Re: geeez...

2011-01-13 Thread Mitar
Hi!

On Fri, Jan 14, 2011 at 6:24 AM, Mike Perry  wrote:
> But as soon as she scans her iris, the malware on her
> machine would wake up and inform its masters that it is ready to do
> their bidding.

This can be easily fixed just by using some Apple-app-store-like
system where only tested apps (with source code given to them to
check) would be available and with developers' identities also well
known. In combination with some trusted computing platform where CPU
would refuse to run any program not signed by such store. Of course
all this backed by law.

Of course, you would be only a consumer of your computer, but
everything for security. ;-)

Probably even easier is simply to make everybody responsible for what
their computer is doing and they will take care themselves to install
trusted computing system into it.

Great read:

http://www.gnu.org/philosophy/right-to-read.html

> Taking freedoms away seems like an easy
> quick fix, but in reality, there is no gain, only more insecurity.

I agree with that. For me one big argument is that it is a difference
of motivation and numbers between normal users and criminals. The
latter will spend time, energy and money to get around security fences
we would make, and for sure find some holes (as there is nothing like
perfect security), while all others would just have their freedoms
diminished. For nothing.


Mitar
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/


Re: geeez...

2011-01-13 Thread Mike Perry
Thus spake Mitar (mmi...@gmail.com):

> > This is related to the "if you remove Tor from the world, you're not
> > really reducing the ability of bad guys to be anonymous on the Internet"
> > idea.
> 
> This could be then analog argument as saying that if you remove one
> weapon factory from the world, that there would be no difference? But
> one after another and there will be.
> 
> I cannot buy an argument saying that because situation is bad there
> should be no small improvements where there could be.

That's not what we're saying, but I suspect you may just be trolling.
You're certainly straw-manning...

> > various other techniques people have developed over the years to deal with 
> > abuse.
> 
> Then tell me which techniques have we developed which prevent
> pedophiles to use hidden Tor services? Which techniques have we
> developed which prevent somebody to blackmail somebody else over Tor
> network and stay anonymous? Which techniques have we developed which
> can help found out which are other people in terrorist group and trace
> their communication, once we discover they use Tor?

The same techniques that law enforcement use when these same
sophisticated adversaries use black market compromised botnets:
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_digital_forgeries.html
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html

In these cases, police need to do police work: gathering technical
data and examining content for evidence to aid in the investigation;
and infiltrating groups and performing stings (for which they often
use Tor).

> > It depends where your jerks are coming from. If your jerks are all obeying
> > every law and showing up from their static non-natted IP address, then
> > yes, routing address is definitely related to identity. But if your
> > jerks have ever noticed this doesn't work so well for them, they may
> > start using other approaches and suddenly you're back needing to learn
> > about application-level mechanisms
> 
> Because current protocols were done just to solve technical problems
> and not also law or other "society" problems. For example, HAM
> operators and their networks had, before they started their packets
> networks, already laws in place requiring them that each packet should
> also contain call-sign of responsible person/station. OK, in this
> particular case (as far as I know) this is not cryptographically
> enforced (but this is a technical thing) but it still shows that laws
> like this can work. So if countries (like they cooperate on ACTA)
> would declare that it is illegal to send or route or relay any packet
> without information about responsible person for it things would be
> much different.

You think criminals obey the law?

Both China and South Korea have instituted fully authenticated
"internet drivers licenses", and not only has cybercrime not vanished,
it continues to flourish and profit from new markets that trade in these
credentials and the use of authenticated connections through proxy.

Even a fully cryptographically secured and authenticated Internet
would still be *just* as vulnerable to abuse, all other things being
equal. Grandma could even be required to have her iris scanned before
entering her bunker to use her military-grade encrypted, authenticated
PC that is otherwise disconnected from the Internet while her iris is
not available. But as soon as she scans her iris, the malware on her
machine would wake up and inform its masters that it is ready to do
their bidding.

The only way to really curtail these social problems is to properly
address their root causes. Taking freedoms away seems like an easy
quick fix, but in reality, there is no gain, only more insecurity.


This is why Tor is not part of the problem. In fact, its use by law
enforcement for stings, infiltration, and investigation indicates it
is also part of the solution.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: geeez...

2011-01-13 Thread Jimmy Richardson

Hi,

What the hell are you talking about? The whole idea of Tor is anonymity, 
and you want Tor to make it easy to identify its users?


Thomas Jefferson already answered your question: The man who would 
choose security over freedom deserves neither.


If you want security over freedom, you're welcome to migrate to China or 
Iran.


