人,让你们使用上一款免费又快速的穿墙软件,一直是我的追求!如果你有疑问可以给我来邮件,onionhacker@gmail.com 免费公共的个人项目会因为各种原因停止或延迟发布软件,请大家担待,以宽宏的心态对待!推荐三个有实力的项目,作为你备用翻墙的工具
发挥我们的激情和精力,加入创建appid 计划的大军中来!亲们!我们的流量告罄,华北危机,北平危机!如果你还是一个人孤单奋斗,那么就加入我们的队伍吧,这里没有锦衣玉食,却有战友间的温情! qq 群:223572205
香蕉升级程序2000G.rar 248 KB
來源: https://code.google.com/p/onion-project/
真的感觉自己挺失败的,代理服务器第二次被人家盗用, 都怪自己不小心, 没把服务器的防火墙加到开机启动, 同时squid的也没有去加密码认证 感觉还是要细心, 运维就是要小心细心, 于是今中午抽出点时间给squid设定下密码这样以后即使防火墙忘记关闭,也不至于被人家白白盗用去干坏事 squid的配置如下: 当然这个squid是自己编译安装的,网上的都是使用yum 要么是apt-get install 安装的 所以路径不同,我们的 auth_param 路径实在/usr/local/squid/libexec 中 后面的用户名认证文件我们使用httpd-tools 工具生成的 在centos上可以使用 然后: 接下来输入二次密码,确认。 最后就ok了 , 以后做任何事情一定要小心,要细心; 相信自己随着时间 会慢慢老练起来!
# Recommended minimum configuration: # # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed visible_hostname ad1 acl ip1 myip 192.168.1.50 tcp_outgoing_address 192.168.1.50 ip1 # Squid normally listens to port 3128 http_port 192.168.1.50:54321 # Uncomment and adjust the following to add a disk cache directory. request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access Proxy-Connection allow all request_header_access User-Agent allow all request_header_access Cookie allow all auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/libexec/passwd acl auth_user proxy_auth REQUIRED http_access allow auth_user
yum -y install httpd-tools
接着生成密码文件:
htpasswd -c /usr/local/squid/libexec/passwd user1
在线代理原理是接收到浏览器(如ie,火狐等)对远程网站的浏览需求时候(浏览器客户端提交网址的时候),代理程序开始在当前服务器寻找远程网站的网站,找到目标网站后,代理程序马上将网站数据返回到用户的浏览器客户端。如果当前服务器没有该远程服务器的缓存,代理程序则会自动读取远程网站,将远程网站的资料提交给客户端,同时将资料缓存以提供给下一次的浏览需求。代理程序会根据缓存的时间、大小和提取记录自动删除缓存。 无法打开站点:可能是需要访问的站点禁止使用此代理来进行浏览,更换一个重新试试。 打开网站以后出现乱码,是目标网页编码问题,可以勾选”网页编码”,可以有效解决乱码。 无法进行视频播放,可以尝试去除” allow cookies”和”remove scripts”复选 请勿登录你的重要账号信息,在线代理使用公共形式发送你的密码,很容易被不法之徒获取 全匿名代理(high anonymity): 不改变你的request fields,使服务器端看来就像有个真正的客户浏览器在访问它。 当然,你的真实IP是隐藏起来的。服务器的网管不会认为你使用了代理。 普通匿名代理(anonymous): 能隐藏你的真实IP,但会更改你的request fields,有可能会被认为使用了代理,但仅仅是可能,一般说来是没问题的。 不过不要受它的名字的误导,其安全性可能比全匿名代理更高,有的代理会剥离 你的部分信息(就好比防火墙的stealth mode),使服务器端探测不到你的操作系统版本和浏览器版本。 透明代理(transparent): 改编你的request fields,并会传送真实IP 在线代理使用不同的复杂的脚本,以便绕过防火墙等的来访问者被屏蔽或封锁的网站,用户使用在线代理服务非常简单,不需要设置浏览器,也不需要安装额外的软件,只要访问在线代理网站,然后输入要访问网站的网址,然后就可以享受免费的代理服务。在我国,有部分网站被屏蔽掉,如果你想访问,就可以使用在线代理进行访问。
在线代理分类与区别
DC:现在智能手机和平板电脑普及,人们越来越依赖流动装置上网。由于Android平台的装置比较多,价钱亦很便宜,因此在中国,越来越多人用Android的装置翻墙上网。
最近有一只叫“穿越浏览器”,可以帮助用家在不用安装VPN等服务情况下,光靠浏览器就可以翻墙,这浏览器到底有什么功能?
李:“穿越浏览器”是内置类似VPN功能的浏览器,浏览器本身会绕过中国当局的防火长城来浏览互联网,让你浏览像本台网站、香港苹果日报、或维基百科一类被中国当局封锁的网站。而这类浏览器,由于使用内置独特设定来翻墙,因此,不用再作任何技术设定,几乎一安装了便可以用,很适合技术水平不高的用户。
由于浏览器内已经内置了这类“敏感”网站的书签,你就不用死记网址,或在手机有限空间输入网址,只要在浏览器书签内选择心仪的网站就可以了。
DC:那要安装穿越浏览器,又应该怎样做?\
李:要安装“穿越浏览器”,步骤很简单,只要在Google Play上找“穿越浏览器”,你找到后再安装便可以。但要注意的是,你的Android作业系统必须是2.2或以上。如果你在用2.1或以前版本的装置,你应该更新你手机或平板电脑的作业系统,甚至换一部新机。而这只软件是免费软件,不用付钱买的。
如果你打“穿越浏览器”出现断线现象,或者你一直都未能成功下载软件,这可能是中国当局的防火墙作怪。你可以先用手机翻墙再安装软件,或在电脑翻墙下载软件后,再将软件抄进SD咭。但你日后更新软件时,就要同样先翻墙再更新,或在电脑下载更新版后,再将软件抄入SD Card。
如果你使用电脑来安装,你必须要留意你下载的网站的安全性,避免在来历不明网站下载,因为中国当局有可能利用带有病毒的软件,伪装成穿越浏览器来意图在你的手机或平板电脑内植入木马。在Google Play内,开发公司有列出替代网址让你下载软件,你可以先翻墙,再在Google Play名列的替代网址下载软件,那就不怕有来意不善的软件入侵到你的手机里去。
DC:那现时“穿越浏览器”,在技术上又有什么限制?
李:通常纯粹以浏览器来翻墙,都有一定技术限制,例如部分不经浏览器连上互联网的应用程式,并未能透过浏览器来翻墙,还得需要VPN之类的技术去协助。而“穿越浏览器”因为纯粹是浏览器,因此在翻墙方面有一定的先天限制。
此外,现时“穿越浏览器”还有一些缺陷,包括未能成功连入Twitter,以及不能播放YouTube的片段。如果你想翻墙发推或看推特,你应用VPN、其他的浏览器,或者使用可以支援翻墙技术的Twitter阅读软件。而YouTube,可以使用其他支援YouTube的浏览器,有部分浏览器内带的代理主机设定,可以让你翻墙去看YouTube视频。
我相信Twitter和YouTube相关的问题,在未来可以得到解决,因此要留意一下未来浏览器开发者推出的更新版。
除此以外,一如其他翻墙软件,中国当局可以针对软件经常连结的主机作出封锁。如果你发现浏览器翻墙失败的话,很可能因为中国当局特别封锁浏览器软件所依赖的主机地址所致,届时你需要等待新版,才可以继续翻墙上网。
DC:多谢 你李建军,在下周同样时间,我们继续有翻墙问答,回应各位对翻墙的问题,欢迎大家留意收听。节目时间已经到了,下周再见。
Whonix,即以前的TorBOX,是一个基于Virtual Box、Debian GNU/Linux和tor 的匿名通用操作系统。美博园 根据官方介绍翻译简介如下。据项目开发者adrelanos声称:Whonix的设计使IP和DNS的泄露变得不可能,即使是有root权限的恶意软件也不能发现用户真正的IP地址信息。这是因为Whonix是由两个虚拟机构成的,其中一个虚拟机只运行Tor,充当网关,称之为Whonix-Gateway;另一个虚拟机,称之为Whonix-Workstation,工作在一个完全隔离的网络上,连接全部经过Tor中转。Whonix目前处于alpha测试阶段。 项目主页:http://sourceforge.net/projects/whonix/ 下载: whonix-0.5.6 2013-03-30 更新 简要使用说明: 1、下载上述两个文件,Whonix-Workstation.ova 有操作系统,比较大,有 1.3 GB Whonix-Gateway.ova 432.8 MB 2、把上述二个文件导入 Virtual Box中 运行 VirtualBox,”管理”——”导入虚拟电脑”,定位到下载的.ova文件就行了。 3、启动 Whonix-Gateway. 4、启动 Whonix-Workstation. ========= 网友 mrma 补充的使用方法 谢谢 ========================= 美博园没有验证该方法,请网友反馈使用效果。 Whonix将加密在WhonixWorkstaion内产生的一切网络流量 下载Whonix的两个虚拟机文件后,用VirtualBox导入。 导入时候不要对虚拟机任何设置,不要改网卡! Gateway启动后,输入sudo nano /etc/tor/torrc,回车,输入密码,回车。 转到第66行,看见#UseBridges 1,将前面的#号去掉,同时去掉第67的#号,另取一新行输入类似Bridge obfs2 128.31.0.34:1051格式的网桥。最后保存:按下CRTL+x,按下y,再按回车,即保存刚才编辑过的文本。如果网桥正确,不久之后有提示能上网了。 注意: Gateway除了更新torrc以外不要做任何改动 上文指的网桥是obfs:https://bridges.torproject.org/?transport=obfs2 获取正确的网桥可能靠运气 如果升级WorkStation里的TOR,要用桌面上的升级工具(不要再运行另一个完整的TOR) 导入后可以改变某些除网卡之外的设置 更多安全提示请访问Whonix网站
via 美博园 http://feedproxy.google.com/~r/allinfa/~3/roiOiLsF9-s/whonix-v056-anonymous-operating-system.html
你妹这篇文章写好了突然不再了, fuck 又得重新写,真的不知道什么原因; 前两天以前的一个大学同学突然qq问到我有没有弄过dd-wrt,这个路由器固件也听说过很久,但是一直也没空去关注 于是就决定弄一下,起初远程进去看了一下同学路由器的配置都和网上标准一个样,就是看不到连接上了pptpvpn了没有 于是我就登录telnet 进入命令终端去看看, 毕竟做为一个中级以上的Linux运维,linux的日常调试这些没任何问题,刚好 dd-wrt也是基于linux开发的命令这些差不多都有, 发现日志没有出什么问题,于是就手动pptp /tmp/pptpclient/pptp.conf 这个配置文件 发现也没反应,在进去一看配置文件貌似有问题,于是叫同学又去弄了一个版本换上去,这个版本对了,直接按照网上的标注配置上去就能ok ,但是还是不能上twitter, 于是又登录进去,发现在网络接口出现了ppp0 这个接口, 在route 看一下原来是路由没有加, 在跑到web界面的管理->命令中去看 ,发现粘帖网上的shell启动脚本有问题, 空格很多都变成了乱码 ,终于发现问题了, 这个启动脚本有问题, 可能是粘帖时候编码之类的原因到处出现乱码, 所以修改一下配置脚本 重启动路由器,等了90秒 终于能上twitter了 启动后等90秒主要是那个sleep 90 决定,其实可以修改为sleep 20 ,因为这个脚本貌似是在路由器启动好了后才开始运行; 忙活了将近一天终于搞定了,能帮到同学忙,感觉也不错, 由于昨天说了下 说现在国内的流量其实可以走国内线路,没必要走vpn速度慢死了 svn下来之后,我们只需要根目录的vpnup.sh 这个文件从里面提取出 的条目,有将近3k条,于是马上就想通过web界面的管理保存到启动脚本里面,无奈,可能是太多了吧,直接保存卡死了,保存不完 ,然后上网一查,才知道 http://2955941.blog.51cto.com/2945941/910748 这文章说的就是,我们可以把路由表文件写成一个启动脚本类型,然后放到远程的一台路由器能够访问到的服务器上面, 这样在路由器启动时候 ,我们保存 这样就ok了,每次启动了自动执行,忙活了将近2天,这下可以解决一套东西 也挺不错,以后自己有公司了 ,全部选择开源的路由软件,节约成本 ,哈哈,开源的东西
sleep 90 OLDGW=$(nvram get wan_gateway) VPNSRV=$(nvram get pptpd_client_srvip) VPNSRVSUB=$(nvram get pptpd_client_srvsub) PPTPDEV=$(route -n | grep ^${VPNSRVSUB%.[0-9]*} | awk '{print $NF}'| head -n 1) VPNGW=$(ifconfig $PPTPDEV | grep -Eo "P-t-P:([0-9.]+)" | cut -d: -f2) route add -host $VPNSRV gw $OLDGW route del default gw $OLDGW route add default gw $VPNGW
