Re: [tor-relays] Call for discussion: turning funding into more exit relays
On 1/8/13 10:40 PM, Moritz Bartl wrote:
> I wrote a small incapable script [4] that visualizes how often a relay is a fast relay over time. In its current form, it is not very helpful, but slightly modified to output monthly overviews or just a percentage figure per relay, it might already be good enough to define when a reward is granted (after it became part of the rewards program) and when/if the operator needs to do additional explaining of downtimes etc. Feedback and patches welcome.

Please see https://trac.torproject.org/projects/tor/ticket/7895 for my feedback.

Best,
Karsten

[4] https://lists.torproject.org/pipermail/tor-relays/2012-November/001725.html

___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Hello guys. Is it possible to choose one's Entry Guards?
First of all, AFAIK, bridge relays act as entry guards, meaning they *replace* the first step of your tor circuits, they don't extend them to 4 nodes. With that in mind you might be able to do this:

your client - bridge (obfuscated or not) - tor node B - tor node C - whatever (clearnet / introduction points for your service)

If you host a hidden service, a compromised bridge on the above circuit will make you vulnerable to timing attacks whether you hand-pick trusted nodes for BC or not.

Also in general when you talk about a guard node, you mean a node that you connect directly to for your first hop on a circuit. It doesn't make sense to talk about guard nodes in the middle of the circuit, you don't really care if those are compromised or not since they don't see your IP. So another idea would be to use Tor through Tor which unfortunately doesn't increase your anonymity much since timing attacks will still work the same way (maybe they will take a little longer to pull off though but your hidden service will be harder to reach too).

That being said you can choose your entry guards with the EntryGuards torrc command and the StrictNodes commands which you can find in the Tor Manual https://www.torproject.org/docs/tor-manual.html.en

If you are super paranoid you could add more latency to the connection between you and the hidden service server. For example you could rent a server anonymously in another country to host your hidden service, and only access that server using Tor from a random public WiFi and only for short durations (like just reuploading changed html code) using actually trusted entry nodes. This way even if they manage to find where the hidden service is located they will have to also start a separate attack to find where you are connecting to this server from. And if they find where you do connect from (which will take considerable time probably) you might have even switched to another public WiFi by that time.

Also who are they in this case? Cause we are talking about an investigation that spans a ton of countries just to find you. I honestly believe this is overkill. If you need that much security then maybe Tor isn't for you.

Cheers.

-
My blog: http://www.inshame.com
My full signature with lots of links etc: http://bit.ly/trtsig
Re: [tor-relays] DigitalOcean, cheap VPS that's ok with middle relays
Moritz Bartl:
> Hi Micah,
>
> On 08.01.2013 19:47, Micah Lee wrote:
>> FYI, I just discovered a VPS provider DigitalOcean, and they seem fine with people running non-exit nodes:
>
> Thanks for the hint. In general, I don't see why VPS providers would not allow internal Tor relaying, and I would not even bother to ask first.
>
> Interesting values to know about VPS providers are bandwidth allowance (unlimited is quite obviously a marketing term; often, limits can only be discovered by some months of experience) and [socket/numfile] limitations. Support is often reluctant to provide such values before ordering. A good way to characterize VPS offers is to post the output of cat /proc/user_beancounters.

Hey all,

I talked to my VPS provider (colorhost.de) about running a (non-exit) tor relay, and I would recommend some communication if you plan to run your relay for a longer amount of time.

Smaller VPS providers might not have experience with TOR, and just assume illegal torrents when someone uses large amounts of bandwidth. In the price range we're talking about here, the provider has to have an internal assumption about how much of your Unlimited Bandwidth you are going to consume on average. If you exceed that on a regular basis (and with an un-throttled relay, you likely will), you end up on their list of customers they do not want to keep. Also, due to the slim profit margin, they may just terminate your account if they are ever forced to manually investigate it for some reason (e.g. exit-node DMCA complaints).

What I did was explain that I was going to run a non-exit relay node and that it would cause steady load and traffic, and asked in a very direct manner about how much constant traffic they were comfortable with for the 3€/mo plan, regardless of what was advertised. I got a number, adjusted my settings accordingly and I've enjoyed great customer service ever since.

This arrangement has provided a small (albeit guard-flagged) relay to the TOR network for nearly two years now and I've never had to switch providers or otherwise spend time on administrative overhead.

Cheers
-k
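The socket and numfile limits mentioned in the quoted paragraph can be read directly from /proc/user_beancounters output. The following is an added example, not code from any poster in this thread; the sample is constructed, and the list of relay-relevant resources and the 90% warning threshold are assumptions.

```python
# Constructed sample in the OpenVZ /proc/user_beancounters layout (values invented).
SAMPLE = """\
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      101:  kmemsize        2670652    2851145   14372700   14790164          0
            numproc              24         30        240        240          0
            numtcpsock          352        360        360        360       1184
            numothersock         11         14        360        360          0
            tcpsndbuf       1720320    1720320    1720320    2703360         97
            numfile             683        746       9312       9312          0
"""

# Assumption: the resources that bound how many connections a relay can keep open.
RELAY_RESOURCES = ("numtcpsock", "numothersock", "numfile", "tcpsndbuf", "tcprcvbuf")
FIELDS = ("held", "maxheld", "barrier", "limit", "failcnt")

def parse_beancounters(text):
    """Return {uid: {resource: {held, maxheld, barrier, limit, failcnt}}}."""
    containers, uid = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Version:", "uid"):
            continue                      # version line and column header
        if parts[0].endswith(":"):        # "101:" opens a new container block
            uid, parts = parts[0][:-1], parts[1:]
        if uid is None or len(parts) != 6 or parts[0] == "dummy":
            continue                      # placeholder or malformed row
        if not all(v.isdigit() for v in parts[1:]):
            continue
        containers.setdefault(uid, {})[parts[0]] = dict(zip(FIELDS, map(int, parts[1:])))
    return containers

def relay_findings(containers, warn_ratio=0.9):
    """List relay-relevant resources that were refused or peaked near the barrier."""
    findings = []
    for uid, resources in containers.items():
        for name in RELAY_RESOURCES:
            r = resources.get(name)
            if r is None:
                continue
            if r["failcnt"] > 0:          # the kernel refused allocations
                findings.append((uid, name, "failcnt=%d: allocations were refused" % r["failcnt"]))
            elif r["barrier"] and r["maxheld"] >= warn_ratio * r["barrier"]:
                findings.append((uid, name, "peak %d of barrier %d" % (r["maxheld"], r["barrier"])))
    return findings

if __name__ == "__main__":
    for uid, name, msg in relay_findings(parse_beancounters(SAMPLE)):
        print("CT %s %-12s %s" % (uid, name, msg))
```

A non-zero failcnt on numtcpsock or numfile means the container already hit the provider's cap, which on a relay shows up as refused connections.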
[tor-relays] ServerAstra from Hungary allows exit relays
Hi

I want to share my experience with a hoster I discovered about a year ago: https://serverastra.com/

I set up a non-exit relay in February 2012. They offer a VPS with 100Mbit unmetered traffic for about 15$/month. Here are the vnstat stats: http://paste.scratchbook.ch/view/26af6ae0

Recently, I asked them if I am allowed to run an exit-relay. They answered:

--
For now our ToS allows Tor nodes, but please be advised they are really easy to abuse. We will try to protect the network with our firewall in case of problems (we already experienced spam from ToR networks). In any case a ticket will be opened upon abuse case and we will try to keep both sides' confidentiality during negotiation. Happy New Year!
--

They are really cooperative! They also set me up a reverse DNS. So everything runs fine and fast. Although they sometimes encounter problems with DDOS-attacks, which affects the bandwidth. But this only happened twice last year.

Claude
Re: [tor-relays] ServerAstra from Hungary allows exit relays
My experience with ServerAstra is that they will null-route your IP address on reports of abuse. No notification to me, their customer. This put me in the position on several occasions of noticing that my VPS had been down for x days. It was only when opening a Support Ticket to complain about lack of service that I was told my IP address had been null-routed due to abuse reports. Here's an example of what I was told:

Your VPS has been blocked automatically on numerous accounts of virus, malware activity and spamming, and got itself into several block lists. Please clean up the vps and fix the issues which are allowing such things to happen, as we keep our network secure and free of these problems. Your VPS ip will be enabled again right away but please prevent further abuse of our network resources.

This while running an exit node with the Reduced Exit Policy. This was my experience from Feb through May of last year. They may not have a policy against exit nodes but they sure make it difficult to keep one running.

On 01/09/2013 06:12 AM, Claude wrote:
> Hi
>
> I want to share my experience with a hoster I discovered about a year ago: https://serverastra.com/
>
> I set up a non-exit relay in February 2012. They offer a VPS with 100Mbit unmetered traffic for about 15$/month. Here are the vnstat stats: http://paste.scratchbook.ch/view/26af6ae0
>
> Recently, I asked them if I am allowed to run an exit-relay. They answered:
>
> --
> For now our ToS allows Tor nodes, but please be advised they are really easy to abuse. We will try to protect the network with our firewall in case of problems (we already experienced spam from ToR networks). In any case a ticket will be opened upon abuse case and we will try to keep both sides' confidentiality during negotiation. Happy New Year!
> --
>
> They are really cooperative! They also set me up a reverse DNS. So everything runs fine and fast. Although they sometimes encounter problems with DDOS-attacks, which affects the bandwidth. But this only happened twice last year.
>
> Claude
Re: [tor-relays] Hello guys. Is it possible to choose one's Entry Guards?
On 1/9/2013 4:41 AM, Konstantinos Asimakis wrote:
> First of all, AFAIK, bridge relays act as entry guards, meaning they *replace* the first step of your tor circuits, they don't extend them to 4 nodes. With that in mind you might be able to do this:
>
> your client - bridge (obfuscated or not) - tor node B - tor node C - whatever (clearnet / introduction points for your service)
>
> If you host a hidden service, a compromised bridge on the above circuit will make you vulnerable to timing attacks whether you hand-pick trusted nodes for BC or not.
>
> Also in general when you talk about a guard node, you mean a node that you connect directly to for your first hop on a circuit. It doesn't make sense to talk about guard nodes in the middle of the circuit, you don't really care if those are compromised or not since they don't see your IP. So another idea would be to use Tor through Tor which unfortunately doesn't increase your anonymity much since timing attacks will still work the same way (maybe they will take a little longer to pull off though but your hidden service will be harder to reach too).
>
> That being said you can choose your entry guards with the EntryGuards torrc command and the StrictNodes commands which you can find in the Tor Manual https://www.torproject.org/docs/tor-manual.html.en
>
> If you are super paranoid you could add more latency to the connection between you and the hidden service server. For example you could rent a server anonymously in another country to host your hidden service, and only access that server using Tor from a random public WiFi and only for short durations (like just reuploading changed html code) using actually trusted entry nodes. This way even if they manage to find where the hidden service is located they will have to also start a separate attack to find where you are connecting to this server from. And if they find where you do connect from (which will take considerable time probably) you might have even switched to another public WiFi by that time.
>
> Also who are they in this case? Cause we are talking about an investigation that spans a ton of countries just to find you. I honestly believe this is overkill. If you need that much security then maybe Tor isn't for you.
>
> Cheers.

For our purposes, they can remain undefined. There are plenty of theys to pick from, what with illegal NSA wiretapping, various alphabet soup brigades targeting their own citizens, staggeringly escalated mandatory data retention, new anti-piracy techniques and legal precedents that allow various copyright owners to attack their own customers and clients, the list goes on and on. And that's just the USA. Once you include things like publicly-admitted cooperative domestic espionage between allied countries, and other foreign powers such as China, Russia, North Korea, and just about every Arab country in existence, there are a multitude of theys to be cautious about.

Though, speaking as someone with an anarchist cypherpunk bent, I don't really need an excuse to take whatever precautions are available to me, seeing as any sort of activism or participation in social movements would cause me to be a political target. The only reason I'm posting here at all is because I do not think I am yet a target valuable enough to actually pursue.

When I say entry guards I mean entry guards from the perspective of a tor node acting as a client. Am I mistaken in believing that a tor bridge relay acts as a client on behalf of the actual tor client behind it? Or does the short list of bridge relays act as entry guards, and connect to other tor relays as the first hop tor relay?
Re: [tor-relays] Hello guys. Is it possible to choose one's Entry Guards?
On 1/9/2013 2:57 PM, Coyo wrote:
> On 1/9/2013 4:41 AM, Konstantinos Asimakis wrote:
>> First of all, AFAIK, bridge relays act as entry guards, meaning they *replace* the first step of your tor circuits, they don't extend them to 4 nodes.
>
> When I say entry guards I mean entry guards from the perspective of a tor node acting as a client. Am I mistaken in believing that a tor bridge relay acts as a client on behalf of the actual tor client behind it? Or does the short list of bridge relays act as entry guards, and connect to other tor relays as the first hop tor relay?

Oh, I misread that. Never mind!

Though I have another question! How many bridge relays, with or without protocol obfuscation, can you use simultaneously? Is there a limit? Can you configure that limit? Are bridge relays in the list written to torrc chosen at random up to a certain limit?