pickaproxy.com blog

There has been lots of recent coverage about the major DNS vulnerability found by researcher Dan Kaminsky earlier this year: see doxpara.com, news.oreilly.com, and CERT for examples.

We wanted to let you know that one of the very few DNS servers/services that has NOT been vulnerable to this "DNS cache poisoning" exploit is OpenDNS, which has been the DNS server/service we use at pickaproxy.com and our other privacy-ecosystem.com sites for quite some time.

If you are trying out our proxies and get an error indicating there are "Too many open files" we apologize, but this is an indication that our server is running at maximum capacity.  Best to retry or come back later when things will be less busy.  Our web accelerator cache is also hitting capacity at times, and we are currently working on a better design to address this.  Eventually we expect to have much greater capacity - perhaps even unlimited capacity - as we move to a "cloud computing" infrastructure.

If you are using our PAC files, and Google Desktop Search, you will notice you no longer get an error message, because we no longer try to proxy anything where "127.0.0.1" or "localhost" are the domain name. Our PAC file now looks like this (for the us.proxy.pac file), which is just a bit of Javascript:

function FindProxyForURL(url, host) {
if ((host == '127.0.0.1') || (host == 'localhost')) 
  return "DIRECT";
else 
  return "PROXY us.pickaproxy.com:8125";
}

"DIRECT" in this context means do not use the proxy, but rather make a direct connection.

On another note, we also are now showing a list of all Tor proxy servers ("exit nodes") that we never use, for reasons of security and/or reliability.  You will have to be looking at the "Tor speak" version of our site (at http://www.pickaproxy.com/?speak=tor) to see this list, but it is shown below the "Top 10 Fastest (Running)" list.  And you will notice that we have added "AoF" to this list because of reliability problems we have noticed in the last few days.  Any changes to our "ExcludeList" will now be shown automatically in this way, so we will not be announcing each and every change on this blog or in our RSS feed.

You can now use our pre-set "PAC" files to specify your proxy settings, which simplifies things a bit. Instead of setting your proxy to tryout.pickaproxy.com and port 8123, you can now specify the "Use automatic configuration script" option (if using Internet Explorer) or the "Automatic proxy configuration URL" option (if using Firefox) or the "Use automatic proxy configuration" option (if using Opera) and use https://www.pickaproxy.com/tryout.proxy.pac as the Address and name and location of the script file. 

• us.proxy.pac is equivalent to us.pickaproxy.com and port 8125
• uk.proxy.pac is equivalent to uk.pickaproxy.com and port 8126
• fr.proxy.pac is equivalent to fr.pickaproxy.com and port 8129
• ru.proxy.pac is equivalent to ru.pickaproxy.com and port 8130
• cn.proxy.pac is equivalent to cn.pickaproxy.com and port 8131
• ca.proxy.pac is equivalent to ca.pickaproxy.com and port 8132
• de.proxy.pac is equivalent to de.pickaproxy.com and port 8133
• nonCN.proxy.pac is equivalent to nonCN.pickaproxy.com and port 18231
• nonDE.proxy.pac is equivalent to nonDE.pickaproxy.com and port 18233
• nonUS.proxy.pac is equivalent to nonUS.pickaproxy.com and port 18225

We will add more functionality and flexibility to our PAC file support at a later time. The plan is for subscribers to be able to define multiple proxy options within a single PAC file for their own use, and to allow PAC files to be updated from our https://www.pickaproxy.com web site so that you do not have to muck about with proxy settings on your computer, other than to do the initial, one-time change to use your PAC file.

So I sent an email to the contact Ben Wilber for the Tor network proxy named "desync", getting the IP Address wrong in the process: "I wonder if you would mind giving me some information about your intentions with the Desync Tor exit node you ostensibly operate at 63.230.230.230? I run the pickaproxy.com site and noticed that you are the 2nd fastest node in the Tor network http://www.pickaproxy.com/?speak=tor and the only one owned by Reliable Web Services and using ISP Neucom. I am generally suspicious of fast nodes, so please do not take offence if your intentions are worthy :)"

And I got a reply: "Our node is intended to support the Tor project's efforts to preserve anonymity on the Internet.  No transmitted information or logs concerning circuit construction are monitored or recorded within our scope of control, both for clients' privacy and our own legal protection. The node is physically located in Tampa, FL and is operated by desync.com out of Desync's network, AS30217."