,其实原理和网上的chnroutes 项目差不多,就是指定路由表的方式, 让国内线路走default gateway 出去,其它的流量全部走vpn出去, 导入的路由表也是
国内所有的地址和网段,
其实Google上也有个项目autoaddvpn ,地址如下:
svn checkout http://autoddvpn.googlecode.com/svn/trunk/ autoddvpn-read-only
route add -net *.*.*.*/*
要打开挂载jffs2 这个 ,但是进入管理也没看没有开启jffs2 这个选项,原来是路由器不支持,这样没办法 ,没法直接保存到路由器上面了
难道只有手动的每次断电后去粘帖这个路由表麽,这样肯定不行, 于是在网上看到一篇文章:
一个启动指令自动下载远程服务器的文件,并运行就ok了, 这让我想到了思科交换机路由器也有这个功能, 开源的东西就是自定义操作强,命令如下:
if [ ! -e "/tmp/startup.sh" ];then cd /tmp/; wget https://blog.4u45.com/startup.sh ./startup.sh fi
很稳定的;
文章來源:http://fqrouter.tumblr.com/post/46941141938/android-fqrouter-1-3-0
检测GFW的干扰,在Manager界面的jamming-events中可以查看
无线中继启动之后可以通过http://192.168.49.1:8888查看Manager界面
无线中继启动失败之后尽最大可能恢复启动之前的状态
report error时附带dmesg.log
特别说明:
目前对无线中继的支持是测试阶段, SSID和密码都不可以配置, SSID写死了是spike, 密码是12345678
下载链接:
项目主页:
goagent 2.1.15 正式版下载 https://goo.gl/sxgfB
iPPOTV Ver.12(0937)主要是针对目前的封锁特点做了一些改进.在中国大陆,使用的人越多,突破封锁效果越好。从观察的数据看”低带宽视频直播”及“音频直播”栏目中的频道带宽较低,在中国大陆也能流畅收看。其他视频频道带宽在450-550kbps之间,海外收看非常流畅,但在中国大陆由于受到网络封锁的干扰,不同地区和时段收视效果有所不同。
iPPOTV安装后第一次运行时,一定要关闭翻墙软件或网络代理,否则IPPOTV将无法正确初始化突破封锁的功能,收视效果就无法保证。
如果拿不到频道列表,而又不是防火墙设置问题,请用海外邮箱,如gmail, 或hotmail 给ippotv.abcd@gmail.com发一封电子邮件,主题为abcd, 以获得新的结点文件。详细说明请参看如下网页:
http://forums.internetfreedom.org/index.php?topic=8572.0
由于封锁严重,有时会出现点击频道列表没有反应的情况,此时可以试一试播放不同的频道,如果都没有反应,请关闭IPPOTV等十几分钟后再打开。请大家广泛传播IPPOTV,因为用的人越多,越容易突破封锁。
如有技术问题,可发邮件给: support@starp2p.com
感谢各位网友的支持和建议!
iPPOTV Ver.12(0937):
http://www.ippotv.com/download/iPPOTV_Setup_Ver12Build937.exe
电驴下载链接:
ed2k://|file|iPPOTV_Setup_Ver12Build937.zip|2842671|F16194A1CBBFB442E065968F5E424246|h=HPNRQMDA2FAPN5Y346J6LY6NN7SED445|/
BT下载链接:
http://www.ippotv.com/download/iPPOTV_Setup_Ver12Build937.torrent
MD5:cf465a3e2d92323034164182292e088b
SHA1:1ddfe87518d5dce4bcf2e9b9bde1af09d68201db
IPPOTV
原文:http://forums.internetfreedom.org/index.php?topic=18740.0
穿越浏览器[5.8]
一款专为全球华人打造的具有穿越功能的云浏览器。此浏览器与一般浏览器(如QQ浏览器,UC浏览器)的不同之处在于:
1.内置类VPN功能,无须ROOT即可使用
2.独具特色的首页导航,除了国内主流网站,还收集了大量国外优质手机网站,如香港报纸甚至全球其他各国当地华人报纸,让你上网更方便
3.支持独创穿越功能,瞬间可以让你”穿越”到全球各地,让你身临其境
4.书签功能同系统浏览器同步,使用更方便
5.支持全屏浏览,小屏幕阅读也能很方便
历史版本更新记录:
版本V5.7.0更新以下功能:
1.海外报纸栏目增加光华日报,当今大马
2.增加繁体语言显示
3.修正车辆违章查询页面显示乱码问题
版本V5.6.0更新以下功能:
1.增加新语丝,纽约时报等网站
2.针对老用户提升访问速度
V5.5.0
1.海外栏目增加更多全球热门华文网站如留学园,万维网读者等
2.新闻栏目增加更多新闻网站如星岛日报,华尔街等
V5.4.0
1.修正苹果日报网站访问问题
2.新闻栏目增加更多新闻网站
如有软件使用或下载问题,请加官方微信号反馈:cybrowser
安全监测:通过 应用汇 安卓市场 谷歌电子市场 应用工具安全检测通过。豌豆荚认证的「优质应用开发者」提供
更新
1月10日
版本
5.8.0
要求
Android 2.2.x 以上
装载和卸载文件系统
读取基于网络的粗略位置
下载链接1: http://www.mumayi.com/android-271647.html
下载链接2: http://www.wandoujia.com/apps/com.qingshui.browser
SecurityKISS之前是我一直介绍的一个比较好的免费的VPN,小moe我也用了很长的时间,当然我一直都是使用着收费的版本,不过上学期 到期后就没有继续使用免费的版本了~~~~~没办法虚荣心强,今天又可以撸上这个SecurityKISS高级账户3个月了~~~ 软件名称:SecurityKISS 软件语言:英文 软件价格:本次赠送的为JADEITE2 plan价值16.99美元 操作系统:Win7(亲测),Vista,XP 活动地址: 进入活动页面有输入邮箱和验证码即可~~~~收到邮件下载你的证书安装即可~~~~ 使用教程:http://www.xzymoe.com/securitykiss/ 最后对这个SecurityKISS进行说明一下,之前有人留言告诉我说免费版本的已经在天朝无法使用了,但是当时收费版本的在天朝还是可以继续使用,当然现在呢我也不知道这个收费版本是否可以使用,最好自己试一试吧~~~~~~
软件信息:
前面一篇本博客已经提到–OpenVZ VPS怎样搭建PPTP VPN 今天在这里给大家介绍下l2tp ipsec vpn的搭建教程。下面说下我们需要的一些载体: 运行环境:centos 5.7 32bit【redhat系都可以用】 1、首先安装必要的包。
2、下载安装openswan.
3、安装xl2tpd。[这里可能有的筒子们用的编译的,不过安装扩展源之后直接安装岂不是更方便]
4、各种修改配置文件了。编辑 /etc/ipsec.conf 注意$vpsip替换成你机器的ip,贴出配置文件,大家修改就好了。
5、编辑 /etc/ipsec.secrets注意$vpsip替换成你机器的ip, $psk缓存你想设置的密钥
6、修改/etc/sysctl.conf,添加转发补丁等功能。注意这里的你参照你文件内容的改,没有的添加。
7、修改完成后,运行如下命令使之生效。
8、验证ipsec运行。
输出以下内容就表示配置成功了
9、编辑 /etc/xl2tpd/xl2tpd.conf
10、编辑 /etc/ppp/options.xl2tpd
11、设置用户名,密码:编辑 /etc/ppp/chap-secrets
12、重启xl2tpd
13、设置iptables。
好吧,搭建完成,现在测试一下吧,有条件的筒子们可以把有限的资源提供给无尽的网络,提供免费vpn哦,如果有任何配置上的问题,可以联系我,我们共同研究!yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced
wget http://www.openswan.org/download/openswan-2.6.24.tar.gztar zxvf openswan-2.6.24.tar.gz cd openswan-2.6.24 make programs install
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm [centos 5x] rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm [centos 6x]
yum install xl2tpd
config setup nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 oe=off protostack=netkey conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=$vpsip leftprotoport=17/1701 right=%any rightprotoport=17/%any
$vpsip %any: PSK "$psk"
net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1
sysctl -p
ipsec setup restart ipsec verify
Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [OK] NETKEY detected, testing for disabled ICMP accept_redirects [OK] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED]
[global] ipsec saref = yes listen-addr = $vpsip [lns default] ip range = 10.1.88.2-10.1.88.254 local ip = 10.1.88.1 refuse chap = yes refuse pap = yes require authentication = yes ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
require-mschap-v2 ms-dns 208.67.222.222 ms-dns 208.67.220.220 asyncmap 0 auth crtscts lock hide-password modem debug name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4
# user server password ip username * userpass * #改成你的用户名 密码
service xl2tpd restart
iptables --table nat --append POSTROUTING --jump MASQUERADE
service iptables save service iptables restart
chkconfig xl2tpd on chkconfig iptables on chkconfig ipsec on
Bob的私钥只有自己知道, 有一天, 送信的 后来,
(Bob) 有两个密钥,
(Bob的公钥)和
(Bob的私钥)。 (Bob的公钥)可以让所有人都知道:
(Pat)、
(Doug)、
(Susan) 。公钥和私钥是由特殊算法生成的,都可以用来把明文加密成不可读的密文,用相反的密钥可以把密文解密成可读的明文。
(Susan) 写了一封信,”Hey Bob, how about lunch at Taco Bell. I hear they have free refills!”,然后通过(Bob的公钥)进行加密,变成”HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A”,她可以放心的把信交给其他人,帮忙把信送给Bob。(Bob)看到信之后,用 (Bob的私钥),解密这封信,就能看到Susan写的原话了。其他送信的人是完全看不懂的。 (Bob)打算给Susan回信,他并不害怕别人知道他说什么,所以他不需要对全文加密,但是他害怕有人偷偷修改他的内容,所以他首先给全文生成一个摘要信息。
。然后对摘要进行加密,经过 (Bob的私钥)的加密,就变成了一个独一无二的数字签名
。数字签名被附加到信件的结尾,一起发给 (Susan)
。(Susan)用 (Bob的公钥)解密数字签名,得到当时的信件摘要。然后自己再计算一次信息摘要,如果相同,那么证明信件没有被别人修改过。
(Doug)有一次偷偷的使用(Susan)的电脑,用自己的 (Doug的公钥)替换了 (Bob的公钥),没有人去刻意记忆公钥,所以Susan当时没有发现,她给Bob写信的时候使用了她认为是Bob的公钥(实际上是Doug的公钥)对信件进行加密.现在(Doug)既可以读到Susan的信,也可以冒充 (Bob)制作数字签名,真正Bob的数字签名却被认为是错的。
(Bob)发现了问题,他找到”证书中心”(certificate authority,简称CA),CA用(CA的私钥),把Bob的 (Bob的公钥)加密一次,这个就是数字证书。带数字证书和Bob的数字签名的信件发给(Susan)后,Susan先用 (CA的公钥)对数字证书解密,拿到一个一定真实的Bob公钥,进而证明的数字签名是否是真的,进而证明信件有没有被改动过。
DC:有听众在九鼎茶居那边问到,他想在iPhone上收听本台的即时广播,但总是开不到,就算成功翻了墙都听不到,他想在iPhone上即时收听我们的广播,那应该怎做?