Thanks


On 1/14/2011 9:27 AM, Mitar wrote:

> Hi!
>
> On Thu, Jan 13, 2011 at 3:01 AM, Roger Dingledine  wrote:
> > This is related to the "if you remove Tor from the world, you're not
> > really reducing the ability of bad guys to be anonymous on the Internet"
> > idea.
>
> This could be then analog argument as saying that if you remove one
> weapon factory from the world, that there would be no difference? But
> one after another and there will be.
>
> I cannot buy an argument saying that because situation is bad there
> should be no small improvements where there could be.
>
> > various other techniques people have developed over the years to deal with
> > abuse.
>
> Then tell me which techniques have we developed which prevent
> pedophiles to use hidden Tor services? Which techniques have we
> developed which prevent somebody to blackmail somebody else over Tor
> network and stay anonymous? Which techniques have we developed which
> can help found out which are other people in terrorist group and trace
> their communication, once we discover they use Tor?
>
> > It depends where your jerks are coming from. If your jerks are all obeying
> > every law and showing up from their static non-natted IP address, then
> > yes, routing address is definitely related to identity. But if your
> > jerks have ever noticed this doesn't work so well for them, they may
> > start using other approaches and suddenly you're back needing to learn
> > about application-level mechanisms
>
> Because current protocols were done just to solve technical problems
> and not also law or other "society" problems. For example, HAM
> operators and their networks had, before they started their packets
> networks, already laws in place requiring them that each packet should
> also contain call-sign of responsible person/station. OK, in this
> particular case (as far as I know) this is not cryptographically
> enforced (but this is a technical thing) but it still shows that laws
> like this can work. So if countries (like they cooperate on ACTA)
> would declare that it is illegal to send or route or relay any packet
> without information about responsible person for it things would be
> much different.
>
> So saying that currently technology does not support this and so it
> does not matter is just because it was not required to support this.
> But there is nothing preventing that laws would be changed in this
> way. Probably also many lobbies are doing in this direction. Adding
> another required field to IPv6 is not so hard. Making it
> cryptographically secure a bit more. Do all work on teach people about
> identity thefts (which would become even more profitable) even harder.
>
> Because of this those are not arguments I could agree upon. They are
> true, but it could be also otherwise. I would like to hear good
> arguments why even if we would have in place all possible technical
> means to identify originators (or possibility to "turn" this on if we
> decide so) it would be still "proper" to not go along this path.
>
> I can see arguments for this only possible with basing the argument on
> human rights and similar values we might share. But then there are
> conflicts of those rights, security vs. freedom.
>
>
> Mitar


Re: geeez...

2011-01-13 Thread Mitar
Hi!

On Thu, Jan 13, 2011 at 3:01 AM, Roger Dingledine  wrote:
> This is related to the "if you remove Tor from the world, you're not
> really reducing the ability of bad guys to be anonymous on the Internet"
> idea.

This could be then analog argument as saying that if you remove one
weapon factory from the world, that there would be no difference? But
one after another and there will be.

I cannot buy an argument saying that because situation is bad there
should be no small improvements where there could be.

> various other techniques people have developed over the years to deal with 
> abuse.

Then tell me which techniques have we developed which prevent
pedophiles to use hidden Tor services? Which techniques have we
developed which prevent somebody to blackmail somebody else over Tor
network and stay anonymous? Which techniques have we developed which
can help found out which are other people in terrorist group and trace
their communication, once we discover they use Tor?

> It depends where your jerks are coming from. If your jerks are all obeying
> every law and showing up from their static non-natted IP address, then
> yes, routing address is definitely related to identity. But if your
> jerks have ever noticed this doesn't work so well for them, they may
> start using other approaches and suddenly you're back needing to learn
> about application-level mechanisms

Because current protocols were done just to solve technical problems
and not also law or other "society" problems. For example, HAM
operators and their networks had, before they started their packets
networks, already laws in place requiring them that each packet should
also contain call-sign of responsible person/station. OK, in this
particular case (as far as I know) this is not cryptographically
enforced (but this is a technical thing) but it still shows that laws
like this can work. So if countries (like they cooperate on ACTA)
would declare that it is illegal to send or route or relay any packet
without information about responsible person for it things would be
much different.

So saying that currently technology does not support this and so it
does not matter is just because it was not required to support this.
But there is nothing preventing that laws would be changed in this
way. Probably also many lobbies are doing in this direction. Adding
another required field to IPv6 is not so hard. Making it
cryptographically secure a bit more. Do all work on teach people about
identity thefts (which would become even more profitable) even harder.

