Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 08:50:00PM +0200, bacardic...@gmail.com wrote 1.1K bytes in 28 lines about: : Would it be possible for my to include myself in the MyFamily line? Yes. When I ran 10 nodes, this is what I did. One config for all 10 was easier to maintain than 10 unique configs. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 01:44:36PM -0500, benn...@cs.niu.edu wrote 4.7K bytes in 91 lines about: : including some tor developers, did not bother to read the proposal by Bruce : from perfect-privacy.com. He did *not* propose, for example, any equivalent : to #include statements. He did *not* propose, for example, any method of : allowing a node to specify other members of a Family. You are correct. I did not respond to Bruce's proposal. I attempted to explain how MyFamily works today, and some of the risks of a client trusting the MyFamily statement from any one member of the family. This was suggested by others and there seems to be confusion around it. I am not addressing Bruce's proposal. I leave that to Paul, Roger, and others more qualified. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 02:36:01PM -0500, Scott Bennett wrote: > Hi Paul, > On Thu, 20 May 2010 15:12:38 -0400 Paul Syverson > wrote: > > > >Your interpretation of what Bruce said makes sense. But it is not > >how I parsed, "BelongToFamily xyz" in his message. I read it the same > >way it seems that Roger did, as giving a list: node x, node y, and > >node z. And then we're off and running. I think what Bruce/you > > You parsed "xyz" as meaning "x,y,x" or perhaps "x y z"? How bizarre. > Even the current MyFamily statement doesn't do that. Right. But I only saw the message in the context of Roger's reply where he seems to have read it that way. To be generous, he was reading an email proposing something associated with MyFamily, not code. Also, in my experience 'xyz' (with or without spaces) is usually used to mean a list of things rather than as a name variable like 'foo'. To be even more generous, hey we all make mistakes and I've probably explored this mistake's origins a fair amount farther than interesting or productive. So stopping now. > > >suggest is better than what I proposed to avoid the problems Roger and > >Andrew noted. As I said before, it's not how MyFamily now works. And I > > No, indeed it's not. Bruce was proposing an alternative method, one > that looks far more sensible than the current method. > I totally agree, albeit having not thought long or hard about it. Again, partly I was simply trying to explain to myself and perhaps others how we managed to misread the suggestion. > >believe Andrew/Roger/me/others were addressing trying to use the > >existing functionality in a different way, which was another > >disconnect. Anyway, this is certainly an idea worth considering. > > > >Now, should you ever say you are in multiple families at once? > > That's an interesting question, and I'm not sure of the answer. > However, it's worth noting that it would not open any useful attack > because each time a node adds itself to a Family reduces by some amount > its probability of being selected for a route. > > >And should there be a lattice structure for families, hmmm? ;>) > > > Not sure what that would accomplish. Seems to me that a client This and my other question were meant as jokes. Hence the emoticon. (Some of us haven't slept recently and are a bit punchy.) But yeah, many a theorem or system design started as jokes while goofing around. -Paul *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
Hi Paul, On Thu, 20 May 2010 15:12:38 -0400 Paul Syverson wrote: >On Thu, May 20, 2010 at 01:44:36PM -0500, Scott Bennett wrote: >> Oh. My. Goodness. Gracious! I go to sleep for a few hours, and the >> discussion descends into total confusion because a number of participants, >> including some tor developers, did not bother to read the proposal by Bruce >> from perfect-privacy.com. He did *not* propose, for example, any equivalent >> to #include statements. He did *not* propose, for example, any method of >> allowing a node to specify other members of a Family. > >Your interpretation of what Bruce said makes sense. But it is not >how I parsed, "BelongToFamily xyz" in his message. I read it the same >way it seems that Roger did, as giving a list: node x, node y, and >node z. And then we're off and running. I think what Bruce/you You parsed "xyz" as meaning "x,y,x" or perhaps "x y z"? How bizarre. Even the current MyFamily statement doesn't do that. >suggest is better than what I proposed to avoid the problems Roger and >Andrew noted. As I said before, it's not how MyFamily now works. And I No, indeed it's not. Bruce was proposing an alternative method, one that looks far more sensible than the current method. >believe Andrew/Roger/me/others were addressing trying to use the >existing functionality in a different way, which was another >disconnect. Anyway, this is certainly an idea worth considering. > >Now, should you ever say you are in multiple families at once? That's an interesting question, and I'm not sure of the answer. However, it's worth noting that it would not open any useful attack because each time a node adds itself to a Family reduces by some amount its probability of being selected for a route. >And should there be a lattice structure for families, hmmm? ;>) > Not sure what that would accomplish. Seems to me that a client would maintain a list of Family names that it has encountered. Each time it encounters a descriptor with a Family name not already present in its list, it would add a new entry for that Family to the list. Each node claiming membership in a Family would have an membership entry linked off of the appropriate entry in the Family list. When a new descriptor for a node is encountered, it would be checked for Family designation(s) against the appropriate membership list(s) to see whether the membership list(s) should be updated. If a node vanishes from the directory, its memberships should be removed. If an entry in the Family list ends up with no membership entries linked from it, then that Family entry should be removed from the Family list. It's just mundane list maintenance stuff. Shouldn't be a big deal. Each node's descriptor entry in tor's internal representation of the directory would link directly to the appropriate Family list entry. If multiple Family designations are permitted for a node, then the internal directory entry would instead anchor a short list of pointers to the Family list entries. I suppose a bit could be reserved somewhere nearby that would say whether the field in the internal directory entry were a direct pointer or a list anchor in order to accommodate the most likely case, namely, that a node would be a member of, at most, a single Family. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 01:44:36PM -0500, Scott Bennett wrote: > Oh. My. Goodness. Gracious! I go to sleep for a few hours, and the > discussion descends into total confusion because a number of participants, > including some tor developers, did not bother to read the proposal by Bruce > from perfect-privacy.com. He did *not* propose, for example, any equivalent > to #include statements. He did *not* propose, for example, any method of > allowing a node to specify other members of a Family. Your interpretation of what Bruce said makes sense. But it is not how I parsed, "BelongToFamily xyz" in his message. I read it the same way it seems that Roger did, as giving a list: node x, node y, and node z. And then we're off and running. I think what Bruce/you suggest is better than what I proposed to avoid the problems Roger and Andrew noted. As I said before, it's not how MyFamily now works. And I believe Andrew/Roger/me/others were addressing trying to use the existing functionality in a different way, which was another disconnect. Anyway, this is certainly an idea worth considering. Now, should you ever say you are in multiple families at once? And should there be a lattice structure for families, hmmm? ;>) Thanks for clearing things up, Paul *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
