Roger Dingledine wrote:
> Btw, all of these UbuntuCore relays are from snap packages run by Tor enthusiasts
Do you indeed mean "all"? Since there have also been other hypotheses about at least some of these "UbuntuCore" relays in the past (see bad-relays ML archive from 2017-11-13), it would be great if you could elaborate on how you came to that conclusion.
thanks, nusenu
On Sat, Nov 24, 2018 at 11:32:00PM +0000, nusenu wrote:
> Roger Dingledine wrote:
> > Btw, all of these UbuntuCore relays are from snap packages run by Tor enthusiasts
> Do you indeed mean "all"? Since there have also been other hypotheses about at least some of these "UbuntuCore" relays in the past (see bad-relays ML archive from 2017-11-13), it would be great if you could elaborate on how you came to that conclusion.
All I've got is Chad's original mail: https://lists.torproject.org/pipermail/tor-relays/2016-August/010046.html where he describes his snap.
--Roger
If someone is spoofing them, then I reckon they are doing a good job updating them to match the (ever-increasing) revision number, now at 249-252.
Downloads are anonymous, but the dashboard I have says it should be about 6000 nodes wishing to join (though failed connectivity might remove some) and metrics.torproject.org says "at least 2000".
If someone has an idea for a veracity experiment, contact me.
On Sat, Nov 24, 2018 at 3:32 PM nusenu <nusenu-lists@riseup.net> wrote:
> Roger Dingledine wrote:
> > Btw, all of these UbuntuCore relays are from snap packages run by Tor enthusiasts
> Do you indeed mean "all"? Since there have also been other hypotheses about at least some of these "UbuntuCore" relays in the past (see bad-relays ML archive from 2017-11-13), it would be great if you could elaborate on how you came to that conclusion.
> thanks, nusenu
> -- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
> tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Chad MILLER:
> If someone is spoofing them, then I reckon they are doing a good job updating them to match the (ever-increasing) revision number, now at 249-252.
I don't think anyone is "spoofing" the nickname behavior of your snap. I think these are actual running snap installations.
> Downloads are anonymous, but the dashboard I have says it should be about 6000 nodes wishing to join
these are scary high numbers and the fact that no operator appears to be asking why any of these >5600 failing installations do not come online is making this even more odd-looking to me.
are these actual 6000 unique deployments? how are they counted? are endpoints submitting a unique ID to the update endpoint for the counter to work? (or are these counters just based on counting unique source IPs hitting the update endpoint? [within a day?]) do you have AS or country breakdowns for that number?
> (though failed connectivity might remove some) and metrics.torproject.org says "at least 2000".
There are currently[1] 359 running relays with a nickname starting with "UbuntuCore" (that is more than 0.5% of the tor network's consensus weight fraction). That would be the 10th biggest tor relay operator if it were a single operator.
> If someone has an idea for a veracity experiment, contact me.
What would you like to verify with an experiment?
We were in contact about this before, but maybe you could add a simple check for the existence of a file where the operator needs to add the ContactInfo and if it is not there the snap exits + adding that new requirement prominently to the snap documentation.
Then we can observe how many
- disappear?
- get a ContactInfo?
- get the same ContactInfo?
- get a random ContactInfo?
- get an actual working ContactInfo?
[1] onionoo data from 2018-11-24 23:00 UTC
[2] https://medium.com/@nusenu/is-this-a-ubuntu-based-botnet-deploying-tor-relay...
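The before/after observation proposed in the message above, as an added example (not code from any participant in this thread or from the Tor Project): it compares two documents shaped like Onionoo details responses and counts prefix-matching relays that disappeared, have no ContactInfo, share a ContactInfo string, or have a distinct one. All sample records, nicknames, fingerprints and addresses are constructed; whether a contact is random or actually working cannot be decided from this data alone.

```python
from collections import Counter

PREFIX = "UbuntuCore"  # nickname prefix discussed in the thread

def snap_relays(details, prefix=PREFIX):
    """Running relays whose nickname starts with prefix, keyed by fingerprint."""
    return {
        r["fingerprint"]: r
        for r in details.get("relays", [])
        if r.get("running") and r.get("nickname", "").startswith(prefix)
    }

def observe(before, after, prefix=PREFIX):
    """Compare snapshots taken before and after a ContactInfo requirement."""
    old, new = snap_relays(before, prefix), snap_relays(after, prefix)
    # Normalise so trivially different spellings of one contact group together.
    contacts = {fp: (r.get("contact") or "").strip().lower() for fp, r in new.items()}
    usage = Counter(c for c in contacts.values() if c)
    cw = sum(r.get("consensus_weight_fraction", 0.0) for r in new.values())
    return {
        "running_before": len(old),
        "disappeared": len(old.keys() - new.keys()),  # gone or no longer running
        "no_contact": sum(1 for c in contacts.values() if not c),
        "shared_contact": sum(1 for c in contacts.values() if c and usage[c] > 1),
        "distinct_contact": sum(1 for c in contacts.values() if c and usage[c] == 1),
        "cw_fraction_after": round(cw, 6),
    }

def _relay(fp, nick, contact=None, running=True):
    # Constructed sample record using Onionoo details field names.
    return {"fingerprint": fp, "nickname": nick, "running": running,
            "contact": contact, "consensus_weight_fraction": 0.0001}

BEFORE = {"relays": [
    _relay("A" * 40, "UbuntuCore249"), _relay("B" * 40, "UbuntuCore250"),
    _relay("C" * 40, "UbuntuCore251"), _relay("D" * 40, "UbuntuCore252"),
    _relay("E" * 40, "UbuntuCore249"),
    _relay("F" * 40, "SomeOtherRelay", "op@example.org"),
]}
AFTER = {"relays": [
    _relay("A" * 40, "UbuntuCore252", "admin@example.com"),
    _relay("B" * 40, "UbuntuCore252", "Admin@example.com "),
    _relay("C" * 40, "UbuntuCore252", "alice@example.net"),
    _relay("D" * 40, "UbuntuCore252"),
    _relay("E" * 40, "UbuntuCore252", running=False),
    _relay("F" * 40, "SomeOtherRelay", "op@example.org"),
]}

if __name__ == "__main__":
    for key, value in observe(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```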
On Sat, Nov 24, 2018 at 5:10 PM nusenu <nusenu-lists@riseup.net> wrote:
> Chad MILLER:
> > Downloads are anonymous, but the dashboard I have says it should be about 6000 nodes wishing to join
> these are scary high numbers and the fact that no operator appears to be asking why any of these >5600 failing installations do not come online is making this even more odd-looking to me.
I have assumed that 95% of users don't have public addresses or have port forwarding. It's a connectivity problem, I think.
> are these actual 6000 unique deployments? how are they counted?
> are endpoints submitting a unique ID to the update endpoint for the counter to work? (or are these counters just based on counting unique source IPs hitting the update endpoint? [within a day?]) do you have AS or country breakdowns for that number?
I think it's a count of update checks within a normal update-check window.
I DO have country information. Attached. (I removed the countries with fewer than 3 in case that could be used to identify them.) Countries greater than 100 are
- 613 Germany
- 539 France
- 530 United States
- 455 Russian Federation
- 373 Brazil
- 332 Italy
- 315 India
- 288 Spain
- 217 Iran, Islamic Republic of
- 172 United Kingdom
- 140 Mexico
- 131 Ukraine
- 125 Poland
- 119 Canada
Chad MILLER:
> I have assumed that 95% of users don't have public addresses or have port forwarding. It's a connectivity problem, I think.
Yes, understood. And >5k deployments without anyone(?) asking about why it does not work is the crucial part that makes it odd (makes it look like bots).
> > are these actual 6000 unique deployments? how are they counted?
> > are endpoints submitting a unique ID to the update endpoint for the counter to work? (or are these counters just based on counting unique source IPs hitting the update endpoint? [within a day?]) do you have AS or country breakdowns for that number?
> I think it's a count of update checks within a normal update-check window.
do you have the possibility to find out? (via authoritative documentation?) It would be great to have some affirmative data.
any comment about this?
> > maybe you could add a simple check for the existence of a file where the operator needs to add the ContactInfo and if it is not there the snap exits + adding that new requirement prominently to the snap documentation.
> > Then we can observe how many
> > - disappear?
> > - get a ContactInfo?
> > - get the same ContactInfo?
> > - get a random ContactInfo?
> > - get an actual working ContactInfo?
> I DO have country information. Attached. (I removed the countries with fewer than 3 in case that could be used to identify them.)
thanks for providing this data, interesting to see that there are even instances in China trying to come online.
Do you have any other additional stats like hw architecture? or even hw arch per country?