Re: 25 tbreg relays in directory

[Scott Bennett]

 On Tue, 28 Apr 2009 09:59:05 -0400 and...@torproject.org wrote:
>On Mon, Apr 27, 2009 at 11:57:17PM -0500, benn...@cs.niu.edu wrote 5.4K bytes 
>in 107 lines about:
>:  That brings up something that has bothered me for a long time.  When
>: tor discovers that its version doesn't match any in either client-versions
>: or server-versions, it currently writes complaints about it to the log(s),
>: but seems to do nothing further about it.  I'd like to see either of the
>: following.
>
>Recently, we're started emailing the node operators (at least those with
>valid contact info) suggesting they upgrade to at least 0.2.0.34-stable.
>This method seems to have a better success ratio in getting nodes
>upgraded from very old versions.  At least, better than the log messages
>that state your tor version is not recommended anymore.
>
 I just took a closer look at the obsolete nodes.  A number of them are
medium- to very high-data-rate nodes, including some that peak at over
1 MB/sec.  Obsolete nodes peaking at over 1 MB/sec currently include, according
to torstatus,

Node Name   Peak Rate   Version
(KB/sec)

Kryten  26880.1.2.19
TSL 5150 (!)0.1.2.19
c03d9ebf11720.1.2.19
3dd9T58cDbh84052b   11000.1.2.19
ohvi5poH5e  16950.2.0.31
Piratenschatzi  41800.2.0.32
ratatouille 11400.2.0.32
separator   13640.2.0.32
liquitor16370.2.0.32

 Now, frankly, I am not particularly worried about relays running 0.2.0.32.
The ones running any version in the 0.1.*.* series, however--and there are
118 of them showing in torstatus at present, including a 0.1.1.19-rc and a
0.1.2.9-rc that were restarted less than a day ago--should be ignored by
clients.  IIRC, there are known unsafe versions in the 0.2.0.x series that
should be ignored by clients.
 Nevertheless, the high-data-rate nodes running 0.1.x.x versions are of
great utility to the tor network, so I hope your efforts to contact operators
of obsolete relays will focus on these first.
 Looking at 0.2.1.x relays, the situation is not nearly as bad, which is
probably to have been expected because people following the development branch
are more likely to try to stay reasonably current and are also more likely to
pay attention to their tor log files.  (As the exceptions that prove the rule,
there are still some 0.2.0.x-alpha relays out there, though.)  I see

MopperSmurf 17880.2.1.10-alpha

but there is also a low-data-rate Unnamed running 0.2.1.1-alpha.
 The core purpose of tor is to provide secure anonymity to the users of
tor clients, but tor clients currently are not equipped to bypass obsolete/
unsafe tor relays as identified by tor's developers.  This has bothered me for
a long time, and I hope it will be rectified one way or another in the next
stable and development versions.  Of the two options I suggested previously,
perhaps the next releases could use option b), which requires no changes to
the statements used at the beginning of the descriptor and consensus files
and no changes to torrc.  The more nuanced option a) could be added when
convenient to the -alpha versions, later to become part of the stable versions.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**

Re: 25 tbreg relays in directory

[Scott Bennett]

 On Tue, 28 Apr 2009 09:59:05 -0400 and...@torproject.org wrote:
>On Mon, Apr 27, 2009 at 11:57:17PM -0500, benn...@cs.niu.edu wrote 5.4K bytes 
>in 107 lines about:
>:  That brings up something that has bothered me for a long time.  When
>: tor discovers that its version doesn't match any in either client-versions
>: or server-versions, it currently writes complaints about it to the log(s),
>: but seems to do nothing further about it.  I'd like to see either of the
>: following.
>
>Recently, we're started emailing the node operators (at least those with
>valid contact info) suggesting they upgrade to at least 0.2.0.34-stable.
>This method seems to have a better success ratio in getting nodes
>upgraded from very old versions.  At least, better than the log messages
>that state your tor version is not recommended anymore.
>
>We're also working on Tor Weather to enable automatic notifications, such
>as "your server is out of date, please upgrade".
>
 Those methods are all very nice, but do not address the clients' security
problems.  Warm and fuzzy feelings that tor node operators, who often do *not*
put contact information into their torrc files, will oblige do nothing to
enable clients to avoid nodes running versions that are known to be unsafe.
 Either of the options that I proposed here *would* address this issue,
and the issue is one that calls for a solution.  The first of the two options
I suggested would also make it possible to distinguish between old relays that
have security vulnerabilities for exit service but not for use as entry or
middle nodes and old relays that are insecure for any use.
 If other options to deal with the problem are on people's minds, please
speak up!