Hey Andrew, On Thu, May 20, 2010 at 13:44, wrote: > On Thu, May 20, 2010 at 01:31:47PM +0200, t...@wiredwings.com wrote 0.9K > bytes in 19 lines about: > : >From what I understand, yes, at the moment both "partners" have to list > : each other. That's what the fuss is all about, because this becomes hard > : to manage when you run a lot of nodes. > > Yes, this is how MyFamily works. Each node in the family must be > configured to list all other nodes in the family. If I start up node > Alice, and list Bob and Mallory in MyFamily, Bob must list Alice and > Mallory, and Mallory must list Alice and Bob. If Mallory lists Alice > and Bob, but neither Alice nor Bob list Mallory, it's not a valid > Family. Would it be possible for my to include myself in the MyFamily line? Would make it much simpeler to maintain, since at that point all nodes in the family can have an identical MyFamily config statement .. Greetings! Nils *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 12:31:17 +0200 Moritz Bartl wrote: >On 20.05.2010 06:25, Roger Dingledine wrote: >> The trouble here is that if we make family declarations one-sided, then >> I can tell everybody that I'm in blutmagie's family (and X's family and >> Y's family and Z's family and ...), and suddenly I'm influencing the >> path selection of other clients in a way I shouldn't be able to. > >Maybe it is a misunderstanding on my side, but I agree with Scott. How >could this influence the network in a way that one can speak of an >"attack"? My idea was that by stating a family, I say that *my node* >musn't be used in a circuit together with other members of that family, >no more, no less. >So, by misconfiguring the family on my side, I cannot hurt the network >more than (in the extreme) by running no node at all. > Exactly. Thank you, Moritz. Roger just didn't read what Bruce wrote. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
Oh. My. Goodness. Gracious! I go to sleep for a few hours, and the discussion descends into total confusion because a number of participants, including some tor developers, did not bother to read the proposal by Bruce from perfect-privacy.com. He did *not* propose, for example, any equivalent to #include statements. He did *not* propose, for example, any method of allowing a node to specify other members of a Family. Let's see if we can get the discussion back on track. Please read below carefully. On Thu, 20 May 2010 10:44:44 -0400 Andrew Lewman wrote: >On Thursday May 20 2010 09:39:00 Flamsmark wrote: >> On 20 May 2010 07:44, wrote: >> > If Mallory lists Alice >> > and Bob, but neither Alice nor Bob list Mallory, it's not a valid >> > Family. Otherwise, Mallory could list every node in the network and >> > screw everyone. That was not Bruce's proposed method. Please go back and read it carefully. >> >> Why would this screw everyone? > >If only one side could declare a valid family that clients honored, you can >control the paths clients choose. Eventually, some large percent of the >network will find your declaration and be unable to build paths because they >are all in the one-sided MyFamily declaration. Or, worse off, you run three >nodes, let's call them TheMan0, TheMan1, and TheMan2. All three nodes list >every other node in the network, except your three TheMan# nodes. Now as >clients find your MyFamily declaration, they can only build paths through >TheMan0, TheMan1, and TheMan2. Now you've won. Bruce's proposal prevents any such possibility because it does not allow specification of any nodes by Nickname, key fingerprint, or any other method. Rather, it allows a node to identify a Family by some Family name or other label of which it itself is a member. Alice runs nodes A1, A2, and A3. In the torrc file of each would be a line like MyFamily We'reOff Bob runs nodes B1, B2, B3, and B4. Each of his nodes' torrc files contains a line like MyFamily toSee Carol runs nodes C1 and C2. Both of these nodes' torrc files contain the following line. MyFamily theWizard Now, Dave has a client that downloads the descriptors for all of Alice's, Bob's, and Carol's nodes. Seeing the Family name each node says it belongs to, the client groups Alice's nodes into one Family, Bob's nodes into another Family, and Carol's nodes into a third Family. Dave's client then chooses routes for circuits that will use no more than one node from each Family, just as clients do now. If Ed comes along and fires up a node E1 that says, "I'm in toSee Family", then if Dave's client chooses E1 for a route, it will not choose any of Bob's nodes for other positions in the same route. Likewise, if Dave's client chooses any of Bob's nodes for a circuit, Ed's E1 node will not be used for other positions in the same circuit. Ed, however, has no way to force Dave's client to choose Ed's nodes for circuit routes. > >This is one reason why the MyFamily declaration has to be the same on both >sides in order for clients to honor it. Tor clients do not trust the Tor >network by design. There are flaws in the MyFamily scheme, as we're seeing >with perfect-privacy. It's a pain in the ass if you run a lot of nodes, so >you just don't bother. It also assumes an honest relay operator will list all >of all the nodes that should be in a MyFamily declaration. > Again, that is completely inapplicable and irrelevant to Bruce's proposed method. To reiterate, his method enables each node to tell clients, "I'm in Family xyz. Don't use more than one of us in a circuit." It does not allow any node to specify other nodes. A node simply specifies the name of a Family to which it belongs. Jeesh. It's really not very difficult, and no, it is not vulnerable to the sort of attack you, Roger, and Sebastian have now misdirected the discussion. Sigh. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
> [snip] > The trouble here is that if we make family declarations one-sided, then > I can tell everybody that I'm in blutmagie's family (and X's family and > Y's family and Z's family and ...), and suddenly I'm influencing the > path selection of other clients in a way I shouldn't be able to. > > We need to have each set of relays in a family declare the others, > or it's open to attacks like this. Could there perhaps be some way of making a private key of some sort for a family? i.e instead of listing all the members of a family on all nodes and having to update them all the time, one could.. make a private family key and copy it and put it in the config of all nodes in the family? signature.asc Description: This is a digitally signed message part.
