Insanely News

Diffusione di informazioni obiettive e costruttive.

Insanely News

Categoria: Old InsanelyOnionSite

mesothelioma claims

Mesothelioma claims – information e legal issues

(InsanelyNews) Litigation related to asbestos injuries and property damages has been claimed to be the longest-running mass tort in U.S. history.

Since asbestos-related disease has been identified by the medical profession in the late 1920s, workers’ compensation cases were filed and resolved in secrecy, with a flood of litigation starting in the United States in the 1970s, and culminating in the 1980s and 1990s. A massive multi-district litigation (MDL) complex filing has remained pending in the Eastern District of Pennsylvania for over 20 years. As many of the scarring-related injury cases have been resolved, asbestos litigation continues to be hard-fought among the litigants, mainly in individually brought cases for terminal cases of asbestosis, mesothelioma, and other cancers.


Legal Issues and mesothelioma claims

Some people who were exposed to asbestos have collected damages for an asbestos-related disease, including mesothelioma. Compensation via asbestos funds or class action lawsuits is an important issue in law practices regarding mesothelioma.

The first lawsuits against asbestos manufacturers were in 1929. Since then, many lawsuits have been filed against asbestos manufacturers and employers, for neglecting to implement safety measures after the links between asbestos, asbestosis, and mesothelioma became known (some reports seem to place this as early as 1898). The liability resulting from the sheer number of lawsuits and people affected has reached billions of dollars.The amounts and method of allocating compensation have been the source of many court cases, reaching up to the United States Supreme Court, and government attempts at resolution of existing and future cases. However, to date, the US Congress has not stepped in and there are no federal laws governing asbestos compensation.In 2013, the “Furthering Asbestos Claim Transparency (FACT) Act of 2013” passed the US House of representatives and was sent to the US Senate, where it was referred to the Senate Judiciary Committee.As the Senate did not vote on it before the end of the 113th Congress, it died in committee. It was revived in the 114th Congress, where it has not yet been brought before the House for a vote.


Filing Asbestos-Related Mesothelioma Claims

Asbestos is a dangerous substance that has been linked to a number of often deadly diseases including, but not limited to, mesothelioma and asbestosis. As a result, mesothelioma claims generally rely on several key pieces of information:

  • How you were exposed to asbestos
  • How long the exposure occurred
  • How the exposure has affected your health, quality of life, and ability to work

Given the length of time that it takes for mesothelioma to develop, establishing all of the pertinent facts surrounding your exposure can be challenging. Perhaps you worked in multiple places where you handled or were exposed to asbestos. You may have been exposed to it second hand, such as through dust on a family member’s clothing or via asbestos-filled products and materials in your home.

Even if you don’t know exactly how you were exposed to asbestos, when diagnosed with mesothelioma, it’s important to consult with experienced mesothelioma lawyers about your possibility of filing a claim. Knowledgeable attorneys will ask questions about your work history, previous residences, and other details that can help you identify potential claims.

Mesothelioma Claim Deadlines

How long you have to file a mesothelioma claim can vary depending on where you live and the type of claim you are filing.

Each state has its own laws, called statutes of limitations, that determine the time period within which a claim must be filed. Depending on the state, you may have as little as one year or as long as six years during which your asbestos claim can be filed.

The claim filing timeframe can also depend on which type of claim you are making (see below for a description of the different claim types). In some states, you have less time to file a wrongful death claim (filed by family members after a mesothelioma victim dies) than to file a personal injury claim (filed by a mesothelioma victim after diagnosis).

The following table provides the time limitations as defined by each state’s personal injury and wrongful death statutes. In each state, lawsuits must be filed before the limit has expired.

