
Tor project needs volunteers to help Iranian users access the internet - folz
https://lists.torproject.org/pipermail/tor-talk/2012-February/023070.html
======
andrewcooke
does anyone have a configured aws image? seems like that would help - people
could just deploy them to micro instances for free...

[i am about to try to build this on an aws instance, but since i know very little
about images i am sure others will be better/quicker than me]

[update: if anyone else is doing this, you are best picking a new base distro
that is new enough to contain libevent 2]

~~~
andrewcooke
OK, i think (i have never done this before) that the following image should be
public - ami-a97eaec0

it contains a basic 64 bit amazon linux image, with the extra code generated
according to lgeek below <http://news.ycombinator.com/item?id=3579531>

to run, deploy the image, connect as ec2-user in the normal way and then:

- modify ~/tor.sh to change the port on which obfsproxy listens, if you want

- change the security group to allow ports 9100 and 2189 (or whatever you
change 2189 to above) (you may need to restart the instance at this point to
apply the security group).

- modify the bandwidth limit in /usr/local/etc/tor/torrc (ie sudo emacs -nw
/usr/local/etc/tor/torrc) - currently it's 50 KB/s which i _think_ comes out
as around $10-20 a month if it's fully used.

- start with the tor.sh script.

- check tor.log and note your external IP address.

- check external access using something like "telnet xxx.xxx.xxx.xxx 2189"
(which generates a screenful of binary on success).

- contact tor-assistants at torproject.org so they can give the bridge
location out to someone that needs it.

please post here or email me if there are any issues (a confirmation that you
can access the ami would be cool too :o). also, are AWS external IP addresses
permanent (if not, may need to use elastic IP + DNS)?

~~~
lgeek
It looks like you left your public key in authorized_keys. I guess it was an
honest mistake, but at the very least anyone using this AMI should remove it.

Now, please don't be offended, but this is one of the reasons I prefer
instructions or more generally an easy way to replicate a result - which is
easier to verify - rather than the built software/AMI/whatever. It's trivial
to offer a compromised system and nearly impossible to verify that a system is
secure.

On the other hand, tor and obfsproxy work for me using your AMI.
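
The check lgeek describes above, as an added example (not part of the thread and not code from any commenter): a shell audit that lists every key found in `authorized_keys` files under a root directory. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# list_baked_keys ROOT: print "<file>:<line> <key-type> <comment>" for every
# key in any authorized_keys file under ROOT ("/" on a running instance, or
# the mount point of an image volume attached to a trusted host).
list_baked_keys() {
    root=${1:-/}
    find "$root" -xdev -type f \
        \( -name authorized_keys -o -name authorized_keys2 \) 2>/dev/null |
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }   # skip comment lines (blank lines have no fields)
            {
                # Options may precede the key, so search for the key-type field.
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) {
                        comment = ""
                        for (j = i + 2; j <= NF; j++)
                            comment = comment (j > i + 2 ? " " : "") $j
                        if (comment == "") comment = "(no comment)"
                        printf "%s:%d %s %s\n", file, NR, $i, comment
                        next
                    }
                }
            }' "$f"
    done
}

# count_baked_keys ROOT: number of keys found (0 is what a clean image gives).
count_baked_keys() {
    list_baked_keys "$1" | wc -l | tr -d ' '
}

# Constructed sample: a fake image root with two leftover keys (dummy blobs).
make_sample_image() {
    d=$(mktemp -d)
    mkdir -p "$d/home/ec2-user/.ssh" "$d/root/.ssh"
    printf '%s\n' '# left over from the build' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABDUMMY builder@laptop' \
        > "$d/home/ec2-user/.ssh/authorized_keys"
    printf '%s\n' 'no-pty,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1DUMMY' \
        > "$d/root/.ssh/authorized_keys"
    echo "$d"
}

sample=$(make_sample_image)
list_baked_keys "$sample"
echo "keys found: $(count_baked_keys "$sample")"
rm -rf "$sample"
```

On an instance launched from the image, the key pair you chose at launch is listed too; any other entry came with the image.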

------
anigbrowl
Not to derail, but the depressing headlines from Syria suggest the need there
for secure communication with the outside world is particularly urgent at
present.

~~~
andrewcooke
they can already use tor. this call is for additional work needed because iran
is actively blocking access.

~~~
anigbrowl
I see your point; it just occurs to me that since Iran appears to be Syria's
sole reliable ally the same thing could happen in Syria at any time.

------
mrleinad
Here's the beauty of an interconnected world. You can actually help someone
else directly. People can easily organize around the globe to let those in
power know they can't just keep doing whatever they want. Keep up the good
fight!

------
mvip
After reading the post above, I reached out to our cloud vendors and got them
to sponsor us with Tor-servers. As of right now, we have five Tor servers up
and running, and we are expecting more shortly (more here
<http://wireload.net/2012/02/were-helping-tor-project-bypass-government-censorship/>)

------
stingraycharles
Out of curiosity, what prevents Iran from just blocking all Tor end nodes?

If del.icio.us is able to do it[1], surely Iran must be able to too.

[1] <https://news.ycombinator.com/item?id=3567996>

~~~
aw3c2
Watch the very informative and entertaining talk by Roger and Jacob from 28c3
<http://mirror.fem-net.de/CCC/28C3/webm/28c3-4800-en-how_governments_have_tried_to_block_tor.webm>

~~~
eneveu
YouTube link: <http://www.youtube.com/watch?v=DX46Qv_b7F4>

High Quality H264 link (720x576):
<http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/28c3-4800-en-how_governments_have_tried_to_block_tor_h264.mp4>
(found on the YouTube page)

------
steve8918
I only know a little bit about tor, but my understanding is that if you run a
relay, then you are basically proxying traffic for other people on the tor
network.

If this is true, and if someone is looking at kiddie porn through your
connection, could you get implicated?

~~~
brightsize
If you're running an intermediate node, then you're proxying an encrypted
datastream from one node to another. You don't know what's in the datastream,
who it's from (the endpoint), or where it's going (the other endpoint). See
here: <https://en.wikipedia.org/wiki/Onion_routing>

------
nachteilig
speaking of this, does anyone have the html/images of the iranian block page?
I collect them and would really appreciate it if someone was able to send that
along. Or does the iranian firewall just drop the connection without the
censorship notice?

~~~
drostie
They're dropping SSH too, so I'd just assume that they're dropping everything.
No block page for you. ^_^

The goal might not be censorship, even. Iran's most prominent recent actions
have been provocative trade threats and hacking a US drone -- and US
Presidential candidates have been discussing the possibility of eventually
invading Iran. Iran has plenty of paranoia to spare:

<http://www.juancole.com/2011/12/iran-has-us-surrounded-all-right.html>

I'm guessing that they're dropping connections in part based on that; fear of
spies rather than fear of speech. In which case they wouldn't really have any
motive for a blockpage, either.

~~~
mukyu
It is the anniversary of the overthrow of the Shah and they do something like
this every time there is something politically sensitive going on.

It is clearly population/sentiment control and not 'fear of spies'.

------
corford
Would running through an unencrypted socat tunnel
(<http://freecode.com/projects/socat>) defeat the DPI?

If yes, you could set up a tunnel on port 80 and then run openvpn or tor
through it. Technically it works as I've done this for a friend in China (but
China wasn't doing DPI on SSL handshaking).

I posted this same question on the earlier Iran shutdown thread but was
probably too late to get a response
(<http://news.ycombinator.com/item?id=3577901>).

~~~
andrewcooke
why would it help? socat just sets up a tcp connection. whatever data you send
across it is going to look like data sent across any other tcp connection
(including the ones that browsers and servers use).

am i missing something?

~~~
corford
No I think you're probably right. Not knowing how exactly the DPI is done, I
was abstractly thinking that perhaps shoving the SSL handshake through another
TCP/UDP connection might defeat it but tbh I have no idea. Hence the question
:)

Edit: the reason I mentioned socat was because when I used it to help the guy
in China, it was because they were apparently filtering openvpn and we found
that when it went via socat the connection was much more stable and faster.

Edit 2: if TCP through a UDP socat wouldn't work, how about something totally
off the wall like an ipv6 tunnel over ipv4 (using
<http://en.wikipedia.org/wiki/Teredo_tunneling>) and then an ipv4 tunnel
within that ipv6 tunnel (through which the tor or openvpn connection would
go). Sorry if I'm spouting garbage but it's quite fun thinking about all the
random ways one might be able to tunnel one stream of data through another.
(although given the Iranians' urgent predicament, my mental masturbation is
probably best saved for another day...)

------
Fargren
I know jack about tor other than its purpose, but shouldn't it be
possible to configure a virtual machine to do this and upload it, so that one
would "only" have to mount the machine and turn it on in order to help?

------
ck2
Might be good to ask this where major-league hosting providers hang out like
webhostingtalk?