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 1:31 PM, Moritz Bartl wrote: > On 20.05.2010 13:28, Oguz wrote: >> I too do not understand this. Already an evil entry node can list all >> nodes that it does _not_ control in its family option to try to force >> circuit through the nodes it controls, though it would obviously be a >> dead give away listing many unrelated nodes as within the family. Is >> there a check when a node declares itself to be in a family the >> descriptor of the other family members are checked to confirm? > > From what I understand, yes, at the moment both "partners" have to list > each other. That's what the fuss is all about, because this becomes hard > to manage when you run a lot of nodes. A two-line shell script run automatically with ssh? 1) sed -i 's/^MyFamily .*/MyFamily [new servers]/' /etc/tor/torrc 2) killall -HUP tor Difficult? Come on, this can all be automated in 10 minutes if they keep a list of the servers they have access to. If you're already operating multiple servers, you will need to have methods like this anyway, when other things change. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thursday May 20 2010 09:39:00 Flamsmark wrote: > On 20 May 2010 07:44, wrote: > > If Mallory lists Alice > > and Bob, but neither Alice nor Bob list Mallory, it's not a valid > > Family. Otherwise, Mallory could list every node in the network and > > screw everyone. > > Why would this screw everyone? If only one side could declare a valid family that clients honored, you can control the paths clients choose. Eventually, some large percent of the network will find your declaration and be unable to build paths because they are all in the one-sided MyFamily declaration. Or, worse off, you run three nodes, let's call them TheMan0, TheMan1, and TheMan2. All three nodes list every other node in the network, except your three TheMan# nodes. Now as clients find your MyFamily declaration, they can only build paths through TheMan0, TheMan1, and TheMan2. Now you've won. This is one reason why the MyFamily declaration has to be the same on both sides in order for clients to honor it. Tor clients do not trust the Tor network by design. There are flaws in the MyFamily scheme, as we're seeing with perfect-privacy. It's a pain in the ass if you run a lot of nodes, so you just don't bother. It also assumes an honest relay operator will list all of all the nodes that should be in a MyFamily declaration. Right now, Tor won't use any relays in a circuit in the same /16 network to try to address "network closeness" of relays. We saw it was plausible that someone can start up a bunch of relays in the same datacenter in the same netblock and start to see a lot of circuits within that netblock. You can disable this behavior by setting EnforceDistinctSubnets to 0. It is an open and active area of research as to the degree of anonymity (increase or decrease) one receives as you develop trusted paths through the network (pick your own path), or Autonomous System aware paths, or country level aware paths, etc. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Oops, apologies - didn't realize this had already been answered. (a pox upon thread forking...) On Thu, May 20, 2010 at 7:03 AM, Damian Johnson wrote: > The trick is that both parties need to list each other as family for this > to work. As per the man page.. > > "When two servers both declare that they are in the same 'family'..." > > The attacker would need to be listed in every other relay's torrc for the > attack you described to work. I'm pretty sure listing relays you don't > control has no effect. -Damian > > > On Wed, May 19, 2010 at 11:29 PM, Scott Bennett wrote: > >> On Thu, 20 May 2010 08:23:34 +0200 (CEST) "Sebastian Hahn" >> wrote: >> >> All that would do would be to say to all clients, "Don't include >> >> this node in the same circuit as any of the blutmagie nodes." How >> would >> >> that be an attack? >> > >> >I can list all the nodes I don't control... >> > >> What is the limit on line length for such a MyFamily statement? What >> is the limit on descriptor length? Listing ~1500 nodes sounds like the >> sort of thing that wouldn't work very well. >> Also, my other question remains: what would stop me from listing >> nodes >> that I don't control in a MyFamily statement now? >> >> >> Scott Bennett, Comm. ASMELG, CFIAG >> ** >> * Internet: bennett at cs.niu.edu * >> ** >> * "A well regulated and disciplined militia, is at all times a good * >> * objection to the introduction of that bane of all free governments * >> * -- a standing army." * >> *-- Gov. John Hancock, New York Journal, 28 January 1790 * >> ** >> *** >> To unsubscribe, send an e-mail to majord...@torproject.org with >> unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ >> > >
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
The trick is that both parties need to list each other as family for this to work. As per the man page.. "When two servers both declare that they are in the same 'family'..." The attacker would need to be listed in every other relay's torrc for the attack you described to work. I'm pretty sure listing relays you don't control has no effect. -Damian On Wed, May 19, 2010 at 11:29 PM, Scott Bennett wrote: > On Thu, 20 May 2010 08:23:34 +0200 (CEST) "Sebastian Hahn" > wrote: > >> All that would do would be to say to all clients, "Don't include > >> this node in the same circuit as any of the blutmagie nodes." How would > >> that be an attack? > > > >I can list all the nodes I don't control... > > > What is the limit on line length for such a MyFamily statement? What > is the limit on descriptor length? Listing ~1500 nodes sounds like the > sort of thing that wouldn't work very well. > Also, my other question remains: what would stop me from listing nodes > that I don't control in a MyFamily statement now? > > > Scott Bennett, Comm. ASMELG, CFIAG > ** > * Internet: bennett at cs.niu.edu * > ** > * "A well regulated and disciplined militia, is at all times a good * > * objection to the introduction of that bane of all free governments * > * -- a standing army." * > *-- Gov. John Hancock, New York Journal, 28 January 1790 * > ** > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ >
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On May 20, 2010, at 08:39 AM, Flamsmark wrote: > On 20 May 2010 07:44, wrote: > If Mallory lists Alice > and Bob, but neither Alice nor Bob list Mallory, it's not a valid > Family. Otherwise, Mallory could list every node in the network and > screw everyone. > > Why would this screw everyone? I admit that I don't fully understand how > families are implemented, however, this doesn't seem sensible to me. Under a > scheme which allowed ``one-sided family declarations'' this doesn't seem to > be the ideal behaviour. If Mallory lists all the nodes in the network, then > this should prevent all the paths which have Mallory somewhere in them, but > not paths which avoid her entirely. An aggressive family declaration by > Mallory only prevents her from getting traffic, without impacting the rest of > the network.This would seem to be the only sensible way to implement > ``one-sided family declarations'', to prevent exactly the problem described. The problem I see with this is that it requires some foresight and backtracking in the creation of tunnels, which will add to network strain, unless someone can suggest a way to plan out the tunnels ahead of time.