State Statute Of Limitations Wrongful Death Statute
Alabama 2 Years from Diagnosis 2 Years from Death
Alaska 2 Years from Diagnosis 2 Years from Death
Arizona 2 Years from Diagnosis 2 Years from Death
Arkansas 3 Years from Diagnosis 3 Years from Death
California 1 Year from Diagnosis 1 Year from Death
Colorado 2 Years from Diagnosis 2 Years from Death
Connecticut 3 Years from Diagnosis 3 Years from Death
Delaware 2 Years from Diagnosis 2 Years from Death
Florida 4 Years from Diagnosis 2 Years from Death
Georgia 2 Years from Diagnosis 2 Years from Death
Hawaii 2 Years from Diagnosis 2 Years from Death
Idaho 2 Years from Diagnosis 2 Years from Death
Illinois 2 Years from Diagnosis 2 Years from Death
Indiana 2 Years from Diagnosis 2 Years from Death
Iowa 2 Years from Diagnosis 2 Years from Death
Kansas 2 Years from Diagnosis 2 Years from Death
Kentucky 1 Year from Diagnosis 1 Year from Death
Louisiana 1 Year from Diagnosis 1 Year from Death
Maine 6 Years from Diagnosis 2 Years from Death
Maryland 3 Years from Diagnosis 3 Years from Death
Massachusetts 3 Years from Diagnosis 3 Years from Death
Michigan 3 Years from Diagnosis 3 Years from Death
Minnesota 4 Years from Diagnosis 3 Years from Death
Mississippi 3 Years from Diagnosis 3 Years from Death
Missouri 5 Years from Diagnosis 3 Years from Death
Montana 3 Years from Diagnosis 3 Years from Death
Nebraska 4 Years from Diagnosis 2 Years from Death
Nevada 2 Years from Diagnosis 2 Years from Death
New Hampshire 3 Years from Diagnosis 3 Years from Death
New Jersey 2 Years from Diagnosis 2 Years from Death
New Mexico 3 Years from Diagnosis 3 Years from Death
New York 3 Years from Diagnosis 2 Years from Death
North Carolina 3 Years from Diagnosis 2 Years from Death
North Dakota 6 Years from Diagnosis 2 Years from Death
Ohio 2 Years from Diagnosis 2 Years from Death
Oklahoma 2 Years from Diagnosis 2 Years from Death
Oregon 3 Years from Diagnosis 3 Years from Death
Pennsylvania 2 Years from Diagnosis 2 Years from Death
Rhode Island 3 Years from Diagnosis 3 Years from Death
South Carolina 3 Years from Diagnosis 3 Years from Death
South Dakota 3 Years from Diagnosis 3 Years from Death
Tennessee 1 Year from Diagnosis 1 Year from Death
Texas 2 Years from Diagnosis 2 Years from Death
Utah 3 Years from Diagnosis 2 Years from Death
Vermont 3 Years from Diagnosis 2 Years from Death
Virginia 2 Years from Diagnosis 2 Years from Death
Washington 3 Years from Diagnosis 3 Years from Death
Washington, D.C. 3 Years from Diagnosis 1 Year from Death
West Virginia 2 Years from Diagnosis 2 Years from Death
Wisconsin 3 Years from Diagnosis 3 Years from Death
Wyoming 4 Years from Diagnosis 2 Years from Death

Types of Mesothelioma Claims

There are two types of claims that mesothelioma victims or their families can file. Which type of claim is filed depends on whether the person diagnosed with mesothelioma is still alive, or whether they have passed away.

Personal Injury Claims

A personal injury claim can be filed by someone who has recently been diagnosed with mesothelioma. With personal injury claims, the person directly affected by the disease is claiming that he/she should be compensated for things such as:

  • Medical expenses incurred during diagnosis and treatment, including future treatment
  • Lost wages or other income, including expected future income
  • Pain and suffering experienced because of an asbestos-related disease

Individuals diagnosed with mesothelioma can usually file personal injury claims in any state where he/she resided, worked, or served in the military.

Wrongful Death Mesothelioma  Claims

A wrongful death claim is filed by the mesothelioma victim’s family after their loved one has passed away. In this case, the family members sue to receive compensation related to the loss of their beloved. This can include:

  • Loss of expected income due to the untimely death
  • Medical costs incurred during treatment administered before the deceased’s passing
  • Funeral expenses

The specific claims available to family members may vary from state to state. Discuss your claim options with a qualified attorney.



