Re: geeez...
Moritz Bartl mor...@torservers.net wrote:

> On 12.01.2011 22:05, Fabian Keil wrote:
>> Some of my equipment got seized a few months ago.
>
> Good luck on getting it back then!

Thanks.

>> I'm also not sure how the police would try to seize equipment and fail (assuming the equipment is actually there).
>
> Explosives? ;-)
> Did you run a Tor exit at home? I'm not sure if they come and seize your home computer if the Tor server is hosted in a data center. Olaf seems not to have run into big trouble yet (or maybe he was quick on replacing the hardware).

The exit node that triggered the raid is hosted by Strato. I'm running it there since 2006.

The friendly local police man who usually deals with the occasional abuse cases has a generic description of Tor that includes the IP addresses of my exit nodes and can forward that information to whomever is interested without having to contact me every time. This arrangement worked rather well so far.

For reasons unknown to me the investigation that led to the raid was handled by a different police department, though, and apparently the police men involved prefer to investigate a bit differently. They also didn't seem that fond of Tor in general.

Fabian
Re: geeez...
Hi!

On Thu, Jan 13, 2011 at 3:01 AM, Roger Dingledine a...@mit.edu wrote:
> This is related to the "if you remove Tor from the world, you're not really reducing the ability of bad guys to be anonymous on the Internet" idea.

This could be then analog argument as saying that if you remove one weapon factory from the world, that there would be no difference? But one after another and there will be. I cannot buy an argument saying that because situation is bad there should be no small improvements where there could be.

> various other techniques people have developed over the years to deal with abuse.

Then tell me which techniques have we developed which prevent pedophiles to use hidden Tor services? Which techniques have we developed which prevent somebody to blackmail somebody else over Tor network and stay anonymous? Which techniques have we developed which can help find out which are other people in terrorist group and trace their communication, once we discover they use Tor?

> It depends where your jerks are coming from. If your jerks are all obeying every law and showing up from their static non-natted IP address, then yes, routing address is definitely related to identity. But if your jerks have ever noticed this doesn't work so well for them, they may start using other approaches and suddenly you're back needing to learn about application-level mechanisms

Because current protocols were done just to solve technical problems and not also law or other society problems. For example, HAM operators and their networks had, before they started their packets networks, already laws in place requiring them that each packet should also contain call-sign of responsible person/station. OK, in this particular case (as far as I know) this is not cryptographically enforced (but this is a technical thing) but it still shows that laws like this can work.

So if countries (like they cooperate on ACTA) would declare that it is illegal to send or route or relay any packet without information about responsible person for it things would be much different. So saying that currently technology does not support this and so it does not matter is just because it was not required to support this. But there is nothing preventing that laws would be changed in this way. Probably also many lobbies are doing in this direction. Adding another required field to IPv6 is not so hard. Making it cryptographically secure a bit more. Do all work on teach people about identity thefts (which would become even more profitable) even harder.

Because of this those are not arguments I could agree upon. They are true, but it could be also otherwise. I would like to hear good arguments why even if we would have in place all possible technical means to identify originators (or possibility to turn this on if we decide so) it would be still proper to not go along this path. I can see arguments for this only possible with basing the argument on human rights and similar values we might share. But then there are conflicts of those rights, security vs. freedom.

Mitar
Re: geeez...
Hi,

What the hell are you talking about? The whole idea of Tor is anonymity, and you want Tor to make it easy to identify its users? Thomas Jefferson already answered your question: The man who would choose security over freedom deserves neither. If you want security over freedom, you're welcome to migrate to China or Iran.

Thanks

On 1/14/2011 9:27 AM, Mitar wrote:
> Hi!
>
> On Thu, Jan 13, 2011 at 3:01 AM, Roger Dingledine a...@mit.edu wrote:
>> This is related to the "if you remove Tor from the world, you're not really reducing the ability of bad guys to be anonymous on the Internet" idea.
>
> This could be then analog argument as saying that if you remove one weapon factory from the world, that there would be no difference? But one after another and there will be. I cannot buy an argument saying that because situation is bad there should be no small improvements where there could be.
>
>> various other techniques people have developed over the years to deal with abuse.
>
> Then tell me which techniques have we developed which prevent pedophiles to use hidden Tor services? Which techniques have we developed which prevent somebody to blackmail somebody else over Tor network and stay anonymous? Which techniques have we developed which can help find out which are other people in terrorist group and trace their communication, once we discover they use Tor?
>
>> It depends where your jerks are coming from. If your jerks are all obeying every law and showing up from their static non-natted IP address, then yes, routing address is definitely related to identity. But if your jerks have ever noticed this doesn't work so well for them, they may start using other approaches and suddenly you're back needing to learn about application-level mechanisms
>
> Because current protocols were done just to solve technical problems and not also law or other society problems. For example, HAM operators and their networks had, before they started their packets networks, already laws in place requiring them that each packet should also contain call-sign of responsible person/station. OK, in this particular case (as far as I know) this is not cryptographically enforced (but this is a technical thing) but it still shows that laws like this can work.
>
> So if countries (like they cooperate on ACTA) would declare that it is illegal to send or route or relay any packet without information about responsible person for it things would be much different. So saying that currently technology does not support this and so it does not matter is just because it was not required to support this. But there is nothing preventing that laws would be changed in this way. Probably also many lobbies are doing in this direction. Adding another required field to IPv6 is not so hard. Making it cryptographically secure a bit more. Do all work on teach people about identity thefts (which would become even more profitable) even harder.
>
> Because of this those are not arguments I could agree upon. They are true, but it could be also otherwise. I would like to hear good arguments why even if we would have in place all possible technical means to identify originators (or possibility to turn this on if we decide so) it would be still proper to not go along this path. I can see arguments for this only possible with basing the argument on human rights and similar values we might share. But then there are conflicts of those rights, security vs. freedom.
>
> Mitar
Re: geeez...
Thus spake Mitar (mmi...@gmail.com):

>> This is related to the "if you remove Tor from the world, you're not really reducing the ability of bad guys to be anonymous on the Internet" idea.
>
> This could be then analog argument as saying that if you remove one weapon factory from the world, that there would be no difference? But one after another and there will be. I cannot buy an argument saying that because situation is bad there should be no small improvements where there could be.

That's not what we're saying, but I suspect you may just be trolling. You're certainly straw-manning...

>> various other techniques people have developed over the years to deal with abuse.
>
> Then tell me which techniques have we developed which prevent pedophiles to use hidden Tor services? Which techniques have we developed which prevent somebody to blackmail somebody else over Tor network and stay anonymous? Which techniques have we developed which can help find out which are other people in terrorist group and trace their communication, once we discover they use Tor?

The same techniques that law enforcement use when these same sophisticated adversaries use black market compromised botnets:

http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_digital_forgeries.html
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html

In these cases, police need to do police work: gathering technical data and examining content for evidence to aid in the investigation; and infiltrating groups and performing stings (for which they often use Tor).

>> It depends where your jerks are coming from. If your jerks are all obeying every law and showing up from their static non-natted IP address, then yes, routing address is definitely related to identity. But if your jerks have ever noticed this doesn't work so well for them, they may start using other approaches and suddenly you're back needing to learn about application-level mechanisms
>
> Because current protocols were done just to solve technical problems and not also law or other society problems. For example, HAM operators and their networks had, before they started their packets networks, already laws in place requiring them that each packet should also contain call-sign of responsible person/station. OK, in this particular case (as far as I know) this is not cryptographically enforced (but this is a technical thing) but it still shows that laws like this can work. So if countries (like they cooperate on ACTA) would declare that it is illegal to send or route or relay any packet without information about responsible person for it things would be much different.

You think criminals obey the law? Both China and South Korea have instituted fully authenticated internet drivers licenses, and not only has cybercrime not vanished, it continues to flourish and profit from new markets that trade in these credentials and the use of authenticated connections through proxy.

Even a fully cryptographically secured and authenticated Internet would still be *just* as vulnerable to abuse, all other things being equal. Grandma could even be required to have her iris scanned before entering her bunker to use her military-grade encrypted, authenticated PC that is otherwise disconnected from the Internet while her iris is not available. But as soon as she scans her iris, the malware on her machine would wake up and inform its masters that it is ready to do their bidding.

The only way to really curtail these social problems is to properly address their root causes. Taking freedoms away seems like an easy quick fix, but in reality, there is no gain, only more insecurity.

This is why Tor is not part of the problem. In fact, its use by law enforcement for stings, infiltration, and investigation indicates it is also part of the solution.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: geeez...
thus Mike Perry spake:

> Some of us are also compiling abuse response templates. The goal for abuse responses is to inform people about Tor, and to suggest solutions for their security problems that involve improving their computer security for the Internet at large (open wifi, open proxies, botnets), rather than seeking vengeance and chasing ghosts. The difference between these two approaches to abuse is the difference between decentralized fault-tolerant Internet freedom, and fragile, corruptible totalitarian control.

Is there any place (e.g. in a wiki) where one could find or even upload his own 'response template', as I might assume that they will be very specific to the country's law they're issued?

Such a thing could be helpful for many of us.

Timo
Re: geeez...
Thus spake Timo Schoeler (timo.schoe...@riscworks.net):

>> Some of us are also compiling abuse response templates. The goal for abuse responses is to inform people about Tor, and to suggest solutions for their security problems that involve improving their computer security for the Internet at large (open wifi, open proxies, botnets), rather than seeking vengeance and chasing ghosts. The difference between these two approaches to abuse is the difference between decentralized fault-tolerant Internet freedom, and fragile, corruptible totalitarian control.
>
> Is there any place (e.g. in a wiki) where one could find or even upload his own 'response template', as I might assume that they will be very specific to the country's law they're issued?

Here's the (freshly updated) set of abuse complaints that reflects what myself and a handful of others have dealt with over the past 6 months or so:

https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorAbuseTemplates

Notably absent from that list is a DMCA response, but the EFF provides one for that case:

http://tor.eff.org/eff/tor-dmca-response.html.en

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: geeez...
On 12.01.2011 09:32, Timo Schoeler wrote:

> thus Mike Perry spake:
>> Some of us are also compiling abuse response templates. The goal for abuse responses is to inform people about Tor, and to suggest solutions for their security problems that involve improving their computer security for the Internet at large (open wifi, open proxies, botnets), rather than seeking vengeance and chasing ghosts. The difference between these two approaches to abuse is the difference between decentralized fault-tolerant Internet freedom, and fragile, corruptible totalitarian control.
>
> Is there any place (e.g. in a wiki) where one could find or even upload his own 'response template', as I might assume that they will be very specific to the country's law they're issued?
>
> Such a thing could be helpful for many of us.
>
> Timo

Here are some: http://www.wiredwings.com/wiki/Torservers.net_Main_Page#Abuse

regards,
Jan
Re: geeez...
Thus spake Mike Perry (mikepe...@fscked.org):

>> Is there any place (e.g. in a wiki) where one could find or even upload his own 'response template', as I might assume that they will be very specific to the country's law they're issued?
>
> Here's the (freshly updated) set of abuse complaints that reflects what myself and a handful of others have dealt with over the past 6 months or so:
>
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorAbuseTemplates

I've also gone ahead and updated the blog post with new tips for exit node operators:

https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment

The two main changes are links to the ARIN registration pages and forms, and tips on forming an LLC to run your node for civil liability protection in the US.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: geeez...
The BSI comment had me rolling on the floor. Could you imagine the paperwork? If you're going to RSA, they'll be there.

On Tue, Jan 11, 2011 at 3:28 PM, Dirk noi...@gmx.net wrote:
> ok... since this mailing list is not able to give at least some tips for running a tor exit node except: "Do it." or "We do have a lawyer" (how is that supposed to help me?)
>
> I will just ask the german Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de) howto setup a TOR exit node without ruining my life... :D
>
> people here are probably too cool to give noobs instructions...
>
> Dirk
Re: geeez...
Moritz Bartl mor...@torservers.net wrote:

>> ok... since this mailing list is not able to give at least some tips for running a tor exit node except:
>
> What do you want to know exactly?
>
> In many countries, running an anonymizing service is definitely not illegal. Many exit operators run into trouble with their ISP, because they are too easily scared by DMCA complaints and the like. This is especially true for an exit policy that allows arbitrary ports, as your ISP will be flooded with mails from BayTSP/MediaSentry. That's why we have compiled a list of well-known ports. [1]
>
> You should find an ISP who explicitly allows you to run a Tor exit, and if you want you can start with an open exit policy. If your ISP complains and wants to shut you down later, you can switch to the reduced exit policy. Or, you can allow exiting only to a few ports. It's your decision.
>
> Try to convince your ISP to SWIP the IP range and attach your personal abuse handle. Example: http://torstatus.blutmagie.de/cgi-bin/whois.pl?ip=79.140.39.227
>
> Most complaints you will have to deal with can be easily solved by telling them about Tor. In extreme cases, the police might come knocking to your door or even try to seize your equipment, but I am only aware of a single case in Germany where that happened some years ago.

Some of my equipment got seized a few months ago.

I'm also not sure how the police would try to seize equipment and fail (assuming the equipment is actually there).

Getting a warrant seems to be pretty easy as long as you don't mention that the IP address in question belongs to a known Tor server.

Fabian
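The exit-policy choice discussed in the message above (an open policy versus exiting only to a few ports), as an added example that is not part of the thread and not Tor Project code: a small evaluator for torrc `ExitPolicy` lines, which Tor checks in order with the first match winning. The port selection, the refused network and the probe addresses are constructed for illustration and are not the "reduced exit policy" list the message refers to; the helper names are hypothetical and only IPv4 is handled.

```python
"""Added example: first-match evaluation of torrc ExitPolicy lines (IPv4 only)."""
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None stands for "*"
    port_lo: int
    port_hi: int


def parse_rule(line: str) -> Rule:
    """Parse one 'ExitPolicy accept|reject ADDR[/MASK]:PORT[-PORT]' line."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ExitPolicy" or parts[1] not in ("accept", "reject"):
        raise ValueError(f"not an ExitPolicy line: {line!r}")
    addr, sep, ports = parts[2].rpartition(":")
    if not sep or not addr or not ports:
        raise ValueError(f"expected ADDR:PORT in {line!r}")
    network = None if addr == "*" else ipaddress.IPv4Network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    else:
        lo_s, dash, hi_s = ports.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if dash else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {line!r}")
    return Rule(parts[1] == "accept", network, lo, hi)


def parse_policy(text: str) -> List[Rule]:
    """Parse a torrc fragment, skipping blank lines and full-line comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(parse_rule(line))
    return rules


def exit_allowed(rules: List[Rule], ip: str, port: int) -> Optional[bool]:
    """Return the verdict of the first matching rule, or None if no rule matches.

    None means the fragment has no catch-all line, so the verdict would be
    decided by whatever policy follows it rather than by these rules.
    """
    dest = ipaddress.IPv4Address(ip)
    for rule in rules:
        if rule.network is not None and dest not in rule.network:
            continue
        if rule.port_lo <= port <= rule.port_hi:
            return rule.accept
    return None


# Constructed sample policies (illustrative only).
OPEN_POLICY = "ExitPolicy accept *:*\n"

FEW_PORTS_POLICY = """
# Refuse one destination network entirely (documentation range, constructed).
ExitPolicy reject 192.0.2.0/24:*
# Exit only to web ports, then reject everything else.
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

if __name__ == "__main__":
    probes = [("198.51.100.7", 443), ("198.51.100.7", 6881), ("192.0.2.10", 443)]
    for name, text in (("open", OPEN_POLICY), ("few ports", FEW_PORTS_POLICY)):
        rules = parse_policy(text)
        for ip, port in probes:
            print(f"{name:10} {ip}:{port} -> {exit_allowed(rules, ip, port)}")
```

Because the first match wins, the `reject 192.0.2.0/24:*` line has to come before the `accept *:443` line to have any effect.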
Re: geeez...
Hi,

On 12.01.2011 22:05, Fabian Keil wrote:
> Some of my equipment got seized a few months ago.

Good luck on getting it back then!

> I'm also not sure how the police would try to seize equipment and fail (assuming the equipment is actually there).

Explosives? ;-)

Did you run a Tor exit at home? I'm not sure if they come and seize your home computer if the Tor server is hosted in a data center. Olaf seems not to have run into big trouble yet (or maybe he was quick on replacing the hardware).

--
Moritz Bartl
http://www.torservers.net/
Re: geeez...
On 12.01.2011 22:48, Moritz Bartl wrote:

> Did you run a Tor exit at home? I'm not sure if they come and seize your home computer if the Tor server is hosted in a data center. Olaf seems not to have run into big trouble yet (or maybe he was quick on replacing the hardware).

Running an exit in a German data center isn't a big deal. Size really matters and provides you a certain amount of safety. But as an employee working for a German Telco, I advise you not to run an exit node at home behind a DSL subscriber line. Do not do this!

Two days ago my local police officer told me he's regretting that I might have to shut down blutmagie this year. So German law enforcement isn't Tor operator's enemy in general.

Saturday at eighthundred I'll be a German Army's soldier in GFM Augustdorf barracks again, protecting the galaxy against aliens.

http://www.informationfreeway.org/?lat=51.91590673350628&lon=8.769514491697844&zoom=14&layers=BF00F0

regards
Olaf
Re: geeez...
Hi!

On Wed, Jan 12, 2011 at 12:52 AM, Moritz Bartl mor...@torservers.net wrote:
> Most complaints you will have to deal with can be easily solved by telling them about Tor. In extreme cases, the police might come knocking to your door or even try to seize your equipment, but I am only aware of a single case in Germany where that happened some years ago.

In Slovenia for our Tor node (currently down) we have very nice ISP which said that they do not mind anything until we are paying our bills. But we had two visits of police to our doors early in the morning (once for blackmailing and once for pedophilia). Once we explained to them that the IP is of Tor server and that there are no logs they said OK and that was it.

The problem is probably that the server is registered on a physical person so once they see the name they assume that this is some home user. But once you explain to them that this is a server on collocation and not even at your home and what Tor is and how it works. Then their assumption that you as a home user is a probable suspect changes to that you are an admin of a server and in this way probably just a witness. And once you tell them that you cannot witness anything (you do not have logs) this is it (if they believe you, but there are not much reasons for them not to - they would have to have also some other signs to get a warrant).

Mitar
Re: geeez...
Hi!

> But I want a legally binding statement from a lawyer or an official (BSI) that running TOR exit nodes in germany is legal.

In Slovenia there is a law (for Internet commerce) that persons just passing data around, not changing it, choosing destination or source, filter, etc, are not responsible for the data. This even works for the servers. So if you have a server with content you are just storing for somebody else you are not responsible for that. But you have a witness status if they want to prosecute this somebody and have to cooperate. So police will come and talk to you, but not as a suspect but as a witness.

Probably this is an EU law.

Mitar
Re: geeez...
Hi,

On top of this, it is *illegal* in Germany to keep user identifiable data unless required for billing purposes.

Telemediengesetz §15 Nutzungsdaten
http://www.gesetze-im-internet.de/tmg/__15.html

Let me translate the first paragraph:

§15 Usage Data
(1) The service provider may collect personal data of a user and use them only to the extent necessary to enable the use and billing of telemedia. Usage data are particularly
1. Characteristics to identify the user,
2. Information on the beginning and end and the extent of current usage and
3. Details about the used telemedia services.

--
Moritz Bartl
http://www.torservers.net/

On 13.01.2011 00:33, Mitar wrote:
> Hi!
>
>> But I want a legally binding statement from a lawyer or an official (BSI) that running TOR exit nodes in germany is legal.
>
> In Slovenia there is a law (for Internet commerce) that persons just passing data around, not changing it, choosing destination or source, filter, etc, are not responsible for the data. This even works for the servers. So if you have a server with content you are just storing for somebody else you are not responsible for that. But you have a witness status if they want to prosecute this somebody and have to cooperate. So police will come and talk to you, but not as a suspect but as a witness.
>
> Probably this is an EU law.
>
> Mitar
Re: geeez...
Hi!

On Thu, Jan 13, 2011 at 12:46 AM, Moritz Bartl mor...@torservers.net wrote:
> On top of this, it is *illegal* in Germany to keep user identifiable data unless required for billing purposes.

I think it is allowed but you have to clearly inform users of this (register this data collection with data privacy agency) and reasons for it and there is then principle of proportionality and subsidiarity so that you have to prove that collecting all this data is really needed for service or something. Something like that. (Uh, is hard to translate terms you know only in your language.)

Maybe in Germany things are more strict?

Mitar
Re: geeez...
Hi!

On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry mikepe...@fscked.org wrote:
> and to suggest solutions for their security problems that involve improving their computer security for the Internet at large (open wifi, open proxies, botnets),

I am not sure what you mean by that? That there should not be open WiFi because it improves security? Or that because there are open WiFis, open proxies, botnets you have to secure your systems anyway? But how do you secure them against abusive behavior (blackmailing, posting abusive content...)? There is probably a reasonable argument that identification would help with security here. No?

> The difference between these two approaches to abuse is the difference between decentralized fault-tolerant Internet freedom, and fragile, corruptible totalitarian control.

You are talking here just about technical fault-tolerance. What about fault-tolerance when somebody is directly abused because of this freedom? How can we solve problems for this person and here (probably reasonable) unease feelings? Or should we just concentrate on technical aspects and ignore that?

Mitar
Re: geeez...
On 13.01.2011 01:01, Mitar wrote:

>> On top of this, it is *illegal* in Germany to keep user identifiable data unless required for billing purposes.
>
> I think it is allowed but you have to clearly inform users of this (register this data collection with data privacy agency) and reasons for it and there is then principle of proportionality and subsidiarity so that you have to prove that collecting all this data is really needed for service or something.

That is already included in the first paragraph: "[...] to the extent necessary to enable the use". It is not defined that a particular service may not require some personal identifiable data over the course of the whole period, but it is only allowed to do so if it is really _required_ for either usage or billing of the service.

> Maybe in Germany things are more strict?

Most services just don't care enough, and apart from areas where you can make a shitload of money by harassing people it is rarely prosecuted. For example, using Google Analytics was and has always been illegal in Germany, but you still can find hundreds of German sites using it.

To make this clear: If you as an operator are based in Germany, you have to follow the German law, even if your server is located in other countries.

--
Moritz Bartl
http://www.torservers.net/
Re: geeez...
On Thu, Jan 13, 2011 at 01:17:33AM +0100, Mitar wrote:

> On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry mikepe...@fscked.org wrote:
>> and to suggest solutions for their security problems that involve improving their computer security for the Internet at large (open wifi, open proxies, botnets),
>
> I am not sure what you mean by that? That there should not be open WiFi because it improves security? Or that because there are open WiFis, open proxies, botnets you have to secure your systems anyway?

I assume he meant the latter -- there are many ways that people can reach your website and have their IP address not really linked to the human making the connection.

This is related to the "if you remove Tor from the world, you're not really reducing the ability of bad guys to be anonymous on the Internet" idea. See also my first entry at https://www.torproject.org/docs/faq-abuse

> But how do you secure them against abusive behavior (blackmailing, posting abusive content...)?

By making your decisions based on the application-level content rather than the routing of the packets. If you have a forum, and it has jerks, then you need to learn about accounts and authentication. If it stays bad, you need to learn about reputation, or moderation, or various other techniques people have developed over the years to deal with abuse.

> There is probably a reasonable argument that identification would help with security here. No?

It depends where your jerks are coming from. If your jerks are all obeying every law and showing up from their static non-natted IP address, then yes, routing address is definitely related to identity. But if your jerks have ever noticed this doesn't work so well for them, they may start using other approaches and suddenly you're back needing to learn about application-level mechanisms (or you're back being angry at the Internet for not giving you identification by IP address; if blocking by IP address is the only abuse prevention mechanism you've got, you're going to spend a lot of your life angry).

For more on this topic, I'd point you to a short article a few years ago by Goodell and Syverson called "The Right Place at the Right Time: Examining the Use of Network Location in Authentication and Abuse Prevention" -- but in going to hunt for it I can't find it available online anymore. Proprietary publishers suck I guess. :(

--Roger
Re: geeez...
On Jan 12, 2011, at 9:01 PM, Roger Dingledine wrote: On Thu, Jan 13, 2011 at 01:17:33AM +0100, Mitar wrote: On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry mikepe...@fscked.org wrote: and to suggest solutions for their security problems that involve improving their computer security for the Internet at large (open wifi, open proxies, botnets), I am not sure what you mean by that? That there should not be open WiFi because it improves security? Or that because there are open WiFis, open proxies, botnets you have to secure your systems anyway? I assume he meant the latter -- there are many ways that people can reach your website and have their IP address not really linked to the human making the connection. This is related to the if you remove Tor from the world, you're not really reducing the ability of bad guys to be anonymous on the Internet idea. See also my first entry at https://www.torproject.org/docs/faq-abuse But how do you secure them against abusive behavior (blackmailing, posting abusive content...)? By making your decisions based on the application-level content rather than the routing of the packets. If you have a forum, and it has jerks, then you need to learn about accounts and authentication. If it stays bad, you need to learn about reputation, or moderation, or various other techniques people have developed over the years to deal with abuse. There is probably a reasonable argument that identification would help with security here. No? It depends where your jerks are coming from. If your jerks are all obeying every law and showing up from their static non-natted IP address, then yes, routing address is definitely related to identity. 
But if your jerks have ever noticed this doesn't work so well for them, they may start using other approaches and suddenly you're back needing to learn about application-level mechanisms (or you're back being angry at the Internet for not giving you identification by IP address; if blocking by IP address is the only abuse prevention mechanism you've got, you're going to spend a lot of your life angry). For more on this topic, I'd point you to a short article a few years ago by Goodell and Syverson called The Right Place at the Right Time: Examining the Use of Network Location in Authentication and Abuse Prevention -- but in going to hunt for it I can't find it available online anymore. Proprietary publishers suck I guess. :( --Roger Thank you Roger! jlj --- Jay Le Jaroslav jaros...@multicians.org
Re: geeez...
Dirk, I don't think anyone on this list is too cool to give instructions, it is just that instructions already exist. The Tor Project website has information on how to set up a relay. http://www.torproject.org/docs/tor-doc-relay.html.en http://www.torproject.org/docs/faq.html.en Mike Perry also wrote this great guide for running an exit node. https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment -Kory On Tue, Jan 11, 2011 at 5:28 PM, Dirk noi...@gmx.net wrote: ok... since this mailing list is not able to give at least some tips for running a tor exit node except: Do it. or We do have a lawyer (how is that supposed to help me?) I will just ask the German Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de) how to set up a TOR exit node without ruining my life... :D people here are probably too cool to give noobs instructions... Dirk
Re: geeez...
Hi Dirk, ok... since this mailing list is not able to give at least some tips for running a tor exit node except: What do you want to know exactly? In many countries, running an anonymizing service is definitely not illegal. Many exit operators run into trouble with their ISP, because they are too easily scared by DMCA complaints and the like. This is especially true for an exit policy that allows arbitrary ports, as your ISP will be flooded with mails from BayTSP/MediaSentry. That's why we have compiled a list of well-known ports. [1] You should find an ISP who explicitly allows you to run a Tor exit, and if you want you can start with an open exit policy. If your ISP complains and wants to shut you down later, you can switch to the reduced exit policy. Or, you can allow exiting only to a few ports. It's your decision. Try to convince your ISP to SWIP the IP range and attach your personal abuse handle. Example: http://torstatus.blutmagie.de/cgi-bin/whois.pl?ip=79.140.39.227 Most complaints you will have to deal with can be easily solved by telling them about Tor. In extreme cases, the police might come knocking to your door or even try to seize your equipment, but I am only aware of a single case in Germany where that happened some years ago. If you need technical help setting up a node, the comments in torrc and the documentation on the website should help you. If not, join #tor on irc.oftc.net and I'm sure there will be someone to give you a hand. -- Moritz Bartl http://www.torservers.net/ [1] https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment On 12.01.2011 00:28, Dirk wrote: Do it. or We do have a lawyer (how is that supposed to help me?) I will just ask the German Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de) how to set up a TOR exit node without ruining my life... :D people here are probably too cool to give noobs instructions...
Dirk
Re: geeez...
Moritz Bartl wrote: Hi Dirk, ok... since this mailing list is not able to give at least some tips for running a tor exit node except: What do you want to know exactly? In many countries, running an anonymizing service is definitely not illegal. This stuff: https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment reads all like How not to get caught. But I want a legally binding statement from a lawyer or an official (BSI) that running TOR exit nodes in Germany is legal. And then I want to sink that little money I have into running as many of such servers as I can. Dirk
Re: geeez...
On Tue, Jan 11, 2011 at 7:29 PM, Dirk noi...@gmx.net wrote: Moritz Bartl wrote: Hi Dirk, ok... since this mailing list is not able to give at least some tips for running a tor exit node except: What do you want to know exactly? In many countries, running an anonymizing service is definitely not illegal. This stuff: https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment reads all like How not to get caught. But I want a legally binding statement from a lawyer or an official (BSI) that running TOR exit nodes in Germany is legal. The question is not is it legal? but how do I minimize the effects if someone decides to harass me through the law? And then I want to sink that little money I have into running as many of such servers as I can. An admirable goal. Dirk -- Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety. -- Benjamin Franklin
Re: geeez...
Dirk, Considering I2P's German home I think you should go back to what others have said, it's not a matter of Legal, it's a matter of reducing activity that might raise the alarm of other people. So read the links sent, consider the port limitations, and work up from there. If you really need to find something more concrete then consider contacting EFF and EFF Europe projects (https://www.eff.org/issues/eff-europe). Good luck, -Ali
Re: geeez...
On Wed, 12 Jan 2011 02:29:49 +0100 Dirk noi...@gmx.net wrote: But I want a legally binding statement from a lawyer or an official (BSI) that running TOR exit nodes in Germany is legal. Ask the CCC for a start. They have defended many Germans already. -- Andrew pgp 0x74ED336B
Re: geeez...
Thus spake Dirk (noi...@gmx.net): ok... since this mailing list is not able to give at least some tips for running a tor exit node except: What do you want to know exactly? In many countries, running an anonymizing service is definitely not illegal. This stuff: https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment reads all like How not to get caught. The tips in the blog post are not how not to get caught. In fact, every one of them is about telling people as early in the process what is going on, and who to contact if there are issues. This is done because at scale (gigabit speeds), abuse complaints happen way more frequently. With the default exit policy, you will get about 50 automated DMCA complaints per day at gigabit speeds. With the bittorrent-resistant reduced exit policy from that post, you get about 5 per week. So it is entirely about reducing your work load for managing your exit, and keeping the noise away from your ISP. As previous threads indicate, law enforcement can and does still contact you. The goal again is making this easy, so no one needs to kick in any doors. Some of us are also compiling abuse response templates. The goal for abuse responses is to inform people about Tor, and to suggest solutions for their security problems that involve improving their computer security for the Internet at large (open wifi, open proxies, botnets), rather than seeking vengeance and chasing ghosts. The difference between these two approaches to abuse is the difference between decentralized fault-tolerant Internet freedom, and fragile, corruptible totalitarian control. But I want a legally binding statement from a lawyer or an official (BSI) that running TOR exit nodes in Germany is legal. I'm not a lawyer, but our largest exit (blutmagie) has run in Germany for the past 4 years or so. And then I want to sink that little money I have into running as many of such servers as I can.
We have discovered that the most effective way to run tor servers is in bulk, because smaller providers are not willing to put up with occasional abuse complaints that do get through to them, because doing so costs them human resources and dollars. Bandwidth also is considerably cheaper in bulk than it is at residential or even shared hosting/VPS prices. Consider donating to http://www.torservers.net/, or setting up your own similar project and collecting donations to leverage the economies of scale inherent in bandwidth prices. Obviously, the more people doing this the better (for distributed trust). See also the thread at: http://www.mail-archive.com/or-talk@freehaven.net/msg14159.html for some insight into the arcane technical details involved in running high capacity tor relays. -- Mike Perry Mad Computer Scientist fscked.org evil labs
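The port-limited exit policies that Moritz Bartl and Mike Perry describe in their messages above are evaluated rule by rule, with the first matching rule deciding. The following is an added example, not code from the thread or from the Tor Project; the two policies, the probe ports and the helper names are assumptions constructed for illustration, and only wildcard-address rules are handled.

```python
# Added example: first-match evaluation of torrc-style ExitPolicy lines.
# Policies and probe ports are constructed; they are not the blog post's list.
OPEN_POLICY = ["accept *:*"]
FEW_PORTS_POLICY = [
    "accept *:80",         # HTTP
    "accept *:443",        # HTTPS
    "accept *:6660-6667",  # IRC, using port-range syntax
    "reject *:*",          # explicit catch-all: everything else is refused
]
# Constructed probe set: SMTP, web, IRC, and a port often used by BitTorrent.
PROBE_PORTS = [25, 80, 443, 6667, 6881]


def parse_rule(line):
    """Parse 'accept|reject *:PORTSPEC' into (allow, low_port, high_port)."""
    action, target = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in {line!r}")
    addr, _, portspec = target.rpartition(":")
    if addr != "*":
        raise ValueError("this sketch only handles wildcard addresses")
    if portspec == "*":
        low, high = 1, 65535
    elif "-" in portspec:
        low, high = (int(p) for p in portspec.split("-", 1))
    else:
        low = high = int(portspec)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range in {line!r}")
    return action == "accept", low, high


def exit_allowed(policy, port):
    """Return True if the first rule matching `port` is an accept rule."""
    for allow, low, high in map(parse_rule, policy):
        if low <= port <= high:
            return allow
    return False  # simplification here: no matching rule counts as a refusal


def allowed_ports(policy, ports):
    """Subset of `ports` that the policy lets exit, in input order."""
    return [p for p in ports if exit_allowed(policy, p)]


if __name__ == "__main__":
    print("open     :", allowed_ports(OPEN_POLICY, PROBE_PORTS))
    print("few ports:", allowed_ports(FEW_PORTS_POLICY, PROBE_PORTS))
```

Because evaluation stops at the first match, rule order matters: a `reject *:*` placed before the accept lines refuses everything, so the catch-all belongs last.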