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On 20 May 2010 07:44, wrote: > If Mallory lists Alice > and Bob, but neither Alice nor Bob list Mallory, it's not a valid > Family. Otherwise, Mallory could list every node in the network and > screw everyone. Why would this screw everyone? I admit that I don't fully understand how families are implemented, however, this doesn't seem sensible to me. Under a scheme which allowed ``one-sided family declarations'' this doesn't seem to be the ideal behaviour. If Mallory lists all the nodes in the network, then this should prevent all the paths which have Mallory somewhere in them, but not paths which avoid her entirely. An aggressive family declaration by Mallory only prevents her from getting traffic, without impacting the rest of the network.This would seem to be the only sensible way to implement ``one-sided family declarations'', to prevent exactly the problem described.
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 07:44:51AM -0400, and...@torproject.org wrote: > On Thu, May 20, 2010 at 01:31:47PM +0200, t...@wiredwings.com wrote 0.9K > bytes in 19 lines about: > : >From what I understand, yes, at the moment both "partners" have to list > : each other. That's what the fuss is all about, because this becomes hard > : to manage when you run a lot of nodes. > > Yes, this is how MyFamily works. Each node in the family must be > configured to list all other nodes in the family. If I start up node > Alice, and list Bob and Mallory in MyFamily, Bob must list Alice and > Mallory, and Mallory must list Alice and Bob. If Mallory lists Alice > and Bob, but neither Alice nor Bob list Mallory, it's not a valid > Family. Otherwise, Mallory could list every node in the network and > screw everyone. Or list all nodes in the network but 3 and shunt all > traffic through those 3, etc. Glad I read this thread through to the end. This was what I was going to say, only not as well as Andrew. It is possible however, to have some value to allowing some asymmetry, viz: if Alice lists Bob_1, ..., Bob_1000 in her family, but no Bob lists Alice, then a path selection that chooses both Alice and Bob_i will be rejected, but one that lists Bob_i and Bob_j will be just fine. This is not how MyFamily works now (or am I wrong ?). But that could change. The only paths Alice could then affect would be ones that choose her. The point is not just that the attacks Andrew mentioned are no longer possible. It is also true that someone who mananged to set MyFamily on only some of his nodes would still cause those paths to be avoided. S/he may or may not have covered the entire family by this process, but s/he can cover the entire family by setting MyFamily in half of them, perhaps a little less overhead. Perhaps this is what various people were alluding to when they said that there is no attack in letting one node set MyFamily and having it only affect itself thereby? The above is not an unqualified recommendation, however. Besides the fifty percent configuration overhead savings for people with large families. I like that a partially set family provides some of the intended function rather than just failing completely, but (a) It's off the top of my head, (b) There may be other more subtle attacks than the obvious ones Andrew was mentioning, (c) The added complexity of it being OK to do something less complete than setting this at all nodes may lead to more people getting it wrong more often so that the graceful failure is more than offset. (d) I haven't thought about implications for complexity of path selection, distribution of directory info, etc. They may render any benefit too expensive. All that said, it is perhaps worth at least considering. aloha, Paul *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 01:31:47PM +0200, t...@wiredwings.com wrote 0.9K bytes in 19 lines about: : >From what I understand, yes, at the moment both "partners" have to list : each other. That's what the fuss is all about, because this becomes hard : to manage when you run a lot of nodes. Yes, this is how MyFamily works. Each node in the family must be configured to list all other nodes in the family. If I start up node Alice, and list Bob and Mallory in MyFamily, Bob must list Alice and Mallory, and Mallory must list Alice and Bob. If Mallory lists Alice and Bob, but neither Alice nor Bob list Mallory, it's not a valid Family. Otherwise, Mallory could list every node in the network and screw everyone. Or list all nodes in the network but 3 and shunt all traffic through those 3, etc. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Though I appreciate Jim's signature proposal, that could become difficult and convoluted to implement quite quickly. I think that perfectprivacy's initial suggestion was actually quite compelling: allow ``#include'' type statements to be used in a torrc. Currently, an operator of multiple relays has to edit the actual torrc of all the relays, which is probably quite fiddly, because they are all slightly different. With includes, the operator would only have to edit the ``master family'' file, and upload that to the relevant directory on all their nodes, a much simpler process. Moreover, includes are much easier to code than any sort of key verification system. It seems like includes are a relatively simple solution to a relatively simple problem.
Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On 20.05.2010 13:28, Oguz wrote: > I too do not understand this. Already an evil entry node can list all > nodes that it does _not_ control in its family option to try to force > circuit through the nodes it controls, though it would obviously be a > dead give away listing many unrelated nodes as within the family. Is > there a check when a node declares itself to be in a family the > descriptor of the other family members are checked to confirm? >From what I understand, yes, at the moment both "partners" have to list each other. That's what the fuss is all about, because this becomes hard to manage when you run a lot of nodes. -- Moritz Bartl GPG 0xED2E9B44 http://moblog.wiredwings.com/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On 5/20/10, Moritz Bartl wrote: > On 20.05.2010 06:25, Roger Dingledine wrote: >> The trouble here is that if we make family declarations one-sided, then >> I can tell everybody that I'm in blutmagie's family (and X's family and >> Y's family and Z's family and ...), and suddenly I'm influencing the >> path selection of other clients in a way I shouldn't be able to. > > Maybe it is a misunderstanding on my side, but I agree with Scott. How > could this influence the network in a way that one can speak of an > "attack"? My idea was that by stating a family, I say that *my node* > musn't be used in a circuit together with other members of that family, > no more, no less. > So, by misconfiguring the family on my side, I cannot hurt the network > more than (in the extreme) by running no node at all. I too do not understand this. Already an evil entry node can list all nodes that it does _not_ control in its family option to try to force circuit through the nodes it controls, though it would obviously be a dead give away listing many unrelated nodes as within the family. Is there a check when a node declares itself to be in a family the descriptor of the other family members are checked to confirm? Regards Oguz *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On 20.05.2010 06:25, Roger Dingledine wrote: > The trouble here is that if we make family declarations one-sided, then > I can tell everybody that I'm in blutmagie's family (and X's family and > Y's family and Z's family and ...), and suddenly I'm influencing the > path selection of other clients in a way I shouldn't be able to. Maybe it is a misunderstanding on my side, but I agree with Scott. How could this influence the network in a way that one can speak of an "attack"? My idea was that by stating a family, I say that *my node* musn't be used in a circuit together with other members of that family, no more, no less. So, by misconfiguring the family on my side, I cannot hurt the network more than (in the extreme) by running no node at all. -- Moritz Bartl GPG 0xED2E9B44 http://moblog.wiredwings.com/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Roger Dingledine wrote: On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote: Original Message Subject: Re: - Medium - Tor servers, Tor community wants to disable your nodes - General Date: Mon, 17 May 2010 13:46:04 +0200 From: Perfect Privacy Administration Organization: PP Internet Services [snip] A proposal to the TOR developers: I don't know if it's technically possible, but maybe one could introduce a "BelongingToFamily" entry or a similarly named command in future versions of TOR which could work as such, as that every server which contains the same "BelongingToFamily" entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz". That way one wouldn't have to enumerate all server names in the "MyFamily" section of each and every individual torrc file what causes an enormous effort if one adds a lot of servers (and donates a lot of traffic) to the Tor network. As mentioned, we currently would have to edit 45+ torrc files on 45+ TOR servers whenever a server is added or removed, and the number of our servers is constantly increasing. The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. We need to have each set of relays in a family declare the others, or it's open to attacks like this. In situations like Perfect Privacy's where there are a significant number of nodes that are dynamically changing. which all need to be in one family, the basic proposal seems useful enough that I wonder if it can be rehabilitated to take care of the concerns Roger just expressed. So let me just float an idea here that maybe others can flesh-out/simplify/correct ... What if families could be "declared" by giving them a name (say XYZ123) and publishing a public key for them. Then to add a node to the family, the server operator would issue a BelongToFamily XYZ123 declaration that is somehow signed by the corresponding private key. If the details can be worked out correctly, then only the person/organization with access to the private key can add servers to that family. I think that would take care of Roger' concern about relay operators adding their server to others' families. If this is too much information to reasonably contain in a torrc file, then perhaps it could be included in a separate file. Either one the Tor client automatically looks for or one referenced in torrc. Does anything like that seem viable? Maybe the developers can comment about the doability and whether it addresses all of the security concerns?And maybe Perfect Privacy can somehow be pulled into the conversation to see if such a thing would be useful for people in their situation. Jim P.S. The above was written while off-line. After seeing the newer posts, I realize my proposal might essentially be the same as The23rdRaccoon's. I am not sure. But I don't remember seeing anything about using a signature to limit who could add themselves to a family in Bruce's original proposal. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 07:37:17 + The23rd Raccoon wrote: >On Thu, May 20, 2010 at 5:47 AM, Scott Bennett wrote: >> =A0 =A0 On Thu, 20 May 2010 00:40:42 -0400 =3D?utf-8?Q?Jerzy_=3DC5=3D81og= >iewa?=3D >> wrote: >>>I apologize for altering the nature of this thread, but can someone =3D >>>please summarize what this discussion is about? Who is =3D >>>perfect-privacy.com and why are they of concern to Tor users? I am =3D >>>having a difficult time following the threads. >>> >> =A0 =A0 If you subscribed to this list after the start of the thread, jus= >t >> go to the list archives, and look for my original message. =A0It should >> all then become clear. > >This suggestion, coming from you, is especially hilarious. You haven't >yet successfully preserved a single thread you are present in. You >really need a mail client from this millennium. STFW for 'In-Reply-To >header'. As anyone who has been around long enough is aware, the "thread" is the content of the Subject: header, not the content of any USENET newsreader- derived, latecoming header. The only times I have failed to preserve the content of the Subject: have been on other lists, where I receive messages in digest form and have made an error in editing. Now, having stated that again, I just went to the archives page and found it in seconds, so it certainly wasn't difficult at all. http://archives.seul.org/or/talk/May-2010/msg00108.html > >(Sorry for the noise or-talk, I was obliged to comment at that >hypocrisy. I'll go back to rummaging through the trash for delicious >snacks and discarded research papers now.) Your comment is misplaced, given that I have repeatedly stated on this list that I am *not* the system administrator of this system and that I do *not* install or delete software on this system. I have nothing at all to do with it. > >P.S. I too had a bit of a problem following exactly why MyFamily has >to be this cumbersome. If Tor clients are already doing pair-wise Ah. I see. You wait until your post script to discuss the subject at hand. >checking anyways, why can't all nodes just refer to a 'mother' node's >descriptor that lists a family key that can be used to sign a simpler >family statement. Or, just limit the number of families a node can be Yes, that was essentially the suggestion of Bruce from perfect-privacy.com. >a part of to just one, specified by a UUID, to limit the damage they >can do. Also, I still fail to see why having extra nodes (i.e., nodes *not* under the control of a given node's operator) creates any real problem. I suppose in a tiny, experimental network, one could pretend that such a threat might exist, but in the real world, I just don't see it. Further, Bruce's suggestion avoids the issue entirely by requiring each node to subscribe *itself* to a Family by specifying only the key/ name/other type of identifier of that Family. Sebastian's "attack" could not be done. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