Because of this those are not arguments I could agree upon. They are
true, but it could be also otherwise. I would like to hear good
arguments why even if we would have in place all possible technical
means to identify originators (or possibility to "turn" this on if we
decide so) it would be still "proper" to not go along this path.

I can see arguments for this only possible with basing the argument on
human rights and similar values we might share. But then there are
conflicts of those rights, security vs. freedom.


Mitar


Re: geeez...

2011-01-13 Thread Fabian Keil
Moritz Bartl  wrote:

> On 12.01.2011 22:05, Fabian Keil wrote:
> > Some of my equipment got seized a few months ago.
> 
> Good luck on getting it back then!

Thanks.

> > I'm also not sure how the police would try to seize equipment
> > and fail (assuming the equipment is actually there). 
> 
> Explosives? ;-)
> Did you run a Tor exit at home? I'm not sure if they come and seize your
> home computer if the Tor server is hosted in a data center. Olaf seems
> not to have run into big trouble yet (or maybe he was quick on replacing
> the hardware).

The exit node that triggered the raid is hosted by Strato.

I'm running it there since 2006. The friendly local police man
who usually deals with the occasional abuse cases has a generic
description of Tor that includes the IP addresses of my exit nodes
and can forward that information to whomever is interested without
having to contact me every time.

This arrangement worked rather well so far.

For reasons unknown to me the investigation that led to the
raid was handled by a different police department, though, and
apparently the police men involved prefer to "investigate" a bit
differently. They also didn't seem that fond of Tor in general.

Fabian




Re: geeez...

2011-01-12 Thread Jay Lee Jaroslav

On Jan 12, 2011, at 9:01 PM, Roger Dingledine wrote:

> On Thu, Jan 13, 2011 at 01:17:33AM +0100, Mitar wrote:
>> On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry  wrote:
>>> and to suggest
>>> solutions for their security problems that involve improving their
>>> computer security for the Internet at large (open wifi, open proxies,
>>> botnets),
>> 
>> I am not sure what you mean by that? That there should not be open
>> WiFi because it improves security? Or that because there are open
>> WiFis, open proxies, botnets you have to secure your systems anyway?
> 
> I assume he meant the latter -- there are many ways that people can
> reach your website and have their IP address not really linked to the
> human making the connection.
> 
> This is related to the "if you remove Tor from the world, you're not
> really reducing the ability of bad guys to be anonymous on the Internet"
> idea. See also my first entry at https://www.torproject.org/docs/faq-abuse
> 
>> But how do you secure them against abusive behavior (blackmailing,
>> posting abusive content...)?
> 
> By making your decisions based on the application-level content rather
> than the routing of the packets. If you have a forum, and it has jerks,
> then you need to learn about accounts and authentication. If it stays
> bad, you need to learn about reputation, or moderation, or various other
> techniques people have developed over the years to deal with abuse.
> 
>> There is probably a reasonable argument that identification would help
>> with security here. No?
> 
> It depends where your jerks are coming from. If your jerks are all obeying
> every law and showing up from their static non-natted IP address, then
> yes, routing address is definitely related to identity. But if your
> jerks have ever noticed this doesn't work so well for them, they may
> start using other approaches and suddenly you're back needing to learn
> about application-level mechanisms (or you're back being angry at the
> Internet for not giving you identification by IP address; if blocking
> by IP address is the only abuse prevention mechanism you've got, you're
> going to spend a lot of your life angry).
> 
> For more on this topic, I'd point you to a short article a few years
> ago by Goodell and Syverson called "The Right Place at the Right Time:
> Examining the Use of Network Location in Authentication and Abuse
> Prevention" -- but in going to hunt for it I can't find it available
> online anymore. Proprietary publishers suck I guess. :(
> 
> --Roger

Thank you Roger!

jlj
---
Jay Le Jaroslav 



Re: geeez...

2011-01-12 Thread Roger Dingledine
On Wed, Jan 12, 2011 at 09:01:34PM -0500, Roger Dingledine wrote:
> For more on this topic, I'd point you to a short article a few years
> ago by Goodell and Syverson called "The Right Place at the Right Time:
> Examining the Use of Network Location in Authentication and Abuse
> Prevention" -- but in going to hunt for it I can't find it available

Here it is: go to
http://academic.research.microsoft.com/Paper/2491550.aspx
and then click on the link to a site in Egypt. :/

--Roger



Re: geeez...