李:要收听网站上本台的即时广播,那是需要另行安装软件,如果你的App Store户口是香港或其他国家的话,你打RFA三字,应该会找到本台粤语组的App,只要你安装了就可以收听我们的广播。只不过,在中国的App Store,有可能找不到这软件。就算你持有海外的App Store户口,你亦应先翻墙才搜寻,因为RFA始终属于中国当局的敏感词。
若然你没有海外App Store户口的话,那你需要下载一些支援MMS协定的应用程式。这类应用程式,有部分是免费,亦有些要收费的,你可以视乎你的预算和需求去决定安装那一只。通常免费软件的用户介面比较简单,例如未必有书签之类功能,而收费版本,就可以预期有多一点功能,可以方便你收听本台的广播。
在App Store上,亦有一些收听网络收音机的软件,有部分亦有预载本台的串流连结,例如TuneIn Radio便是当中的例子,大家可以利用这类软件,搜寻Radio Free Asia。当然你亦都要先翻墙,才去搜寻本台的广播,否则就可能会中途断线。
DC:假如我用Android的手机和平板电脑,那应怎样做?
李:由于Google Play上暂时未有本台粤语组的应用软件,因此,你需要安装支援MMS协定的应用软件,或你安装TuneIn Radio之类的软件,透过这些软件收听本台的即时直播串流。你安装了有关软件后,先翻墙,然后再浏览本台网页收听直播,或搜寻本台的串流来收听直播。只不过,这类软件并非百分百可以配合本台的广播,有时有可能会收听失败。
DC:近年有些透过Wi-Fi收听网络广播的收音机,那听众就可以不用对著电脑或手机收听本台的广播,如果用这些收音机,又能否收听到本台粤语组的广播?
李:首先,你要肯定你所买的收音机是支援MMS协定,如果无法支援MMS协定的话,那就什么都不用谈了。
由于听网络广播用的收音机,一般而言技术上都比较简单,以及并无预计在中国这种特殊情况下使用,因此,并无内置支援VPN、代理主机,让你翻墙收听广播。这对一些技术水平较差的用户,这是颇为麻烦的一件事。
如果你想用Wi-Fi网络收音机收听本台广播,那你的路由器必须支援VPN翻墙,在路由器用硬件来翻墙后,那收音机就透过路由器翻了墙,再在收音机内输入本台MMS的串流网址。有部分收音机已经预先输入了本台的MMS串流网址,那你只要找一找RFA或Radio Free Asia,就应该找到了粤语组的广播,那就不用费神去输入地址。有部分网络收音机,可以配合电脑的TuneIn软件运作,你在TuneIn软件内设好的电台网址,会同步到收音机上,但不一定每一部收音机都支援TuneIn之类软件。
有时候,你的网络收音机未必能收听到本台广播的原因,并非你翻墙失败,而是因为你的网络收音机软件太旧,未能与本台广播配合,那你定时更新软件,是可以提高收听的成功率。
DC:多谢你李建军,本集翻墙问答时间又到,在下周同样时间,我们继续有翻墙问答,解答各位翻墙的疑难。我们十分欢迎网友的提问,而我们亦会尽力在节目中,回应听众各类疑难,欢迎各位多加利用。在下周同样时间再见。
ed2k://|file|GIFC_20130328_ultra_1301.zip|1936803|DDC246048B57D7721945677BF63965BB|/
原文:http://forums.internetfreedom.org/index.php?topic=18734.0
无界浏览测试版13.01a升级为正式版 13.01, 欢迎反馈.
执行版:
http://wujieliulan.com/download/u1301.exe
SHA1: 5084a35f359b1d9dee0fc57096a9ba9c91d93fec
MD5: e1a49c030ca2f679b70d92ec3637bf1e
压缩版:
http://wujieliulan.com/download/u1301.zip
SH1: 79d3773b2e9ad9ec6e2df7645105f5a254219a69
MD5: 3c07654c214df1d5ddb37d26ea324957
请检查数字签名.
无界浏览有数字签名(安全认证), 帮助用户确认所下载的无界浏览软件是正版, 并非假冒。
验证方法:
右击无界浏览执行文件,选择其”属性”菜单,然后在弹出的窗口内选择”数字签名”页。这时您应该看到 “Ultrareach Internet Corp.”的签名。 点击”详细信息”按键,进入下一个窗口,您应该看到”该数字签名正常”的字样。
如果”数字签名”页不存在,或签发者不是 “Ultrareach Internet Corp.”,可能此文件下载不完整, 或属假冒, 请立即删除此文件, 从新下载。
谢谢!
原文:http://forums.internetfreedom.org/index.php?topic=18730.0
无界浏览测试版13.01a, 请帮助测试并反馈。
如果偶尔连接不上, 请关闭所有翻墙软件, 等几分钟后再运行。如能更换IP, 则无须等待, 便可重新运行。
执行版:
http://wujieliulan.com/download/u1301a.exe
SHA1: 5084a35f359b1d9dee0fc57096a9ba9c91d93fec
MD5: e1a49c030ca2f679b70d92ec3637bf1e
压缩版:
http://wujieliulan.com/download/u1301a.zip
SH1: 3c851a5dd55642a538d9a0e8dc0923bcecf18d03
MD5: ac9dabcac63af2648133673f1a0ae8c3
请检查数字签名.
谢谢!
原文:http://forums.internetfreedom.org/index.php?topic=18723.0
DC:相信很多听众都对中国当局的木马电邮有应对的经验,很多听众亦知道如何辨别可疑电邮。只不过,互联网技术日新月异,现时黑客也好,中国当局也好,发放钓鱼信息方法亦有所改进。近日有不少Android用户都发现自己收到了一些可疑短信后,网上银行密码和用户名都被偷。其实现时短信病毒之类,发展成怎样?
李:黑客利用短信令用户蒙受损失,这早不是新闻。在以往,这类短信多数会令黑客可在你的手机暗中打大量长途电话,骗徒藉此骗取长途电话收益。但由于Android作业系统收紧拨出电话的限制,加上执法机关以至电讯公司对相关的电话号码多加留意,令黑客改变了手段,改为向用户的手机理财或网上理财密码埋手,希望获取更多收益。
现在的钓鱼短信,原理与钓鱼电邮大同小异,都是寄出含有可疑网址的短信,当你打开了有关可疑网址,手机内的一些机密资料就可能被盗走,而这种骗案之所以能够成事,因为智能手机越来越像电脑,在电脑上会出现的漏洞,亦一样会在短信上出现。
DC:那用户怎样可以判断收到的短信可能是钓鱼短信?光靠短信发出人资料,可以肯定短信内容安全吗?
李:短信是一种很古老的技术,现时不少人透过电脑,已经可以发出并无来源号码,甚至伪装另一个人发出的短信。甚至用户要验证短信的真确性,比验证电邮更难,因为电邮还有一些技术信息,可以让懂得相关技术的人追查来源。但短信只有电讯公司的技术人员,才能够追查到真实来源。
因此,只要短信内包含一些不寻常内容,例如一些奇怪的链结,就算短信声称来自你朋友也好,都不要随便打开。例如中国的黑客,都经常伪装个别民运人士或组织来发出钓鱼电邮一样。
DC:如果不使用短信,而是使用Whatsapp之类的即时信息系统,又能否避免钓鱼党的问题?
李:由于Whatsapp之类系统,比起相当原始的短信有较好的认证功能,很难伪冒个别用户来发出短信,因此,不会出现电邮和短信中有人冒认你朋友发钓鱼信息的问题。
但近年中国都有些透过Whatsapp发放垃圾信息的人,因此,如果你收到不认识的人,透过Whatsapp发出可疑链结,应该避免打开。就算你熟悉的朋友,如果发现你朋友发了一些奇怪链结,亦应提高戒备。特别你的朋友手机被偷,或他被公安、国保等人员拘留的话,你朋友的手机有可能被当局利用作不法用途。因此,不要因你改用了Whatsapp、iMessage等技术,而对手机的资讯安全掉以轻心。
DC:现时很多有问题的钓鱼连结都是针对Android平台,那使用其他平台又会否代表免疫呢?
李:虽然iOS的保安规则比较严格,直至暂时为止,钓鱼网站不易成功得手,但不代表可以掉以轻心,因为黑客不断研究不同作业系统的漏洞,更何况iOS本身亦有不少漏洞可让黑客使用。因此,对于一些来历不明,由短信送来的链结,应采取处处提防的态度,甚至见到立即删除,避免自己成为下一个受害者。
DC:多谢你李建军,本周翻墙问答的时间,又很快去到尾声,在下周同样时间,我们会继续有翻墙问答,解答各位对翻墙的问题,以及介绍与翻墙相关的知识,欢迎各位留意收听。
原文:http://www.rfa.org/cantonese/firewall_features/virus-sms-03222013115127.html?encoding=simplified
DC:以往我们都介绍过TOM-Skype怀疑有过滤机制。在中国下载的Skype,都几乎是TOM-Skype版本,与海外的原装正版有所不同。由于微软会放弃MSN Messenger的服务,迫用户全数过渡到Skype,所以我相信不少中国用户都有安装Skype。最近有研究人员发现TOM-Skype的过滤机制的实际操作方式,究竟什么版本的Skype是有特定过滤机制?
李:根据新墨西哥大学研究人员的论文,除了很多人知道,在中国下载的Windows版Skype内有特定过滤机制之外,在中国下载的Android版Skype,一样有与Windows相同的过滤机制。因此,除了Windows版用家要小心TOM-Skype外,Android用家都不要对TOM-Skype掉以轻心。
至于Mac和iOS版,由于并非新墨西哥大学的研究对象,所以我们暂时无从得知中国下载的Skype会否与Windows一样有过滤和监视机制。
DC:那根据研究人员的研究成果,TOM-Skype是怎样实现对用家信息的监控?
李:这次新墨西哥大学的研究,发现TOM-Skype的监控机制主要针对文字信息,而整个机制有监视文字信息,以及过滤文字信息两部分。
在每个版本的TOM-Skype,都有一份敏感字表,在敏感字表内的用字,都不能够传送到对方手上,例如提及六四、法轮功等等,一触及这敏感字表,便会删除。而你每一次登入Skype时,系统都会下载最新的敏感字表,这亦解释到有部分政治信息可以在Skype当中成为漏网之鱼,未被过滤。
除了敏感字表,在监视文字信息的部分,程式会不动声色,将被监视者的文字信息内容、传送时间、收件人身份等资料传到中国当局所设的神秘主机,这样中国当局就掌握到你在Skype的文字信息内容。
在研究人员发表的结果中,暂时未发现TOM-Skype当中有任何部分过滤及截取VoIP的通讯,只不过,由于大家对中国截取VoIP实际能力有多少未有掌握,所以都不可以假设话音和视像通讯部分是百分百安全。
DC:根据这份研究结果,中国用户要怎样用Skype才会真的安全,不容易令自己与友人对话的内容被中国当局截取,以及可以在Skype上畅所欲言,不受敏感字表的影响?
李:首先,你应该翻墙,在海外下载正版的Skype,避免使用中国主机下载的TOM-Skype,因为海外的正版Skype,暂时未发现类似TOM-Skype的监控机制的存在。
此外,如果你曾经安装TOM-Skype,或正使用TOM-Skype,都不应该透过文字信息进行交流,因为文字信息几乎肯定会送到中国当局手上,中国当局凭信息内容对付你是相当容易。最安全的方法,那是使用正版的Skype,与对方进行语音或视像交谈,如果可以的话,还同时采用VPN加密翻墙,那中国当局就最难把你的Skype通话内容截取或过滤。
DC:在可见将来,微软都会将Skype整合在Windows作业系统之中,一如以往将MSN Messenger整合在作业系统之中。那会否对中国用户取得安全版本的Skype有所影响?