On Thu, May 20, 2010 at 5:47 AM, Scott Bennett wrote: > On Thu, 20 May 2010 00:40:42 -0400 =?utf-8?Q?Jerzy_=C5=81ogiewa?= > wrote: >>I apologize for altering the nature of this thread, but can someone = >>please summarize what this discussion is about? Who is = >>perfect-privacy.com and why are they of concern to Tor users? I am = >>having a difficult time following the threads. >> > If you subscribed to this list after the start of the thread, just > go to the list archives, and look for my original message. It should > all then become clear. This suggestion, coming from you, is especially hilarious. You haven't yet successfully preserved a single thread you are present in. You really need a mail client from this millennium. STFW for 'In-Reply-To header'. (Sorry for the noise or-talk, I was obliged to comment at that hypocrisy. I'll go back to rummaging through the trash for delicious snacks and discarded research papers now.) P.S. I too had a bit of a problem following exactly why MyFamily has to be this cumbersome. If Tor clients are already doing pair-wise checking anyways, why can't all nodes just refer to a 'mother' node's descriptor that lists a family key that can be used to sign a simpler family statement. Or, just limit the number of families a node can be a part of to just one, specified by a UUID, to limit the damage they can do. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 08:23:34 +0200 (CEST) "Sebastian Hahn" wrote: >> All that would do would be to say to all clients, "Don't include >> this node in the same circuit as any of the blutmagie nodes." How would >> that be an attack? > >I can list all the nodes I don't control... > What is the limit on line length for such a MyFamily statement? What is the limit on descriptor length? Listing ~1500 nodes sounds like the sort of thing that wouldn't work very well. Also, my other question remains: what would stop me from listing nodes that I don't control in a MyFamily statement now? Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
> All that would do would be to say to all clients, "Don't include > this node in the same circuit as any of the blutmagie nodes." How would > that be an attack? I can list all the nodes I don't control... *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 00:40:42 -0400 =?utf-8?Q?Jerzy_=C5=81ogiewa?= wrote: >I apologize for altering the nature of this thread, but can someone = >please summarize what this discussion is about? Who is = >perfect-privacy.com and why are they of concern to Tor users? I am = >having a difficult time following the threads. > If you subscribed to this list after the start of the thread, just go to the list archives, and look for my original message. It should all then become clear. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 00:25:33 -0400 Roger Dingledine wrote: >On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote: >> Original Message >> Subject: Re: - Medium - Tor servers, Tor community wants to disable your >> nodes - General >> Date: Mon, 17 May 2010 13:46:04 +0200 >> From: Perfect Privacy Administration >> Organization: PP Internet Services >[snip] >> A proposal to the TOR developers: I don't know if it's technically >> possible, but maybe one could introduce a "BelongingToFamily" entry or a >> similarly named command in future versions of TOR which could work as >> such, as that every server which contains the same "BelongingToFamily" >> entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz". >> >> That way one wouldn't have to enumerate all server names in the >> "MyFamily" section of each and every individual torrc file what causes >> an enormous effort if one adds a lot of servers (and donates a lot of >> traffic) to the Tor network. As mentioned, we currently would have to >> edit 45+ torrc files on 45+ TOR servers whenever a server is added or >> removed, and the number of our servers is constantly increasing. > >The trouble here is that if we make family declarations one-sided, then >I can tell everybody that I'm in blutmagie's family (and X's family and >Y's family and Z's family and ...), and suddenly I'm influencing the >path selection of other clients in a way I shouldn't be able to. How would that be any different from me adding a MyFamily statement of the current form to my node's torrc that included all four blutmagie nodes? > >We need to have each set of relays in a family declare the others, >or it's open to attacks like this. > All that would do would be to say to all clients, "Don't include this node in the same circuit as any of the blutmagie nodes." How would that be an attack? Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
I apologize for altering the nature of this thread, but can someone please summarize what this discussion is about? Who is perfect-privacy.com and why are they of concern to Tor users? I am having a difficult time following the threads. -- Jerzy Łogiewa -- jerz...@interia.eu -- Pamietaj o Dniu Matki! Wyslij kartkę na komorke >> http://linkint.pl/f26f3 *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote: > Original Message > Subject: Re: - Medium - Tor servers, Tor community wants to disable your > nodes - General > Date: Mon, 17 May 2010 13:46:04 +0200 > From: Perfect Privacy Administration > Organization: PP Internet Services [snip] > A proposal to the TOR developers: I don't know if it's technically > possible, but maybe one could introduce a "BelongingToFamily" entry or a > similarly named command in future versions of TOR which could work as > such, as that every server which contains the same "BelongingToFamily" > entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz". > > That way one wouldn't have to enumerate all server names in the > "MyFamily" section of each and every individual torrc file what causes > an enormous effort if one adds a lot of servers (and donates a lot of > traffic) to the Tor network. As mentioned, we currently would have to > edit 45+ torrc files on 45+ TOR servers whenever a server is added or > removed, and the number of our servers is constantly increasing. The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. We need to have each set of relays in a family declare the others, or it's open to attacks like this. --Roger *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
On Sun, May 16, 2010 at 12:45:22AM -0500, Scott Bennett wrote: > The tor man page gives a not very edifying description of the NodeFamily > statement. The man page says that the NodeFamily statement may be used more > than once in a given torrc file. Does each use define a different Family? Yes. > Or do all nodes listed in NodeFamily statements get lumped into a single > Family? No. > What effect does the NodeFamily statement have upon the use of nodes > whose descriptors already contain some Family information? Independent. Meaning your Tor client believes family information in the descriptor, and independently looks at whether you've set the NodeFamily to indicate not to use two relays in the same circuit. > I intend to add > one or more NodeFamily lines to my torrc very shortly, but need to know > whether a) I have to include all of the nodes in a single, very long run-on > NodeFamily statement, and b) listing all of perfect-privacy.com's nodes now > would mean that encountering similar situations with nodes belong to someone > else would require grouping them with perfect-privacy.com's nodes. Thanks > in advance for any answers to these questions! It would be great to see somebody clean up the man page entry. Maybe that is you? :) Thanks, --Roger *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