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**

Re: Version checking (was Re: 25 tbreg relays in directory)

[Ted Smith]

On Tue, 2009-04-28 at 03:01 -0700, Tripple Moon wrote:
> --- On Tue, 4/28/09, Scott Bennett  wrote:
> 
> > From: Scott Bennett  > Subject: Re: 25 tbreg
>  relays in directory > To: or-talk@freehaven.net > Date: Tuesday, April
>  28, 2009, 12:57 AM [cut for clarity] >  That brings up something
>  that has bothered me for a > long time.  When > tor discovers that its
>  version doesn't match any in > either client-versions > or
>  server-versions, it currently writes complaints about it > to the
>  log(s), > but seems to do nothing further about it.  I'd like to > see
>  either of the > following. > >   a) Addition of three lines to the
>  consensus documents to > prevent use >  of unsafe versions of tor
>  [etc...cut for clarity] I also agree that there should be version
>  checking, i didn't even know it wasn't done so already... :( I would
>  furthermore suggest to build a version fingerprint that uses some
>  remotely calculated CRC value of the client. My reason for that is to
>  prevent the tor network to be poluted by specialy "tweaked/altered"
>  versions, which might endanger the security of the whole network. (Let
>  your imagination do a free run on possibilities in such cases). By
>  "remotely calculated CRC-value of the client" i mean that the
>  destination does the CRC calculation of the connecting client. Yes
>  this means the client needs to send all of its binary-self to the
>  destination. After this CRC-value has been calculated _once_ by a
>  destination, that destination should announce the presence of the
>  client to the whole network if its a valid client (not matter in what
>  mode it runs). These CRC-values could be centrally maintained by the
>  tor-development center and made accessible public or by a hidden
>  service.
> 
> IMHO, this kind of "login procedure to enter the tor-network" will make it 
> more secure and manageable.
> Again, i have _no_ idea at present how the tor program handles things at 
> present, so if its already done like that or even better just disregard what 
> i wrote :D
> 
> 
So you propose sending the whole of the Tor binary over the network,
having the authority do a CRC on it, and using that to check for
validity? Just making sure I have the right impression.


signature.asc
Description: This is a digitally signed message part

Re: Be ready: We're switching version control systems

[Nick Mathewson]

On Fri, Apr 24, 2009 at 08:29:55PM +0200, Juliusz Chroboczek wrote:
 [...]
> This is excellent news.
> 
> > - Better support for offline development.
> 
> This also means that occasional contributors will be able to use the
> RCS.
> 
> A centralised RCS, such as CVS or SVN, segregates contributors into two
> categories: those who have commit rights, and are able to enjoy all the
> nice features of the RCS, and those who don't, for whom the RCS is
> little more than a way to get the latest sources.
> 
> With a decentralised RCS, all contributors are able to use the RCS; if
> you're a non-comitter, you work on his private branch, which can be on
> a different server or simply on your laptop.  When your code is ready,
> you either ask somebody with commit rights to pull your changes into the
> official repository, or you push over e-mail.

Exactly, though I'd like to make an appeal here.  If you are working
on a Tor-related project, the time to get in touch with us and the
rest of the community is probably _not_ when you think your code is
ready to be merged.  Working in the dark like this can lead to
duplicated effort (if you work on something someone else is also
working on), and wasted effort (if your approach, on review, would
have proved to have problems that you didn't see).

Somebody should really expand the "HACKING" document to explain how to
get started enhancing Tor, how to write a design proposal, what needs
a design proposal, what versions are okay for new features vs
bugfixes, how portable the code needs to be, why or-talk is not
or-dev, and so on.

yrs,
-- 
Nick

Re: 25 tbreg relays in directory

[Udo van den Heuvel]

Roger Dingledine wrote:

Now, is this because of a massive Chinese conspiracy to flood the Tor
network with a block of centrally controlled Windows relays, or is it a
whole lot of excited Tor users in China who really want to help out but
don't realize that they're using an insecure and old version of Tor? You
decide. :)


Can we signal them somehow?
I.e.: have them change the config names?
And/or update software versions?