李:如果Skype真的整合到,由于Skype变成类似MSN Messenger,属于作业系统一部分,随作业系统附赠的Skype,由于已经与作业系统紧密整合在一起,很可能难以移除,就算安装了海外版本的Skype,亦很难摆脱作业系统内Skype系统的监控。因此对用户而言,最安全的做法,那是寻求Skype以外,并非中国软件开发的短信和VoIP软件。
DC:多谢李建军,在下周同样时间,会继续有翻墙问答,回应各位对翻墙的疑问,并且带来最新的技术知识,欢迎各位准时收听。到时间又差不多,再会。
原文:http://www.rfa.org/cantonese/firewall_features/skype-03152013104427.html?encoding=simplified
翻墙软件,在线代理ip,翻墙vpn,在线翻墙网站,相信很多人都再找特备是喜欢上facebook的朋友们,可是我觉的大家可能更加希望有,免费翻墙软件,免费翻墙网站,免费在线代理服务器,废话不多说,今天和大家来说说Green网络加速器。 GreenVPN成立于08年,推出VPN服务已经有4年时间了,GreenVPN提供VPN代理服务,包括免费VPN和付费VPN两种服务,其付费用户同时提供北美/英国/德国/法国/俄罗斯/河南/台湾/香港/日本/韩国以及六条国内代理服务,VIP用户有专门的游戏专线,免去咱游戏玩家延迟和掉线的苦恼,免费用户可使用7条北美线路,流量200M/月。 产品介绍 1.绿色上网、保护隐私 使用Green网络加速器可以确保您的上网安全,保证您的真实IP地址不被泄露,有效保护个人隐私,通过加密通道来保护您的所有网络通信,避免的QQ、Email通信记录被黑客截取利用。 2.联网加速、外服畅游 Green网络加速器具备优秀的加速功能,可以在您上网浏览、网络游戏和个人通讯时实现加速效果,使您不再因为网速慢而烦恼不已。 3.智能路由、畅通访问 网络适应性好。适合有本地局域网有防火墙限制的情况,例如公司、网吧、学校等。 同时支持多种协议,兼容性强。 4.终端覆盖、全面支持 全面支持Windows XP, Win7/Vista, Mac OS, Linux, iPhone/iPad/iPod Touch, Android等多类终端,如果您有多种终端,可以一号多用。 GreenVPN新用户拥有200M免费流量(可使用免费线路)。免费线路比较繁忙,可能会出现不太稳定或链接速度较慢的情况,购买VIP套餐后可使用全球VIP线路,获得更稳定优质的服务,并且不受流量和时长限制。 所有VIP套餐均不限流量、不限使用时长,订购后立即生效,并同时支持PPTP和L2TP,支持多种终端。 Green网络加速器,是我最新发现的一款免费翻墙软件,也是付费翻墙软件,可能使用没有在线代理方便,可是在线代理使用起来确实不爽啊,因为广告太多了,呵呵,老样子,在线代理之家,还是推荐翻墙动态网,动态网翻墙软件,免费在线翻墙好帮手!
一、鲨鱼加速器免费政策: 免费注册会员,即可享受每月300M的免费流量,需要邮箱验证。免费的是以美国为主的三条线路。免费账户有限期为一个月。 网页浏览:可以访问全球任一地点的网站,包括不限于youtub,fb,推特等! 鲨鱼加速器官网地址: https://www.shayunet.net 推荐理由一:速度非常快,包括免费线路。 推荐理由二:客服服务好,QQ在线。另外被有和谐的情况下,反应时间快。 二、鲨鱼加速器注册与使用: 1、鲨鱼加速器注册:这个没有什么好说的了。点击上面的鲨鱼加速器官网地址。按一般的网站注册账号就行。其中注册的账号与密码就是VPN连接的账号与密码,是相同的。特别要注意到注册用的邮箱里激活一下链接。 a、用官网提供的客户端使用,只适合于WINDOWS用户。点我下载软件 如失效,请到官方下载最新版本! b、自行在各种设备上设置VPN,如手机,平板等。需要服务器IP,用户名与密码。各种教程,请查看本博客上的VPN设置图文教程。 VIP美国线路01 1000M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常 三、鲨鱼加速器测评及其它 鲨鱼加速器的速度真是不错的。免费账号300M看FB,推特等网页是足够,如果是看视频还是不够的,不怕麻烦要多注册几个账号了。如果大家觉得他们的免费VPN服务还不错的话,推荐使用他们的收费VPN服务,毕竟现在的免费VPN都不怎么靠谱了。想稳定快速可靠的,还是适当付费的好。包年也只要一百多。另外需要指出的是此款加速器推荐有礼,如推荐下线,有积累积分可以换VIP。宣传推广也有佣金可收15%,当然前提是你有网站博客空间等。
网络游戏:可以支持美国,香港,日本等地网络游戏,支持暗黑破坏神3,混沌与秩序等
2、鲨鱼加速器使用:
提示:如不特殊标注,所有线路均支持PPTP以及L2TP连接模式,L2TP密钥为shayu,有需要者可自行设置。如PPTP连接不上请尝试使用L2TP模式连接。
免费线路(共3条)
线路名称 说明 服务器地址 线路状态
免费美国线路01 100M带宽,禁BT下载,支持PPTP、L2TP模式 108.166.200.128 拥挤
免费美国线路02 100M带宽,禁BT下载,支持PPTP、L2TP模式 108.166.200.48 拥挤
免费美国线路03 100M带宽,禁BT下载,支持PPTP、L2TP模式 198.148.112.172 拥挤
VIP美国线路02 1000M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路03 1000M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路04 1000M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路05 1000M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路06 1000M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路07 100M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路08 100M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路09 100M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路10 100M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路11 100M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP美国线路12 100M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP香港线路01 网页及游戏专用,禁下载、禁视频,支持PPTP、L2TP模式 VIP会员可查看 正常
VIP日本线路01 100M带宽,禁BT下载,支持PPTP、L2TP模式 VIP会员可查看 正常
The Tor 0.2.3 release series is dedicated to the memory of Len “rabbi”
Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher,
Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer,
programmer, and friend. Unstinting in his dedication to the cause of
freedom, he inspired and helped many of us as we began our work on
anonymity, and inspires us still. Please honor his memory by writing
software to protect people’s freedoms, and by helping others to do so.
Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features
significantly reduced directory overhead (via microdescriptors),
enormous crypto performance improvements for fast relays on new
enough hardware, a new v3 TLS handshake protocol that can better
resist fingerprinting, support for protocol obfuscation plugins (aka
pluggable transports), better scalability for hidden services, IPv6
support for bridges, performance improvements like allowing clients
to skip the first round-trip on the circuit (“optimistic data”) and
refilling token buckets more often, a new “stream isolation” design
to isolate different applications on different circuits, and many
stability, security, and privacy fixes.
(I apologize for the delay in announcing the release to this list:
I was waiting for the Tor Browser Bundles with it to stabilize a bit,
but with the new integration to Firefox 17, it’s become clear that TBB
will be in flux a while more.)
https://www.torproject.org/download/download
Changes in version 0.2.3.25 – 2012-11-19
Major features (v3 directory protocol):
– Clients now use microdescriptors instead of regular descriptors
to build circuits. Microdescriptors are authority-generated
summaries of regular descriptors’ contents, designed to change very
rarely (see proposal 158 for details). This feature is designed
to save bandwidth, especially for clients on slow internet
connections. Use “UseMicrodescriptors 0″ to disable it.
– Caches now download, cache, and serve microdescriptors, as well
as multiple “flavors” of the consensus, including a flavor that
describes microdescriptors.
o Major features (build hardening):
– Enable gcc and ld hardening by default. Resolves ticket 5210.
o Major features (relay scaling):
– When built to use OpenSSL 1.0.1, and built for an x86 or x86_64
instruction set, take advantage of OpenSSL’s AESNI, bitsliced, or
vectorized AES implementations as appropriate. These can be much,
much faster than other AES implementations.
– When using OpenSSL 1.0.0 or later, use OpenSSL’s counter mode
implementation. It makes AES_CTR about 7% faster than our old one
(which was about 10% faster than the one OpenSSL used to provide).
Resolves ticket 4526.
– Use OpenSSL’s EVP interface for AES encryption, so that all AES
operations can use hardware acceleration (if present). Resolves
ticket 4442.
– Unconditionally use OpenSSL’s AES implementation instead of our
old built-in one. OpenSSL’s AES has been better for a while, and
relatively few servers should still be on any version of OpenSSL
that doesn’t have good optimized assembly AES.
o Major features (blocking resistance):
– Update TLS cipher list to match Firefox 8 and later. Resolves
ticket 4744.
– Remove support for clients falsely claiming to support standard
ciphersuites that they can actually provide. As of modern OpenSSL
versions, it’s not necessary to fake any standard ciphersuite,
and doing so prevents us from using better ciphersuites in the
future, since servers can’t know whether an advertised ciphersuite
is really supported or not. Some hosts — notably, ones with very
old versions of OpenSSL or where OpenSSL has been built with ECC
disabled — will stand out because of this change; TBB users should
not be affected. Implements the client side of proposal 198.
– Implement a new handshake protocol (v3) for authenticating Tors to
each other over TLS. It should be more resistant to fingerprinting
than previous protocols, and should require less TLS hacking for
future Tor implementations. Implements proposal 176.
– Allow variable-length padding cells, to disguise the length of
Tor’s TLS records. Implements part of proposal 184.
– While we’re trying to bootstrap, record how many TLS connections
fail in each state, and report which states saw the most failures
in response to any bootstrap failures. This feature may speed up
diagnosis of censorship events. Implements ticket 3116.
o Major features (pluggable transports):
– Clients and bridges can now be configured to use a separate
“transport” proxy. This approach makes the censorship arms race
easier by allowing bridges to use protocol obfuscation plugins.
Implements proposal 180 (tickets 2841 and 3472).
o Major features (DoS resistance):
– Now that Tor 0.2.0.x is completely deprecated, enable the final
part of “Proposal 110: Avoiding infinite length circuits” by
refusing all circuit-extend requests that do not use a relay_early
cell. This change helps Tor resist a class of denial-of-service
attacks by limiting the maximum circuit length.
– Tear down the circuit if we get an unexpected SENDME cell. Clients
could use this trick to make their circuits receive cells faster
than our flow control would have allowed, or to gum up the network,
or possibly to do targeted memory denial-of-service attacks on
entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor –
from July 2002, before the release of Tor 0.0.0.
o Major features (hidden services):
– Adjust the number of introduction points that a hidden service
will try to maintain based on how long its introduction points
remain in use and how many introductions they handle. Fixes
part of bug 3825.
– Add a “tor2web mode” for clients that want to connect to hidden
services non-anonymously (and possibly more quickly). As a safety
measure to try to keep users from turning this on without knowing
what they are doing, tor2web mode must be explicitly enabled at
compile time, and a copy of Tor compiled to run in tor2web mode
cannot be used as a normal Tor client. Implements feature 2553.
o Major features (IPv6):
– Clients can now connect to private bridges over IPv6. Bridges
still need at least one IPv4 address in order to connect to
other relays. Note that we don’t yet handle the case where the
user has two bridge lines for the same bridge (one IPv4, one
IPv6). Implements parts of proposal 186.
o Major features (directory authorities):
– Use a more secure consensus parameter voting algorithm. Now at
least three directory authorities or a majority of them must
vote on a given parameter before it will be included in the
consensus. Implements proposal 178.
