>We do not choose more than one router in a given network range, which defaults to /16 for IPv4 and /32 for IPv6. (C Tor overrides this with EnforceDistinctSubnets; Arti overrides this with ipv[46]_subnet_family_prefix.)
2) There is currently no exit-node hosted at Hetzner. Check the Tor atlas
1) Hetzner has more than one /16. Probably not in the same rack though. Might be adjacent rows. Organizations which have their own IP ranges can use them at Hetzner, too.
2) Exit circuits are not the only type of circuit.
>Organizations which have their own IP ranges can use them at Hetzner, too.
If you own the nodes you can just log the encrypted traffic with metadata like user IP (if it's an entry-node, which requires a Guard-flag), source and destination Tor-node and timestamp to send it to a centralized logging server. No need to host them in the same rack.
The problem of three nodes being in one rack is traffic analysis of an external attacker, who doesn't own the nodes.
If someone already owns the nodes it doesn't matter where they host them. Using your own IP range for an attack would just be more complicated, less effective than just buying nodes worldwide and is an OPSEC risk.
So the only reason to run tor nodes on your own IP range on Hetzner servers is if you work together with an organization which has access to ISP and datacenter traffic and probably work together with the datacenter owner to attack Tor users through a correlation attack.
>Exit circuits are not the only type of circuit.
Connections to onion services are sent over 6 nodes, not 3. You talked about 3 nodes, so I assumed you talk about the typical Guard or Bridge Node -> Mid-Node -> Exit-Node circuit. The only reason to have fewer nodes are single-hop onion services. They are an edge-case.
Technological advances in the military sector are always very interesting and research into them is to be welcomed.
From ARPANet to GPS, we have benefited greatly from this and despite the moral concerns of some, AI-controlled drone swarms and fully automated target acquisition are also very interesting and important developments that future armies will need for their defense.
Thorn and all its supporters should be branded for what they are: Enemies of the free world. Enemies of democracy and fighters for oppression and dystopian police states.
If you look at the developments in Hungary and Poland (or the polls in Austria), any form of surveillance will be just used as another vehicle to keep autocrats and would-be dictators in power.
I doubt that the election in Poland in 2023 would have turned out like this if the PiS had seamless protocols of the opposition's communication.
It's hard to believe that there are such stupid people, but all right. However, it's shocking that you only get 18 months in jail for attempted murder, while people in the past got over 5 years in jail for trivial crimes like copyright infringement.
> It's hard to believe that there are such stupid people, but all right
I assume that if someone is at the point where they're willing to murder someone else, they're in an emotional place that excludes rational thought. In cases like this, it may not be that these people are stupid as much as they are blinded by anger/pain/whatever.
> However, it's shocking that you only get 18 months in jail for attempted murder, while people in the past got over 5 years in jail for trivial crimes like copyright infringement
There are crimes, and there are crimes. Hypothetical profits are more valuable than human life.
C++ is memory-unsafe and a Google search will not always return the latest and safest features, but raw pointers and C-like code. As a beginner, you often don't realize this.
Rust makes it a little more difficult for you with "unsafe" blocks and explicitly points this out to you.
>Evading in-person meetings or requests for drug tests.
I am surprised about the request for drug tests. Is this common in the US?
Except for high-security jobs, which are never possible remotely anyway, I have never heard of a client or employer asking for a drug test. If I got a request for a drug test, I would quit immediately. Even if I am sure it is negative, my private life is my business. Any attempt to control my private life I see as a personal attack.
In the US it’s fairly common policy to have when the employee could present a liability issue, such as driving a company provided vehicle, or operating heavy/dangerous equipment. Drug tests are a “cover our ass” measure and also make getting rid of “that fucking guy” easier.
In practice it varies heavily on how it’s implemented, generally a company isn’t really keen to spend the money and time on that shit until after they’ve been burned by incidents.
- Could be once on hiring, then only if you really fuck up. This is what my company does.
- Could be “random” testing that just so happens to “randomly” catch the obvious fuckwit who walked in after driving to work while probably blitzed and now wants to hop in a sprayer.
- Could be genuinely random testing.
I work in Agriculture, and my company provides me a work pickup truck (funny enough, my ATV in the back is my actual “work” vehicle if you consider time spent driving) along with fuel, which I can make reasonable personal use of. The tradeoff is they demand the ability to get notified of tickets/points added on my license, and if I start repeatedly getting speeding tickets and ignore the “hey, stop that shit” talk they give me, they’ll ultimately rescind the free vehicle they’ve provided me. Getting a DUI would very likely result in immediate termination. Which I consider fair enough.
If I worked a desk job and don’t have a situation where altered states of mind would present a massive danger to myself, others, and company equipment, then yeah drug tests can fuck right off.
>also make getting rid of “that fucking guy” easier.
Very much so. An ex-coworker worked for a cardboard factory, attempted to unionize the workforce by providing lunches to workers during talk shops. He was taking liquid cannabis, had a doctor's permission, script to get his medical card, only dosed enough for his ailment, and HR was aware.
Management had him take a urine analysis, supposedly workforce wide, of course failed due to the cannabis use, fired him the same day.
Never missed a day he scheduled, good guy.
Working for the city we do routine tests, especially CDL drivers, but from what I understand, they don't look for positive tests for cannabis, so I'm unsure if we're seeing a shift due to the legalization across nearly half the US, or they're specifically looking for opioids.
That's a good source, however the issue that I see is that they already knew about it and kept him on.
You can't say it's okay to use marijuana and then later say, I had no idea he would test positive for marijuana. They should have reasonably known that he would test positive for marijuana.
Maybe it's not a medical discrimination case, but it's definitely a case.
It's a National Labor Relations Act case. Employees have the right to talk about unionization with their coworkers.
The employer constructed the other evidence as an excuse (which is what basically any employer knowledgeable of the law does), but the previous approval would undermine the validity of that evidence.
My first “real” job demanded a background check where they could “interview my neighbors to get a sense of my character” and other egregious things. I tried many times to get in touch with the background check provider’s (backcheck in Canada) privacy team, never ever got to a human or anyone to return my voicemails.
The employer was completely incredulous I would refuse to submit to the background check and thought I had stuff to hide. I was laid off in short order. I don't regret anything, this was invasive and unnecessary. I’ve never had to do a background check again beyond providing an extract of my police file that says I have no convictions.
What kind of job was this for? Because interviewing neighbours is something that sounds like part of a top secret clearance, not a private company background check.
They probably don’t do it but it was in the paperwork I had to sign to authorize the background check and it felt way too intrusive for just a regular job, which is why I always refused to sign it.
> Except for high-security jobs, which are never possible remotely anyway, I have never heard of a client or employer asking for a drug test.
Some companies have contracts with the Federal Government and even if you won't be working on those projects or won't have to get the security clearance, there are certain clauses in the contracts which require the company to not have employees drink at work, to drug test employees and other stuff like that.
I once was asked to do a drug test as the offer was contingent on the drug test to clear because of this kind of contract. I rejected the offer for other reasons, but the recruiter told me we can schedule the drug test weeks in advance, to make sure 'everything is out of your system, just in case'. It was a urine test, and I got the feeling that the company was trying to make sure the test was going to clear regardless of my lifestyle outside of work, no questions asked.
Also, the recruiter told me it was a one-time thing for me and other 'general purpose' employees, but persons directly involved in the whole security clearance government stuff were subject to random testing.
I heard a (likely apocryphal) story that selling govcloud service would require drug testing for employees that had any access at all to those systems. The story goes that the engineering leader laughed their sales counterpart making the proposal out of the room because they expected to lose approximately a third of their employee base to such nonsense. This was before marijuana legalization became so widespread, I assume some kind of reality has taken hold now such that the requirements are achievable by a tech population that, anecdotally, smokes a lot of weed off hours.
weed is still illegal under federal law, so it's a no-no if you're doing federal work. state-level is a different story.
in most cases no one cares if you did it last year, but you gotta be clean while on the gub'mnt / contractor payroll.
unofficially after the drug test i don't think anyone asks too many questions. just make sure you don't have to lie on the background check cuz I've seen people upgrade from a Secret to higher, and the higher clearance investigations went deeper and found stuff. RIP job in that case.
but seriously tho, knew a dude who did GIS work for the DIA and he was ripping a bong the second he got home. he eventually got really into the cult-y motivational speaker world, not sure where he is now, but was making fat stacks while blazing for a while
When I started each of my last 2 jobs, I had to take a drug test. They are both US Fortune 500 companies. They are just normal computer operations type jobs.
The previous company won their case in Colorado Supreme Court to fire someone using medical marijuana even while off-duty.[0]
Additionally, even though we passed a law (constitutional amendment) allowing recreational use in Colorado, employers are still allowed to test and fire you for it.
Intel had me do a drug test just for an internship that I was almost going to take in 1996 or 97. I'm not sure if they still do that, I haven't had a drug test since getting my Chinese work visa (which required a drug and AIDS test).
Disease control is one of the primary tasks of customs and immigrations agencies around the world. This authority was exercised quite prominently in 2020. But it is also exercised pretty mundanely on a daily basis in regards to the transport of agriculture that carries diseases of agricultural concern... much to the frustration of travelers with foreign snacks.
From the US Government USCIS Form I-693 Instructions:
The civil surgeon is required to perform specific tests for tuberculosis, syphilis, and gonorrhea. The medical examination also requires the civil surgeon to evaluate for other sexually transmitted diseases and Hansen’s disease (leprosy).
Furthermore it suggests that physical and mental disorders may be grounds for disqualification. Finally, drug addiction and substance abuse generally must be disclosed.
you want to know of any potential carriers and be able to trace potential vectors. plus if you offer socialized medicine you want to know that in order to adjust things like supplies of drugs and coverage for foreign travelers.
Canadian immigration wanted my full medical history for Permanent Resident status, and there was a medical check, blood work, and a chest xray for TB. I was in the US military with injuries from that, and they asked for all of the paperwork.
Intel used to come up regularly in discussions as requiring drug tests of all engineer new hires - and people either not bothering to apply based on that or trying to never show up for the test. Good to hear hints that this changed.
fwiw: That was in Oregon where pot was legal. I wouldn't be surprised if it's somewhat more strict in say, Arizona. Also, I knew that fab folks, both blue and green badge (people wearing bunny suits) were drug tested.
High security jobs. Jobs in finance. Anything involving driving or operating machinery. Maybe customer-facing jobs. Basically anywhere where, if you're stoned, you could cause damage to the company.
> Basically anywhere where, if you're stoned, you could cause damage to the company.
Does the C-suite also get regular, supervised piss-in-a-cup tests, or do they actually not have as much impact on the success of the firm as they claim to?
Depending on the legal environment, maybe. But it's not as if c-suite positions have zero job screening. They have a different screening process which includes other things that lower level positions don't have to do.
Companies have weird requests sometimes. A good decade ago or more, I was asked to sign a disclosure that I was not a member of a certain faith (that has/had anti-tech sentiment at the time). That would definitely not happen these days.
I'm super curious, what was this faith? the only ones I can think of are the Amish and Mennonites, but neither of those are going to take tech jobs in the first place.
My company drug tests everyone they hire, regardless of the position. They say it's for a discount on employment insurance, but I have not verified that. They only test once, on the start date. They'll only ever test again if you fuck up on the job and hurt someone, or yourself.
As part of the vetting procedure, my government job (not dealing with highly classified material) asked my former employers if they knew any of my sexual fetishes.
People often talk. Jim used to date Jenny in Accounting, and he said she's really, like REALLY, into S/M, etc.
Plus you'd be surprised (or maybe not) as to the number of DNS queries we get from employee workstations that are to questionable websites. I couldn't tell you all of my coworkers that are gay, but I can tell you a few that are hitting gay porn websites from their work laptop.
I interviewed for a random postdoc in the USA and then they offered and they asked for drug test and I told them no I have body autonomy and you don't get to decide what I do with my body when I'm not at work. And from the mysterious aether a directive came suddenly that it wasn't required only recommended that I take a drug test.
Lenovo's repairability of their products has unfortunately dropped a lot and I hope they take it seriously and get back to the quality they used to have.
I own several ThinkPads from the last 10 years. The older models were all very easy to repair.
I definitely won't be buying the new models anymore. I can live with the fact that socketed CPUs have been replaced with soldered ones due to aesthetics (thinner laptops), but soldered RAM is where my pain threshold is reached.
I still believe that quality products must be repairable. I consider everything else to be cheap, throwaway products. No matter how much money "premium brands" charge for their junk with glued battery, glued SSD and fixed RAM in recycled aluminium packaging.
I agree with you. Web design doesn't seem to be the strength of the Whonix team... and got worse over time.
Basically, you download a Virtualbox image, import it and then have a hardened Debian VM with Xfce UI & some privacy-friendly apps like Tor browser & a crypto wallet. The internet is slow (because of Tor) & tcp-only, but sufficient for most things. Virtualbox guest extensions are included and most things work out-of-the-box.
Tails is great. I have been using it for several years now.
Other related projects are whonix ( https://www.whonix.org ), which consists of two virtual machines:
A workstation to work on and a gateway, which torifies all traffic from the workstation VM.
Whonix is also integrated in Qubes OS ( https://www.qubes-os.org ), which allows you to easily work with multiple separate whonix VMs. There is also the possibility to tunnel all internet traffic of your machine through Tor including system upgrades of the host OS itself.
Whonix/Qubes integration is excellent, and it's certainly a nice perk of Qubes.
To clarify the benefits of the "two VM" approach:
Most of the unmasking exploits against Tor users (as distinguished from unmasking Tor hidden services) involve getting a browser to ignore the proxy settings, somehow. I believe WebRTC, Flash, and various other things have been used to cause the browser to beacon out to some endpoint - you exploit the kitty picture site, and put in code to exploit the browser, which then makes a direct request to http://someip/unique_identifier - and, boom, you've got the user's IP, probable cause, the works.
This happens because a "typical" Tor install is the daemon running locally, but nothing prevents other binaries from making a direct connection out. You set the browser to use socks5://localhost:9050 or something as the proxy, but if you can either get some part of it to misbehave, or just spawn off a different process, it doesn't obey the proxy settings and goes straight out.
Whonix solves this problem by splitting the system into the workstation VM (what you interact with) and the gateway VM (that connects to Tor and "torifies" traffic). The only network port on the workstation VM is connected to the input port on the gateway VM - and everything coming in that port is routed through Tor, via the other (internet connected) port.
So, if you manage to exploit the workstation VM, the attacker still doesn't gain an IP - because they launch a shell that runs 'wget http://someip/unique_id', but that goes out through the gateway VM, and gets encapsulated into Tor before going out, so it still pops out some Tor exit node, not your home IP address.
It raises the bar rather substantially for using Tor, and avoids a lot of the various ways to get Tor to leak. Also, they ship a copy of the Tor Browser in Whonix, which disables a lot of high risk functionality and allows you to very easily disable automatic media parsing and Javascript and such.
Qubes is awesome, and the integrated Whonix stuff is just a beautiful integration.
> The steps below outline how to make all PVH DispVM's permanently fully ephemeral. All data written to the disk will be encrypted with an ephemeral encryption key only stored in RAM. The encryption and encryption key generation is handled by dom0 and is thus inaccessible to the VM.
There have been several attacks against Brian Krebs in the past. From sending heroin* to his house, to adding his name to malware ("malware created by Brian Krebs"). This is because he always posts pictures and full names of criminals and is also why I have no sympathy for Brian Krebs, as I dislike online pillories and the rehabilitation of criminals is made massively more difficult this way. Nevertheless, attacks against him are of course to be condemned.
The criminals he exposes are absolute scum, I doubt their attacks against him would be much less severe had he only exposed their operations and not their identity. They have no qualms swatting people who are completely innocent, if Krebs pulled punches with them I highly doubt they'd reciprocate.
I'm all for rehabilitation, but let's not kid ourselves. These Russian cybercriminals who have been in business for over a decade aren't going to just turn around and suddenly become productive members of global society.
1) you didn't read path selection constraints: https://spec.torproject.org/path-spec/path-selection-constra...
>We do not choose more than one router in a given network range, which defaults to /16 for IPv4 and /32 for IPv6. (C Tor overrides this with EnforceDistinctSubnets; Arti overrides this with ipv[46]_subnet_family_prefix.)
2) There is currently no exit-node hosted at Hetzner. Check the Tor atlas
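The subnet constraint quoted above, as an added example that is not part of the original comment and is not Tor's own code: it compares relay addresses by enclosing network range using the quoted defaults (/16 for IPv4, /32 for IPv6). The relay names, the addresses, and the in-order `pick_path` helper are constructed assumptions; real path selection is randomized and applies further constraints.

```python
import ipaddress
from itertools import combinations

# Defaults quoted from the path-selection constraints: /16 for IPv4, /32 for IPv6.
DEFAULT_PREFIX = {4: 16, 6: 32}

# Constructed sample relays (hypothetical names, private/documentation addresses).
RELAYS = [
    ("guardA", ["10.1.2.3", "2001:db8:1::1"]),
    ("midB",   ["10.1.200.9"]),                    # same IPv4 /16 as guardA
    ("midC",   ["10.2.0.1", "2001:db8:ffff::2"]),  # other /16, same IPv6 /32 as guardA
    ("midD",   ["10.2.9.9"]),                      # same /16 as midC only
    ("exitE",  ["10.3.0.7"]),
]


def subnet_key(addr, prefixes=DEFAULT_PREFIX):
    """Return the enclosing network an address is compared by."""
    ip = ipaddress.ip_address(addr)
    # strict=False masks off the host bits instead of raising ValueError.
    return ipaddress.ip_network(f"{ip}/{prefixes[ip.version]}", strict=False)


def subnet_conflicts(path, prefixes=DEFAULT_PREFIX):
    """Return the pairs of relay names in `path` that share a network range.

    A relay may list both an IPv4 and an IPv6 address; sharing either
    range counts as a conflict.
    """
    conflicts = []
    for (name_a, addrs_a), (name_b, addrs_b) in combinations(path, 2):
        keys_a = {subnet_key(a, prefixes) for a in addrs_a}
        keys_b = {subnet_key(b, prefixes) for b in addrs_b}
        if keys_a & keys_b:
            conflicts.append((name_a, name_b))
    return conflicts


def pick_path(candidates, length=3, prefixes=DEFAULT_PREFIX):
    """Simplified selection: take candidates in order, skipping any relay
    that shares a network range with one already chosen."""
    path = []
    for relay in candidates:
        if not subnet_conflicts(path + [relay], prefixes):
            path.append(relay)
        if len(path) == length:
            return path
    return None  # not enough relays in distinct ranges


if __name__ == "__main__":
    print(subnet_conflicts(RELAYS[:3]))
    print([name for name, _ in pick_path(RELAYS)])
```

The check only looks at address prefixes, so relays in different /16 ranges pass it regardless of where they are physically hosted.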