I replied: "Thanks, Ben. I would be glad to remove this node from our pickaproxy.com ExcludeNodes list based on this information. Would you mind if we posted your email reply on our pickaproxy.com blog?"

And he said: "Sure, go ahead."

So desync is in, and as of today it is the fastest of all computers in the Tor network with a throughput measured to be consistently around 6 GB per second for at least the last week. Considering that the average proxy server ("exit node") in the Tor network has a throughput of about 243 KB per second, and the mean throughput is only about 50 KB per second, Ben is to be thanked for adding so much horsepower for all to use!

We have now excluded 2 more proxies from our service: Webdvdr and desync.

Webdvdr is currently the fastest computer in the entire Tor network by a considerable margin, and the operator of this computer continues to regularly change their "exit policy", indicating some sort of experimentation and possibly analysis of traffic flowing through it. Located geographically in Paris, France at dedibox.fr, the operator has also not identified themself with a Tor Contact name, the IP address 88.191.79.196 does not have a DNS host name, is listed on spamhaus.org's XBL composite block list, and is listed on uceprotect.net Level 1 spam list. We think all this warrants protecting our users from this proxy, and so are adding it to our "ExcludeNodes" list effective immediately until further notice.  The operator of this proxy is certainly welcome to contact us at any time.

Desync is currently the second fastest in the Tor network, geographically located in Placentia, California, USA, with Contact name Ben Wilber, and the only computer in the Tor network using ISP Neucom and owned by Reliable Web Services.  It's IP address 66.230.230.230 likewise does not have a DNS host name, and although it is not an obvious candidate for our ExcludeNodes list, we are being cautious in doing this, and in addition we will be attempting email contact with the operator to learn more about him and his intentions with this proxy.

Further to our May 22 blog posting, Paranoia part 1, the names of the 5 proxy servers owned and operated by PSI in Washington, DC, USA are bettyboop, croeso, jalopy, myrnaloy, and nixnix.

Further to our last post on May 22, we have now made available an initial step to identify and advise people about the status of the overall Tor network.  This information is now displayed at the top of our pickaproxy.com web site, showing the "current Tor network status" as either Ok, Use With Caution, or Not Considered Safe.  These 3 conditions are initially defined as follows:

"Ok" means there are at least 525 exit nodes ("proxy servers" for the non-Tor-speaking set), 500 relays, 300 guards, 6 version 3 directories, 500 version 2 directories, 32 KB/s mean and average exit bandwidth, and 40 KB/s mean and average relay bandwidth. Any nodes hibernating, marked as "bad", not "valid", or not "running" are excluded from these numbers.

"Use With Caution" means there are less than 1 or more of these thresholds, but at least 375 exit nodes ("proxy servers"), 350 relays, 150 guards, 5 version 3 directories, 250 version 2 directories, 22 KB/s mean and average exit bandwidth, and 30 KB/s mean and average relay bandwidth.

Anything less than any of these Use With Caution thresholds will result in a "Not Considered Safe" status.

Our next step will be to allow people to subscribe to this information, and to define these thresholds for themselves. Our checks to update this status are currently done every 1-2 hours.

Last Monday, Memorial Day in the US, and Victoria Day in Canada, I discovered a potentially troubling anomaly in the Tor network. Between about 10am and 3pm EST the number of computers running the Tor software as a relay or exit dropped to about 400 from the usual range of about 2,000.

This could be nothing serious, but also could be very serious in terms of increased exposure of Tor network traffic to possible monitoring. It is generally acknowledged that the more computers running the Tor software as relays and exits the greater anonymity of it's users. With 80% of the usual Tor servers flagged as out-of-service for 5 hours, this would mean all the normal Tor network traffic would be forced to travel through just 20% of the available servers.  In other words, if an imaginary adversary controlled 4 Tor servers, then instead of having access to just 0.2% of the total Tor network traffic (4 of 2,000), they could have access to 10% of the total Tor network traffic (4 of 400), as long as their 4 were part of the ones that remained in service.