Chemotherapy Treatment

Health: Chemotherapy Treatment, stop the multiplication of cancer cells

(InsanelyNews) Chemotherapy Treatment

Literally meaning “chemical therapy,” the term “ chemotherapy treatment ” refers to the treatment of any disease with some sort of drug or “chemical.” However, it is better known specifically as a way to treat cancer. It is often recommended for the treatment of mesothelioma, either by itself, before or after surgery, or along with radiation therapy. The use of multiple types of therapy is known as multimodal treatment.

Simply put, chemotherapy works to stop the multiplication of cancer cells by killing them. Cancer cells, unlike healthy cells, grow out of control and develop into tumors that impair organ function. The chemotherapy drugs are all designed to stop this rampant growth.

For pleural mesothelioma patients, some chemotherapy drugs work better than others, and there are more than 100 such drugs currently on the market. Chemotherapy does not offer a cure for mesothelioma patients, but it can buy time. Scientists continue to invent new treatments to combine with chemotherapy that are increasing the life span of those with pleural mesothelioma.

Chemotherapy can cause serious side effects, but it can extend survival for many people with pleural mesothelioma. It can be frightening to consider chemotherapy treatment. Thankfully, modern medicines and therapies are helping patients manage symptoms better than in the past.

Process of Chemotherapy

Chemotherapy may be suggested as the primary treatment for some pleural mesothelioma patients, especially those who are not candidates for surgery. For those who are able to undergo surgery, it may be used beforehand to shrink tumors as much as possible or afterward to kill any remaining cancer cells. The stage of the disease and the patient’s overall health will help determine how chemotherapy is used.

Patients will learn all about how their chemotherapy treatment will go at an initial consultation visit with the cancer doctor, also known as an oncologist. The oncologist will review the patient’s medical history, all cancer-related tests and perform a physical exam. The doctor will also discuss how chemotherapy will be administered and how to respond to side effects. The consent form will be explained and patients will schedule their first chemotherapy appointment.

Chemotherapy is given in hospitals, cancer centers and chemotherapy centers. Chemotherapy medicine may be delivered intravenously (through a vein) or in pill form, and doctors will determine which is right for you. Administering chemotherapy in these forms represents “systemic” chemotherapy, which means the medicine travels throughout the body in search of cancer cells that it can destroy. The biggest concern with systemic chemotherapy is that it also kills healthy cells, resulting in a range of side effects.

Intravenous is the most common form of chemotherapy administration for pleural mesothelioma. It is given in cycles of once every several weeks followed by a break. The exact schedule of administration and how long the drug is given during chemotherapy sessions will vary for each patient depending upon their health and treatment plan.

Before chemotherapy is given the patient’s vitals are taken, weight and height are recorded to ensure the proper amount of chemotherapy is used, and blood samples may be collected to document red and white blood cell counts. Medicine to prevent nausea and fluids may be given. After the drug is administered for several minutes or hours and the IV is taken out, the patient’s vitals are taken again and a nurse or doctor will review how to deal with side effects. Anti-nausea and other medications for side effects may be prescribed.

Patients may feel fatigued after chemotherapy and should plan on resting after receiving treatment. Dehydration and constipation are counteracted by water, so drink plenty of fluids after chemotherapy. Avoid crowds and sick people because the immune system will be compromised. If any severe side effects develop, contact your oncologist immediately.

To reduce the toxic effects of chemotherapy and to better target specific tumors, doctors have developed new ways to deliver chemotherapy medicines. Pleural mesothelioma patients, for example, may be candidates for intrapleural chemotherapy, which injects the chemotherapeutic drug directly into the pleura at the site of the tumor. This localized approach spares the rest of the body from chemotherapy, but doesn’t allow the drug to reach any cancerous cells that may have spread outside of the pleura. Spreading cells can go on to develop tumors elsewhere, hence the benefit of systemic chemotherapy.


growth hacking

Could growth hacking be the low-cost key to business success?

(InsanelyNews) Growth hacking could be perceived as the realm of high-flying startups, but for cash-strapped small businesses, growing fast at a low cost should be a no-brainer.


Put simply, growth hacking uses innovative strategies to attract the maximum number of customers, while spending as little as possible. The concept was coined by Silicon Valley entrepreneur Sean Ellis in 2010. Ellis later went on to found GrowthHackers, a community of 200,000 members.