Udo

Re: Version checking (was Re: 25 tbreg relays in directory)

[Jim McClanahan]

> By "remotely calculated CRC-value of the client" i mean that the
destination does the CRC calculation of the connecting client.
> Yes this means the client needs to send all of its binary-self to the 
> destination.

That would be a pretty big upload for a dial-up user!

I am also wondering what kind of danger you think a *client* can have
for the Tor network.

And if somebody wanted to circumvent, I would think the client could be
modified so that when it claimed to be uploading itself, it was actually
uploading a copy of an unmodified binary.  Am I missing something?

Also what would be gained from a CRC based on the *binary*?  Wouldn't
that change according to the system that compiled it?

Re: 25 tbreg relays in directory

[andrew]

On Mon, Apr 27, 2009 at 11:57:17PM -0500, benn...@cs.niu.edu wrote 5.4K bytes 
in 107 lines about:
:  That brings up something that has bothered me for a long time.  When
: tor discovers that its version doesn't match any in either client-versions
: or server-versions, it currently writes complaints about it to the log(s),
: but seems to do nothing further about it.  I'd like to see either of the
: following.

Recently, we're started emailing the node operators (at least those with
valid contact info) suggesting they upgrade to at least 0.2.0.34-stable.
This method seems to have a better success ratio in getting nodes
upgraded from very old versions.  At least, better than the log messages
that state your tor version is not recommended anymore.

We're also working on Tor Weather to enable automatic notifications, such
as "your server is out of date, please upgrade".

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject

My tor exit node is gone from the node list?

[Alexandru Cezar]

Hi there,

For several months, we've been running a tor exit node (kyirong/A8BD 32A9 C2F2 
0C4F 8ED2 C26C E477 0A24 85E3 CD22). Since a few days, it seems to have 
vanished from the list of nodes, and I cannot make it reappear. Neither 
notice.log nor debug.log (when enabled) show any suspicious entries or error 
messages:

Apr 28 15:22:08.357 [notice] Tor 0.2.1.14-rc (r19307) opening log file.
Apr 28 15:22:08.417 [notice] Parsing GEOIP file.
Apr 28 15:22:09.105 [notice] Your Tor server's identity key fingerprint is 
'kyirong A8BD 32A9 C2F2 0C4F 8ED2 C26C E477 0A24 85E3 CD22'
Apr 28 15:22:15.553 [notice] We now have enough directory information to build 
circuits.
Apr 28 15:22:15.553 [notice] Bootstrapped 80%: Connecting to the Tor network.
Apr 28 15:22:15.643 [notice] Bootstrapped 85%: Finishing handshake with first 
hop.
Apr 28 15:22:16.409 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Apr 28 15:22:17.817 [notice] Tor has successfully opened a circuit. Looks like 
client functionality is working.
Apr 28 15:22:17.817 [notice] Bootstrapped 100%: Done.
Apr 28 15:22:17.817 [notice] Now checking whether ORPort 89.248.169.108:8080 
and DirPort 89.248.169.108:80 are reachable... (this may take up to 20 minutes 
-- look for log messages indicating success)
Apr 28 15:22:19.106 [notice] Self-testing indicates your DirPort is reachable 
from the outside. Excellent.
Apr 28 15:22:38.504 [notice] Self-testing indicates your ORPort is reachable 
from the outside. Excellent. Publishing server descriptor.

Nothing else shows up after that, while debug.log is constantly being written 
to. Also, traffic logs suggest that the node is not used as much as it could be.

Whats up with that?

Thanks,
Alexandru



--
-
www.posta.ro - Romanias first free webmail since 1998!