2011-01-12 Thread Roger Dingledine
On Thu, Jan 13, 2011 at 01:17:33AM +0100, Mitar wrote:
> On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry  wrote:
> > and to suggest
> > solutions for their security problems that involve improving their
> > computer security for the Internet at large (open wifi, open proxies,
> > botnets),
> 
> I am not sure what you mean by that? That there should not be open
> WiFi because it improves security? Or that because there are open
> WiFis, open proxies, botnets you have to secure your systems anyway?

I assume he meant the latter -- there are many ways that people can
reach your website and have their IP address not really linked to the
human making the connection.

This is related to the "if you remove Tor from the world, you're not
really reducing the ability of bad guys to be anonymous on the Internet"
idea. See also my first entry at https://www.torproject.org/docs/faq-abuse

> But how do you secure them against abusive behavior (blackmailing,
> posting abusive content...)?

By making your decisions based on the application-level content rather
than the routing of the packets. If you have a forum, and it has jerks,
then you need to learn about accounts and authentication. If it stays
bad, you need to learn about reputation, or moderation, or various other
techniques people have developed over the years to deal with abuse.

> There is probably a reasonable argument that identification would help
> with security here. No?

It depends where your jerks are coming from. If your jerks are all obeying
every law and showing up from their static non-natted IP address, then
yes, routing address is definitely related to identity. But if your
jerks have ever noticed this doesn't work so well for them, they may
start using other approaches and suddenly you're back needing to learn
about application-level mechanisms (or you're back being angry at the
Internet for not giving you identification by IP address; if blocking
by IP address is the only abuse prevention mechanism you've got, you're
going to spend a lot of your life angry).

For more on this topic, I'd point you to a short article a few years
ago by Goodell and Syverson called "The Right Place at the Right Time:
Examining the Use of Network Location in Authentication and Abuse
Prevention" -- but in going to hunt for it I can't find it available
online anymore. Proprietary publishers suck I guess. :(

--Roger



Re: geeez...

2011-01-12 Thread Moritz Bartl
On 13.01.2011 01:01, Mitar wrote:
>> On top of this, it is *illegal* in Germany to keep user identifiable
>> data unless required for billing purposes.
> I think it is allowed but you have to clearly inform users of this
> (register this data collection with data privacy agency) and reasons
> for it and there is then principle of proportionality and subsidiarity
> so that you have to prove that collecting all this data is really
> needed for service or something. 

That is already included in the first paragraph: "[...] to the extent
necessary to enable the use". It is not defined that a particular
service may not require some personal identifiable data over the course
of the whole period, but it is only allowed to do so if it is really
_required_ for either usage or billing of the service.

> Maybe in Germany things are more strict?

Most services just don't care enough, and apart from areas where you can
make a shitload of money by harassing people it is rarely prosecuted.
For example, using Google Analytics was and has always been illegal in
Germany, but you still can find hundreds of German sites using it.

To make this clear: If you as an operator are based in Germany, you have
to follow the German law, even if your server is located in other countries.
-- 
Moritz Bartl
http://www.torservers.net/


Re: geeez...

2011-01-12 Thread Mitar
Hi!

On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry  wrote:
> and to suggest
> solutions for their security problems that involve improving their
> computer security for the Internet at large (open wifi, open proxies,
> botnets),

I am not sure what you mean by that? That there should not be open
WiFi because it improves security? Or that because there are open
WiFis, open proxies, botnets you have to secure your systems anyway?
But how do you secure them against abusive behavior (blackmailing,
posting abusive content...)?

There is probably a reasonable argument that identification would help
with security here. No?

> The difference between these two approaches to abuse is the difference
> between decentralized fault-tolerant Internet freedom, and fragile,
> corruptible totalitarian control.

You are talking here just about technical fault-tolerance. What about
fault-tolerance when somebody is directly abused because of this
freedom? How can we solve problems for this person and here (probably
reasonable) unease feelings? Or should we just concentrate on
technical aspects and ignore that?


Mitar


Re: geeez...

2011-01-12 Thread Mitar
Hi!

On Thu, Jan 13, 2011 at 12:46 AM, Moritz Bartl  wrote:
> On top of this, it is *illegal* in Germany to keep user identifiable
> data unless required for billing purposes.

I think it is allowed but you have to clearly inform users of this
(register this data collection with data privacy agency) and reasons
for it and there is then principle of proportionality and subsidiarity
so that you have to prove that collecting all this data is really
needed for service or something. Something like that. (Uh, is hard to
translate terms you know only in your language.)

Maybe in Germany things are more strict?