Hackers push the boundaries and experiment extensively in the search of an approach that yields the best results. For smaller businesses, the main focus is on marketing tools, such as search engine optimisation (SEO), social media and email marketing, but for giants like Facebook, Airbnb, Uber and Dropbox, the approach can touch every area of the business.

David Arnoux, co-founder at growth hacking training business Growth Tribe, says a left-field marketing approach can help small businesses achieve success against larger firms: “It is not a [set] bag of tricks. What you need is a philosophy and a process of rapid experimentation … When you are a very small company with limited resources – a David versus Goliath – you have to use unconventional methods or tactics to meet your needs.”

Growth Tribe launched its growth hacking academy in September 2015 and has since worked with more than 1,700 people. There are 100-150 attendees a month, made up of young professionals, corporate clients, and adult professionals who take the two-day or six-week crash course in growth hacking.

On the rising appeal of the approach Arnoux adds: “For sure there are more and more companies who are now becoming successful with rapid experimentation and with agile marketing. There are more and more examples of companies who run dozens of experiments per week. The difficulty for most companies is [to embrace] the growth mindset way of working and unlearn bad habits.”

Dutch online auction house Catawiki, was named top of Deloitte’s list of EMEA’s fastest growing companies in 2015. The company achieved 45,080% growth in revenue in the previous four years and attracts 14 million users a month. Chief marketing officer Harmen Visscher says the site has 35,000 lots each week and has grown from a team of 80 people in 2015, to more than 500.

For Catawiki, listening to their customers has been key to their success. The company has prioritised A/B testing across its payment options, email marketing and the product itself since they launched. This involves offering one version of your website, email or advertising to half of your audience and a different version to the other half to see which delivers better returns. You can then commit resources to the most effective.

“The growth hacking mentality should be in the DNA of each company,” adds Visscher. “It is essential for growth for everyone, even when it is not a startup.”

A cost effective approach

The possibilities for growth hacking are endless and largely cost effective (or even free). Before it was worth billions, Facebook made use of hacking tactics when it first launched as a platform for students in 2004. Some universities in the US already had their own social networks and were reluctant to embrace the new kid on the block. So Mark Zuckerberg and his co-founders targeted other universities in the immediate vicinity, putting pressure on the students using only their local networks to join Facebook’s universal platform. Similarly, Hotmail used its existing customers to drum up demand in the early days, by adding a line at the end of every email promoting its free service. This was at a time when the public still had to pay for email services.

For today’s small business owner, Growth Tribe recommends trying tools such as Clearbit, which builds profiles on website visitors; Hotjar, which tracks where customers are clicking on a page;, a web scraper that can be used to find sales leads; and Ghostery, which identifies what analytics tools are running on a website. Growth Tribe uses Rebrandly to target past talk attendees with ads in the weeks that follow.

Consultant Shadi Paterson, who teaches growth techniques through his company The 8760, says all that is required is some common sense.

“The benefit of growth hacking is it’s low cost, it is just time intensive,” he says . He believes building a business profile organically on Facebook and Twitter is a dated approach and entrepreneurs should look to piggyback on the influence of other people. This could be as simple as joining a chamber of commerce. “You instantly open up your network and massively increase your exposure,” he adds.

Arnoux agrees that time can be of the essence. Behind some of the biggest hacks, are 100-200 experiments, many of which have failed. The prospect of undertaking that volume of experimentation is a daunting task. But Arnoux says it helps to focus on one metric at a time.

“A little bit of growth on lots of experiments will give you better growth than one ginormous hack that is meant to solve everything,” he says. “Prioritise by [assessing] how big an impact [that metric] will have and how easy [the experiment] is to run. Whittle it down to three or four experiments and commit to testing them in a two-week period.”

Growth hacking may be one of those trendy imports from Silicon Valley, but its principles are founded in age-old business practices. “You have to find where your customers are and just talk to them, the recipe has not changed,” Paterson says. “Growth hacking is [just] another way of [doing that].”



Malware responsible for Ukraine blackout is the most dangerous tool

(InsanelyNews) A week before last Christmas on December 17, hackers with suspected ties to Russia took down the electric transmission station north of Kiev city, blacking out a portion of the Ukranian capital for about an hour which was equivalent to a fifth of its total power capacity. The cyber security researchers have now found an advanced malware that may have triggered the blackout as a mere dry run.


Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack electric utility Ukrenergo seven months ago, what they say represents a dangerous advancement in critical infrastructure hacking. The researchers describe that malware, which they’ve alternately named “Industroyer” or “Crash Override,” as only the second-ever known case of malicious code purpose-built to disrupt physical systems. The first, Stuxnet, was used by the US and Israel to destroy centrifuges in an Iranian nuclear enrichment facility in 2009.


Crash Override is a completely new platform that was far more advanced than the general-purpose tools the same group used to attack Ukraine's power grid in December 2015. Instead of gaining access to the Ukrainian utilities’ networks and manually switching off power to electrical substations, as hackers did in 2015, the 2016 attack was fully automated. It was programmed to include the ability to “speak” directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off. That means Crash Override could perform blackout attacks more quickly, with far less preparation, and with far fewer humans managing it, says Dragos’ Rob Lee.


This discovery is prompting concerns that the attack tools can be used against a broad range of electric grids around the world to sabotage operations including America. The malware is designed to take advantage of the world’s outdated power grids to shut off electricity in entire cities. The malware targets circuit breakers and is able to hijack electrical systems from afar by taking advantage of communication protocols for power supply, infrastructure, transportation controls and water and gas systems used all over the world which can hit more closer to home than email and data breaches.


The researchers say this new malware can automate mass power outages and includes swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets. They argue that those features suggest Crash Override could inflict outages far more widespread and longer lasting than the Kiev blackout.


What makes Crash Override so sophisticated is its ability to use the same arcane technical protocols that individual electric grid systems rely on to communicate with one another. The malware’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware "to speak" those protocols. As such, the malware is more notable for its mastery of the industrial processes used by global grid operators than its robust code. Its fluency in the low-level grid languages allowed it to instruct Ukrainian devices to de-energize and re-energize substation lines.


As technology grows smarter and helps manage our homes, cities and businesses, it's become a prime target for both criminal and nation-state hackers. ESET security researcher Robert Lipovsky says, “If this is not a wake-up call, I don’t know what could be.”


The cyberattack-caused blackout in Kiev didn't lead to any disasters, but experts warn that it's only a preview of the future of cyber warfare.


Attacks targeting infrastructure can lead to chaos, like when engineers hacked into Los Angeles' traffic signal system and purposely created traffic jams. That makes it the biggest threat to industrial systems.



Hackintosh Peo Edition: Snow Leopard 10.6.7 – Asus P5KPL-AM EPU. old

Hackintosh My insanely guide for Snow Leopard 10.6.7 on p5kpl-am / EPU.

Guide date: 2011
Hackintosh test: it’s work again in date 10-2016 on the same hardware component


  • Asus P5KPL-AM/EPU
  • Nvidia GT 220 1024 GDDR2
  • Intel QuadCore Q9400
  • Muskin DDR2 800MHz 4GB


  1. iBoot with retail SnowOSX_Universal_10.6(432)GM-v3.5 DVD
  2. Boot system with iBoot, insert dvd and press f5
  3. When install,click customize and deselect all
  4. update with 10.6.8 combo updater (don’t reboot)
  5. after many kernel panic, i prefer replace AppleACPIPlatform and IOPCIFamily from snow leopard 10.6.7
  6. At this point i try and retry update install but at reboot result is: dsmos.kext kernel panic.

remove this kext (if you have) before reboot and after run Multibeast.

  1. System Utilities and other customized
  2. kexts: AttansicL1eEthernet, Latest VoodooHda, SleepEnabler for 10.6.8
  3. Access Icloud follow this post and it work! :)))
  4. If you have any kernel panic, try with -x -v npci=0x2000 flag, and if you have problem with graphic with quote GraphicsEnabler=Y,

and again if you have a generic problem try DSDT=No (after Multibeast 🙂 )

  • Ethernet: works
  • Audio: works
  • Video: with Nvidia Driver for 10.6.8
  • Sleep: works
Tick.png Tick.png
Tor Browser

Tor: Configuring Hidden Services, facebook and SSL with Cert

(InsanelyNews) Tor allows clients and relays to offer hidden services. That is, you can offer a web server, SSH server, etc., without revealing your IP address to its users. In fact, because you don’t use any public address, you can run a hidden service from behind your firewall.