_
 - powered by www.posta.ro

Re: Version checking (was Re: 25 tbreg relays in directory)

[Scott Bennett]

 On Tue, 28 Apr 2009 03:01:30 -0700 (PDT) Tripple Moon
 wrote:
>--- On Tue, 4/28/09, Scott Bennett  wrote:
>
>> From: Scott Bennett 
>> Subject: Re: 25 tbreg relays in directory
>> To: or-talk@freehaven.net
>> Date: Tuesday, April 28, 2009, 12:57 AM
>[cut for clarity]
>>  That brings up something that has bothered me for a
>> long time.  When
>> tor discovers that its version doesn't match any in
>> either client-versions
>> or server-versions, it currently writes complaints about it
>> to the log(s),
>> but seems to do nothing further about it.  I'd like to
>> see either of the
>> following.
>> 
>>  a) Addition of three lines to the consensus documents to
>> prevent use
>> of unsafe versions of tor
>[etc...cut for clarity]
>I also agree that there should be version checking, i didn't even know it 
>wasn't done so already... :(
>I would furthermore suggest to build a version fingerprint that uses some 
>remotely calculated CRC value of the client.
>My reason for that is to prevent the tor network to be poluted by specialy 
>"tweaked/altered" versions, which might endanger the security of the whole 
>network.
>(Let your imagination do a free run on possibilities in such cases).
>By "remotely calculated CRC-value of the client" i mean that the destination 
>does the CRC calculation of the connecting client.
>Yes this means the client needs to send all of its binary-self to the 
>destination.
>After this CRC-value has been calculated _once_ by a destination, that 
>destination should announce the presence of the client to the whole network if 
>its a valid client (not matter in what mode it runs).
>These CRC-values could be centrally maintained by the tor-development center 
>and made accessible public or by a hidden service.
>

 Laying aside for the moment the matter of how the rest of the tor nodes
should determine the trustworthiness/credibility of the tor instance making
the announcement or even why the tor network, either as a "whole" or as
individual nodes, should care about the integrity of a client (!), how to you
propose to calculate a verification digest--a CRC would not likely be
considered adequately reliable--based upon the executable binary of software
that
a) comes in many successive version,

b) can be compiled for many hardware architectures, not all of which
are necessarily known to the developers,

c) can be compiled for many operating systems, not all of which are
necessarily known to the developers, and

d) can be compiled by untold numbers of versions of many compilers,
not all of which are necessarily known to the developers?

>IMHO, this kind of "login procedure to enter the tor-network" will make it 
>more secure and manageable.

 More secure and manageable for whom??  Big Brother?  Obviously not for
the supposedly anonymous tor user...jeesh.

>Again, i have _no_ idea at present how the tor program handles things at 
>present, so if its already done like that or even better just disregard what i 
>wrote :D
>
 It doesn't, and it shouldn't.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**

Version checking (was Re: 25 tbreg relays in directory)

[Tripple Moon]

--- On Tue, 4/28/09, Scott Bennett  wrote:

> From: Scott Bennett 
> Subject: Re: 25 tbreg relays in directory
> To: or-talk@freehaven.net
> Date: Tuesday, April 28, 2009, 12:57 AM
[cut for clarity]
>  That brings up something that has bothered me for a
> long time.  When
> tor discovers that its version doesn't match any in
> either client-versions
> or server-versions, it currently writes complaints about it
> to the log(s),
> but seems to do nothing further about it.  I'd like to
> see either of the
> following.
> 
>   a) Addition of three lines to the consensus documents to
> prevent use
>  of unsafe versions of tor
[etc...cut for clarity]
I also agree that there should be version checking, i didn't even know it 
wasn't done so already... :(
I would furthermore suggest to build a version fingerprint that uses some 
remotely calculated CRC value of the client.
My reason for that is to prevent the tor network to be poluted by specialy 
"tweaked/altered" versions, which might endanger the security of the whole 
network.
(Let your imagination do a free run on possibilities in such cases).
By "remotely calculated CRC-value of the client" i mean that the destination 
does the CRC calculation of the connecting client.
Yes this means the client needs to send all of its binary-self to the 
destination.
After this CRC-value has been calculated _once_ by a destination, that 
destination should announce the presence of the client to the whole network if 
its a valid client (not matter in what mode it runs).
These CRC-values could be centrally maintained by the tor-development center 
and made accessible public or by a hidden service.

IMHO, this kind of "login procedure to enter the tor-network" will make it more 
secure and manageable.
Again, i have _no_ idea at present how the tor program handles things at 
present, so if its already done like that or even better just disregard what i 
wrote :D