– Remove the artificially low cutoff of 20KB to guarantee the Fast
flag. In the past few years the average relay speed has picked
up, and while the “top 7/8 of the network get the Fast flag” and
“all relays with 20KB or more of capacity get the Fast flag” rules
used to have the same result, now the top 7/8 of the network has
a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489.
o Major features (performance):
– Exit nodes now accept and queue data on not-yet-connected streams.
Previously, the client wasn’t allowed to send data until the
stream was connected, which slowed down all connections. This
change will enable clients to perform a “fast-start” on streams
and send data without having to wait for a confirmation that the
stream has opened. Patch from Ian Goldberg; implements the server
side of Proposal 174.
– When using an exit relay running 0.2.3.x, clients can now
“optimistically” send data before the exit relay reports that
the stream has opened. This saves a round trip when starting
connections where the client speaks first (such as web browsing).
This behavior is controlled by a consensus parameter (currently
disabled). To turn it on or off manually, use the “OptimisticData”
torrc option. Implements proposal 181; code by Ian Goldberg.
– Add a new TokenBucketRefillInterval option to refill token buckets
more frequently than once per second. This should improve network
performance, alleviate queueing problems, and make traffic less
bursty. Implements proposal 183; closes ticket 3630. Design by
Florian Tschorsch and Björn Scheuermann; implementation by
Florian Tschorsch.
– Raise the threshold of server descriptors needed (75%) and exit
server descriptors needed (50%) before we will declare ourselves
bootstrapped. This will make clients start building circuits a
little later, but makes the initially constructed circuits less
skewed and less in conflict with further directory fetches. Fixes
ticket 3196.
o Major features (relays):
– Relays now try regenerating and uploading their descriptor more
frequently if they are not listed in the consensus, or if the
version of their descriptor listed in the consensus is too
old. This fix should prevent situations where a server declines
to re-publish itself because it has done so too recently, even
though the authorities decided not to list its recent-enough
descriptor. Fix for bug 3327.
o Major features (stream isolation):
– You can now configure Tor so that streams from different
applications are isolated on different circuits, to prevent an
attacker who sees your streams as they leave an exit node from
linking your sessions to one another. To do this, choose some way
to distinguish the applications: have them connect to different
SocksPorts, or have one of them use SOCKS4 while the other uses
SOCKS5, or have them pass different authentication strings to the
SOCKS proxy. Then, use the new SocksPort syntax to configure the
degree of isolation you need. This implements Proposal 171.
– There’s a new syntax for specifying multiple client ports (such as
SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare
multiple *Port entries with full addr:port syntax on each.
The old *ListenAddress format is still supported, but you can’t
mix it with the new *Port syntax.
o Major features (bufferevents):
– Tor can now optionally build with the “bufferevents” buffered IO
backend provided by Libevent 2. To use this feature, make sure you
have the latest possible version of Libevent, and pass the
–enable-bufferevents flag to configure when building Tor from
source. This feature will make our networking code more flexible,
let us stack layers on each other, and let us use more efficient
zero-copy transports where available.
– Add experimental support for running on Windows with IOCP and no
kernel-space socket buffers. This feature is controlled by a new
“UserspaceIOCPBuffers” config option (off by default), which has
no effect unless Tor has been built with bufferevents enabled,
you’re running on Windows, and you’ve set “DisableIOCP 0″. In the
long run, this may help solve or mitigate bug 98.
o Major features (path selection):
– The EntryNodes option can now include country codes like {de} or IP
addresses or network masks. Previously we had disallowed these
options because we didn’t have an efficient way to keep the list up
to date. Addresses ticket 1982, but see bug 2798 for an unresolved
issue here.
o Major features (port forwarding):
– Add support for automatic port mapping on the many home routers
that support NAT-PMP or UPnP. To build the support code, you’ll
need to have the libnatpnp library and/or the libminiupnpc library,
and you’ll need to enable the feature specifically by passing
“–enable-upnp” and/or “–enable-natpnp” to ./configure. To turn
it on, use the new PortForwarding option.
o Major features (logging):
– Add a new ‘Heartbeat’ log message type to periodically log a message
describing Tor’s status at level Notice. This feature is meant for
operators who log at notice, and want to make sure that their Tor
server is still working. Implementation by George Kadianakis.
– Make logging resolution configurable with a new LogTimeGranularity
option, and change the default from 1 millisecond to 1 second.
Implements enhancement 1668.
o Major features (other):
– New “DisableNetwork” config option to prevent Tor from launching any
connections or accepting any connections except on a control port.
Bundles and controllers can set this option before letting Tor talk
to the rest of the network, for example to prevent any connections
to a non-bridge address. Packages like Orbot can also use this
option to instruct Tor to save power when the network is off.
– Try to use system facilities for enumerating local interface
addresses, before falling back to our old approach (which was
binding a UDP socket, and calling getsockname() on it). That
approach was scaring OS X users whose draconian firewall
software warned about binding to UDP sockets regardless of
whether packets were sent. Now we try to use getifaddrs(),
SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
system supports. Resolves ticket 1827.
– Add experimental support for a “defaults” torrc file to be parsed
before the regular torrc. Torrc options override the defaults file’s
options in the same way that the command line overrides the torrc.
The SAVECONF controller command saves only those options which
differ between the current configuration and the defaults file. HUP
reloads both files. Implements task 4552.
o New directory authorities:
– Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
authority. Closes ticket 5749.
o Security/privacy fixes:
– Avoid read-from-freed-memory and double-free bugs that could occur
when a DNS request fails while launching it. Fixes bug 6480;
bugfix on 0.2.0.1-alpha.
– Reject any attempt to extend to an internal address. Without
this fix, a router could be used to probe addresses on an internal
network to see whether they were accepting connections. Fixes bug
6710; bugfix on 0.0.8pre1.
– Close any connection that sends unrecognized junk before the TLS
handshake. Solves an issue noted in bug 4369.
– The advertised platform of a relay now includes only its operating
system’s name (e.g., “Linux”, “Darwin”, “Windows 7″), and not
its service pack level (for Windows) or its CPU architecture
(for Unix). Also drop the “git-XYZ” tag in the version. Packagers
can insert an extra string in the platform line by setting the
preprocessor variable TOR_BUILD_TAG. Resolves bug 2988.
– Disable TLS session tickets. OpenSSL’s implementation was giving
our TLS session keys the lifetime of our TLS context objects, when
perfect forward secrecy would want us to discard anything that
could decrypt a link connection as soon as the link connection
was closed. Fixes bug 7139; bugfix on all versions of Tor linked
against OpenSSL 1.0.0 or later. Found by Florent Daignière.
– Tor tries to wipe potentially sensitive data after using it, so
that if some subsequent security failure exposes Tor’s memory,
the damage will be limited. But we had a bug where the compiler
was eliminating these wipe operations when it decided that the
memory was no longer visible to a (correctly running) program,
hence defeating our attempt at defense in depth. We fix that
by using OpenSSL’s OPENSSL_cleanse() operation, which a compiler
is unlikely to optimize away. Future versions of Tor may use
a less ridiculously heavy approach for this. Fixes bug 7352.
Reported in an article by Andrey Karpov.
o Major bugfixes (crashes and asserts):
– Avoid a pair of double-free and use-after-mark bugs that can
occur with certain timings in canceled and re-received DNS
requests. Fixes bug 6472; bugfix on 0.0.7rc1.
– Fix a denial of service attack by which any directory authority
could crash all the others, or by which a single v2 directory
authority could crash everybody downloading v2 directory
information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
– Fix an assert that directory authorities could trigger on sighup
during some configuration state transitions. We now don’t treat
it as a fatal error when the new descriptor we just generated in
init_keys() isn’t accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha.
– Avoid segfault when starting up having run with an extremely old
version of Tor and parsing its state file. Fixes bug 6801; bugfix
on 0.2.2.23-alpha.
o Major bugfixes (clients):
– If we are unable to find any exit that supports our predicted ports,
stop calling them predicted, so that we don’t loop and build
hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6,
which introduced predicted ports.
– Check at each new consensus whether our entry guards were picked
long enough ago that we should rotate them. Previously, we only
did this check at startup, which could lead to us holding a guard
indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc.
– When fetching a bridge descriptor from a bridge authority,
always do so anonymously, whether we have been able to open
circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha.
This behavior makes it *safer* to use UpdateBridgesFromAuthority,
but we’ll need to wait for bug 6010 before it’s actually usable.
o Major bugfixes (directory voting):
– Check more thoroughly to prevent a rogue authority from
double-voting on any consensus directory parameter. Previously,
authorities would crash in this case if the total number of
votes for any parameter exceeded the number of active voters,
but would let it pass otherwise. Partially fixes bug 5786; bugfix
on 0.2.2.2-alpha.
– When computing weight parameters, behave more robustly in the
presence of a bad bwweightscale value. Previously, the authorities
would crash if they agreed on a sufficiently broken weight_scale
value; now, they use a reasonable default and carry on. Fixes the
rest of bug 5786; bugfix on 0.2.2.17-alpha.
– If authorities are unable to get a v2 consensus document from other
directory authorities, they no longer fall back to fetching
them from regular directory caches. Fixes bug 5635; bugfix on
0.2.2.26-beta, where routers stopped downloading v2 consensus
documents entirely.
o Major bugfixes (relays):
– Fix a bug handling SENDME cells on nonexistent streams that could
result in bizarre window values. Report and patch contributed
pseudonymously. Fixes part of bug 6271. This bug was introduced
before the first Tor release, in svn commit r152.
– Don’t update the AccountingSoftLimitHitAt state file entry whenever
tor gets started. This prevents a wrong average bandwidth
estimate, which would cause relays to always start a new accounting
interval at the earliest possible moment. Fixes bug 2003; bugfix
on 0.2.2.7-alpha. Reported by Bryon Eldridge, who also helped
immensely in tracking this bug down.
– Fix a possible crash bug when checking for deactivated circuits
in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
– Set the SO_REUSEADDR socket option before we call bind() on outgoing
connections. This change should allow busy exit relays to stop
running out of available sockets as quickly. Fixes bug 4950;
bugfix on 0.2.2.26-beta.
o Major bugfixes (blocking resistance):
– Bridges no longer include their address in NETINFO cells on outgoing
OR connections, to allow them to blend in better with clients.
Removes another avenue for enumerating bridges. Reported by
“troll_un”. Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO
cells were introduced.
– Warn the user when HTTPProxy, but no other proxy type, is
configured. This can cause surprising behavior: it doesn’t send
all of Tor’s traffic over the HTTPProxy — it sends unencrypted
directory traffic only. Resolves ticket 4663.
o Major bugfixes (hidden services):
– Improve hidden service robustness: when an attempt to connect to
a hidden service ends, be willing to refetch its hidden service
descriptors from each of the HSDir relays responsible for them
immediately. Previously, we would not consider refetching the
service’s descriptors from each HSDir for 15 minutes after the last
fetch, which was inconvenient if the hidden service was not running
during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335.
– Hidden services now ignore the timestamps on INTRODUCE2 cells.
They used to check that the timestamp was within 30 minutes
of their system clock, so they could cap the size of their
replay-detection cache, but that approach unnecessarily refused
service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when
the v3 intro-point protocol (the first one which sent a timestamp
field in the INTRODUCE2 cell) was introduced; fixes bug 3460.
– When one of a hidden service’s introduction points appears to be
unreachable, stop trying it. Previously, we would keep trying
to build circuits to the introduction point until we lost the
descriptor, usually because the user gave up and restarted Tor.
Fixes part of bug 3825.
o Changes to default torrc file:
– Stop listing “socksport 9050″ in torrc.sample. We open a socks
port on 9050 by default anyway, so this should not change anything
in practice.
– Stop mentioning the deprecated *ListenAddress options in
torrc.sample. Fixes bug 5438.
– Document unit of bandwidth-related options in sample torrc.