If you have Tor installed, you can see hidden services in action by visiting this sample site.

This page describes the steps for setting up your own hidden service website. For the technical details of how the hidden service protocol works, see our hidden service protocol page.

Step Zero: Get Tor working


Before you start, you need to make sure:

  1. Tor is up and running,
  2. You actually set it up correctly.

Windows users should follow the Windows howto, OS X users should follow the OS X howto, and Linux/BSD/Unix users should follow the Unix howto.

Step One: Install a web server locally


First, you need to set up a web server locally. Setting up a web server can be complex. We’re not going to cover how to setup a web server here. If you get stuck or want to do more, find a friend who can help you. We recommend you install a new separate web server for your hidden service, since even if you already have one installed, you may be using it (or want to use it later) for a normal website.

You need to configure your web server so it doesn’t give away any information about you, your computer, or your location. Be sure to bind the web server only to localhost (if people could get to it directly, they could confirm that your computer is the one offering the hidden service). Be sure that its error messages don’t list your hostname or other hints. Consider putting the web server in a sandbox or VM to limit the damage from code vulnerabilities.

Once your web server is set up, make sure it works: open your browser and go to http://localhost:8080/, where 8080 is the webserver port you chose during setup (you can choose any port, 8080 is just an example). Then try putting a file in the main html directory, and make sure it shows up when you access the site.

Step Two: Configure your hidden service


Next, you need to configure your hidden service to point to your local web server.

First, open your torrc file in your favorite text editor. (See the torrc FAQ entry to learn what this means.) Go to the middle section and look for the line

    ############### This section is just for location-hidden services ###

This section of the file consists of groups of lines, each representing one hidden service. Right now they are all commented out (the lines start with #), so hidden services are disabled. Each group of lines consists of one HiddenServiceDir line, and one or more HiddenServicePort lines:

  • HiddenServiceDir is a directory where Tor will store information about that hidden service. In particular, Tor will create a file here named hostname which will tell you the onion URL. You don’t need to add any files to this directory. Make sure this is not the same directory as the hidserv directory you created when setting up thttpd, as your HiddenServiceDir contains secret information!
  • HiddenServicePort lets you specify a virtual port (that is, what port people accessing the hidden service will think they’re using) and an IP address and port for redirecting connections to this virtual port.

Add the following lines to your torrc:

    HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
    HiddenServicePort 80

You’re going to want to change the HiddenServiceDir line, so it points to an actual directory that is readable/writeable by the user that will be running Tor. The above line should work if you’re using the OS X Tor package. On Unix, try “/home/username/hidden_service/” and fill in your own username in place of “username”. On Windows you might pick:

    HiddenServiceDir C:\Users\username\Documents\tor\hidden_service
    HiddenServicePort 80

Now save the torrc and restart your tor.

If Tor starts up again, great. Otherwise, something is wrong. First look at your logfiles for hints. It will print some warnings or error messages. That should give you an idea what went wrong. Typically there are typos in the torrc or wrong directory permissions (See the logging FAQ entry if you don’t know how to enable or find your log file.)

When Tor starts, it will automatically create the HiddenServiceDir that you specified (if necessary), and it will create two files there.

First, Tor will generate a new public/private keypair for your hidden service. It is written into a file called “private_key”. Don’t share this key with others — if you do they will be able to impersonate your hidden service.
The other file Tor will create is called “hostname”. This contains a short summary of your public key — it will look something like duskgytldkxiuqc6.onion. This is the public name for your service, and you can tell it to people, publish it on websites, put it on business cards, etc.

If Tor runs as a different user than you, for example on OS X, Debian, or Red Hat, then you may need to become root to be able to view these files.

Now that you’ve restarted Tor, it is busy picking introduction points in the Tor network, and generating a hidden service descriptor. This is a signed list of introduction points along with the service’s full public key. It anonymously publishes this descriptor to the directory servers, and other people anonymously fetch it from the directory servers when they’re trying to access your service.

