[tor-relays] UK Exit Node
Any tips for UK Exit Node operators on a Residential ISP (BT)?

Running a reduced exit policy, informed various teams at the ISP, running PeerGuardian on the server in question (blocking P2P/kiddyporn/hacking related IPs), have a hostname setup tor-relay.itschip.com, planning to leave the thing running 24/7.

So far, it's been live on and off (ironing out issues) for the past few days and it's transferred well in excess of 300GB already. Looks like I'm one of the fastest Exit Nodes in the UK c:

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] UK Exit Node
On 2014-07-06 07:06, Michael Banks wrote:
> Any tips for UK Exit Node operators on a Residential ISP (BT)?

I would be EXTREMELY careful in running an exit on a residential location. There is no way for you to prove that it was not you causing that connection but the Tor process causing that connection and thus some 'other' user.

The UK government has all kinds of regulations/systems in place to protect children and to enforce copyright laws. They are also known to index/analyze all traffic.

You might want to consider changing that into a relay instead as then you at least are not reaching out to a scary host (unless it also runs Tor).

Also:

150.57.130.86.in-addr.arpa PTR host86-130-57-150.range86-130.btcentralplus.com.

As such, it looks just like any other link, it has no relation to tor-relay.itschip.com at all. Except for folks with access to dnsdb, which law enforcement typically does have, but as DNS is not used in Tor, it is all irrelevant.

Greets,
Jeroen
Re: [tor-relays] UK Exit Node
Advice taken.
I was debating to switch over to relay-only or not. I must note, the Tor node is on its own address, under a residential contract.

I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node.

I have tor-relay.itschip.com set in torrc.. guess I have to fiddle with more things? Anyone with Debian experience who can help in that field?

On 06/07/2014 07:24, Jeroen Massar wrote:
> On 2014-07-06 07:06, Michael Banks wrote:
>> Any tips for UK Exit Node operators on a Residential ISP (BT)?
>
> I would be EXTREMELY careful in running an exit on a residential location. There is no way for you to prove that it was not you causing that connection but the Tor process causing that connection and thus some 'other' user.
>
> The UK government has all kinds of regulations/systems in place to protect children and to enforce copyright laws. They are also known to index/analyze all traffic.
>
> You might want to consider changing that into a relay instead as then you at least are not reaching out to a scary host (unless it also runs Tor).
>
> Also:
>
> 150.57.130.86.in-addr.arpa PTR host86-130-57-150.range86-130.btcentralplus.com.
>
> As such, it looks just like any other link, it has no relation to tor-relay.itschip.com at all. Except for folks with access to dnsdb, which law enforcement typically does have, but as DNS is not used in Tor, it is all irrelevant.
>
> Greets,
> Jeroen
Re: [tor-relays] UK Exit Node
The block lists are very limited, i.e. P2P, lists of known blackhats/paedophiles, unallocated IP ranges and most importantly: government-owned address and anti-tor addresses

Original Message
From: Sanjeev Gupta
Sent: Sunday, 6 July 2014 08:36
To: tor-relays@lists.torproject.org
Reply To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] UK Exit Node

On Sun, Jul 6, 2014 at 3:14 PM, Michael Banks c...@starbs.net wrote:
> I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node.

If you are using PeerGuardian to filter Tor traffic, that is sub-optimal. The main reason that many people use Tor is precisely that their traffic is filtered, and blocking "malicious IPs". Substituting your judgements for those of their Govt might be an improvement, or not.

As Tor has no way of knowing what you will block, traffic via your node will fail, but circuits will continue being created.

--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
Re: [tor-relays] UK Exit Node
On Sun, Jul 6, 2014 at 3:14 PM, Michael Banks c...@starbs.net wrote:
> I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node.

If you are using PeerGuardian to filter Tor traffic, that is sub-optimal. The main reason that many people use Tor is precisely that their traffic is filtered, and blocking malicious IPs. Substituting your judgements for those of their Govt might be an improvement, or not.

As Tor has no way of knowing what you will block, traffic via your node will fail, but circuits will continue being created.

--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
Re: [tor-relays] UK Exit Node
On 2014-07-06 09:14, Michael Banks wrote:
> Advice taken.
> I was debating to switch over to relay-only or not. I must note, the Tor node is on its own address, under a residential contract.

Does not matter. You cannot prove that you did not route your connection over it or that it was or was not Tor.

This is also why folks doing exit (and even relay) nodes use dedicated hosting: abuse does not cut off your home Internet link and there is a limited form of deniability (though that did not help for that Austrian guy it seems, then again he did a lot of other odd stuff too which probably did not help his case much... full facts are never known).