Fixes bug 5621.
– Fix broken URLs in the sample torrc file, and tell readers about
the OutboundBindAddress, ExitPolicyRejectPrivate, and
PublishServerDescriptor options. Addresses bug 4652.
o Minor features (directory authorities):
– Consider new, removed or changed IPv6 OR ports a non-cosmetic
change when the authority is deciding whether to accept a newly
uploaded descriptor. Implements ticket 6423.
– Directory authorities are now a little more lenient at accepting
older router descriptors, or newer router descriptors that don’t
make big changes. This should help ameliorate past and future
issues where routers think they have uploaded valid descriptors,
but the authorities don’t think so. Fix for ticket 2479.
– Authority operators can now vote for all relays in a given
set of countries to be BadDir/BadExit/Invalid/Rejected.
– Provide two consensus parameters (FastFlagMinThreshold and
FastFlagMaxThreshold) to control the range of allowable bandwidths
for the Fast directory flag. These allow authorities to run
experiments on appropriate requirements for being a “Fast” node.
The AuthDirFastGuarantee config value still applies. Implements
ticket 3946.
o Minor features (bridges / bridge authorities):
– Make bridge SSL certificates a bit more stealthy by using random
serial numbers, in the same fashion as OpenSSL when generating
self-signed certificates. Implements ticket 4584.
– Tag a bridge’s descriptor as “never to be sent unencrypted”.
This shouldn’t matter, since bridges don’t open non-anonymous
connections to the bridge authority and don’t allow unencrypted
directory connections from clients, but we might as well make
sure. Closes bug 5139.
– The Bridge Authority now writes statistics on how many bridge
descriptors it gave out in total, and how many unique descriptors
it gave out. It also lists how often the most and least commonly
fetched descriptors were given out, as well as the median and
25th/75th percentile. Implements tickets 4200 and 4294.
o Minor features (IPv6):
– Make the code that clients use to detect an address change be
IPv6-aware, so that it won’t fill clients’ logs with error
messages when trying to get the IPv4 address of an IPv6
connection. Implements ticket 5537.
– Relays now understand an IPv6 address when they get one from a
directory server. Resolves ticket 4875.
o Minor features (hidden services):
– Expire old or over-used hidden service introduction points.
Required by fix for bug 3460.
– Reduce the lifetime of elements of hidden services’ Diffie-Hellman
public key replay-detection cache from 60 minutes to 5 minutes. This
replay-detection cache is now used only to detect multiple
INTRODUCE2 cells specifying the same rendezvous point, so we can
avoid launching multiple simultaneous attempts to connect to it.
– When a hidden service’s introduction point times out, consider
trying it again during the next attempt to connect to the
HS. Previously, we would not try it again unless a newly fetched
descriptor contained it. Required by fixes for bugs 1297 and 3825.
o Minor features (relays):
– Relays now include a reason for regenerating their descriptors
in an HTTP header when uploading to the authorities. This will
make it easier to debug descriptor-upload issues in the future.
– Turn on directory request statistics by default and include them in
extra-info descriptors. Don’t break if we have no GeoIP database.
– Replace files in stats/ rather than appending to them. Now that we
include statistics in extra-info descriptors, it makes no sense to
keep old statistics forever. Implements ticket 2930.
– Relays that set “ConnDirectionStatistics 1″ write statistics on the
bidirectional use of connections to disk every 24 hours.
– Add a GeoIP file digest to the extra-info descriptor. Implements
ticket 1883.
o Minor features (new config options):
– New config option “DynamicDHGroups” (disabled by default) provides
each bridge with a unique prime DH modulus to be used during
SSL handshakes. This option attempts to help against censors
who might use the Apache DH modulus as a static identifier for
bridges. Addresses ticket 4548.
– New config option “DisableDebuggerAttachment” (on by default)
to prevent basic debugging attachment attempts by other processes.
Supports Mac OS X and Gnu/Linux. Resolves ticket 3313.
– Ordinarily, Tor does not count traffic from private addresses (like
127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting.
There is now a new option, CountPrivateBandwidth, to disable this
behavior. Patch from Daniel Cagara.
o Minor features (different behavior for old config options):
– Allow MapAddress directives to specify matches against super-domains,
as in “MapAddress *.torproject.org *.torproject.org.torserver.exit”.
Implements issue 933.
– Don’t disable the DirPort when we cannot exceed our AccountingMax
limit during this interval because the effective bandwidthrate is
low enough. This is useful in a situation where AccountMax is only
used as an additional safeguard or to provide statistics.
– Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri;
implements ticket 3439.
– When configuring a large set of nodes in EntryNodes, and there are
enough of them listed as Guard so that we don’t need to consider
the non-guard entries, prefer the ones listed with the Guard flag.
– If you set the NumCPUs option to 0, Tor will now try to detect how
many CPUs you have. This is the new default behavior.
– The NodeFamily option — which let you declare that you want to
consider nodes to be part of a family whether they list themselves
that way or not — now allows IP address ranges and country codes.
o Minor features (new command-line config behavior):
– Slightly change behavior of “list” options (that is, config
options that can appear more than once) when they appear both in
torrc and on the command line. Previously, the command-line options
would be appended to the ones from torrc. Now, the command-line
options override the torrc options entirely. This new behavior
allows the user to override list options (like exit policies and
ports to listen on) from the command line, rather than simply
appending to the list.
– You can get the old (appending) command-line behavior for “list”
options by prefixing the option name with a “+”.
– You can remove all the values for a “list” option from the command
line without adding any new ones by prefixing the option name
with a “/”.
o Minor features (controller, new events):
– Extend the control protocol to report flags that control a circuit’s
path selection in CIRC events and in replies to ‘GETINFO
circuit-status’. Implements part of ticket 2411.
– Extend the control protocol to report the hidden service address
and current state of a hidden-service-related circuit in CIRC
events and in replies to ‘GETINFO circuit-status’. Implements part
of ticket 2411.
– Include the creation time of a circuit in CIRC and CIRC2
control-port events and the list produced by the ‘GETINFO
circuit-status’ control-port command.
– Add a new CONF_CHANGED event so that controllers can be notified
of any configuration changes made by other controllers, or by the
user. Implements ticket 1692.
– Add a new SIGNAL event to the controller interface so that
controllers can be notified when Tor handles a signal. Resolves
issue 1955. Patch by John Brooks.
o Minor features (controller, new getinfo options):
– Expose our view of whether we have gone dormant to the controller,
via a new “GETINFO dormant” value. Torbutton and other controllers
can use this to avoid doing periodic requests through Tor while
it’s dormant (bug 4718). Resolves ticket 5954.
– Add a new GETINFO option to get total bytes read and written. Patch
from pipe, revised by atagar. Resolves ticket 2345.
– Implement new GETINFO controller fields to provide information about
the Tor process’s pid, euid, username, and resource limits.
o Minor features (controller, other):
– Allow controllers to request an event notification whenever a
circuit is cannibalized or its purpose is changed. Implements
part of ticket 3457.
– Use absolute path names when reporting the torrc filename in the
control protocol, so a controller can more easily find the torrc
file. Resolves bug 1101.
– When reporting the path to the cookie file to the controller,
give an absolute path. Resolves ticket 4881.
o Minor features (log messages):
– Add more information to a log statement that might help track down
bug 4091. If you’re seeing “Bug: tor_addr_is_internal() called with a
non-IP address” messages (or any Bug messages, for that matter!),
please let us know about it.
– If EntryNodes are given, but UseEntryGuards is set to 0, warn that
EntryNodes will have no effect. Resolves issue 2571.
– Try to make the introductory warning message that Tor prints on
startup more useful for actually finding help and information.
Resolves ticket 2474.
– When the system call to create a listener socket fails, log the
error message explaining why. This may help diagnose bug 4027.
o Minor features (other):
– When we fail to initialize Libevent, retry with IOCP disabled so we
don’t need to turn on multi-threading support in Libevent, which in
turn requires a working socketpair(). This is a workaround for bug
4457, which affects Libevent versions from 2.0.1-alpha through
2.0.15-stable.
– When starting as root and then changing our UID via the User
control option, and we have a ControlSocket configured, make sure
that the ControlSocket is owned by the same account that Tor will
run under. Implements ticket 3421; fix by Jérémy Bobbio.
– Accept attempts to include a password authenticator in the
handshake, as supported by SOCKS5. This handles SOCKS clients that
don’t know how to omit a password when authenticating. Resolves
bug 1666.
– Check for and recover from inconsistency in the microdescriptor
cache. This will make it harder for us to accidentally free a
microdescriptor without removing it from the appropriate data
structures. Fixes issue 3135; issue noted by “wanoskarnet”.
– Shorten links in the tor-exit-notice file. Patch by Christian Kujau.
o Minor bugfixes (code security):
– Prevent a null-pointer dereference when receiving a data cell
for a nonexistent stream when the circuit in question has an
empty deliver window. We don’t believe this is triggerable,
since we don’t currently allow deliver windows to become empty,
but the logic is tricky enough that it’s better to make the code
robust. Fixes bug 5541; bugfix on 0.0.2pre14.
– Fix a (harmless) integer overflow in cell statistics reported by
some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha.
– Fix our implementation of crypto_random_hostname() so it can’t
overflow on ridiculously large inputs. (No Tor version has ever
provided this kind of bad inputs, but let’s be correct in depth.)
Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer.
– Add a (probably redundant) memory clear between iterations of
the router status voting loop, to prevent future coding errors
where data might leak between iterations of the loop. Resolves
ticket 6514.
o Minor bugfixes (wrapper functions):
– Abort if tor_vasprintf() fails in connection_printf_to_buf() (a
utility function used in the control-port code). This shouldn’t
ever happen unless Tor is completely out of memory, but if it did
happen and Tor somehow recovered from it, Tor could have sent a log
message to a control port in the middle of a reply to a controller
command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha.
– Fix some (not actually triggerable) buffer size checks in usage of
tor_inet_ntop(). Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch
by Anders Sundman.
– Fix parsing of some corner-cases with tor_inet_pton(). Fixes
bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman.
– Enforce correct return behavior of tor_vsscanf() when the ‘%%’
pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13.
– Make our replacement implementation of strtok_r() compatible with
the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091;
bugfix on 0.2.2.1-alpha.
– Find more places in the code that should have been testing for
invalid sockets using the SOCKET_OK macro. Required for a fix
for bug 4533. Bugfix on 0.2.2.28-beta.
o Minor bugfixes (code correctness):
– Check return value of fputs() when writing authority certificate
file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
– When building Tor on Windows with -DUNICODE (not default), ensure
that error messages, filenames, and DNS server names are always
NUL-terminated when we convert them to a single-byte encoding.
Fixes bug 5909; bugfix on 0.2.2.16-alpha.
– Fix a memory leak when trying to launch a DNS request when the
nameservers are unconfigurable. Fixes bug 5916; bugfix on Tor
0.1.2.1-alpha.
– Correct file sizes when reading binary files on Cygwin, to avoid
a bug where Tor would fail to read its state file. Fixes bug 6844;
bugfix on 0.1.2.7-alpha.
– Make sure to set *socket_error in all error cases in
connection_connect(), so it can’t produce a warning about
errno being zero from errno_to_orconn_end_reason(). Bugfix on
0.2.1.1-alpha; resolves ticket 6028.
– Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes
bug 4532; found by “troll_un”.
o Minor bugfixes (clients):
– Allow one-hop directory-fetching circuits the full “circuit build
timeout” period, rather than just half of it, before failing them
and marking the relay down. This fix should help reduce cases where
clients declare relays (or worse, bridges) unreachable because
the TLS handshake takes a few seconds to complete. Fixes bug 6743;
bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
30 seconds.