Mitar


Re: geeez...

2011-01-12 Thread Moritz Bartl
Hi,

On top of this, it is *illegal* in Germany to keep user identifiable
data unless required for billing purposes.

Telemediengesetz §15 Nutzungsdaten
http://www.gesetze-im-internet.de/tmg/__15.html

Let me translate the first paragraph:

§15 Usage Data
(1) The service provider may collect personal data of a user and use
them only to the extent necessary to enable the use and billing of
telemedia. Usage data are particularly
1. Characteristics to identify the user,
2. Information on the beginning and end and the extent of current usage and
3. Details about the used telemedia services.

-- 
Moritz Bartl
http://www.torservers.net/

On 13.01.2011 00:33, Mitar wrote:
> Hi!
> 
>> But I want a legally binding statement from a lawyer or an official (BSI) 
>> that running TOR exit nodes
>> in germany is legal.
> 
> In Slovenia there is a law (for Internet commerce) that persons just
> passing data around, not changing it, choosing destination or source,
> filter, etc, are not responsible for the data. This even works for the
> servers. So if you have a server with content you are just storing for
> somebody else you are not responsible for that. But you have a witness
> status if they want to prosecute this somebody and have to cooperate.
> So police will come and talk to you, but not as a suspect but as a
> witness.
> 
> Probably this is an EU law.
> 
> 
> Mitar


Re: geeez...

2011-01-12 Thread Mitar
Hi!

> But I want a legally binding statement from a lawyer or an official (BSI) 
> that running TOR exit nodes
> in germany is legal.

In Slovenia there is a law (for Internet commerce) that persons just
passing data around, not changing it, choosing destination or source,
filter, etc, are not responsible for the data. This even works for the
servers. So if you have a server with content you are just storing for
somebody else you are not responsible for that. But you have a witness
status if they want to prosecute this somebody and have to cooperate.
So police will come and talk to you, but not as a suspect but as a
witness.

Probably this is an EU law.


Mitar


Re: geeez...

2011-01-12 Thread Mitar
Hi!

On Wed, Jan 12, 2011 at 12:52 AM, Moritz Bartl  wrote:
> Most complaints you will have to deal with can be easily solved by
> telling them about Tor. In extreme cases, the police might come knocking
> to your door or even try to seize your equipment, but I am only aware of
> a single case in Germany where that happened some years ago.

In Slovenia for our Tor node (currently down) we have very nice ISP
which said that they do not mind anything until we are paying our
bills. But we had two visits of police to our doors early in the
morning (once for blackmailing and once for pedophilia). Once we
explained to them that the IP is of Tor server and that there are no
logs they said OK and that was it. The problem is probably that the
server is registered on a physical person so once they see the name
they assume that this is some home user. But once you explain to them
that this is a server on collocation and not even at your home and
what Tor is and how it works. Then their assumption that you as a home
user is a probable suspect changes to that you are an admin of a
server and in this way probably just a witness. And once you tell them
that you cannot witness anything (you do not have logs) this is it (if
they believe you, but there are not much reasons for them not to -
they would have to have also some other signs to get a warrant).


Mitar


Re: geeez...

2011-01-12 Thread Olaf Selke
Am 12.01.2011 22:48, schrieb Moritz Bartl:

> Did you run a Tor exit at home? I'm not sure if they come and seize your
> home computer if the Tor server is hosted in a data center. Olaf seems
> not to have run into big trouble yet (or maybe he was quick on replacing
> the hardware).

running an exit in a German data center isn't a big deal. Size really
matters and provides you a certain amount of safety. But as an employee
working for a German Telco, I advise you not to run an exit node at home
behind a DSL subscriber line. Do not do this!

Two days ago my local police officer told me he's regretting that I
might have to shut down blutmagie this year. So German law enforcement
isn't Tor operator's enemy in general.

Saturday at eighthundred I'll be a German Army's soldier in GFM
Augustdorf barracks again, protecting the galaxy against aliens.
http://www.informationfreeway.org/?lat=51.91590673350628&lon=8.769514491697844&zoom=14&layers=BF00F0

regards Olaf


Re: geeez...

2011-01-12 Thread Moritz Bartl
Hi,

On 12.01.2011 22:05, Fabian Keil wrote:
> Some of my equipment got seized a few months ago.

Good luck on getting it back then!

> I'm also not sure how the police would try to seize equipment
> and fail (assuming the equipment is actually there). 

