[tor-relays] Fwd: [tor-talk] Fwd: Ops request: Deploy OpenVPN terminators

2014-05-14 Thread grarpamp
to list, not me.

-- Forwarded message --
From: Mirimir 
Date: Wed, May 14, 2014 at 11:58 PM
Subject: Re: [tor-talk] Fwd: [tor-relays] Ops request: Deploy OpenVPN
terminators

On 05/14/2014 09:07 PM, grarpamp wrote:
>> On Tue, May 13, 2014 at 5:48 PM, Jeroen Massar  wrote:



>>  --  -- 
>> world
>
>> That "ovpn" part on the left is easily detected by any party in the
>> middle doing
>
> No. Understand the diagram. It is not detectable by anyone
> between torcli and torrelay, because that is just normal
> tor.
>
>> Note that you are running IP over TCP over Tor (which is over TCP).
>
> Of course. Unless of course, as suggested before, some operators
> choose the method of binding/routing their exit over an ip different
> from their OR_IP, then it would just be native tor and native TCP.
>
>> The performance of that will be very bad. Tor network is already
>> overloaded enough as it is.
>
> No it won't, I've tested it, it works just fine. The only issue is the
> exit ip may change. So the exit operator is expected to block
> access to ovpn_ip from anything other than their associated or_ip,
> and the user is expected to config their client to use only the
> associated exit per whatever 'world' usage session they have in
> mind. It's not supposed to be point-click easy, only possible.

That's a very cool idea :) Using $5/mo VPS, there could be a large pool
of exit IPs for each Tor exit.


--
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Thinking about deploying a new node

2014-05-14 Thread grarpamp
I do see some talk on this list that bridges are more
in need at the moment on balance. And that some
of the new obfs/scramble/pt protocols could use some
deployment testing and feedback.

As far as your proposed hoster, they do not seem to have
flatly refused an exit. You may wish to propose to them
actually running one under your suggested responsibly handling
abuse tickets for them. And make sure you can fall
back to non-exit or bridge with them without losing
money if exit does not mutually work out. Better to
know/talk these things with your provider beforehand.
You can suggest that since tor is 'slow' a genuine impactive
ddos is not really possible via tor, though of course feeble
packeting that people will still complain about is. Show
them your proposed exit policy, non smtp spam, etc.

3TB/mo is about 10Mbps so that is more the governing
factor for billing than 100Mbps port link. You can apply
various rate limits on tor or your system/port.

Tor itself does not need a fwd or rev fqdn to run. Though
a rev entry can help to clue people like LEA in that the
IP is in fact a tor node. And matching fwd/rev can help
give users access to services that check that thing. If
you do not have a domain to give, the host may be able
to put the node name in theirs.

Good luck, thx.


Re: [tor-relays] Ops request: Deploy OpenVPN terminators

2014-05-14 Thread grarpamp
> On Tue, May 13, 2014 at 5:48 PM, Jeroen Massar  wrote:
> They do not care about solely Tor, that is just one of many many things
> they block to restrict the majority of people from accessing 'free'
> (ahem) content.

I've said multiple times this does not concern gfw or bootstrapping
access to tor itself. Fuck the gfw, and if this helps do that in any
amount by providing alternative 'exit ips' to tor users, great.

> If GFW can detect it, any other adversary can do so too.

It's called defense in depth, no particular part of which
is bulletproof. Get off it.

> Hence, you are mixing them.

No, I know, and do not mix, up the difference, I choose to combine
them into one class since this will help to defeat both equally.

> Define "ours".

I already did, those relay ops who wish to run OpenVPN or
bind/route their exit via a different IP. You as an op are free to
not do such things. Don't claim that others do not.

> This service is there so that operators of sites can decide if they
> want to serve anonymous users or not.

As said and echoed in other threads, I warrant that a significant
portion of them are not making such careful, balanced and thoughtful
decisions as you suggest.

> Note that that is there to reduce the amount of abuse, and thus the
> global and full blocking of Tor.

As in other threads, prove that the incidence of abuse via
tor is greater than the incidence via clearnet.

> Typically an operator will only block
> registration through Tor, while allowing logins through Tor.

Doesn't matter which one is blocked, result is the same,
a service unusable by legit users who care about their
good privacy interests as noted on the tor front page.

> Who is "We"? Which users complain, and about what exactly?

Ever try to access a site via tor and be rejected for doing nothing
wrong? That's who.

> You seem to want to attempt avoiding blocks of a server, not that you
> want to anonymous, or have an operator-in-the-middle blocking you from a
> site that wants you as a user.

Do not combine the two. Tor's encrypted circuits give source
anonymity. Tor's exits (or this OpenVPN/binding) give the
ways around things. Absolutely right, I wish to give users
ways to avoid gratuitous unthoughtful (in respect and consideration
to the individual legit user wishing access to such services) ways
around such blocking.

> By trying to avoid blocks that way, you
> will only give a bad name to Tor and other similar projects.

Only if you assume tor users are 'bad' actors. That is a shame
people think that.

>> They can then move to account
>> based and other finer grained user management models.

> Sites (eg wikipedia) that use TorDNSEL and similar constructs typically
> allow registration from a non-anonymized address, while allowing logins
> quite fine from them.

Already answered.

>> It is no different than us deploying tor network to give users
>> ability to avoid blocks in first place. It is simply evolution
>> of making such tools available to users.

> You are trying to defy policy of a site...

Tor ITSELF is trying to defy all manner of policies, this
fits that just fine.

> not bypassing a bad operator.

This makes no sense. I never said relay ops were bad.

>> You don't have to run described openvpn extension if you
>> don't want.

> I don't think anybody will. There are too many ways to abuse that setup
> and more importantly, too easy to detect.

I'm putting the idea out there. Some relays will, some won't.
You don't like it, you don't have to. Some blocklists and
site ops will scan and detect these new IP's, some won't.
Any that don't is a win for us.

Abuse it? Laugh, no more than users abuse current
Tor exits. Actually, it would likely be less incidence
of mundane flood of abuse since the moronic masses
of the internet won't bother figuring out how to scan
and setup OpenVPN over tor or using controller to
map non OR_IP exits.

> Tor and other "open proxies" have a lot to do with abusive users.
> Typically they come hand in hand.

Seriously? A thousand Tor exits compared to hundreds of millions
of clearnet internet IP's cause more incidence of abuse reports that
need handled by abuse desks and LEA? Please, GET REAL!!!

> There are good users, and there are bad ones. Depending on how your user
> base works and how much time one wants to spend, you might not want to
> keep on banning the people who are obviously trying to hide.

I'm sorry you feel that the majority of tor users are bad.
Have you visited your local coffeeshop or home lately, how
many of those teenage freeloaders are bad. No difference,
maybe even worse incidence.

> There is a list of these kind of services here:
> https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor
> Attempting to bypassing those restrictions will only cause them to block
> that method too, and IMHO with good reason.

They are free to do that, we are free to continue to deploy
countermeasures against indiscriminate non user-account-based
blockin

[tor-relays] Thinking about deploying a new node

2014-05-14 Thread Lance Hathaway

So, every now and then, somebody asks what the best use of a node
would be--bridge, relay, or exit. And yes, this is one of those requests.

This would be a VPS from VPS Nodes. I checked the list of good and bad
ISPs, and they don't seem to be listed. So I asked them directly how
they felt about Tor, and this was the response:

"While we don't specifically disallow Tor by name, it does come under
the ToS as it is commonly used to launch large scale DDOS and SPAM
campaigns and is therefore not allowed on our network for that reason.
rDNS is provided as standard, you need to have a valid FQDN A record
associated with the IP address that is assigned to your container. As
far as SWIP, I would have to pass the request on to management as they
are the only ones with that access."

Seems pretty clear to me that they're not in favor of having an exit
on their network. (I brought up the reduced exit policy and asked
specifically about SWIP so that I could handle most of whatever abuse
complaints come in, but they wouldn't provide anything further than
this response.) That leaves bridge or standard relay. My question is,
given 3TB of monthly bandwidth and a 100Mbps (shared) uplink, would it
be better to run as an entry/middle node, or as an obfs3/scramblesuit
bridge?

(If there are other suggestions for trying to talk VPS Nodes into
allowing an exit node, I'm all ears--though it may be better left with
somebody with more experience talking to ISPs.)

Thanks in advance,

 -Lance


Re: [tor-relays] Ops request: Deploy OpenVPN terminators

2014-05-14 Thread grarpamp
On Tue, May 13, 2014 at 8:27 PM, Tom Ritter  wrote:
> This seems very similar to the idea of having private exit nodes:
> https://www.torproject.org/docs/faq#HideExits

Tor daemon must of course know its exit OR ip's+ports via some
mechanism (currently, distributed consensus), or Tor would
not work. There is no such thing as private exits in that
context. Every anon protocol learns its own peers somehow.

Running OpenVPN terminators on your exit box on a different
ip than your tor exit is unrelated to Tor itself. It is an extra/enhanced
service relay operators would choose to provide on their own.

> It's also easy to enumerate Exit IPs not by scanning up/down, by just
> building a circuit through every exit node to a server you control,
> and looking at the originating IP.

Given that very few exit relays exit via an IP not in the consensus,
enemies of tor do not have to scan or build, they can just look at
the consensus. This is not relevant to the context of this proposal.


Re: [tor-relays] Malicious or crappily configured exit node

2014-05-14 Thread u
Lunar:
> Thomas Themel:
>> Excerpts from u's message of Wed May 14 13:16:21 +0200 2014:
>>> I'm not quite sure where to report this (that is how this e-mail ends up
>>> on tor-relays :) ), nor how to avoid this exit node. Is there a way to
>>> do that?
>>
>> ExcludeNodes in torrc allows you to avoid this node, enjoy the docs at
>> https://www.torproject.org/docs/tor-manual.html.en for details.
> 

Thanks Thomas, that is what i did in the meantime.

> This is not really the question here. Such relay should get a BadExit
> flag from the directory authorities so that every Tor clients avoid it
> without having any extra configuration.

+1. That was indeed the idea of starting this thread :)

Lunar, is there a better place to report this than here?

u.


Re: [tor-relays] Malicious or crappily configured exit node

2014-05-14 Thread Lunar
Thomas Themel:
> Excerpts from u's message of Wed May 14 13:16:21 +0200 2014:
> > I'm not quite sure where to report this (that is how this e-mail ends up
> > on tor-relays :) ), nor how to avoid this exit node. Is there a way to
> > do that?
> 
> ExcludeNodes in torrc allows you to avoid this node, enjoy the docs at
> https://www.torproject.org/docs/tor-manual.html.en for details.

This is not really the question here. Such relay should get a BadExit
flag from the directory authorities so that every Tor clients avoid it
without having any extra configuration.

-- 
Lunar 




[tor-relays] my orphan relay

2014-05-14 Thread eliaz
I'm running an ordinary bridge on what I think is a respectable duty
cycle, but over the past three or so months it's not carried any traffic
at all.

With the advent of obfsproxy bridges, does the algorithm(?) that serves
out bridge addresses no longer recognize ordinary bridges? Are ordinary
bridges no longer useful?

Details:
Running VBB 0.2.4.20-0.2.21. Network Map and my own port scanners show
that the bridge has regularly and reliably hooked onto circuits. A
sample of 20 days uptime since March 20th shows the average sent/recv
bandwidth to be 5%/day, with a range of 2% to 7%.

The bridge shows as running in OOo and Globe.

There is no problem with the "Who has used my bridge" module(?): When I
open a Tor client at a remote ISP, "Who has used my bridge" immediately
lights up showing traffic from that client's country.

Thanks for any advice - eliaz gpg 0x04DEF82B


Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Moritz Bartl
Hi,

On 05/14/2014 01:09 PM, Ch'Gans wrote:
> Yes, I did. And it's neither all-white nor all-black, so I decided i
> would give it a go, in restricted mode w/ finger crossed.
> Update: OK, maybe... After reading again and again, it's more a
> deep-dark-grey than a white, 

Regardless, you should _always_ ask the ISP _beforehand_ if they're ok
with a Tor exit.

For more information, see
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines

-- 
Moritz Bartl
https://www.torservers.net/


Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Moritz Bartl
On 05/14/2014 01:29 PM, Lunar wrote:
>> about an exit. You are responsible what happens from that IP.
> Sorry but the last statement is wrong in many jurisdictions:
> https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines#Legal
> For Germany, see TMG §8 and §15.

True, but the location of the server defines the legal territory for the
data center, not your own. Even if you rent a server in a foreign
country, you must still conform and know about your local laws. Then, in
addition, you can take the foreign country's laws into account as well.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Ch'Gans



On 15/05/14 01:02, Ed Carter wrote:
> The abuse reply templates located at
> https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates
> contain some good ideas about how to reply to various complaints.

Hi Ed,

Thanks for the link, I still haven't decided yet how to handle this, but
for the sake of record, this link might be useful too:
https://www.torservers.net/wiki/abuse/templates

Chris

>> Hi all,
>>
>> Since 3 weeks, I'm running a TOR exit node [1] on a server I rent from
>> Hetzner (A German hosting company), after reading about using Hetzner to
>> run a TOR node, I decided to go for the "restricted" mode to avoid any
>> stupid copywrong issue (That is, I allowed only a limited set of ports,
>> which sadly excludes p2p).
>>
>> Everything went well so far, until today. Someone, let's call this
>> person/group "A", reported an abuse to Hetzner. A TOR User, "B", is
>> spamming chat/forums with vociferous insults and disrespectful messages,
>> I got a copy of few of them and the insults from B are as bad as the
>> ideas defended by A, but I'm not here to judge anyone...
>>
>> From A's timezone, it happened from the 9th of May, 8:20PM to the 10th
>> of May, 2:30 AM. Given the nature of the TOR network, I assumed that it
>> is very unlikely that stupid-B will use my server's IP to insult
>> stupid-A any time soon... or is it?
>>
>> Now, I have to report to Hetzner, I will tell them that I'm running a
>> TOR exit node in "restricted" mode, but how can I defend myself, I am
>> not sure that my "restricted node" and "given the nature of the TOR
>> network" arguments will convinced them the Hetzner dudes.
>>
>> Could anyone gives advice, feedback or stories on how to deal with this
>> situation?
>>
>> Best regards,
>> Chris
>>
>> [1]
>> https://atlas.torproject.org/#details/18B6EBAF10814335242ECA5705A04AAD29774078




--
QtCreator/qmakeparser.cpp:42
// Parser ///
#define fL1S(s) QString::fromLatin1(s)
namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...


Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Jeroen Massar
On 2014-05-14 13:29, Lunar wrote:
> Jeroen Massar:
>>> Now, I have to report to Hetzner, I will tell them that I'm running a
>>> TOR exit node in "restricted" mode, but how can I defend myself, I am
>>> not sure that my "restricted node" and "given the nature of the TOR
>>> network" arguments will convinced them the Hetzner dudes.
>>
>> You cannot "defend" yourself. There is no way for anybody to be able to
>> claim that it was you, not you, or somebody else. That is the bad thing
>> about an exit. You are responsible what happens from that IP.
> 
> Sorry but the last statement is wrong in many jurisdictions:
> https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines#Legal
> 
> For Germany, see TMG §8 and §15.

Thanks for the pointers, but how is my statement "wrong"?

Note that I specifically do not state anything about "law" there.

As the ISP hosting the IP and/or the law enforcement involved cannot
know the difference between the "owner/user" of the IP exiting or
whatever traffic is going through Tor, you might just get in trouble,
even for hosted boxes[1][2]. (though you must be stupid to put up a red
flag like a Tor exit and then use that exit yourself for illegal things)

While what is linked on that page might be defined in the "law", has
that ever been tested in court in those jurisdictions specifically for
Tor[3][4]?

If they have been tested in court, links to the results of those cases
would be awesome to see there as they actually have value.

The Dutch, Austrian and German ones are mostly similar (same three
points) (did not check the other lingos). As they all fall under
European law, having a court case in anywhere in the EU would already be
a great start.

I personally would never consider a "proxy" (which is what Tor is in
every which way you would define it, even though there is a forwarding
"network" behind it) a "common-carrier" in the most general case how
they call this.

Not that I wouldn't like to see it treated like that, but that is likely
the way that courts will treat it most very likely.

The German variant "Kommunikationsnetz" might be more appropriate to
Tor, depends though (the three points in $8) if one considers the
unwrapping of the layers "modification of the information" or not of
course. (then again, IP inside Ethernet inside PPPoE etc...).

The big 'no' in that three point list is that the source address is
changed though, which would disqualify from "choosing the addressees of
the information" depending on interpretation, hence, until those laws
have been tested in court... nothing much one can really state about it.

To add to it all, the EFF's Tor Legal FAQ
(https://www.torproject.org/eff/tor-legal-faq) has a rather important
message:
8<-
Should I run an exit relay from my home?

No. If law enforcement becomes interested in traffic from your exit
relay, it's possible that officers will seize your computer. For that
reason, it's best not to run your exit relay in your home or using your
home Internet connection.

Instead, consider running your exit relay in a commercial facility that
is supportive of Tor. Have a separate IP address for your exit relay,
and don't route your own traffic through it.
>8

The last part "don't route your own traffic through it" is dubious,
especially when requesting a VPS or some other setup with only 1 IP, you
will be doing at least management through it, you will also not be able
to claim you never send traffic through it (which is the intent of that
sentence I would say).

To put it maybe better: running a Tor exit node on a
VPS/dedicated-server where you host both private and Tor on, is likely a
bad idea...

Greets,
 Jeroen

PS: Nope, not "giving" "legal advice" or anything either, just my point
of view, thus comments on this subject extremely welcome of course!

--
[1] http://raided4tor.cryto.net/
[2]
https://www.techdirt.com/articles/20121130/07495221185/tor-exit-node-operator-charged-with-distributing-child-porn.shtml

[3] Especially as the top of that page mentions:
"NOTE: This FAQ is for informational purposes only and does not
constitute legal advice."

[4] https://www.torproject.org/eff/tor-legal-faq
8<---
Has anyone ever been sued or prosecuted for running Tor?

No, we aren’t aware of anyone being sued or prosecuted in the United
States for running a Tor relay. Further, we believe that running a Tor
relay — including an exit relay that allows people to anonymously send
and receive traffic — is lawful under U.S. law.
>8



Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Ed Carter
The abuse reply templates located at
https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates
contain some good ideas about how to reply to various complaints.

> Hi all,
>
> Since 3 weeks, I'm running a TOR exit node [1] on a server I rent from
> Hetzner (A German hosting company), after reading about using Hetzner to
> run a TOR node, I decided to go for the "restricted" mode to avoid any
> stupid copywrong issue (That is, I allowed only a limited set of ports,
> which sadly excludes p2p).
>
> Everything went well so far, until today. Someone, let's call this
> person/group "A", reported an abuse to Hetzner. A TOR User, "B", is
> spamming chat/forums with vociferous insults and disrespectful messages,
> I got a copy of few of them and the insults from B are as bad as the
> ideas defended by A, but I'm not here to judge anyone...
>
>  From A's timezone, it happened from the 9th of May, 8:20PM to the 10th
> of May, 2:30 AM. Given the nature of the TOR network, I assumed that it
> is very unlikely that stupid-B will use my server's IP to insult
> stupid-A any time soon... or is it?
>
> Now, I have to report to Hetzner, I will tell them that I'm running a
> TOR exit node in "restricted" mode, but how can I defend myself, I am
> not sure that my "restricted node" and "given the nature of the TOR
> network" arguments will convinced them the Hetzner dudes.
>
> Could anyone gives advice, feedback or stories on how to deal with this
> situation?
>
> Best regards,
> Chris
>
> [1]
> https://atlas.torproject.org/#details/18B6EBAF10814335242ECA5705A04AAD29774078
>
> --
> QtCreator/qmakeparser.cpp:42
> // Parser ///
> #define fL1S(s) QString::fromLatin1(s)
> namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...


Re: [tor-relays] Malicious or crappily configured exit node

2014-05-14 Thread Ch'Gans



On 14/05/14 23:16, u wrote:
> Hello!
>
> referring to
> https://trac.torproject.org/projects/tor/wiki/doc/badRelays, i sent this
> also to tor-assistances@tpo. Never got an answer though :(

One of the reasons I've heard on other mailing lists, is that people
sometimes get flagged as spam, and indeed your email is flagged as spam
by gmail in my case. So if I didn't check my spam box, I would never
have heard about your email despite being on this mailing list.

Chris

> Now and then, I use Icedove with TorBirdy under Debian.
> While connecting to port 465 on my usual mailserver, using SSL, I
> sometimes get an SSL certificate alert. The certificate presented is not
> my usual certificate at all (which works without adding an exception),
> but one for cab.cabinethardwareparts.com, pretending to be my
> mailserver. [1]
>
> I've searched a bit for information on that exit node and found:
> http://torstatus.rueckgr.at/router_detail.php?FP=0cc9b8aa649881c39e948e70b662772d8695c2e9
> This node has flags: fast, stable, guard...
>
> I tried it several times and the behaviour was repeatedly the same.
> Last time it happened was 10 days ago. Then again today.
>
> I'm not quite sure where to report this (that is how this e-mail ends up
> on tor-relays :) ), nor how to avoid this exit node. Is there a way to
> do that?
>
> Thanks,
> u.
>
> [1] http://pix.toile-libre.org/upload/original/1399232278.png screenshot
> of the certificate



--
QtCreator/qmakeparser.cpp:42
// Parser ///
#define fL1S(s) QString::fromLatin1(s)
namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...


Re: [tor-relays] Malicious or crappily configured exit node

2014-05-14 Thread Thomas Themel
Hi,
Excerpts from u's message of Wed May 14 13:16:21 +0200 2014:
> I'm not quite sure where to report this (that is how this e-mail ends up
> on tor-relays :) ), nor how to avoid this exit node. Is there a way to
> do that?

ExcludeNodes in torrc allows you to avoid this node, enjoy the docs at
https://www.torproject.org/docs/tor-manual.html.en for details.

ciao,
-- 
[*Thomas  Themel*] We must plan for freedom, and not only for security,
[Albulastrasse 52] if for no other reason than that only freedom
[ CH-8048 Zürich ] can make security secure.
[*+41 78 9070988*] - Karl Popper, "The Open Society and Its Enemies"


Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Eugen Leitl
On Wed, May 14, 2014 at 10:08:47PM +1200, Ch'Gans wrote:
> Hi all,
> 
> Since 3 weeks, I'm running a TOR exit node [1] on a server I rent
> from Hetzner (A German hosting company), after reading about using
> Hetzner to run a TOR node, I decided to go for the "restricted" mode

Hetzner doesn't like exits. Run a middleman.

> to avoid any stupid copywrong issue (That is, I allowed only a
> limited set of ports, which sadly excludes p2p).


[tor-relays] Malicious or crappily configured exit node

2014-05-14 Thread u
Hello!

referring to
https://trac.torproject.org/projects/tor/wiki/doc/badRelays, i sent this
also to tor-assistances@tpo. Never got an answer though :(

Now and then, I use Icedove with TorBirdy under Debian.
While connecting to port 465 on my usual mailserver, using SSL, I
sometimes get an SSL certificate alert. The certificate presented is not
my usual certificate at all (which works without adding an exception),
but one for cab.cabinethardwareparts.com, pretending to be my
mailserver. [1]

I've searched a bit for information on that exit node and found:
http://torstatus.rueckgr.at/router_detail.php?FP=0cc9b8aa649881c39e948e70b662772d8695c2e9
This node has flags: fast, stable, guard...

I tried it several times and the behaviour was repeatedly the same.
Last time it happened was 10 days ago. Then again today.

I'm not quite sure where to report this (that is how this e-mail ends up
on tor-relays :) ), nor how to avoid this exit node. Is there a way to
do that?

Thanks,
u.

[1] http://pix.toile-libre.org/upload/original/1399232278.png screenshot
of the certificate
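
The certificate check described in the message above and the ExcludeNodes advice from Thomas Themel's reply, combined as an added example (not code from the thread or from the Tor Project): it pins the SHA-256 fingerprint of the mail server's usual certificate, records each connection that presented a different one, and builds an ExcludeNodes line for exits that did so repeatedly. The certificate bytes, timestamps and the second relay fingerprint are constructed sample values, and it is assumed the user looks up which exit each connection used.

```python
"""Pinned-certificate check for a mail server reached over Tor (added example)."""
import hashlib
import hmac
import re
import socket
import ssl

RELAY_FP = re.compile(r"^[0-9A-F]{40}$")  # relay identity fingerprint: 40 hex digits


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint equals one of the pinned values.

    Pins may be written 'AA:BB:...' or 'aabb...'.
    """
    seen = fingerprint(der_cert)
    wanted = [p.replace(":", "").lower() for p in pins]
    return any(hmac.compare_digest(seen, w) for w in wanted)


def fetch_presented_cert(host: str, port: int = 465, timeout: float = 15.0) -> bytes:
    """Return whatever certificate the peer presents, without trusting it.

    Chain and hostname validation are switched off on purpose: the point is
    to capture the unexpected certificate so it can be compared and reported.
    Nothing else is sent over this connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(observations, pins):
    """observations: iterable of (utc_time, exit_fingerprint, der_cert).

    Returns one record per connection whose certificate did not match a pin.
    """
    findings = []
    for when, exit_fp, der_cert in observations:
        if not matches_pin(der_cert, pins):
            findings.append({
                "time": when,
                "exit": exit_fp.lstrip("$").upper(),
                "presented_sha256": fingerprint(der_cert),
            })
    return findings


def exclude_nodes_line(findings, min_hits: int = 2) -> str:
    """torrc line excluding exits seen with a wrong certificate min_hits times."""
    counts = {}
    for f in findings:
        if RELAY_FP.match(f["exit"]):
            counts[f["exit"]] = counts.get(f["exit"], 0) + 1
    bad = sorted(fp for fp, n in counts.items() if n >= min_hits)
    return "ExcludeNodes " + ",".join("$" + fp for fp in bad) if bad else ""


# --- constructed sample data (not real certificates or real observations) ---
USUAL_CERT = b"constructed stand-in for the mail server's usual DER certificate"
OTHER_CERT = b"constructed stand-in for the unexpected DER certificate"
PINS = [fingerprint(USUAL_CERT)]
EXIT_A = "0cc9b8aa649881c39e948e70b662772d8695c2e9"  # fingerprint quoted in the message
EXIT_B = "B" * 40                                     # placeholder for some other exit
OBSERVATIONS = [
    ("2014-05-04T19:37:00Z", EXIT_A, OTHER_CERT),
    ("2014-05-04T19:52:00Z", EXIT_B, USUAL_CERT),
    ("2014-05-14T11:02:00Z", EXIT_A, OTHER_CERT),
]

if __name__ == "__main__":
    found = audit(OBSERVATIONS, PINS)
    for f in found:
        print(f["time"], f["exit"], f["presented_sha256"])
    print(exclude_nodes_line(found))
```

`fetch_presented_cert()` is not exercised on the sample data; to see what the mail client sees, it has to be run through the same Tor client, for example under torsocks.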


Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Lunar
Jeroen Massar:
> > Now, I have to report to Hetzner, I will tell them that I'm running a
> > TOR exit node in "restricted" mode, but how can I defend myself, I am
> > not sure that my "restricted node" and "given the nature of the TOR
> > network" arguments will convinced them the Hetzner dudes.
> 
> You cannot "defend" yourself. There is no way for anybody to be able to
> claim that it was you, not you, or somebody else. That is the bad thing
> about an exit. You are responsible what happens from that IP.

Sorry but the last statement is wrong in many jurisdictions:
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines#Legal

For Germany, see TMG §8 and §15.

-- 
Lunar 




Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Ch'Gans

On 14/05/14 22:22, Jeroen Massar wrote:

Hi Jeroen,

Thanks for your comments

> On 2014-05-14 12:08, Ch'Gans wrote:
>> Hi all,
>>
>> Since 3 weeks, I'm running a TOR exit node [1] on a server I rent from
>> Hetzner (A German hosting company), after reading about using Hetzner to
>> run a TOR node,
>
> Did you read the comments about Hetzner here:
> https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs

Yes, I did. And it's neither all-white nor all-black, so I decided i
would give it a go, in restricted mode w/ finger crossed.

Update: OK, maybe... After reading again and again, it's more a
deep-dark-grey than a white,

> ?
>
>> I decided to go for the "restricted" mode to avoid any
>> stupid copywrong issue (That is, I allowed only a limited set of ports,
>> which sadly excludes p2p).
>
> What is bad about excluding p2p? People who do p2p are causing huge
> performance bottlenecks for normal Tor users. People who want to do p2p
> should use their p2p network for solving their illegality bypass issues.
>
>> Everything went well so far, until today. Someone, let's call this
>> person/group "A", reported an abuse to Hetzner. A TOR User, "B", is
>> spamming chat/forums with vociferous insults and disrespectful messages,
>> I got a copy of few of them and the insults from B are as bad as the
>> ideas defended by A, but I'm not here to judge anyone...
>>
>> From A's timezone, it happened from the 9th of May, 8:20PM to the 10th
>> of May, 2:30 AM. Given the nature of the TOR network, I assumed that it
>> is very unlikely that stupid-B will use my server's IP to insult
>> stupid-A any time soon... or is it?
>
> They can just pick another exit. Hence why DNSEL exists, so that the
> operator of the site can chose to block accounts from signing up through
> Tor.
>
>> Now, I have to report to Hetzner, I will tell them that I'm running a
>> TOR exit node in "restricted" mode, but how can I defend myself, I am
>> not sure that my "restricted node" and "given the nature of the TOR
>> network" arguments will convinced them the Hetzner dudes.
>
> You cannot "defend" yourself. There is no way for anybody to be able to
> claim that it was you, not you, or somebody else. That is the bad thing
> about an exit. You are responsible what happens from that IP.

I agree, it's just that I thought I could convince them I'm not a bad
guy, and so they should "let me go", this was before I read your next point:

>> Could anyone gives advice, feedback or stories on how to deal with this
>> situation?
>
> See above. Hetzner typically does not allow Tor exits. Too much hassle
> for their abuse apartment and they are a budget hoster and abuse costs
> money thus you are cutting in on their bottom line: cash.

Good point, can't blame them for that. I will make something up and see
how it goes. Worst case I'll be banned, which is OK for me.

Chris

> Greets,
>   Jeroen


--
QtCreator/qmakeparser.cpp:42
// Parser ///
#define fL1S(s) QString::fromLatin1(s)
namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...


Re: [tor-relays] How to handle an abuse report

2014-05-14 Thread Jeroen Massar
On 2014-05-14 12:08, Ch'Gans wrote:
> Hi all,
> 
> Since 3 weeks, I'm running a TOR exit node [1] on a server I rent from
> Hetzner (A German hosting company), after reading about using Hetzner to
> run a TOR node,

Did you read the comments about Hetzner here:
https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs

?

> I decided to go for the "restricted" mode to avoid any
> stupid copywrong issue (That is, I allowed only a limited set of ports,
> which sadly excludes p2p).

What is bad about excluding p2p? People who do p2p are causing huge
performance bottlenecks for normal Tor users. People who want to do p2p
should use their p2p network for solving their illegality bypass issues.

> Everything went well so far, until today. Someone, let's call this
> person/group "A", reported an abuse to Hetzner. A TOR User, "B", is
> spamming chat/forums with vociferous insults and disrespectful messages,
> I got a copy of few of them and the insults from B are as bad as the
> ideas defended by A, but I'm not here to judge anyone...
> 
> From A's timezone, it happened from the 9th of May, 8:20PM to the 10th
> of May, 2:30 AM. Given the nature of the TOR network, I assumed that it
> is very unlikely that stupid-B will use my server's IP to insult
> stupid-A any time soon... or is it?

They can just pick another exit. Hence why DNSEL exists, so that the
operator of the site can choose to block accounts from signing up through
Tor.

> Now, I have to report to Hetzner, I will tell them that I'm running a
> TOR exit node in "restricted" mode, but how can I defend myself, I am
> not sure that my "restricted node" and "given the nature of the TOR
> network" arguments will convince the Hetzner dudes.

You cannot "defend" yourself. There is no way for anybody to be able to
claim that it was you, not you, or somebody else. That is the bad thing
about an exit. You are responsible for what happens from that IP.

> Could anyone give advice, feedback or stories on how to deal with this
> situation?

See above. Hetzner typically does not allow Tor exits. Too much hassle
for their abuse department and they are a budget hoster and abuse costs
money thus you are cutting in on their bottom line: cash.

Greets,
 Jeroen
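
The DNSEL use described in this thread (a site operator refusing sign-ups that arrive through Tor exits while still letting existing accounts log in), as an added example that is not part of any poster's message and not Tor Project code. The zone name `dnsel.torproject.org`, the `127.0.0.2` "listed" answer and all function names are not given in the thread and are assumptions here; the sample addresses are constructed documentation addresses.

```python
import ipaddress
import socket

# Not given in the thread: zone name and "listed" answer of the Tor DNS exit list.
DNSEL_ZONE = "dnsel.torproject.org"
LISTED_ANSWER = "127.0.0.2"


def dnsel_name(client_ip, zone=DNSEL_ZONE):
    """Build the DNSBL-style query name: reversed IPv4 octets + zone."""
    ip = ipaddress.ip_address(client_ip)  # raises ValueError on garbage input
    if ip.version != 4:
        raise ValueError("this sketch only handles IPv4 clients")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def system_resolver(name):
    """Return the set of A records for name; empty set if the lookup fails.

    Any resolver error counts as "not listed" (fail open), so a DNS outage
    does not lock ordinary users out of registration.
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_tor_exit(client_ip, resolver=system_resolver):
    return LISTED_ANSWER in resolver(dnsel_name(client_ip))


def allow(action, client_ip, resolver=system_resolver):
    """Refuse only new registrations from exits; existing accounts may log in."""
    if action == "register":
        return not is_tor_exit(client_ip, resolver)
    return True


def fake_resolver(name):
    """Constructed stand-in for DNS: lists 203.0.113.7 as an exit."""
    listed = {"7.113.0.203.dnsel.torproject.org"}
    return {LISTED_ANSWER} if name in listed else set()


if __name__ == "__main__":
    for action, ip in [("register", "203.0.113.7"), ("login", "203.0.113.7"),
                       ("register", "198.51.100.9")]:
        print(action, ip, "->", allow(action, ip, fake_resolver))
```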



Re: [tor-relays] Ops request: Deploy OpenVPN terminators

2014-05-14 Thread Jeroen Massar
On 2014-05-14 03:58, grarpamp wrote:
> On Tue, May 13, 2014 at 8:40 PM, Andy Isaacson  wrote:
>> Anecdotally, the GFW blocks OpenVPN endpoints as well.
> 
> You need to specify context... access *to* ovpn nodes?, which
> is moot because that is not the deployment specified here in
> diagram...

That was not the setup you described originally. The diagram that you
included makes your intentions much clearer.

Please note that you are not solving anything for most Tor users. They
get blocked from _accessing_ the Tor network, not from getting out of it.

[..]
> It's about enabling quite some other users other means to get
> around silly ip based blocklists derived from the consensus, the
> tor dns query thing, or poor management models by the site the user
> wishes to access, etc.

As I noted, 'getting out', or better 'who allows Tor nodes to connect to
their sites' is a decision to be made by those operators.

Trying to circumvent that will just cause more blockage there, noting it
is much easier to do so for such an operator and in their full right (if
you like it or not).



> We provide tor exits

Who is "we" here? I am fairly confident you do not speak for any kind of
majority of exit node operators. Note that most exit nodes have a port
and network blocks themselves to avoid them from being abused.

> exact so users can get around stuff

What site is it again that you are trying to circumvent?

Did you list it on:
 https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor

or is it some private thing you are banned from?

> so adding in an ovpn on a spare ip is no philosophical difference there.

There is a HUGE difference. As noted above, most exits have a block list
for address space and ports. You would have to do the same for openvpn,
next to that, as that is not integrated into Tor, tor cannot make a
decision about when something is being blocked and thus choose another
'exit'.

> Yes, it is a fuck you to old way
> of playing nice by saying "here's all our public nodes, block us",

You clearly do not understand why the DNSEL is published. Please read up
on it.

> and it might cost $few more a month for the ip, and eat some
> cpu on localhost, but that's about it. If it helps some users
> it's worth doing, to each operators own desire.

OpenVPN, especially in crypted mode, requires quite a lot more CPU power
on the nodes running OpenVPN node.

Next to that, due to the overhead of IP over OpenVPN-TCP which then goes
over Tor, your performance will be really bad.

You do not need OpenVPN to solve a 'different exit than published', the
exit operator can just randomly forward/NAT outbound packets over
different IPs.


> Same goes for binding/routing your tor exit out a different ip
> than your OR ip. Except that using OpenVPN can permit
> other protocols for help of user than only TCP.

Which is likely the real requirement you have. Do you want to do gaming,
or is it torrenting you want to do? Or... even worse: the ability to
send raw packets?

Greets,
 Jeroen




Re: [tor-relays] Remove From LIST

2014-05-14 Thread Sven Reissmann
Actually, there is a great description on "How to unsubscribe from a
mailman mailinglist" available. Maybe link this in the footer section.

http://article.gmane.org/gmane.network.opennms.general/7202

Regards, Sven.

-- 
PGP Key: https://0x80.io/pub/files/key.asc
PGP Key Fingerprint: 2DF2 79CD 48DD 4D38 F0B6  7557 2E68 D557 49AA 1D99

Note: I'll be transitioning away from this key in the near future.

On 05/14/2014 04:17 AM, krishna e bera wrote:
> On 14-05-13 07:34 PM, Eric Giannini wrote:
>> Hi Tor,
>> Please remove my email from the lists.torproject.org
>> Eric
>>
>>
>> ___
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
> 
> Please consider adding a phrase such as
> 
> "To remove yourself from the list or see archives, visit the below link:"
> 
> just above the url.
> 
> 





Re: [tor-relays] Ops request: Deploy OpenVPN terminators

2014-05-14 Thread Jeroen Massar
On 2014-05-14 01:54, grarpamp wrote:
> On Tue, May 13, 2014 at 5:48 PM, Jeroen Massar  wrote:
>> Thank you for suggesting the GFW folks now scan and/or directly block
>> these IP addresses too.
> 
> The gfw is going to do what the gfw does. And many times that is
> dedicated to blocking access to tor, not access from tor, obviously,
> as once you have access, the exit is out of reach of gfw.

They do not care about solely Tor, that is just one of many many things
they block to restrict the majority of people from accessing 'free'
(ahem) content.

> If you don't want to be blocked by gfw, don't run this
> openvpn extension service on your node/ip.

If GFW can detect it, any other adversary can do so too.

As you are not defending against GFW, which adversary do you have in
mind? What is the problem you are running into?

>> You are mixing the difference between an operator of a site selecting
>> who their viewers are and a man-in-the-middle selecting that for both
>> the user and the server. Don't mix those up.
> 
> No I'm not. I'm combining them.

Hence, you are mixing them.

> Whether site op blocks an
> IP in its Apache/ipfw or subscribes to a service to do the
> same is immaterial to this countermeasure of ours.

Define "ours".

The Tor Project provides various ways to be able to detect a Tor-exit,
eg: https://www.torproject.org/projects/tordnsel.html.en

This service is there so that operators of sites can decide if they want
to serve anonymous users or not.

Note that that is there to reduce the amount of abuse, and thus the
global and full blocking of Tor. Typically an operator will only block
registration through Tor, while allowing logins through Tor.

> We see them blocking legit users who complain about it,

Who is "We"? Which users complain, and about what exactly?

> so we act to allow them alternative access.

You seem to want to attempt avoiding blocks of a server, not that you
want to be anonymous, or have an operator-in-the-middle blocking you from a
site that wants you as a user. By trying to avoid blocks that way, you
will only give a bad name to Tor and other similar projects.

> They can then move to account
> based and other finer grained user management models.

Sites (eg wikipedia) that use TorDNSEL and similar constructs typically
allow registration from a non-anonymized address, while allowing logins
quite fine from them.


> It is no different than us deploying tor network to give users
> ability to avoid blocks in first place. It is simply evolution
> of making such tools available to users.

You are trying to defy policy of a site... not bypassing a bad operator.

> You don't have to run described openvpn extension if you
> don't want.

I don't think anybody will. There are too many ways to abuse that setup
and more importantly, too easy to detect.

>> I am pretty-much-completely pro-Tor as there are good uses, but for
>> controlling who logs in and who abuses you, Tor is a bad thing as you
>> don't know what the source is. As an operator of a (server) site, being
>> able to say "sorry, we do not accept connections from Tor" is a good
>> thing, as there are situations where that is needed.
> 
> You just stated "[users] who 'log in' to sites", therefore you already
> have the tools you need... block the abusive account. Tor has nothing
> to do with it.

Tor and other "open proxies" have a lot to do with abusive users.
Typically they come hand in hand.

There are good users, and there are bad ones. Depending on how your user
base works and how much time one wants to spend, you might not want to
keep on banning the people who are obviously trying to hide.

There is a list of these kind of services here:
 https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor

Attempting to bypass those restrictions will only cause them to block
that method too, and IMHO with good reason.

>>> Yes, blocklists could try the 'one IP up/down' scan method and list
>>> this project of ours too
>>
>> As it can be done automatically, it is not "more work" for them.
> 
> I beg to you that it will be substantial work such certain subsets
> of them will not engage in it. Furthermore, they are bound to
> certain legalities which may prevent them from doing such
> scanning/testing. Either way, it is an advance of the art on
> our part.

Haha, yeah China and legalities so yes, obviously you are NOT trying
to circumvent entity like the GFW.

Thus what are you trying to circumvent?

> You do not need to participate if you do not wish.
> 
>> And actually, they are likely already scanning every IP in the /24 where
> 
> No, what would they [gfw] scan for if they already have the
> consensus. And we are not talking bridges here, they can already
> poll for those. This scanning /24 topic is all moot, might as well
> scan for open 8080, etc. Again we are not talking about gfw or access
> to tor.

You totally avoided to state in your message that all you are about is
circumventing a sites blo

[tor-relays] How to handle an abuse report

2014-05-14 Thread Ch'Gans

Hi all,

Since 3 weeks, I'm running a TOR exit node [1] on a server I rent from 
Hetzner (A German hosting company), after reading about using Hetzner to 
run a TOR node, I decided to go for the "restricted" mode to avoid any 
stupid copywrong issue (That is, I allowed only a limited set of ports, 
which sadly excludes p2p).


Everything went well so far, until today. Someone, let's call this 
person/group "A", reported an abuse to Hetzner. A TOR User, "B", is 
spamming chat/forums with vociferous insults and disrespectful messages, 
I got a copy of few of them and the insults from B are as bad as the 
ideas defended by A, but I'm not here to judge anyone...


From A's timezone, it happened from the 9th of May, 8:20PM to the 10th 
of May, 2:30 AM. Given the nature of the TOR network, I assumed that it 
is very unlikely that stupid-B will use my server's IP to insult 
stupid-A any time soon... or is it?


Now, I have to report to Hetzner, I will tell them that I'm running a 
TOR exit node in "restricted" mode, but how can I defend myself, I am 
not sure that my "restricted node" and "given the nature of the TOR 
network" arguments will convince the Hetzner dudes.


Could anyone give advice, feedback or stories on how to deal with this
situation?


Best regards,
Chris

[1] 
https://atlas.torproject.org/#details/18B6EBAF10814335242ECA5705A04AAD29774078


--
QtCreator/qmakeparser.cpp:42
// Parser ///
#define fL1S(s) QString::fromLatin1(s)
namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...