– Ensure we don’t cannibalize circuits that are longer than three hops
already, so we don’t end up making circuits with 5 or more
hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on
0.1.0.1-rc which introduced cannibalization.
o Minor bugfixes (relays):
– Don’t publish a new relay descriptor when we reload our onion key,
unless the onion key has actually changed. Fixes bug 3263 and
resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha.
– When relays refuse a “create” cell because their queue of pending
create cells is too big (typically because their cpu can’t keep up
with the arrival rate), send back reason “resource limit” rather
than reason “internal”, so network measurement scripts can get a
more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
– Exit nodes don’t need to fetch certificates for authorities that
they don’t recognize; only directory authorities, bridges,
and caches need to do that. Fixes part of bug 2297; bugfix on
0.2.2.11-alpha.
o Minor bugfixes (directory authority / mirrors):
– Avoid O(n^2) performance characteristics when parsing a large
extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha.
– Authorities no longer include any router in their microdescriptor
consensuses for which they couldn’t generate or agree on a
microdescriptor. Fixes the second piece of bug 6404; fix on
0.2.2.6-alpha.
– When checking for requested signatures on the latest consensus
before serving it to a client, make sure to check the right
consensus flavor. Bugfix on 0.2.2.6-alpha.
– Fix an edge case where TestingTorNetwork is set but the authorities
and relays all have an uptime of zero, so the private Tor network
could briefly lack support for hidden services. Fixes bug 3886;
bugfix on 0.2.2.18-alpha.
– Directory caches no longer refuse to clean out descriptors because
of missing v2 networkstatus documents, unless they’re configured
to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on
0.2.2.26-beta. Patch by Daniel Bryg.
– Don’t serve or accept v2 hidden service descriptors over a relay’s
DirPort. It’s never correct to do so, and disabling it might
make it more annoying to exploit any bugs that turn up in the
descriptor-parsing code. Fixes bug 7149.
o Minor bugfixes (hidden services, client-side):
– Assert that hidden-service-related operations are not performed
using single-hop circuits. Previously, Tor would assert that
client-side streams are not attached to single-hop circuits,
but not that other sensitive operations on the client and service
side are not performed using single-hop circuits. Fixes bug 3332;
bugfix on 0.0.6.
– Avoid undefined behaviour when parsing the list of supported
rendezvous/introduction protocols in a hidden service descriptor.
Previously, Tor would have confused (as-yet-unused) protocol version
numbers greater than 32 with lower ones on many platforms. Fixes
bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
– Don’t close hidden service client circuits which have almost
finished connecting to their destination when they reach
the normal circuit-build timeout. Previously, we would close
introduction circuits which are waiting for an acknowledgement
from the introduction point, and rendezvous circuits which have
been specified in an INTRODUCE1 cell sent to a hidden service,
after the normal CBT. Now, we mark them as ‘timed out’, and launch
another rendezvous attempt in parallel. This behavior change can
be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha.
o Minor bugfixes (hidden services, service-side):
– Don’t close hidden-service-side rendezvous circuits when they
reach the normal circuit-build timeout. This behaviour change can
be disabled using the new
CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
remaining part of bug 1297; bugfix on 0.2.2.2-alpha.
– Don’t launch more than 10 service-side introduction-point circuits
for a hidden service in five minutes. Previously, we would consider
launching more introduction-point circuits if at least one second
had passed without any introduction-point circuits failing. Fixes
bug 4607; bugfix on 0.0.7pre1.
o Minor bugfixes (config option behavior):
– If the user tries to set MyFamily on a bridge, refuse to
do so, and warn about the security implications. Fixes bug 4657;
bugfix on 0.2.0.3-alpha.
– The “–quiet” and “–hush” options now apply not only to Tor’s
behavior before logs are configured, but also to Tor’s behavior in
the absense of configured logs. Fixes bug 3550; bugfix on
0.2.0.10-alpha.
– Change the AllowDotExit rules so they should actually work.
We now enforce AllowDotExit only immediately after receiving an
address via SOCKS or DNSPort: other sources are free to provide
.exit addresses after the resolution occurs. Fixes bug 3940;
bugfix on 0.2.2.1-alpha.
– Make “LearnCircuitBuildTimeout 0″ work more reliably. Specifically,
don’t depend on the consensus parameters or compute adaptive
timeouts when it is disabled. Fixes bug 5049; bugfix on
0.2.2.14-alpha.
– After we pick a directory mirror, we would refuse to use it if
it’s in our ExcludeExitNodes list, resulting in mysterious failures
to bootstrap for people who just wanted to avoid exiting from
certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha.
– When told to add a bridge with the same digest as a preexisting
bridge but a different addr:port, change the addr:port as
requested. Previously we would not notice the change. Fixes half
of bug 5603; fix on 0.2.2.26-beta.
o Minor bugfixes (controller):
– Allow manual ‘authenticate’ commands to the controller interface
from netcat (nc) as well as telnet. We were rejecting them because
they didn’t come with the expected whitespace at the end of the
command. Bugfix on 0.1.1.1-alpha; fixes bug 2893.
– Report a real bootstrap problem to the controller on router
identity mismatch. Previously we just said “foo”, which probably
made a lot of sense at the time. Fixes bug 4169; bugfix on
0.2.1.1-alpha.
– When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP
option is set to 0 (which Vidalia version 0.2.16 now does when
a SAVECONF attempt fails), perform other actions that SIGHUP
usually causes (like reopening the logs). Fixes bug 5095; bugfix
on 0.2.1.9-alpha.
– Correctly handle checking the permissions on the parent
directory of a control socket in the root directory. Bug found
by Esteban Manchado Velázquez. Fixes bug 5089; bugfix on Tor
0.2.2.26-beta.
– End AUTHCHALLENGE error messages (in the control protocol) with
a CRLF. Fixes bug 5760; bugfix on 0.2.2.36.
o Minor bugfixes (network reading/writing):
– Disable writing on marked-for-close connections when they are
blocked on bandwidth, to prevent busy-looping in Libevent. Fixes
bug 5263; bugfix on 0.0.2pre13, where we first added a special
case for flushing marked connections.
– Make sure that there are no unhandled pending TLS errors before
reading from a TLS stream. We had checks in 0.1.0.3-rc, but
lost them in 0.1.0.5-rc when we refactored read_to_buf_tls().
Bugfix on 0.1.0.5-rc; fixes bug 4528.
– Detect SSL handshake even when the initial attempt to write the
server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha.
– If the client fails to set a reasonable set of ciphersuites
during its v2 handshake renegotiation, allow the renegotiation to
continue nevertheless (i.e. send all the required certificates).
Fixes bug 4591; bugfix on 0.2.0.20-rc.
o Minor bugfixes (other):
– Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as
resource exhaustion, so that clients can adjust their load to
try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which
started using END_STREAM_REASON_RESOURCELIMIT.
– Don’t check for whether the address we’re using for outbound
connections has changed until after the outbound connection has
completed. On Windows, getsockname() doesn’t succeed until the
connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha.
– Don’t hold a Windows file handle open for every file mapping;
the file mapping handle is sufficient. Fixes bug 5951; bugfix on
0.1.2.1-alpha.
– Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
bugfix on 0.2.1.10-alpha.
– If we fail to write a microdescriptor to the disk cache, do not
continue replacing the old microdescriptor file. Fixes bug 2954;
bugfix on 0.2.2.6-alpha.
o Minor bugfixes (log messages, path selection):
– Downgrade “set buildtimeout to low value” messages to “info”
severity; they were never an actual problem, there was never
anything reasonable to do about them, and they tended to spam logs
from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha.
– Rate-limit the “Weighted bandwidth is 0.000000″ message, and add
more information to it, so that we can track it down in case it
returns again. Mitigates bug 5235.
– Check CircuitBuildTimeout and LearnCircuitBuildTimeout in
options_validate(); warn if LearnCircuitBuildTimeout is disabled and
CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452.
– Issue a log message if a guard completes less than 40% of your
circuits. Threshold is configurable by torrc option
PathBiasNoticeRate and consensus parameter pb_noticepct. There is
additional, off-by-default code to disable guards which fail too
many circuits. Addresses ticket 5458.
o Minor bugfixes (log messages, client):
– Downgrade “Got a certificate, but we already have it” log messages
from warning to info, except when we’re a dirauth. Fixes bug 5238;
bugfix on 0.2.1.7-alpha.
– Fix the log message describing how we work around discovering
that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug
4837; bugfix on 0.2.2.9-alpha.
– When logging about a disallowed .exit name, do not also call it
an “invalid onion address”. Fixes bug 3325; bugfix on 0.2.2.9-alpha.
– Fix a log message suggesting that people contact a non-existent
email address. Fixes bug 3448.
– Rephrase the log message emitted if the TestSocks check is
successful. Patch from Fabian Keil; fixes bug 4094.
– Log (at debug level) whenever a circuit’s purpose is changed.
– Log SSL state transitions at log level DEBUG, log domain
HANDSHAKE. This can be useful for debugging censorship events.
Implements ticket 3264.
– We now log which torrc file we’re using on startup. Implements
ticket 2444.
– Rate-limit log messages when asked to connect anonymously to
a private address. When these hit, they tended to hit fast and
often. Also, don’t bother trying to connect to addresses that we
are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory
reply makes us think we have been lied to, even when the address the
client tried to connect to was “localhost.” Resolves ticket 2822.
o Minor bugfixes (log messages, non-client):
– Downgrade “eventdns rejected address” message to LOG_PROTOCOL_WARN.
Fixes bug 5932; bugfix on 0.2.2.7-alpha.
– Don’t log that we have “decided to publish new relay descriptor”
unless we are actually publishing a descriptor. Fixes bug 3942;
bugfix on 0.2.2.28-beta.
– Log which authority we’re missing votes from when we go to fetch
them from the other auths.
– Replace “Sending publish request” log messages with “Launching
upload”, so that they no longer confusingly imply that we’re
sending something to a directory we might not even be connected
to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha.
– Warn when Tor is configured to use accounting in a way that can
link a hidden service to some other hidden service or public
address. Resolves ticket 6490.
– Fix a minor formatting issue in one of tor-gencert’s error messages.
Fixes bug 4574.
o Testing:
– Update to the latest version of the tinytest unit testing framework.
This includes a couple of bugfixes that can be relevant for
running forked unit tests on Windows, and removes all reserved
identifiers.
– Avoid a false positive in the util/threads unit test by increasing
the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha.
– Make it possible to set the TestingTorNetwork configuration
option using AlternateDirAuthority and AlternateBridgeAuthority
as an alternative to setting DirServer. Addresses ticket 6377.
– Add a unit test for the environment_variable_names_equal() function.
– A wide variety of new unit tests by Esteban Manchado Velázquez.
– Numerous new unit tests for functions in util.c and address.c by
Anders Sundman.
– The long-disabled benchmark tests are now split into their own
./src/test/bench binary.
– The benchmark tests can now use more accurate timers than
gettimeofday() when such timers are available.
– Use tt_assert(), not tor_assert(), for checking for test failures.
This makes the unit tests more able to go on in the event that
one of them fails.
o Build improvements:
– Use the dead_strip option when building Tor on OS X. This reduces
binary size by almost 19% when linking openssl and libevent
statically, which we do for Tor Browser Bundle.
– Provide a better error message about possible OSX Asciidoc failure
reasons. Fixes bug 6436.
– Detect attempts to build Tor on (as yet hypothetical) versions
of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial
fix for bug 4533. Bugfix on 0.2.2.28-beta.
– On Windows, we now define the _WIN32_WINNT macros only if they
are not already defined. This lets the person building Tor decide,
if they want, to require a later version of Windows.
– Our autogen.sh script now uses autoreconf to launch autoconf,
automake, and so on. This is more robust against some of the failure
modes associated with running the autotools pieces on their own.
– Running “make version” now displays the version of Tor that
we’re about to build. Idea from katmagic; resolves issue 4400.
– Make ‘tor –digests’ list hashes of all Tor source files. Bugfix
on 0.2.2.4-alpha; fixes bug 3427.