Explosives? ;-)
Did you run a Tor exit at home? I'm not sure if they come and seize your
home computer if the Tor server is hosted in a data center. Olaf seems
not to have run into big trouble yet (or maybe he was quick on replacing
the hardware).

-- 
Moritz Bartl
http://www.torservers.net/


Re: geeez...

2011-01-12 Thread Fabian Keil
Moritz Bartl  wrote:

> > ok... since this mailing list is not able to give at least some tips
> > for running a tor exit node except:
> 
> What do you want to know exactly? In many countries, running an
> anonymizing service is definitely not illegal. Many exit operators run
> into trouble with their ISP, because they are too easily scared by DMCA
> complaints and the like. This is especially true for an exit policy that
> allows arbitrary ports, as your ISP will be flooded with mails from
> BayTSP/MediaSentry. That's why we have compiled a list of well-known
> ports. [1]
> 
> You should find an ISP who explicitly allows you to run a Tor exit, and
> if you want you can start with an open exit policy. If your ISP
> complains and wants to shut you down later, you can switch to the
> reduced exit policy. Or, you can allow exiting only to a few ports. It's
> your decision.
> Try to convince your ISP to SWIP the IP range and attach your personal
> abuse handle. Example:
> http://torstatus.blutmagie.de/cgi-bin/whois.pl?ip=79.140.39.227
> 
> Most complaints you will have to deal with can be easily solved by
> telling them about Tor. In extreme cases, the police might come knocking
> to your door or even try to seize your equipment, but I am only aware of
> a single case in Germany where that happened some years ago.

Some of my equipment got seized a few months ago.

I'm also not sure how the police would try to seize equipment
and fail (assuming the equipment is actually there). Getting a
warrant seems to be pretty easy as long as you don't mention
that the IP address in question belongs to a known Tor server.

Fabian




Re: geeez...

2011-01-12 Thread David Hill
The BSI comment had me rolling on the floor.   Could you imagine the
paperwork?  If you're going to RSA, they'll be there.

On Tue, Jan 11, 2011 at 3:28 PM, Dirk  wrote:

> ok... since this mailing list is not able to give at least some tips for
> running a tor exit node except:
>
> "Do it." or "We do have a lawyer" (how is that supposed to help me?)
>
> I will just ask the German "Bundesamt für Sicherheit in der
> Informationstechnik" (https://www.bsi.bund.de) how to set up a TOR
> exit node without ruining my life... :D
>
> people here are probably too cool to give noobs instructions...
>
>
> Dirk
>


Re: geeez...

2011-01-12 Thread Mike Perry
Thus spake Mike Perry (mikepe...@fscked.org):

> > Is there any place (e.g. in a wiki) where one could find or even upload
> > his own 'response template', as I might assume that they will be very
> > specific to the country's law they're issued?
> 
> Here's the (freshly updated) set of abuse complaints that reflects
> what myself and a handful of others have dealt with over the past 6
> months or so:
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorAbuseTemplates

I've also gone ahead and updated the blog post with new tips for exit
node operators:
https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment

The two main changes are links to the ARIN registration pages and
forms, and tips on forming an LLC to run your node for civil liability
protection in the US.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: geeez...

2011-01-12 Thread Jan Weiher


On 12.01.2011 09:32, Timo Schoeler wrote:
> thus Mike Perry spake:
> 
>> Some of us are also compiling abuse response templates. The goal for
>> abuse responses is to inform people about Tor, and to suggest
>> solutions for their security problems that involve improving their
>> computer security for the Internet at large (open wifi, open proxies,
>> botnets), rather than seeking vengeance and chasing ghosts. The
>> difference between these two approaches to abuse is the difference
>> between decentralized fault-tolerant Internet freedom, and fragile,
>> corruptible totalitarian control.
> 
> Is there any place (e.g. in a wiki) where one could find or even upload
> his own 'response template', as I might assume that they will be very
> specific to the country's law they're issued?
> 
> Such a thing could be helpful for many of us.
> 
> Timo

Here are some:

http://www.wiredwings.com/wiki/Torservers.net_Main_Page#Abuse

regards,
Jan


Re: geeez...

2011-01-12 Thread Mike Perry
Thus spake Timo Schoeler (timo.schoe...@riscworks.net):

> > Some of us are also compiling abuse response templates. The goal for
> > abuse responses is to inform people about Tor, and to suggest
> > solutions for their security problems that involve improving their
> > computer security for the Internet at large (open wifi, open proxies,
> > botnets), rather than seeking vengeance and chasing ghosts. The
> > difference between these two approaches to abuse is the difference
> > between decentralized fault-tolerant Internet freedom, and fragile,
> > corruptible totalitarian control.
> 
> Is there any place (e.g. in a wiki) where one could find or even upload
> his own 'response template', as I might assume that they will be very
> specific to the country's law they're issued?