> In the meantime, perfect-privacy.com should advise this list as soon as > its torrc files are in compliance, while the rest of us should feel free to > use the NodeFamily information I posted earlier with, apparently, the addition > of 17 more node fingerprints that I missed when I grepped the directory for > the email address from the contact info. The entries should be fine now. Robert On May 18, 2010, at 6:22 AM, Scott Bennett wrote: > On Mon, 17 May 2010 21:44:21 +0200 Moritz Bartl > wrote: >> What I did was just file a report at the company's website. It took them >> only minutes to get back to me. >> Scott, I don't know why, but you probably didn't get their response in >> the first place. > > No, I certainly didn't. Also, they should have received a bounce message. > "Bruce" neglected to mention whether he had gotten one. > I've long thought that every node Family should have a Family name, but > his suggestion for the actual form of the MyFamily statement is better than > what I had been thinking of. I heartily recommend that it be adopted and > implemented ASAP. > In the meantime, perfect-privacy.com should advise this list as soon as > its torrc files are in compliance, while the rest of us should feel free to > use the NodeFamily information I posted earlier with, apparently, the addition > of 17 more node fingerprints that I missed when I grepped the directory for > the email address from the contact info. > > > Scott Bennett, Comm. ASMELG, CFIAG > ** > * Internet: bennett at cs.niu.edu * > ** > * "A well regulated and disciplined militia, is at all times a good * > * objection to the introduction of that bane of all free governments * > * -- a standing army." * > *-- Gov. John Hancock, New York Journal, 28 January 1790 * > ** > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Mon, 17 May 2010 21:44:21 +0200 Moritz Bartl wrote: >What I did was just file a report at the company's website. It took them >only minutes to get back to me. >Scott, I don't know why, but you probably didn't get their response in >the first place. No, I certainly didn't. Also, they should have received a bounce message. "Bruce" neglected to mention whether he had gotten one. I've long thought that every node Family should have a Family name, but his suggestion for the actual form of the MyFamily statement is better than what I had been thinking of. I heartily recommend that it be adopted and implemented ASAP. In the meantime, perfect-privacy.com should advise this list as soon as its torrc files are in compliance, while the rest of us should feel free to use the NodeFamily information I posted earlier with, apparently, the addition of 17 more node fingerprints that I missed when I grepped the directory for the email address from the contact info. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Hi, What I did was just file a report at the company's website. It took them only minutes to get back to me. Scott, I don't know why, but you probably didn't get their response in the first place. Original Message Subject: Re: - Medium - Tor servers, Tor community wants to disable your nodes - General Date: Mon, 17 May 2010 13:46:04 +0200 From: Perfect Privacy Administration Organization: PP Internet Services Hello, Moritz! We explained the situation already three days ago to Scott Bennett who had contacted us by e-mail about it. We will resolve the situation, as soon as we have time. The Tor software makes it unfortunately very time-consuming to maintain the "MyFamily" entries, once one has a lot of servers. We currently would have to edit 45+ torrc entries on 45+ server whenever a server is added or removed (what happens frequently), just to keep "MyFamily" up-to-date. A proposal to the TOR developers: I don't know if it's technically possible, but maybe one could introduce a "BelongingToFamily" entry or a similarly named command in future versions of TOR which could work as such, as that every server which contains the same "BelongingToFamily" entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz". That way one wouldn't have to enumerate all server names in the "MyFamily" section of each and every individual torrc file what causes an enormous effort if one adds a lot of servers (and donates a lot of traffic) to the Tor network. As mentioned, we currently would have to edit 45+ torrc files on 45+ TOR servers whenever a server is added or removed, and the number of our servers is constantly increasing. Please find my reply to Scott beneath. Maybe you can also be so kind to forward it to the TOR community, as I'm not a part of the mailing list. All the best, Bruce Perfect Privacy Administration = Original Message Subject: Re: your multiple tor node Family specifications Date: Fri, 14 May 2010 13:16:32 +0200 From: Perfect Privacy Administration Organization: PP Internet Services To: Scott Bennett Hello, Scott! We are a non-profit work association which provides privacy services and which donates a certain amount of the bandwidth of everyone of its servers to the TOR network. Our setup is currently as such, as that all servers which are located in a specific data center or country, are grouped together in one family. This has, above all, practical reasons, because we are already operating 45+ servers world-wide. Additional servers are added on a frequent basis; at times servers are also removed from our park, either because we don't like the server's performance or because the data center doesn't like the privacy services we are providing (and the abuse level they create) and terminates a contract. Grouping all servers into one family would, while being ideal, cause at the moment a disproportional maintenance effort. We would have to edit and change the torrc files on 45+ machines whenever a server is added, renamed or removed. Currently, we only have one server in most data centers, and where we have more than one it's usually not more than 2 to 5, so the effort to update the torrc files if another server should be added to a specific data center is still quite manageable. However, we naturally do understand your position. Please consider this a temporary solution until we had the time to come around to develop and to install scripts on all servers which will enable use to propagate the "MyFamily" entry centrally to all TOR servers in our park. Whenever a TOR server is added or removed, the scripts on the individual servers could then recreate updated torrc files, using the centrally propagated "MyFamily" entry, reloading the new torrc configuration at the same time. This would solve the problem of cumbersomely manually updating a steadily growing number of 45+ torrc files on 45+ different servers whenever a server is added, renamed or removed from our park, just in order to have the correct "MyFamily" entry in all of them. Actually, thinking about it, if the TOR configuration file does support a command like "Include" which would permit TOR to read configuration entries from another file (a file which contains the "My Family" entry and which we can centrally propagate to all servers with scp), a solution to this problem could be implemented much quicker. I don't have the list of TOR commands in my head and will have to look up if such a possibility exists... In any way, we will take care of this issue as soon as our time permits. We are planning to rewrite the torrc files anyway, making use of the DirPortFrontPage command to display a disclaimer on port 80. Maybe the one effort can be combined with the other. All the best, Bruce Perfect Privacy Administration On 11.05.2010 20:25, Scott Bennett wrote: > Your organization appears to have a large number of tor relays listed > in the tor dir
Re: perfect-privacy.com, Family specifications, etc.
