CN = nytimes3xbfgragh.onion
OU = Technology
O = The New York Times Company
Object Identifier (2 5 4 15) = Private Organization
DNS Name: nytimes3xbfgragh.onion
DNS Name: graylady3jvrrxbe.onion
DNS Name: *.graylady3jvrrxbe.onion
DNS Name: *.dev.graylady3jvrrxbe.onion
DNS Name: *.stg.graylady3jvrrxbe.onion
DNS Name: *.nytimes3xbfgragh.onion
DNS Name: *.api.nytimes3xbfgragh.onion
DNS Name: *.api.dev.nytimes3xbfgragh.onion
DNS Name: *.api.stg.nytimes3xbfgragh.onion
DNS Name: *.blogs.nytimes3xbfgragh.onion
DNS Name: *.blogs.stg.nytimes3xbfgragh.onion
DNS Name: *.blogs5.stg.nytimes3xbfgragh.onion
DNS Name: *.dev.nytimes3xbfgragh.onion
DNS Name: *.dev.blogs.nytimes3xbfgragh.onion
DNS Name: *.newsdev.nytimes3xbfgragh.onion
DNS Name: *.prd.nytimes3xbfgragh.onion
DNS Name: *.sbx.nytimes3xbfgragh.onion
DNS Name: *.stg.nytimes3xbfgragh.onion
DNS Name: *.stg.blogs.nytimes3xbfgragh.onion
DNS Name: *.stg.newsdev.nytimes3xbfgragh.onion
DNS Name: www.bestsellers.nytimes3xbfgragh.onion
DNS Name: www.homedelivery.nytimes3xbfgragh.onion
You aren't being attentive enough for high risk activities. You lack proper verification channels, to confirm authenticity, which matters in this context. You lack the situational awareness to proceed safely.
Admit that you might not be cut out for what it takes to maintain a secure posture on the internet, if that's what gets you. Just stop pretending to try.
And I never claimed I was good at anything. But I did intend to point out that with advanced persistent threats in the mix, and nation state actors operating with effectively unlimited resources, failing to notice the difference between two vaguely similar nonces (in a situation where it matters) is going to get you hanged, depending on what you're trying to fly below radar.
onion.nytimes.com CNAME nytimes3xbfgragh.onion
Edit to clarify - more a technical pondering than a solution to anything
I guess in theory a browser _could_ support something like that, but it'd be pretty unusual. I also think the idea of relying on DNS to resolve a hidden service would defeat a lot of the privacy and security guarantees associated with those services, so I don't think any browser serious about security would implement something like that.
Websites redirect all the time, there's 3 HTTP status codes for it.
If you visit https://onion.nytimes.com/ and it sends you a 301 redirect to https://nytimes3xbfgragh.onion/ then yes, I'm pretty sure that'd work fine. However, if you perform a DNS lookup on `onion.nytimes.com` and receive in response a CNAME record pointing to `nytimes3xbfgragh.onion`, I seriously doubt the browser is going to respond to that by establishing a new Tor circuit to the named hidden service. Rather, it's most likely just going to do what every other DNS client does when it receives a CNAME record; it'll try to look up `nytimes3xbfgragh.onion` in the DNS. (And fail, because `.onion` is not a valid TLD in the regular DNS system.)
I just generated "omen coins car hoof.onion" right now, in a couple of seconds, with my laptop CPU. With a couple of GTX1080s you could easily find some much better .onions than the ones NYT chose.
Let's pretend we've got a $5000 budget.
Quick back-of-the-envelope math shows that an 8xGTX1080¹ box will be able to generate ~3 onion addresses beginning with "nytimes" every second; we can afford 6.25 months of this.
Instead of waiting a really long time, we'll rent multiple boxes and squeeze all that into one month. In that month our servers will find approximately 44055283.1 onion addresses beginning with "nytimes".
At least with the wordlist² I use, without a prefix I discover approximately one "good" onion per 8 million random onions. Considering we've got a 7-character prefix for our 44 million onion candidates, I'd expect a significantly better rate than just 1/8000000.
So yeah, in a month you'd probably find at least 5 "better" onion addresses.
¹ $800 a month https://selectel.com/solutions/gpu/ Shouldn't be a problem for NYT to get a few of these.
² which besides words contains some easily memorable fillers such as "aaa" "bbb" and so on
That's the idea. Of course, validation, while more thorough than for standard certs, still is not that reliable. My strong impression is that it could be fooled by anyone sufficiently motivated.
In my case they just needed me to put an entry in the Yellow Pages...
Also, never put this line in /etc/netgroup then rwall to it:
On a somewhat related topic, I worry a lot about things on the internet disappearing, most often simply due to neglect (domain expiry, companies being bought, etc.). I try to save everything I can that I find interesting, in fear of it never being available again.
That said, it makes me very happy to see emails from 1987 archived online--so happy that I've even saved a copy.
And Risks Digest: http://catless.ncl.ac.uk/Risks/4.73.html#subj10.1
I was one of the 743 people who received his rwall and immediately sent him a message (which I've since lost) flaming about the evils of Sun RPC (and promising a longer flame). I saved his reply and some old email about it from the hackers_guild and tcp-ip mailing lists.
IIRC, the flame probably would have touched on the fact that among Sun RPC services, rpc.rwalld was hardly the worst offender: Sun's NFS rpc.mountd demon trusted the client's word on what its hostname is (it was passed from client to server as a parameter to the mount RPC call -- the server didn't check the ip address!), in order to authenticate the client's permission to mount a directory!
That's right, you actually could mount any NFS directory by going "hostname <hostname known to be in server's /etc/exports> ; mount server:/directory /mnt ; hostname <previous host name>". And you could usually use the equivalent of "tftp server:/etc/exports /tmp/server_exports" to discover a trusted hostname to use, because Suns were set up like that by default, out of the box!
Date: Tue, 31 Mar 87 12:02:53 PST
From: jkh%violet.Berkeley.EDU@berkeley.edu (Jordan K. Hubbard)
Subject: re: flame flame flame
Thanks, you were nicer than most.. Here's the stock letter I've been
sending back to people:
Thank you, thank you..
Now if I can only figure out why a lowly machine in a basement somewhere
can send broadcast messages to the entire world. Doesn't seem right
Yours for an annoying network.
P.S. I was actually experimenting to see exactly how bad a crock RPC was.
I'm beginning to get an idea. I look forward to your flame.
Jordan's rwall scribbled all over Dennis Perry's Interleaf windows (who Jordan incorrectly referred to as the Inspector General of the ARPAnet in the Pentagon, and who was "absolutely livid" and threatened to cut off UCB's ARPANET access). Things were pretty wide open back then, and Jordan's "little incident" really stirred up a hornet's nest!
There were some interesting followups from heavy duty dudes like Milo Medin and Dennis Perry on the h_g/tcp-ip mailing lists:
From: Milo S. Medin <email@example.com>
Actually, Dennis Perry is the head of DARPA/IPTO, not a pencil pusher
in the IG's office. IPTO is the part of DARPA that deals with all
CS issues (including funding for ARPANET, BSD, MACH, SDINET, etc...).
Calling him part of the IG's office on the TCP/IP list probably didn't
win you any favors. Coincidentally I was at a meeting at the Pentagon
last Thursday that Dennis was at, along with Mike Corrigan (the man
at DoD/OSD responsible for all of DDN), and a couple other such types
discussing Internet management issues, when your little incident
came up. Dennis was absolutely livid, and I recall him saying something
about shutting off UCB's PSN ports if this happened again. There were
also reports about the DCA management types really putting on the heat
about turning on Mailbridge filtering now and not after the buttergates
are deployed. I don't know if Mike St. Johns and company can hold them
off much longer. Sigh... Mike Corrigan mentioned that this was the sort
of thing that gets networks shut off. You really pissed off the wrong
people with this move!
Dennis also called up some VP at SUN and demanded this hole
be patched in the next release. People generally pay attention
to such people.
From: Jordan K. Hubbard <firstname.lastname@example.org>
Well, I hope Sun patches the holes, Milo. I'm sorry that certain people chose
to react as strongly as they did in our esteemed government offices, but
I am glad that it raised enough fuss to possibly get the problem fixed. No
data was destroyed, lost, or infiltrated, but some people got a whack on the
side of the head for leaving the back door open. I'm not sure I can say that
I'm all that sorry that this happened. rwall is certainly going to change on
my machines, I can only hope that people concerned about being rwall'd over
the net will tighten up their RPC. Those that don't care, should at least be
aware of it.
From: Dennis G. Perry <PERRY@vax.darpa.mil>
Jordan, you are right in your assumptions that people will get annoyed
that what happened was allowed to happen.
By the way, I am the program manager of the Arpanet in the Information
Science and Technology Office of DARPA, located in Roslin (Arlington), not
I would like suggestions as to what you, or anyone else, think should be
done to prevent such occurrences in the future. There are many drastic
choices one could make. Is there a reasonable one? Perhaps some one
from Sun could volunteer what their action will be in light of this
revelation. I certainly hope that the community can come up with a good
solution, because I know that when the problem gets solved from the top
the solutions will reflect their concerns.
Think about this situation and I think you will all agree that this is
a serious problem that could cripple the Arpanet and any other net that
lets things like this happen without control.
Sorry about the mixup on your location and position within DARPA. I got
the news of your call to Richard Olson second hand, and I guess details
got muddled along the way. I think the best solution to this problem (and
other problems of this nature) is to tighten up the receiving ends. Assuming
that the network is basically hostile seems safer than assuming that it's
benign when deciding which services to offer.
I don't know what Sun has in mind for Secure RPC, or whether they will move
the release date for 4.0 (which presumably incorporates these features)
closer, but I will be changing rwalld here at Berkeley to use a new YP
database containing a list of "trusted" hosts. If it's possible to change
RPC itself, without massive performance degradation, I may do that as well.
My primary concern is that people understand where and why unix/network
security holes exist. I've gotten a few messages from people saying that
they would consider it a bug if rwall didn't perform in this manner, and
that hampering their ability to communicate with the rest of the network
would be against the spirit of all it stands for. There is, of course, the
opposite camp which feels that IMP's should only forward packets from hosts
registered with the NIC. I think that either point of view has its pros and
cons, but that it should be up to the users to make a choice. If they wish
to expose themselves to potential annoyance in exchange for being able to,
uh, communicate more freely, then so be it. If the opposite is true, then
they can take appropriate action. At least an informed choice will have been
Yours for a secure, but usable, network.
Jordan, thanks for the note. I agree that we should discover and FIX holes
found in the system. But at the same time, we don't want to have to
shut the thing down until such a fix can be made. Misuse of the system
get us all in a lot of trouble. The Arpanet has succeeded because of
the self policing community. If this type of potential for disruption
gets used by very many people, I guarantee that we all will not like the
solution or fix proposed.
Lawyers are good at verifying identities. It's a core part of their work. More critically, in-person fraud scales differently from electronic fraud.
EV ensures that the entity (person, corp, org, whatever) is in fact in control of the domain and is who they say they are.
Notably, Onion services tend to have URLs that are _very_ difficult for humans to remember (they're essentially just gibberish), and they're anonymous by default, meaning without an EV cert there's no easy way to check whether the service you're visiting is legitimate or not.
DV certs are also pretty useless for Onion services, since your connection is already encrypted and authenticated by Tor.
There's a couple of other differences with .onion certs too: https://certsimple.com/help/tor-support
Did you notice that I changed the nytimes URL a tiny bit up there? nytimes3xbfgragh.onion is the real one. (Yes, there's no guarantee that someone else would be able to generate a specific alternate address, but one that also starts with nytimes is probably possible for a well-resourced attacker.)
EV lets you assure that you are connected to the New York Times.
If you fetch web pages from http://abc123.onion you basically tell tor "connect me to whoever holds the certificate with fingerprint abc123". Any domain validated certificate on top of that is superfluous since you already know which certificate you are talking to. What you don't know is who holds it. This is where organizationally validated certificates can help.
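An added example, not part of the thread: since a shared "nytimes" prefix proves nothing about who holds the key, a client-side check should compare the whole 16-character label against an address obtained out of band and flag near misses. The lookalike hostnames and the thresholds `min_prefix` and `max_diff` are assumptions constructed for illustration.

```python
import re

# v2 onion labels (the kind discussed in this thread) are 16 base32 characters.
V2_LABEL = re.compile(r"^[a-z2-7]{16}$")

# Address taken from the thread; in practice it is pinned from an out-of-band source.
PINNED = {"nytimes3xbfgragh.onion": "The New York Times"}


def onion_label(host):
    """Return the 16-char service label of a v2 .onion host, or None if malformed."""
    parts = host.strip().lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != "onion":
        return None
    label = parts[-2]  # subdomains such as www. sit to the left of the label
    return label if V2_LABEL.match(label) else None


def shared_prefix(a, b):
    """Number of leading characters the two labels have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def differing_chars(a, b):
    """Position-wise differences between two equal-length labels."""
    return sum(x != y for x, y in zip(a, b))


def expected_keys_for_prefix(k):
    """Average keys to try for a chosen k-char prefix: each base32 char is 5 bits."""
    return 32 ** k


def classify(host, pinned=PINNED, min_prefix=5, max_diff=3):
    """Return (verdict, owner): match, lookalike, unknown or invalid.

    min_prefix and max_diff are assumed thresholds, not values from the thread.
    """
    label = onion_label(host)
    if label is None:
        return ("invalid", None)
    known = {onion_label(h): owner for h, owner in pinned.items()}
    if label in known:
        return ("match", known[label])  # only a full-label match counts
    for good, owner in known.items():
        if (shared_prefix(label, good) >= min_prefix
                or differing_chars(label, good) <= max_diff):
            return ("lookalike", owner)  # resembles a pinned service, is not it
    return ("unknown", None)


if __name__ == "__main__":
    samples = [
        "nytimes3xbfgragh.onion",      # real address from the thread
        "www.nytimes3xbfgragh.onion",  # subdomain of the real address
        "nytimes3xbfqragh.onion",      # constructed: one character changed
        "nytimesaaaaaaaaa.onion",      # constructed: same 7-char prefix only
        "graylady3jvrrxbe.onion",      # in the certificate list, not pinned here
        "nytimes1xbfgragh.onion",      # constructed: '1' is not base32
    ]
    for s in samples:
        print(f"{s:30} {classify(s)}")
    print("keys for a 7-char prefix :", expected_keys_for_prefix(7))
    print("keys for the full label  :", expected_keys_for_prefix(16))
```

The gap between the two printed work factors (2^35 versus 2^80) is why a recognisable prefix is cheap to imitate while the full label is not, and why comparison has to cover all 16 characters.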
Single onion services have been a thing for quite some time now, actually: https://web.archive.org/web/20161219230314/https://blog.torp... (had to use archive.org since images are broken on their blog currently)
People wanting to access NYT site via Tor, can just navigate to https://www.nytimes.com/ and it'll be significantly faster than the .onion equivalent.
This isn't true, exits are currently in short supply. And onion services don't use exits, so it will result in a faster speed, especially since they may have made it as a single onion service.
 : https://web.archive.org/web/20161219230314/https://blog.torp...
Handy graph for anyone curious about the benefits of Tor 
If so, they're leaving their users-who-want-to-stay-relatively-anonymous open to attack via the advertisement vector. Members of that group would be considered high-value targets simply due to their anonymity desires.
I can't see the number of daily users being large enough that they'd lose significant profit by closing that attack vector. Hell, if there was a way to pay NYT enough to disable ads on all their services, I'd do it.
In this case the relevant preference is privacy.firstparty.isolate = true. Another pref worth pointing out is privacy.resistFingerprinting = true.
Note that containers provide similar functionality but in a less rigid manner. On the other hand first party isolation has the advantage that it also applies on navigation within a single tab while containers are fixed within a single tab. Currently neither is a superset of the other. If bug 1323873  gets implemented then containers + some scripting by extensions could act as a superset of first party isolation.
Tor also gives you a way to choose a specific exit node based on the country it is in, but I have no idea how reliable that is.
It is worth noting that with hidden services no exit nodes are required, since your traffic's final destination is running its own Tor-compatible node.
What do you think an untrustworthy system is doing that would make it give a not-good-enough answer?
I considered these actors before deciding to ask the question instead of immediately connecting directly: available computer systems, internet pipes, the NYT website, and the bevy of third party ad-services hosted through the website.
The Tor Browser Bundle (desktop) has different defaults than Orfox (phone), and I think both will connect to non-onion URLs when connecting to an onion site. Same for JS, ad-block, etc.
There are zero good web browsers with socks5 support. (which is needed for tor)
 : https://trac.torproject.org/projects/tor/wiki/doc/meek
 : https://trac.torproject.org/projects/tor/wiki/doc/Snowflake
Onion websites should be isolated and should not initiate any connections to vanilla internet.
Edit: it also loads scripts from www.google.com, tags.bluekai.com, cdn.optimizely.com...
Tor can also hide where Bob's servers are, but not sure if the New York Times would need that bit.
I forgot there are other governments too... shame, I'm not even from the US.
It’s possible that Tor makes it harder to enforce the rule that you can’t read more than X articles per month (which I believe is enforced using cookies and your IP address) but at this early stage, I’m not sure that’s key: people who know how to use Tor generally can easily go around that limitation on https.
If too many people use that loophole to read without a subscription, that means NYTimes would have been instrumental in making Tor mainstream. That would be a major achievement in itself. Enforcing similar consumption limits through Tor would probably be rather experimental, but sounds hardly difficult (especially with the goodwill NYTimes would have most likely gained from Tor developers & supporters).
Their current X (which I think is 10) articles per month limit is enforced via cookies. If you're like me and have your browser set to automatically clear all cookies and persistent state on close, you never even notice it exists.
A hidden service is set up for information that cannot be safely presented on the public Internet. Like what The Daily Stormer did.
If one just wanted to bypass blocking or hide himself from evil third parties, he could just use tor browser to open NYT's regular domain instead of the hidden service domain, no?
There are also some security benefits, since connections to hidden services are automatically encrypted and authenticated, no HTTPS or trust in Certificate Authorities required (though HTTPS with EV certs can still be useful for identification purposes).
As well as this blog post: https://blog.torproject.org/cooking-onions-names-your-onions
See also this ticket for following the progress: https://trac.torproject.org/projects/tor/ticket/10747
Easy to remember.
I ran 3x 4 GPU cloud instances on AWS on the old Teslas - which aren't very fast at SHA. IIRC it was doing 15GH/s total
Today you can get ~7GH/s on an Nvidia 1080 so you should be able to find an all-alpha 10 char onion in about a week.
The new cards and some of the password cracking rigs (I'm building a new one now) are able to do SHA1 so quickly that they're a real threat to generating phishing addresses for onions - which is why the DigiCert certificates are required.
There were many discussions before settling on Medium and alternatives were considered (such as dogfooding our own CMS). We have a lot of work in-flight to modernize and simplify our publishing stack, and the timing wasn't right to rely on internal tools to publish a new blog.
This action is not supported over Onion yet, sorry.
I know DuckDuckGo has their own hidden service, but it seems that site only returns results from the regular internet, not from other hidden services.
I think you responded to your own question.
Besides that there are lists of onion services. Apparently there are also search services like https://ahmia.fi/
But for services on Tor that are fine with being identified but who wish their users to be opaque to third parties it seems to have some value.
 without a radically different CA infrastructure which has no chance of getting preloaded into browsers.
Why would anyone run a legal onion service?
Thanks Alec Muffett (OP) for the following summary copied from this comment
Understandably folk tend to think "Anonymity!" when talking about Tor Onions, but in rolling out the Facebook onion we established several clear benefits:
1. better and safer experience for people accessing over Tor: no interference by exit nodes, no bandwidth-contention for exit nodes, no use of exit nodes at all.
2. "good neighbour" - reciprocally, popular sites can unload themselves from eating up scarce exit-node bandwidth.
3. "a peace offering" - people (continue to) use Facebook over Tor; 3 years ago we saw 500,000/month, more recently ~1 million. Overwhelmingly we found (through measurement and assessment) that people using Facebook over Tor were ordinary folk wanting to do ordinary things, especially in times of political crisis. Providing a metaphorical "olive branch" showed that we value their use of the site.
4. Discretion & Trust. Onion Sites are considered to be about "Anonymity", but really they offer two more features: Discretion (eg: your employer or ISP cannot see what you are browsing, not even what site) and trust (if you access facebookcorewwwi.onion you are definitely connected to Facebook, because of the nature of Onion addressing; no DNS or CA shenanigans are applicable.)
In the U.S., the Times published Chelsea Manning's leaked State Dept documents, it broke the story on Hillary Clinton's email server, it reported the Wikileaks' DNC emails for months up to the US presidential election, and now it aggressively goes after Trump. While it's imperfect, I don't see which part of the establishment it so strongly supports.
The State Department. NYT is vital in fabricating the history of conflicts and internal problems that have ever affected the United States.
To name a few: Syria, Iraq, Afghanistan, the War on Drugs, the Indochina wars, Cuba, Mexico, outside-of-country extradition, continual abuse and outright breaking of UN laws and sanctions, etc.
That's not even mentioning their (the NYT) history of character assassination with regards to civil rights leaders, activists, authors, speakers, and alternative thinkers.
...OR you get the Chomsky treatment, and they pretend that you don't exist for a few decades.
I didn't bother with citations, there are plenty to read through with just a cursory search engine query, but since I already invoked the name of the beast, I'll let him tell you about NYT.
NYT is systematically biased in who or what it chooses to illuminate for the public to digest. Don't be surprised when they do good by you -- it's all character building -- just like this news that they're embracing tor.
Boy, aren't they just keen!
Noam Chomsky: The New York Times is pure propaganda: https://www.salon.com/2015/05/25/noam_chomsky_the_new_york_t...
.onion is not for sites being blocked in China, you can just use tor and access the nytimes.com web site from there. .onion is for websites that get their domain confiscated by their domain providers or the feds, very unlikely to happen to the NYT. See what happened to sites such as the pirate bay or more recently the neo-nazi site dailystormer https://en.wikipedia.org/wiki/The_Daily_Stormer#Site_hosting...
A significant portion of the dossier has been corroborated so far.
The GOP funded it originally.
The FBI funded it after.
In either case, the NYT loves Trump. Their "feud" is for show only. Trump is the establishment.
Notably: it's not the GOP the organization that initially funded the oppo, but a private news org with conservative leanings. And the FBI did not fund the dossier, but were provided it during its creation. (Side note: who cares)
When it comes to corroboration: I would think the special investigation is good enough evidence that the claims of Russian cooperation are being taken seriously, no? Significant is a weasel word but there is actual smoke here.
How would you tell the claims being taken seriously from the investigators trying to use the legal system to get dirt on Donald Trump?
At this point, the investigation has been ongoing for around 10 months, and currently they've only found anything on Paul Manafort, who was Trump's campaign manager for a few months.
The charges against Manafort are essentially failing to disclose lobbying for foreign agents, tax evasion, and money laundering. The lobbying was done while Manafort was working for the Podesta Group, which was founded by Hillary Clinton's campaign manager.
On a side note, I find it interesting how Wikipedia doesn't have any information on Manafort's involvement with the Podesta Group.
The reason most political stories aren't a good fit here isn't that they aren't about tech or startups (both tech and startups overlap with politics quite a bit). It's because they inevitably lead to battles that destroy what HN is for. We can't be both, the same way a park can't be a war zone.
> "Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer."
Also, there are large populations where network monitoring and/or content restrictions are part of everyday life. The New York Times experienced this directly with respect to their iOS app in China.
Edit to add: To turn it around, why shouldn't the NYT do this? That isn't snark: I'm interested in hearing substantial reasons for the skepticism implicit in 'pbarnes_1 original question. Granted, I haven't read all of the comments for this submission, I haven't seen any that convincingly argue this isn't a useful thing.
A news outlet with a "one size fits most" attitude. That is, they offer a product which caters to people who could be described as "average". Typically companies focus their energy only on (potential) customers, not those who aren't a good fit for the product in the first place. There probably are more profit-promising people out there for the NYT than those who are somewhat crypto-nerds. They don't like clicking ads, some may even feel uneasy using typical payment methods to buy a subscription.
> Also there are large populations where network monitoring and/or content restrictions are part of everyday life.
yeah, that's reasonable.
 - https://open.nytimes.com/
Nothing to hide except when the wrong guy gets in power then you feel naked
And if yes, does their adoption of https in 2014 then imply that they were equally suspicious of the previous administration?
[...]and they provide additional guarantees that readers are connected securely to our website.[...]
> So is it now "guaranteed", that TOR is secure?
Your quote does not imply that
What're the equivalent or similar features in other browsers (e.g. Chrome)? Incognito mode?
Safe browsing guys
//edit: if you want extra security. Launch TOR from a remote desktop. And I am not talking about the ones you buy from known VPN providers like NordicVPN or amazon web services.
a) Infiltrating chats where people are more likely to share sensitive information / trust the people they're talking to
b) Poor configurations/ setups on either the client or server (client browser bundle has noscript, but it's not on the strictest settings, js is enabled iirc)
c) Exploitation of client or server due to out of date versions, things like that
Historically I think it's always fallen into one of these cases - and not just what the FBI etc say publicly but we've seen these exploits ITW. I wouldn't be surprised if the NSA and other agencies have the power to deanonymize TOR users but if it were trivial why is the majority of TOR traffic still going towards illegal content? Last I read (a paper a year ago) TOR is still primarily all about drugs, followed by child pornography (mostly drugs though iirc). If they can track all of these people by breaking TOR completely... why don't they?
Remember, Silk Road was finally found and taken down because Ross Ulbricht messed up his OpSec on a Stack Overflow question.
Here’s a Reddit discussion: https://www.reddit.com/r/webdev/comments/1nln17/the_stackove...
Basically, he posted to Stack Overflow using his own name and email address with code that Silk Road was using. He quickly changed his username, but it was too late.
Can you provide evidence for this claim? I'm a huge conspiracy nut, this has me excited.
That said, it's still the most reliable limited-anonymity provider I know of.
No, if you want extra security use Qubes OS with Whonix (it comes with it by default) for isolating the Tor process in a single VM and the browser in another - thereby prohibiting any leaks, unless an adversary has a VM escape RCE.
Really? Perhaps you could explain how every single one of us found out it is true? Maybe every single one of us has a friend working in the NSA who was willing to tell us, even though he could go to jail for giving away such a secret?
Or maybe you are just making things up.