Try it now: paste the contents of the hostname file into your web browser. If it works, you’ll get the html page you set up in step one. If it doesn’t work, look in your logs for some hints, and keep playing with it until it works.

Step Three: More advanced tips


If you plan to keep your service available for a long time, you might want to make a backup copy of the private_key file somewhere.

If you want to forward multiple virtual ports for a single hidden service, just add more HiddenServicePort lines. If you want to run multiple hidden services from the same Tor client, just add another HiddenServiceDir line. All the followingHiddenServicePort lines refer to this HiddenServiceDir line, until you add another HiddenServiceDir line:

    HiddenServiceDir /usr/local/etc/tor/hidden_service/
    HiddenServicePort 80

    HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
    HiddenServicePort 6667
    HiddenServicePort 22

Hidden services operators need to practice proper operational security and system administration to maintain security. For some security suggestions please make sure you read over Riseup’s “Tor hidden services best practices” document. Also, here are some more anonymity issues you should keep in mind:

  • As mentioned above, be careful of letting your web server reveal identifying information about you, your computer, or your location. For example, readers can probably determine whether it’s thttpd or Apache, and learn something about your operating system.
  • If your computer isn’t online all the time, your hidden service won’t be either. This leaks information to an observant adversary.
  • It is generally a better idea to host hidden services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible.
  • The longer a hidden is online, the higher the risk that its location is discovered. The most prominent attacks are building a profile of the hidden service’s availability and matching induced traffic patterns.



Today Facebook unveiled its hidden service that lets users access their website more safely. Users and journalists have been asking for our response; here are some points to help you understand our thinking.


I didn’t even realize I should include this section, until I heard from a journalist today who hoped to get a quote from me about why Tor users wouldn’t ever use Facebook. Putting aside the (still very important) questions of Facebook’s privacy habits, their harmful real-name policies, and whether you should or shouldn’t tell them anything about you, the key point here is that anonymity isn’t just about hiding from your destination.

There’s no reason to let your ISP know when or whether you’re visiting Facebook. There’s no reason for Facebook’s upstream ISP, or some agency that surveils the Internet, to learn when and whether you use Facebook. And if you do choose to tell Facebook something about you, there’s still no reason to let them automatically discover what city you’re in today while you do it.

Also, we should remember that there are some places in the world that can’t reach Facebook. Long ago I talked to a Facebook security person who told me a fun story. When he first learned about Tor, he hated and feared it because it “clearly” intended to undermine their business model of learning everything about all their users. Then suddenly Iran blocked Facebook, a good chunk of the Persian Facebook population switched over to reaching Facebook via Tor, and he became a huge Tor fan because otherwise those users would have been cut off. Other countries like China followed a similar pattern after that. This switch in his mind between “Tor as a privacy tool to let users control their own data” to “Tor as a communications tool to give users freedom to choose what sites they visit” is a great example of the diversity of uses for Tor: whatever it is you think Tor is for, I guarantee there’s a person out there who uses it for something you haven’t considered.


I think it is great for Tor that Facebook has added a .onion address. There are some compelling use cases for hidden services: see for example the ones described at using Tor hidden services for good, as well as upcoming decentralized chat tools like Ricochet where every user is a hidden service, so there’s no central point to tap or lean on to retain data. But we haven’t really publicized these examples much, especially compared to the publicity that the “I have a website that the man wants to shut down” examples have gotten in recent years.

Hidden services provide a variety of useful security properties. First — and the one that most people think of — because the design uses Tor circuits, it’s hard to discover where the service is located in the world. But second, because the address of the service is the hash of its key, they are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address. A third nice feature is that the rendezvous process provides end-to-end encryption, even when the application-level traffic is unencrypted.

So I am excited that this move by Facebook will help to continue opening people’s minds about why they might want to offer a hidden service, and help other people think of further novel uses for hidden services.

Another really nice implication here is that Facebook is committing to taking its Tor users seriously. Hundreds of thousands of people have been successfully using Facebook over Tor for years, but in today’s era of services like Wikipedia choosing not to accept contributions from users who care about privacy, it is refreshing and heartening to see a large website decide that it’s ok for their users to want more safety.