– New –enable-static-tor configure option for building Tor as
statically as possible. Idea, general hackery and thoughts from
Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket
2702.
– Limited, experimental support for building with nmake and MSVC.
o Build requirements:
– Building Tor with bufferevent support now requires Libevent
2.0.13-stable or later. Previous versions of Libevent had bugs in
SSL-related bufferevents and related issues that would make Tor
work badly with bufferevents. Requiring 2.0.13-stable also allows
Tor with bufferevents to take advantage of Libevent APIs
introduced after 2.0.8-rc.
– Our build system requires automake 1.6 or later to create the
Makefile.in files. Previously, you could have used 1.4.
This only affects developers and people building Tor from git;
people who build Tor from the source distribution without changing
the Makefile.am files should be fine.
– Detect when we try to build on a platform that doesn’t define
AF_UNSPEC to 0. We don’t work there, so refuse to compile.
o Build fixes (compile/link):
– Format more doubles with %f, not %lf. Patch from grarpamp to make
Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on
Tor 0.2.0.8-alpha.
– When building with –enable-static-tor on OpenBSD, do not
erroneously attempt to link -lrt. Fixes bug 5103.
– Set _WIN32_WINNT to 0×0501 consistently throughout the code, so
that IPv6 stuff will compile on MSVC, and compilation issues
will be easier to track down. Fixes bug 5861.
– Fix build and 64-bit compile warnings from –enable-openbsd-malloc.
Fixes bug 6379. Bugfix on 0.2.0.20-rc.
– Make Tor build correctly again with -DUNICODE -D_UNICODE defined.
Fixes bug 6097; bugfix on 0.2.2.16-alpha.
o Build fixes (other):
– Use the _WIN32 macro throughout our code to detect Windows.
(Previously we had used the obsolete ‘WIN32′ and the idiosyncratic
‘MS_WINDOWS’.)
– Properly handle the case where the build-tree is not the same
as the source tree when generating src/common/common_sha1.i,
src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953;
bugfix on 0.2.0.1-alpha.
– During configure, search for library containing cos function as
libm lives in libcore on some platforms (BeOS/Haiku). Linking
against libm was hard-coded before. Fixes the first part of bug
4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes
Pedersen.
– Prevent a false positive from the check-spaces script, by disabling
the “whitespace between function name and (” check for functions
named ‘op()’.
o Packaging (RPM) changes:
– Update our default RPM spec files to work with mock and rpmbuild
on RHEL/Fedora. They have an updated set of dependencies and
conflicts, a fix for an ancient typo when creating the “_tor”
user, and better instructions. Thanks to Ondrej Mikle for the
patch series. Fixes bug 6043.
– On OpenSUSE, create the /var/run/tor directory on startup if it
is not already created. Patch from Andreas Stieger. Fixes bug 2573.
o Code refactoring (safety):
– Do not use SMARTLIST_FOREACH for any loop whose body exceeds
10 lines. Also, don’t nest them. Doing so in the past has
led to hard-to-debug code. The new style is to use the
SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.
– Use macros to indicate OpenSSL versions, so we don’t need to worry
about accidental hexadecimal bit shifts.
– Use tor_sscanf() in place of scanf() in more places through the
code. This makes us a little more locale-independent, and
should help shut up code-analysis tools that can’t tell
a safe sscanf string from a dangerous one.
– Convert more instances of tor_snprintf+tor_strdup into tor_asprintf.
– Use the smartlist_add_asprintf() alias more consistently.
o Code refactoring (consolidate):
– A major revision to our internal node-selecting and listing logic.
Tor already had at least two major ways to look at the question of
“which Tor servers do we know about”: a list of router descriptors,
and a list of entries in the current consensus. With
microdescriptors, we’re adding a third. Having so many systems
without an abstraction layer over them was hurting the codebase.
Now, we have a new “node_t” abstraction that presents a consistent
interface to a client’s view of a Tor node, and holds (nearly) all
of the mutable state formerly in routerinfo_t and routerstatus_t.
– Move tor_gettimeofday_cached() into compat_libevent.c, and use
Libevent’s notion of cached time when possible.
– Remove duplicate code for invoking getrlimit() from control.c.
– Use OpenSSL’s built-in SSL_state_string_long() instead of our
own homebrewed ssl_state_to_string() replacement. Patch from
Emile Snyder. Fixes bug 4653.
– Change the symmetric cipher interface so that creating and
initializing a stream cipher are no longer separate functions.
o Code refactoring (separate):
– Make a new “entry connection” struct as an internal subtype of “edge
connection”, to simplify the code and make exit connections smaller.
– Split connection_about_to_close() into separate functions for each
connection type.
– Rewrite the listener-selection logic so that parsing which ports
we want to listen on is now separate from binding to the ports
we want.
o Code refactoring (name changes):
– Rename a handful of old identifiers, mostly related to crypto
structures and crypto functions. By convention, our “create an
object” functions are called “type_new()”, our “free an object”
functions are called “type_free()”, and our types indicate that
they are types only with a final “_t”. But a handful of older
types and functions broke these rules, with function names like
“type_create” or “subsystem_op_type”, or with type names like
type_env_t.
– Rename Tor functions that turn strings into addresses, so that
“parse” indicates that no hostname resolution occurs, and
“lookup” indicates that hostname resolution may occur. This
should help prevent mistakes in the future. Fixes bug 3512.
– Use the name “CERTS” consistently to refer to the new cell type;
we were calling it CERT in some places and CERTS in others.
– Use a TOR_INVALID_SOCKET macro when initializing a socket to an
invalid value, rather than just -1.
– Rename the bench_{aes,dmap} functions to test_*, so that tinytest
can pick them up when the tests aren’t disabled. Bugfix on
0.2.2.4-alpha which introduced tinytest.
o Code refactoring (other):
– Defensively refactor rend_mid_rendezvous() so that protocol
violations and length checks happen in the beginning. Fixes
bug 5645.
– Remove the pure attribute from all functions that used it
previously. In many cases we assigned it incorrectly, because the
functions might assert or call impure functions, and we don’t have
evidence that keeping the pure attribute is worthwhile. Implements
changes suggested in ticket 4421.
– Move the replay-detection cache for the RSA-encrypted parts of
INTRODUCE2 cells to the introduction point data structures.
Previously, we would use one replay-detection cache per hidden
service. Required by fix for bug 3460.
– The helper programs tor-gencert, tor-resolve, and tor-checkkey
no longer link against Libevent: they never used it, but
our library structure used to force them to link it.
o Removed features and files:
– Remove all internal support for unpadded RSA. We never used it, and
it would be a bad idea to start.
– Remove some workaround code for OpenSSL 0.9.6 (which is no longer
supported).
– Remove some redundant #include directives throughout the code.
Patch from Andrea Gelmini.
– Remove some old code to remember statistics about which descriptors
we’ve served as a directory mirror. The feature wasn’t used and
is outdated now that microdescriptors are around.
– Remove some old code to work around even older versions of Tor that
used forked processes to handle DNS requests. Such versions of Tor
are no longer in use as relays.
– The “torify” script no longer supports the “tsocks” socksifier
tool, since tsocks doesn’t support DNS and UDP right for Tor.
Everyone should be using torsocks instead. Fixes bugs 3530 and
5180. Based on a patch by “ugh”.
– Remove the torrc.bridge file: we don’t use it for anything, and
it had become badly desynchronized from torrc.sample. Resolves
bug 5622.
o Documentation:
– Begin a doc/state-contents.txt file to explain the contents of
the Tor state file. Fixes bug 2987.
– Clarify the documentation for the Alternate*Authority options.
Fixes bug 6387.
– Document the –defaults-torrc option, and the new semantics for
overriding, extending, and clearing lists of options. Closes
bug 4748.
– Add missing man page documentation for consensus and microdesc
files. Resolves ticket 6732.
– Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.
o Documentation fixes:
– Improve the manual’s documentation for the NT Service command-line
options. Addresses ticket 3964.
– Clarify SessionGroup documentation slightly; resolves ticket 5437.
– Document the changes to the ORPort and DirPort options, and the
fact that {OR/Dir}ListenAddress is now unnecessary (and
therefore deprecated). Resolves ticket 5597.
– Correct a broken faq link in the INSTALL file. Fixes bug 2307.
– Clarify that hidden services are TCP only. Fixes bug 6024.
DC:相信不少网民,特别是想向本台报料的听众,都希望隐藏自己的IP,避免中国当局会追查来源再秋后算账。除了要防范中国当局的木马,单凭VPN或代理主机,又能否隐藏到IP来源?
李:先避免自已的IP不会被追踪,首先要肯定自己的系统并无感染任何木马。若你的电脑感染了木马,任凭你用多高超的技术,都很难成功隐藏你自已的IP。
一般而言,无论VPN也好,代理主机也好,都要经过第三者主机,因此,你要肯定你所使用的VPN或代理主机是安全的,如果你未能够肯定VPN或代理主机的安全性,就不要随便使用这些主机。
在正常情况下,你用VPN或代理主机,都足以避免你的真实IP被暴露出来,但有部分软件,会绕过浏览器对代理主机的设定,或作业系统对VPN网络流量的设定,令你的真实IP暴露出来。而Flash插件,以及由中国公司出产的软件,经常都有这类问题。所以,你不可以完全依靠代理主机或VPN来隐藏你的真实IP来避免当局的清算。
DC:那如果一定要使用有可能绕过作业系统VPN设定,或浏览器代理主机设定的软件,那又怎算好?
李:遇上这种情况,你可以考虑使用虚拟机器。在虚拟机器安装Windows,要执行中国公司出产软件时,全部透过虚拟机器内Windows进行。
使用虚拟机器时,最好使用VPN连线,设定虚拟机器强制使用作业系统的VPN连线,就算中国公司出产的软件绕过虚拟机器内Windows的设定,但由于虚拟机器本身只是真实作业系统内的应用程式,因此不可能绕过真实作业系统的VPN连线设定,这样就可以确保你的真实IP不会被暴露。
使用虚拟机器除了可以确保真实IP不会暴露外,就算你的虚拟机器不幸受木马感染,只要删除整个虚拟机器影像,加上你不让虚拟机器的Windows可以接触真实作业系统的档案,那就不会让木马控制你的电脑。一如之前翻墙问答所讲,现时中国当局使用多重木马感染策略,要彻底清除木马并不容易。
如果你平日的工作并不一定要使用Windows作业系统,虚拟机器还可以让你在个别情况下仍然使用Windows,但日常使用上,使用Linux和Mac等比较少受中国当局木马针对的作业系统。
DC:在平板电脑或智能手机的情况又如何?
李:在iOS平台,由于并无Flash软件,所以唯一要担心是部分中国公司出产的软件会绕过VPN或代理主机,将你的IP暴露。在Android平台,在你使用部分可以用Flash功能的浏览器时,有可能暴露真实IP。
由于平板电脑或智能手机并不可以执行虚拟机,所以部分需要使用中国公司软件,又要隐藏IP的操作,并不适合使用平板电脑或智能手机。如能够在桌面电脑上进行,应尽量在桌面电脑上执行。
而在Android平台,部分软件有可能内藏木马,这些木马亦有可能令你的IP暴露。苹果iOS平台由于经过苹果官方审批,只要你没装只有越狱后才能安装的软件,并不会有受木马感染而令行踪暴露。在Android平台,如果你曾安装不明来历软件,那你就算如何使用VPN或代理主机,你仍然会暴露你的真实IP。
DC:多谢你李建军,本集翻墙问答时间又到,在下周同样时间,会继续有翻墙问答,回应听众关于翻墙的提问,并且介绍最新的翻墙知识,欢迎大家继续收听。时间又差不多,下周再会。
原文:http://www.rfa.org/cantonese/firewall_features/hidden-ip-03082013094657.html?encoding=simplified
最新评论