Since about mid-April there have been just two similar exits, together making up about 4.5% exit probability now. Located in Panama, run in the okservers.net network, AS395978, they don't give up any further information about themselves.
Personally I would feel better at least having a contact or, even better, knowing who is giving that much effort. Probably a MyFamily configuration should be in place as well?
https://atlas.torproject.org/#details/29C92C854E0F6652A77F3A8B231D6932993969...
https://atlas.torproject.org/#details/2CA4B2F36C2DDECFCB0B5A0D3300ED30E68E2D...
Paul
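The check Paul describes by hand (two exits in one AS, their exit probabilities summed, no ContactInfo, no MyFamily) can be scripted against the Onionoo "details" document that Atlas itself reads. The script below is an added example, not code from this thread or from the Tor Project. The JSON it parses is constructed in the shape of an Onionoo response, with field names as the author understands the Onionoo schema (`as`, `contact`, `exit_probability`, `effective_family`, `flags`); the fingerprints, the `AS64496`/`AS64497` operators and all probabilities are invented, and only the AS number and network name of the flagged pair are taken from Paul's post.

```python
"""Aggregate Tor exit probability by AS and by declared family and flag exits
that publish neither ContactInfo nor MyFamily.

Added example for the tor-relays thread; not the Tor Project's code.  Input is
an Onionoo-style 'details' document (https://metrics.torproject.org/onionoo.html);
the sample below is constructed and describes no real relay.
"""
import json
from collections import defaultdict

# Constructed sample.  exit_probability is a fraction of the whole network's
# exit weight, so 0.0231 + 0.0219 is the 4.5% quoted in the thread.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"fingerprint": "0000000000000000000000000000000000000001", "nickname": "Unnamed",
     "as": "AS395978", "as_name": "okservers.net", "country": "pa",
     "contact": None, "exit_probability": 0.0231,
     "flags": ["Exit", "Fast", "Running", "Valid"]},
    {"fingerprint": "0000000000000000000000000000000000000002", "nickname": "Unnamed",
     "as": "AS395978", "as_name": "okservers.net", "country": "pa",
     "contact": "", "exit_probability": 0.0219,
     "flags": ["Exit", "Fast", "Running", "Valid"]},
    {"fingerprint": "0000000000000000000000000000000000000003", "nickname": "exampleExit1",
     "as": "AS64496", "as_name": "ExampleHoster", "country": "de",
     "contact": "abuse@example.net", "exit_probability": 0.0150,
     "effective_family": ["0000000000000000000000000000000000000003",
                          "0000000000000000000000000000000000000004"],
     "flags": ["Exit", "Fast", "Running", "Valid"]},
    {"fingerprint": "0000000000000000000000000000000000000004", "nickname": "exampleExit2",
     "as": "AS64496", "as_name": "ExampleHoster", "country": "de",
     "contact": "abuse@example.net", "exit_probability": 0.0100,
     "effective_family": ["0000000000000000000000000000000000000003",
                          "0000000000000000000000000000000000000004"],
     "flags": ["Exit", "Fast", "Running", "Valid"]},
    {"fingerprint": "0000000000000000000000000000000000000005", "nickname": "exampleGuard",
     "as": "AS64497", "as_name": "ExampleISP", "country": "de",
     "contact": None, "exit_probability": 0.0,
     "flags": ["Guard", "Fast", "Running", "Valid"]},
]})


def load_relays(details_json):
    """Parse a details document; keep relays unless Onionoo marks them not running."""
    return [r for r in json.loads(details_json)["relays"] if r.get("running", True)]


def has_contact(relay):
    """ContactInfo counts only if it is non-empty after stripping whitespace."""
    return bool((relay.get("contact") or "").strip())


def family_of(relay):
    """Mutually declared family members, minus the relay itself.

    Assumption: Onionoo's effective_family may list the relay's own fingerprint,
    so it is removed before deciding whether a MyFamily exists at all.
    """
    own = relay["fingerprint"]
    return frozenset(fp for fp in relay.get("effective_family", []) if fp != own)


def exit_share_by_as(relays):
    """Sum exit probability per autonomous system (what Paul did by eye)."""
    shares = defaultdict(float)
    for r in relays:
        shares[r.get("as", "unknown")] += r.get("exit_probability", 0.0)
    return dict(shares)


def exit_share_by_operator(relays):
    """Sum exit probability per declared family; an unfamilied relay is its own group."""
    shares = defaultdict(float)
    for r in relays:
        shares[family_of(r) | {r["fingerprint"]}] += r.get("exit_probability", 0.0)
    return dict(shares)


def unaccountable_exits(relays, min_exit_probability=0.0):
    """Exits with neither ContactInfo nor MyFamily, largest exit share first."""
    hits = [r for r in relays
            if r.get("exit_probability", 0.0) > min_exit_probability
            and not has_contact(r) and not family_of(r)]
    return sorted(hits, key=lambda r: r["exit_probability"], reverse=True)


def unaccountable_share_by_as(relays):
    """Per-AS exit probability held by unaccountable exits (same AS, no family)."""
    shares = defaultdict(float)
    for r in unaccountable_exits(relays):
        shares[r.get("as", "unknown")] += r["exit_probability"]
    return dict(shares)


def report(details_json=SAMPLE_DETAILS):
    """One line per AS, largest unaccountable exit share first."""
    relays = load_relays(details_json)
    ranked = sorted(unaccountable_share_by_as(relays).items(), key=lambda kv: -kv[1])
    return [f"{asn}: {share:.2%} exit probability with no ContactInfo and no MyFamily"
            for asn, share in ranked]


if __name__ == "__main__":
    print("\n".join(report()))
```

Against live data, replace `SAMPLE_DETAILS` with the body of the Onionoo details document for exit relays (the author's understanding of the protocol is `https://onionoo.torproject.org/details?flag=Exit`, fetched separately so the script itself stays offline). The two aggregations deliberately differ: grouping by AS shows what one hoster can see, grouping by family shows what the operators themselves admit to, and the gap between the two is exactly the case raised in the thread.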
Since about mid-April there have been just two similar exits, together making up about 4.5% exit probability now. Located in Panama, run in the okservers.net network, AS395978, they don't give up any further information about themselves.
Personally I would feel better at least having a contact or, even better, knowing who is giving that much effort. Probably a MyFamily configuration should be in place as well?
https://atlas.torproject.org/#details/29C92C854E0F6652A77F3A8B231D6932993969...
https://atlas.torproject.org/#details/2CA4B2F36C2DDECFCB0B5A0D3300ED30E68E2D...
This post contains a few points about these relays' location (more likely in Germany than Panama): http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.h... https://twitter.com/nusenu_/status/861189840796344320
They are no longer at 4.5% exit prob. They make up 3.88% exit prob. as of 2017-05-26 13:00.
On Fri, May 26, 2017 at 3:26 PM, nusenu nusenu-lists@riseup.net wrote:
Since about mid-April there have been just two similar exits, together making up about 4.5% exit probability now. Located in Panama, run in the okservers.net network, AS395978, they don't give up any further information about themselves.
Personally I would feel better at least having a contact or, even better, knowing who is giving that much effort. Probably a MyFamily configuration should be in place as well?
https://atlas.torproject.org/#details/29C92C854E0F6652A77F3A8B231D6932993969...
https://atlas.torproject.org/#details/2CA4B2F36C2DDECFCB0B5A0D3300ED30E68E2D...
This post contains a few points about these relays' location (more likely in Germany than Panama): http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.h... https://twitter.com/nusenu_/status/861189840796344320
From the article: "The registration information bounces between multiple countries and never actually identifies the source. And they were all registered recently. If you talk to any cybersleuths about identity theft, spam, online fraud, scams, and fronts, they will tell you that misleading registration and bouncing between countries is a big red flag. This is some type of front. And it's deep enough to either be organized crime or a nation-state." Does it mean that several percent of exit traffic goes through nodes that are likely to be "organized crime or a nation-state"?
PS. "and 8am in Moscow" was really unnecessary in the article. 1. Nothing in the investigation points to Russia/Moscow. 2. "Russian hackers" is a tired joke. 3. Russian IT people in Moscow hardly start working at 8am :-)
They are no longer at 4.5% exit prob. They make up 3.88% exit prob. as of 2017-05-26 13:00.
On 27 May 2017, at 02:28, Nagaev Boris bnagaev@gmail.com wrote:
On Fri, May 26, 2017 at 3:26 PM, nusenu nusenu-lists@riseup.net wrote:
Since about mid-April there have been just two similar exits, together making up about 4.5% exit probability now. Located in Panama, run in the okservers.net network, AS395978, they don't give up any further information about themselves.
Personally I would feel better at least having a contact or, even better, knowing who is giving that much effort. Probably a MyFamily configuration should be in place as well?
This isn't necessary, the relays will only be used by clients in the exit position.
https://atlas.torproject.org/#details/29C92C854E0F6652A77F3A8B231D6932993969...
https://atlas.torproject.org/#details/2CA4B2F36C2DDECFCB0B5A0D3300ED30E68E2D...
This post contains a few points about these relays' location (more likely in Germany than Panama): http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.h... https://twitter.com/nusenu_/status/861189840796344320
From the article: "The registration information bounces between multiple countries and never actually identifies the source. And they were all registered recently. If you talk to any cybersleuths about identity theft, spam, online fraud, scams, and fronts, they will tell you that misleading registration and bouncing between countries is a big red flag. This is some type of front. And it's deep enough to either be organized crime or a nation-state." Does it mean that several percent of exit traffic goes through nodes that are likely to be "organized crime or a nation-state"?
Or maybe just someone who is using state-of-the-art techniques to keep their identity private?
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
Hi Paul,
Paul:
Since about mid-April there have been just two similar exits, together making up about 4.5% exit probability now. Located in Panama, run in the okservers.net network, AS395978, they don't give up any further information about themselves.
Personally I would feel better at least having a contact or, even better, knowing who is giving that much effort. Probably a MyFamily configuration should be in place as well?
I just want to raise the point that, while a lack of contact information may be concerning, in my opinion contact information is definitely not something you should rely on to assess how untrustworthy a given relay is. A person or group with malicious intentions can fake this easily. It is also important to remember that there may be good reasons for a benevolent group of people to omit contact information.
https://atlas.torproject.org/#details/29C92C854E0F6652A77F3A8B231D6932993969...
https://atlas.torproject.org/#details/2CA4B2F36C2DDECFCB0B5A0D3300ED30E68E2D...
Paul
Regards, Duncan.
I just want to raise the point that, while a lack of contact information may be concerning, in my opinion contact information is definitely not something you should rely on to assess how untrustworthy a given relay is. A person or group with malicious intentions can fake this easily.
Agreed.
It is also important to remember that there may be good reasons for a benevolent group of people to omit contact information.
I don't agree here. Everyone should be able to create a random new email address so others can reach them in case of problems. They do not need to put their official email address into the ContactInfo field.
Note: I'm not saying ContactInfo should become mandatory and/or verified.
On 27/05/2017 00:55, nusenu wrote:
I just want to raise the point that, while a lack of contact information may be concerning, in my opinion contact information is definitely not something you should rely on to assess how untrustworthy a given relay is. A person or group with malicious intentions can fake this easily.
Agreed.
I do not see how faking contact info could be useful if the target is _the network_ instead of _the operator_.
If an attacker sets up a malicious node and sets the contact info to that of another (existing) operator, this only increases the chances that somebody contacts that person, who will at this point disown the node, and it would be clear that something fishy is going on.
Of course, on the other hand I see the scenario of faking contact information to attack the reputation of an operator and get him in trouble.
What am I missing?
C
On 27.05.2017 at 00:48, Duncan wrote:
Hi Paul,
Paul:
Since about mid-April there have been just two similar exits, together making up about 4.5% exit probability now. Located in Panama, run in the okservers.net network, AS395978, they don't give up any further information about themselves.
Personally I would feel better at least having a contact or, even better, knowing who is giving that much effort. Probably a MyFamily configuration should be in place as well?
I just want to raise the point that, while a lack of contact information may be concerning, in my opinion contact information is definitely not something you should rely on to assess how untrustworthy a given relay is. A person or group with malicious intentions can fake this easily.
I agree with that part.
But sometimes it helps to look at and think about things from an extreme point of view: Let's assume the whole TOR would be anonymous in a way that you can't see contacts, not even nicknames. Where in this scenario should TRUST derive from? Would you or anybody rely on that network if you did not at least know a certain number of people who give their dedication, work, money, for the project, people with total conviction doing the right thing? I guess you wouldn't - at least I wouldn't. So now you can go back, step by step, and ask how many of those people, with how many servers under their control, you need until you come to the point where it's not enough any more. As I personally prefer having a high number of known volunteers, I can tell that I dislike two or three servers - holding more than 4.5% exit probability during peak time - run by (a) person(s) nobody knows, especially when there is a very high probability that they attack useful targets http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.h... !
It is also important to remember that there may be good reasons for a benevolent group of people to omit contact information.
https://atlas.torproject.org/#details/29C92C854E0F6652A77F3A8B231D6932993969...
https://atlas.torproject.org/#details/2CA4B2F36C2DDECFCB0B5A0D3300ED30E68E2D...
Paul
Regards, Duncan.
Hi Paul,
Paul:
I agree with that part.
But sometimes it helps to look at and think about things from an extreme point of view: Let's assume the whole TOR would be anonymous in a way that you can't see contacts, not even nicknames. Where in this scenario should TRUST derive from? Would you or anybody rely on that network if you did not at least know a certain number of people who give their dedication, work, money, for the project, people with total conviction doing the right thing? I guess you wouldn't - at least I wouldn't. So now you can go back, step by step, and ask how many of those people, with how many servers under their control, you need until you come to the point where it's not enough any more.
Firstly, remember that it's Tor not TOR! :)
I think it is important to remember that malicious nodes are part of the threat model, with the caveat that we assume that we are not faced with a global adversary that can see all traffic flowing in, out, and between. On this problem of the lack of contacts: as nusenu wrote, it is important to be able to contact people (I was wrong on that one before, so thanks for the correction), but it can be faked by people with bad intentions. I don't think we should trust the nodes per se, but we are assuming that the malicious nodes are not all controlled by the same person or group. This is actually a great example of where we should be using and pushing for hidden services - by doing that we eliminate having to put some degree of trust into the exit node operators. Good practice such as checking signatures on files, using an encrypted connection, etc. is necessary with or without using Tor. It's also a fun exercise to do a traceroute on your regular Internet connection. Often it goes by quite an esoteric route, through multiple routers and through multiple countries. It is worth remembering that with Tor, we can kick bad nodes off the network if we have reason to believe they are acting maliciously or are likely to do so.
As I personally prefer having a high number of known volunteers, I can tell that I dislike two or three servers - holding more than 4.5% exit probability during peak time - run by (a) person(s) nobody knows, especially when there is a very high probability that they attack useful targets http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.h... !
Again, it's important to understand that even if the volunteers are "known" to the extent that there is plausible contact information and they create a MyFamily configuration, even then they may have their software compromised, they may be coerced, or they may harbor downright bad intentions. I would also be quite uncomfortable with a high number of volunteers that have some mark of trust. It centralizes too much, and I believe that would be a point of weakness. There already are a number of people who are well known in the Tor community and run large relays, one should note. Furthermore, it is worth noting that the article there is really quite flawed for a number of reasons - e.g. misplaced faith in GeoIP, surprise that poorly written malevolent bots exist, misunderstanding about how to contact the Tor Project - but that has been discussed elsewhere, no doubt. At any rate, I am unsure how it demonstrates that we need known people to run relays.
Best, Duncan.
On Sat, May 27, 2017 at 8:00 PM, Duncan dguthrie@posteo.net wrote:
Hi Paul,
Paul:
I agree with that part.
But sometimes it helps to look at and think about things from an extreme point of view: Let's assume the whole TOR would be anonymous in a way that you can't see contacts, not even nicknames. Where in this scenario should TRUST derive from? Would you or anybody rely on that network if you did not at least know a certain number of people who give their dedication, work, money, for the project, people with total conviction doing the right thing? I guess you wouldn't - at least I wouldn't. So now you can go back, step by step, and ask how many of those people, with how many servers under their control, you need until you come to the point where it's not enough any more.
Firstly, remember that it's Tor not TOR! :)
I think it is important to remember that malicious nodes are part of the threat model, with the caveat that we assume that we are not faced with a global adversary that can see all traffic flowing in, out, and between. On this problem of the lack of contacts: as nusenu wrote, it is important to be able to contact people (I was wrong on that one before, so thanks for the correction), but it can be faked by people with bad intentions. I don't think we should trust the nodes per se, but we are assuming that the malicious nodes are not all controlled by the same person or group. This is actually a great example of where we should be using and pushing for hidden services - by doing that we eliminate having to put some degree of trust into the exit node operators. Good practice such as checking signatures on files, using an encrypted connection, etc. is necessary with or without using Tor. It's also a fun exercise to do a traceroute on your regular Internet connection. Often it goes by quite an esoteric route, through multiple routers and through multiple countries. It is worth remembering that with Tor, we can kick bad nodes off the network if we have reason to believe they are acting maliciously or are likely to do so.
As I personally prefer having a high number of known volunteers, I can tell that I dislike two or three servers - holding more than 4.5% exit probability during peak time - run by (a) person(s) nobody knows, especially when there is a very high probability that they attack useful targets http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.h... !
Again, it's important to understand that even if the volunteers are "known" to the extent that there is plausible contact information and they create a MyFamily configuration, even then they may have their software compromised, they may be coerced, or they may harbor downright bad intentions. I would also be quite uncomfortable with a high number of volunteers that have some mark of trust. It centralizes too much, and I believe that would be a point of weakness. There already are a number of people who are well known in the Tor community and run large relays, one should note. Furthermore, it is worth noting that the article there is really quite flawed for a number of reasons - e.g. misplaced faith in GeoIP, surprise that poorly written malevolent bots exist, misunderstanding about how to contact the Tor Project - but that has been discussed elsewhere, no doubt. At any rate, I am unsure how it demonstrates that we need known people to run relays.
There are two different approaches here:
(1) require contact info for each relay
(2) require relays to be run by known people
(1) gives a contact point to use in case the relay is broken or needs to upgrade. I received such messages several times and all of them were useful.
(2) makes it harder for one single malicious party to run the majority of nodes (Sybil attack) and it also reduces response time (as operators would use their main e-mail address rather than a fake one that they are unlikely to check daily).
I think both (1) and (2) aren't worth it. (2) doesn't provide 100% protection against a Sybil attack because a malicious party can hire real people to run infected relays from their homes. Regarding (1), it is also not needed, because most relays work well, and if a relay misbehaves and doesn't provide correct contact information, it can be excluded from the network.
Personally I would feel better at least having a contact
Now there is a new one on that AS with contact info (and even a nickname ;) https://mastodon.social/@nusenu/7764857
tor-relays@lists.torproject.org