How could all these servers have been flagged as out of service?  Was it an accidental anomaly in the Tor software?  Was someone maliciously manipulating the Tor "running" status flag for this time period, hoping that no one would notice?

We have no answers at this time, although we are convinced that this anomaly was not simply a problem with our own software which monitors the composition and state of the Tor network.  In response to this, we have started development of an alert system to be added to our pickaproxy.com service, so that when (if?) these conditions come up again, our users will be told, so they can make their own choices as to whether to continue using our service (and the Tor network in general) or disconnect until we issue a "Code Green" when more normal conditions return ...

There are 5 very fast proxy servers operated by Performance Systems Inc. (PSI) in Washington, DC that scare me.

They are all exit nodes on the Tor network, providing proxy support for DNS (port 53), POP3 email (port 110), IMAP email (port 143), MSN Messenger (port 1863), ICQ (port 5190), Jabber and/or Google Talk and/or possibly a Tor Hidden Service (port 5222), MMCC (port 5050), Virtual Places (port 1533), and IRC (ports 6660-6667).  One of the 5 also provides proxy support for telnet (port 23).  None of them provide proxy support for http (port 80) or https (port 443), but there is a good chance if you are using the Tor network your traffic will run through 1 of these servers as a relay or guard/entry node.

None of them have any records in the DNS domain name system that I can find, they all have IP Addresses starting with 149.9.0, these are the only  proxy servers on the Tor network operated by PSI, and they all seem to be configured identically, even to the point of using the same out-of-date version of the Tor software.

I would say it is likely they are operated by, or on behalf of, some branch of the US government.

As a result, in order to limit your exposure to the potential of your internet activity being monitored by or through these servers, we have now configured our pickaproxy.com tryout services to always exclude these 5 proxy servers.  This will slow down our proxy service to some degree, but we consider the trade-off to be worth it.  Eventually we will allow our users to decide for themselves if they want to exclude these or any other proxy servers.

Comments are certainly welcome ...

A few items to report today:

(1) The Tor Project announced a fix this morning to a major security vulnerability in Debian's OpenSSL packages. We have now upgraded all the Tor software on our pickaproxy.com servers so you do not have to do anything yourself.

(2) When I first checked the number of Tor proxy servers running the new version this morning I found only 3 of them.  (You can check this yourself anytime by going to http://www.pickaproxy.com/?speak=tor. Look for the "Recommended Version Summary" drop-down list on the left.) After upgrading our own servers I see there are now 8 running the new version as of 13:10 pm EDT, leaving about 160 others needing to be upgraded.  This is pretty cool information to have at your fingertips, eh?

(3) The stunnel settings for the non-China proxies are "accept = 8100" and "connect = nonCN.pickaproxy.com:17231". Your proxy settings would be "localhost port 8100" as it would be for any stunnel users, to indicate stunnel was running on your computer in the background waiting for connections to port 8100 from your browser or whatever other program you may be using. (Yes, you could configure your stunnel to run on a different port than 8100 - it is your choice. Check our May 1 blog for more details on stunnel.)

(4) The stunnel settings for the non-Germany proxies are "accept = 8100" and "connect = nonDE.pickaproxy.com:17233".

(5) The stunnel settings for the non-US proxies are "accept = 8100" and "connect = nonUS.pickaproxy.com:17225"

(6) I see that lots of people have been using our pickaproxy.com geospoofing service over the past 25 days since we launched it on a tryout basis. There have been over 15,000 different web sites accessed through it so far. We are still working on improving it, providing more control and more information to our users, and figuring out how best to define and distinguish our free services from subscription services. We are also currently working on a way to let iPhone and iPod Touch users connect to us, we are working on having proxy auto-configuration PAC files for you to simplify changing your proxy settings, and we are designing an Internet Explorer and Firefox toolbar/addon to let you easily control and monitor your pickaproxy.com settings.