Here's the (freshly updated) set of abuse complaints that reflects
what myself and a handful of others have dealt with over the past 6
months or so:
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorAbuseTemplates

Notably absent from that list is a DMCA response, but the EFF provides
one for that case:
http://tor.eff.org/eff/tor-dmca-response.html.en


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: geeez...

2011-01-12 Thread Timo Schoeler

thus Mike Perry spake:

> Some of us are also compiling abuse response templates. The goal for
> abuse responses is to inform people about Tor, and to suggest
> solutions for their security problems that involve improving their
> computer security for the Internet at large (open wifi, open proxies,
> botnets), rather than seeking vengeance and chasing ghosts. The
> difference between these two approaches to abuse is the difference
> between decentralized fault-tolerant Internet freedom, and fragile,
> corruptible totalitarian control.

Is there any place (e.g. in a wiki) where one could find or even upload
his own 'response template', as I might assume that they will be very
specific to the country's law they're issued?

Such a thing could be helpful for many of us.

Timo


Re: geeez...

2011-01-11 Thread Mike Perry
Thus spake Dirk (noi...@gmx.net):

> >> ok... since this mailing list is not able to give at least some tips
> >> for running a tor exit node except:
> > 
> > What do you want to know exactly? In many countries, running an
> > anonymizing service is definitely not illegal. 
> 
> This stuff: 
> https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
> 
> reads all like "How not to get caught".

The tips in the blog post are not "how not to get caught". In fact,
every one of them is about telling people as early in the process what
is going on, and who to contact if there are issues. This is done
because at scale (gigabit speeds), abuse complaints happen way more
frequently. With the default exit policy, you will get about 50
automated DMCA complaints per day at gigabit speeds. With the
bittorrent-resistant reduced exit policy from that post, you get about
5 per week. So it is entirely about reducing your work load for
managing your exit, and keeping the noise away from your ISP.

As previous threads indicate, law enforcement can and does still
contact you. The goal again is making this easy, so no one needs to
kick in any doors.

Some of us are also compiling abuse response templates. The goal for
abuse responses is to inform people about Tor, and to suggest
solutions for their security problems that involve improving their
computer security for the Internet at large (open wifi, open proxies,
botnets), rather than seeking vengeance and chasing ghosts. The
difference between these two approaches to abuse is the difference
between decentralized fault-tolerant Internet freedom, and fragile,
corruptible totalitarian control.

> But I want a legally binding statement from a lawyer or an official (BSI)
> that running TOR exit nodes in Germany is legal.

I'm not a lawyer, but our largest exit (blutmagie) has run in Germany
for the past 4 years or so.

> And then I want to sink that little money I have into running as many of
> such servers as I can.

We have discovered that the most effective way to run tor servers is
in bulk, because smaller providers are not willing to put up with
occasional abuse complaints that do get through to them, because doing
so costs them human resources and dollars. Bandwidth also is
considerably cheaper in bulk than it is at residential or even shared
hosting/VPS prices.

Consider donating to http://www.torservers.net/, or setting up your
own similar project and collecting donations to leverage the economies
of scale inherent in bandwidth prices. Obviously, the more people
doing this the better (for distributed trust).

See also the thread at:
http://www.mail-archive.com/or-talk@freehaven.net/msg14159.html for
some insight into the arcane technical details involved in running
high capacity tor relays.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: geeez...

2011-01-11 Thread Andrew Lewman
On Wed, 12 Jan 2011 02:29:49 +0100
Dirk wrote:
> But I want a legally binding statement from a lawyer or an official
> (BSI) that running TOR exit nodes in Germany is legal.

Ask the CCC for a start.  They have defended many Germans already.


-- 
Andrew
pgp 0x74ED336B


Re: geeez...

2011-01-11 Thread Ali-Reza Anghaie
Dirk,

Considering I2P's German home I think you should go back to what others have
said, it's not a matter of Legal, it's a matter of reducing activity that
might raise the alarm of other people. So read the links sent, consider the
port limitations, and work up from there.

If you really need to find something more concrete then consider contacting
EFF and EFF Europe projects (https://www.eff.org/issues/eff-europe). Good
luck, -Ali


Re: geeez...