> > While some of them appear to be guards, none is running as an > > exit node, so this should not be possible. > Thanks for pointing that out, Paolo. I had missed that. However, > it should not be possible to get more than one of them in any given > circuit route, but because they are not grouped into a single Family, > a circuit could consist of all nodes except the exit node being > perfect-privacy.com's nodes. For most users it would suffice if all PerfectPrivacy nodes would loose their Guard flag (which for those who haven't explicitly set "UseEntryGuards 0" in their TORRC would mean that PerfectPrivacy servers would act the way they seems to be set up - as middle-relays). As far as I can tell the main problem are the German relays which list other family members as PPrivGermanyX, while the servers themselves use the names PPrivComGermanyX. So it would be enough if servers PPrivComGermany2 - PPrivComGermany5 would become invalid. The exact definition of "family" seems somewhat foggy in the documentation. The Tor manual says "controlled or administered by a group or organization identical or similar to that of the other servers" which to me reads "is run by the same people", while the TorFAQ starts with "don't run more than a few dozen on the same network" which seems to indicate that the physical network is what defines a family (which seems to be how the PerfectPiracy folks are defining it). It's only the last line of that section which says "You should set MyFamily if you have administrative control of the computers or of their network". Seems like an optional thing to me rather than a requirement. Personally I have mixed feelings about disabling a whole node-family just to send a message. Sure, it'll probably work and definitely would help Tor's security, but it'd also be bad for the networks throughput and punish the relay operators for something that doesn't seem to have been explicitly said out loud. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
On Sun, 16 May 2010 23:18:59 +0300 =?UTF-8?Q?ilter_y=C3=BCksel?= top-posted (please don't do that): >Isn't there any way to detect automatically if these 28 relays in same >family? Why do you need configure your torrc file manually? See the MyFamily statement's description in the tor man page. Then look at what I posted before about the perfect-privacy.com nodes being misconfigured w.r.t. Family designations. Their operator(s) did it wrong and have not responded to email sent to the address in those nodes' contact information. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
Hello Scott, Isn't there any way to detect automatically if these 28 relays in same family? Why do you need configure your torrc file manually? Thanks in advance. ilter On Sun, May 16, 2010 at 8:45 AM, Scott Bennett wrote: > On Sun, 16 May 2010 07:08:53 +0200 Paolo Palmieri > wrote: > >> There is someone going by the name of perfect-privacy.com who is > >> listed in the contact information of roughly 28 relays' descriptors with > >> widely varying throughput capacities in the tor directory. These > relays' > >> descriptors are grouped into quite a few separate Family specifications, > >> although some appear to be orphans without a Family. > > > >>From a quick look at Tor status, it seems to me that they are grouped > >into families based on their geographical location. > > That is true for some of them, but there are also some that are not > in any Family at all. In any case, they all should be in a single Family. > > > >> I would appreciate having these relays lose their "Valid" flags in > >> the consensus until such time as their operator(s) group all of them > >> into a single Family specification. I hope the authority operators > >> will take this action in a timely fashion. Until this situation is > >> dealt with, it will remain entirely possible that clients may build > >> circuits whose entire routes consist of perfect-privacy.com's nodes. > > > >While some of them appear to be guards, none is running as an exit node, > >so this should not be possible. > > > Thanks for pointing that out, Paolo. I had missed that. However, > it should not be possible to get more than one of them in any given circuit > route, but because they are not grouped into a single Family, a circuit > could consist of all nodes except the exit node being perfect-privacy.com > 's > nodes. > I note that at present nothing has been done about the bad situation > by either perfect-privacy.com or by the directory authority operators, nor > have I yet received any response to my email message to the address in the > contact info for these nodes. > The tor man page gives a not very edifying description of the > NodeFamily > statement. The man page says that the NodeFamily statement may be used > more > than once in a given torrc file. Does each use define a different Family? > Or do all nodes listed in NodeFamily statements get lumped into a single > Family? What effect does the NodeFamily statement have upon the use of > nodes > whose descriptors already contain some Family information? I intend to add > one or more NodeFamily lines to my torrc very shortly, but need to know > whether a) I have to include all of the nodes in a single, very long run-on > NodeFamily statement, and b) listing all of perfect-privacy.com's nodes > now > would mean that encountering similar situations with nodes belong to > someone > else would require grouping them with perfect-privacy.com's nodes. Thanks > in advance for any answers to these questions! > > > Scott Bennett, Comm. ASMELG, CFIAG > ** > * Internet: bennett at cs.niu.edu * > ** > * "A well regulated and disciplined militia, is at all times a good * > * objection to the introduction of that bane of all free governments * > * -- a standing army." * > *-- Gov. John Hancock, New York Journal, 28 January 1790 * > ** > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ >
Re: perfect-privacy.com, Family specifications, etc.
On Sun, 16 May 2010 07:08:53 +0200 Paolo Palmieri wrote: >> There is someone going by the name of perfect-privacy.com who is >> listed in the contact information of roughly 28 relays' descriptors with >> widely varying throughput capacities in the tor directory. These relays' >> descriptors are grouped into quite a few separate Family specifications, >> although some appear to be orphans without a Family. > >>From a quick look at Tor status, it seems to me that they are grouped >into families based on their geographical location. That is true for some of them, but there are also some that are not in any Family at all. In any case, they all should be in a single Family. > >> I would appreciate having these relays lose their "Valid" flags in >> the consensus until such time as their operator(s) group all of them >> into a single Family specification. I hope the authority operators >> will take this action in a timely fashion. Until this situation is >> dealt with, it will remain entirely possible that clients may build >> circuits whose entire routes consist of perfect-privacy.com's nodes. > >While some of them appear to be guards, none is running as an exit node, >so this should not be possible. > Thanks for pointing that out, Paolo. I had missed that. However, it should not be possible to get more than one of them in any given circuit route, but because they are not grouped into a single Family, a circuit could consist of all nodes except the exit node being perfect-privacy.com's nodes. I note that at present nothing has been done about the bad situation by either perfect-privacy.com or by the directory authority operators, nor have I yet received any response to my email message to the address in the contact info for these nodes. The tor man page gives a not very edifying description of the NodeFamily statement. The man page says that the NodeFamily statement may be used more than once in a given torrc file. Does each use define a different Family? Or do all nodes listed in NodeFamily statements get lumped into a single Family? What effect does the NodeFamily statement have upon the use of nodes whose descriptors already contain some Family information? I intend to add one or more NodeFamily lines to my torrc very shortly, but need to know whether a) I have to include all of the nodes in a single, very long run-on NodeFamily statement, and b) listing all of perfect-privacy.com's nodes now would mean that encountering similar situations with nodes belong to someone else would require grouping them with perfect-privacy.com's nodes. Thanks in advance for any answers to these questions! Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: perfect-privacy.com, Family specifications, etc.
> There is someone going by the name of perfect-privacy.com who is > listed in the contact information of roughly 28 relays' descriptors with > widely varying throughput capacities in the tor directory. These relays' > descriptors are grouped into quite a few separate Family specifications, > although some appear to be orphans without a Family. >From a quick look at Tor status, it seems to me that they are grouped into families based on their geographical location. > I would appreciate having these relays lose their "Valid" flags in > the consensus until such time as their operator(s) group all of them > into a single Family specification. I hope the authority operators > will take this action in a timely fashion. Until this situation is > dealt with, it will remain entirely possible that clients may build > circuits whose entire routes consist of perfect-privacy.com's nodes. While some of them appear to be guards, none is running as an exit node, so this should not be possible. Paolo *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