As an addendum to that optimism, I would be really sad if Facebook added a hidden service, had a few problems with trolls, and decided that they should prevent Tor users from using their old address. So we should be vigilant in helping Facebook continue to allow Tor users to reach them through either address.


Their hidden service name is “facebookcorewwwi.onion”. For a hash of a public key, that sure doesn’t look random. Many people have been wondering how they brute forced the entire name.

The short answer is that for the first half of it (“facebook”), which is only 40 bits, they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted.

Then they had some keys whose name started with “facebook”, and they looked at the second half of each of them to pick out the ones with pronouncable and thus memorable syllables. The “corewwwi” one looked best to them — meaning they could come up with a story about why that’s a reasonable name for Facebook to use — so they went with it.

So to be clear, they would not be able to produce exactly this name again if they wanted to. They could produce other hashes that start with “facebook” and end with pronouncable syllables, but that’s not brute forcing all of the hidden service name (all 80 bits).

For those who want to explore the math more, read about the “birthday attack”. And for those who want to learn more (please help!) about the improvements we’d like to make for hidden services, including stronger keys and stronger names, see hidden services need some love and Tor proposal 224.


Facebook didn’t just set up a hidden service. They also got an https certificate for their hidden service, and it’s signed by Digicert so your browser will accept it. This choice has produced some feisty discussions in the CA/Browser community, which decides what kinds of names can get official certificates. That discussion is still ongoing, but here are my early thoughts on it.

In favor: we, the Internet security community, have taught people that https is necessary and http is scary. So it makes sense that users want to see the string “https” in front of them.

Against: Tor’s .onion handshake basically gives you all of that for free, so by encouraging people to pay Digicert we’re reinforcing the CA business model when maybe we should be continuing to demonstrate an alternative.

In favor: Actually https does give you a little bit more, in the case where the service (Facebook’s webserver farm) isn’t in the same location as the Tor program. Remember that there’s no requirement for the webserver and the Tor process to be on the same machine, and in a complicated set-up like Facebook’s they probably shouldn’t be. One could argue that this last mile is inside their corporate network, so who cares if it’s unencrypted, but I think the simple phrase “ssl added and removed here” will kill that argument.

Against: if one site gets a cert, it will further reinforce to users that it’s “needed”, and then the users will start asking other sites why they don’t have one. I worry about starting a trend where you need to pay Digicert money to have a hidden service or your users think it’s sketchy — especially since hidden services that value their anonymity could have a hard time getting a certificate.

One alternative would be to teach Tor Browser that https .onion addresses don’t deserve a scary pop-up warning. A more thorough approach in that direction is to have a way for a hidden service to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them — basically a decentralized CA for .onion addresses, since they are self-authenticating anyway. Then you don’t have to go through the nonsense of pretending to see if they could read email at the domain, and generally furthering the current CA model.

We could also imagine a pet name model where the user can tell her Tor Browser that this .onion address “is” Facebook. Or the more direct approach would be to ship a bookmark list of “known” hidden services in Tor Browser — like being our own CA, using the old-fashioned /etc/hosts model. That approach would raise the political question though of which sites we should endorse in this way.

So I haven’t made up my mind yet about which direction I think this discussion should go. I’m sympathetic to “we’ve taught the users to check for https, so let’s not confuse them”, but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service. Let us know if you have other compelling arguments for or against.


In terms of both design and security, hidden services still need some love. We have plans for improved designs (see Tor proposal 224) but we don’t have enough funding and developers to make it happen. We’ve been talking to some Facebook engineers this week about hidden service reliability and scalability, and we’re excited that Facebook is thinking of putting development effort into helping improve hidden services.

And finally, speaking of teaching people about the security features of .onion sites, I wonder if “hidden services” is no longer the best phrase here. Originally we called them “location-hidden services”, which was quickly shortened in practice to just “hidden services”. But protecting the location of the service is just one of the security features you get. Maybe we should hold a contest to come up with a new name for these protected services? Even something like “onion services” might be better if it forces people to learn what it is.





Powered by WordPress & Theme by Anders Norén

English English Italian Italian