2011-01-11 Thread Watson Ladd
On Tue, Jan 11, 2011 at 7:29 PM, Dirk wrote:
> Moritz Bartl wrote:
>> Hi Dirk,
>>
>>> ok... since this mailing list is not able to give at least some tips
>>> for running a tor exit node except:
>>
>> What do you want to know exactly? In many countries, running an
>> anonymizing service is definitely not illegal.
>
> This stuff: 
> https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
>
> reads all like "How not to get caught".
>
>
> But I want a legally binding statement from a lawyer or an official (BSI)
> that running TOR exit nodes in Germany is legal.
The question is not "is it legal?" but "how do I minimize the effects
if someone decides to harass me through the law?"
>
> And then I want to sink that little money I have into running as many of
> such servers as I can.
An admirable goal.
>
>
> Dirk
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin


Re: geeez...

2011-01-11 Thread Dirk
Moritz Bartl wrote:
> Hi Dirk,
> 
>> ok... since this mailing list is not able to give at least some tips
>> for running a tor exit node except:
> 
> What do you want to know exactly? In many countries, running an
> anonymizing service is definitely not illegal. 

This stuff: 
https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment

reads all like "How not to get caught".


But I want a legally binding statement from a lawyer or an official (BSI) that
running TOR exit nodes in Germany is legal.

And then I want to sink that little money I have into running as many of such
servers as I can.


Dirk


Re: geeez...

2011-01-11 Thread Moritz Bartl
Hi Dirk,

> ok... since this mailing list is not able to give at least some tips
> for running a tor exit node except:

What do you want to know exactly? In many countries, running an
anonymizing service is definitely not illegal. Many exit operators run
into trouble with their ISP, because they are too easily scared by DMCA
complaints and the like. This is especially true for an exit policy that
allows arbitrary ports, as your ISP will be flooded with mails from
BayTSP/MediaSentry. That's why we have compiled a list of well-known
ports. [1]

You should find an ISP who explicitly allows you to run a Tor exit, and
if you want you can start with an open exit policy. If your ISP
complains and wants to shut you down later, you can switch to the
reduced exit policy. Or, you can allow exiting only to a few ports. It's
your decision.
Try to convince your ISP to SWIP the IP range and attach your personal
abuse handle. Example:
http://torstatus.blutmagie.de/cgi-bin/whois.pl?ip=79.140.39.227

Most complaints you will have to deal with can be easily solved by
telling them about Tor. In extreme cases, the police might come knocking
on your door or even try to seize your equipment, but I am only aware of
a single case in Germany where that happened some years ago.

If you need technical help setting up a node, the comments in torrc and
the documentation on the website should help you. If not, join #tor on
irc.oftc.net and I'm sure there will be someone to give you a hand.

-- 
Moritz Bartl
http://www.torservers.net/

[1]
https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment

On 12.01.2011 00:28, Dirk wrote:
> 
> "Do it." or "We do have a lawyer" (how is that supposed to help me?)
> 
> I will just ask the German "Bundesamt für Sicherheit in der
> Informationstechnik" (https://www.bsi.bund.de) how to set up a TOR
> exit node without ruining my life... :D
> 
> people here are probably too cool to give noobs instructions...
> 
> 
> Dirk
> 


Re: geeez...

2011-01-11 Thread Kory Kirk
Dirk,

I don't think anyone on this list is "too cool" to give instructions, it is
just that instructions already exist.

The Tor Project website has information on how to set up a relay.
http://www.torproject.org/docs/tor-doc-relay.html.en
http://www.torproject.org/docs/faq.html.en

Mike Perry also wrote this great guide for running an exit node.
https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment


-Kory

On Tue, Jan 11, 2011 at 5:28 PM, Dirk wrote:

> ok... since this mailing list is not able to give at least some tips for
> running a tor exit node except:
>
> "Do it." or "We do have a lawyer" (how is that supposed to help me?)
>
> I will just ask the German "Bundesamt für Sicherheit in der
> Informationstechnik" (https://www.bsi.bund.de) how to set up a TOR
> exit node without ruining my life... :D
>
> people here are probably too cool to give noobs instructions...
>
>
> Dirk
>
>


geeez...

2011-01-11 Thread Dirk
ok... since this mailing list is not able to give at least some tips for 
running a tor exit node except:

"Do it." or "We do have a lawyer" (how is that supposed to help me?)

I will just ask the German "Bundesamt für Sicherheit in der
Informationstechnik" (https://www.bsi.bund.de) how to set up a TOR
exit node without ruining my life... :D

people here are probably too cool to give noobs instructions...


Dirk