> I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node.

If you have a relay you will very unlikely be contacting anything on that 'list', at least through Tor.

How exactly does PeerGuardian work? (seems there are a number of tools called that way and the first hit on google is unmaintained)

Does it use a downloaded list, an RBL or something else? As when it is a list they are giving you the set of locations that are 'interesting' to peek at, when it is a RBL, they know who you are contacting. Unless a hash of some kind is involved you are likely giving away details or they are losing the details.

> I have tor-relay.itschip.com set in torrc.. guess I have to fiddle with more things? Anyone with Debian experience who can help in that field?

Reverse DNS has little to do with the operating system, you'll have to ask your ISP to set that for you (who, if they allow then might inform you of a tool/protocol to use to do so).

Typically though, for residential connections reverse DNS cannot be changed.

Greets,
Jeroen
Re: [tor-relays] UK Exit Node
On Sun, 06 Jul 2014 06:06:35 +0100 Michael Banks c...@starbs.net wrote:
> running PeerGuardian on the server in question (blocking P2P/kiddyporn/hacking related IPs)

Thanks for notifying everyone, I hope your BadExit flag is already on its way.

--
With respect,
Roman
Re: [tor-relays] UK Exit Node
On 07/06/2014 09:39 AM, Michael Banks wrote:
> The block lists are very limited, i.e. P2P, lists of known blackhats/paedophiles, unallocated IP ranges and most importantly: government-owned address and anti-tor addresses

Please do not run PeerGuardian or any other blacklist. These lists are part of the problem, and in no way a solution. As stated earlier in this thread, it will break stuff. These lists are never up to date and always contain false information. It is your exit, you can indeed block IPs, but please do it on the level of ExitPolicy.

In your world maybe government-owned addresses are a bad thing. For me and many other Tor users certainly not.

You're free to run an exit on a residential line, but I doubt that your ISP will like the abuse complaints. You will likely get kicked off your contract sooner or later. Also, a residential ISP will not forward abuse complaints or even tell you about them, so there is no way for you to explain yourself.

--
Moritz Bartl
https://www.torservers.net/
Re: [tor-relays] Relay not making connections.
On 07/05/2014 08:09 PM, Lluís wrote:
> After reading the documentation and related FAQs I got my TOR relay installed and configured.
>
> It is listed in Atlas with the running, V2Dir and valid flags for more than 5 days.
>
> However, it receives almost no connections and the following notice appears frequently in the logs:
>
> [notice] No circuits are opened. Relaxed timeout for circuit 1331 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 6ms. However, it appears the circuit has timed out anyway. 6 guards are live. [7 similar message(s) suppressed in last 3600 seconds]

What bandwidth rate did you set? Mind sharing the fingerprint?

It can take a while for relays to attract more traffic, be patient.

--
Moritz Bartl
https://www.torservers.net/
Re: [tor-relays] Relay not making connections.
Of Course I can, the fingerprint is:

Ione B827D00F6ED51B9397CA397E91D431E8 F60C67E4

My bandwidth rate is: 250 KBytes/s

Thank You,
Lluís

On 07/06/2014 02:46 PM, Moritz Bartl wrote:
> On 07/05/2014 08:09 PM, Lluís wrote:
>> After reading the documentation and related FAQs I got my TOR relay installed and configured.
>>
>> It is listed in Atlas with the running, V2Dir and valid flags for more than 5 days.
>>
>> However, it receives almost no connections and the following notice appears frequently in the logs:
>>
>> [notice] No circuits are opened. Relaxed timeout for circuit 1331 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 6ms. However, it appears the circuit has timed out anyway. 6 guards are live. [7 similar message(s) suppressed in last 3600 seconds]
>
> What bandwidth rate did you set? Mind sharing the fingerprint?
>
> It can take a while for relays to attract more traffic, be patient.
Re: [tor-relays] Trying Trusted Tor Traceroutes
Hi Sebestian,

> Just a quick update regarding the project. There are multiple GB's of data to analyse and it is still being worked on. We are also working on the public script(s) as well.

is your project still on-going? I'm asking because your score board was not updated since May (except one test(?) upload in the phase foo-foo) and though the repository updates are interesting (dynamic download of relay ips) they were never approved for usage according to your installation notes.

Renke
Re: [tor-relays] UK Exit Node
In effect, as Moritz said (and Roman also tried to say) it's necessary for navigation over Tor, that every Exit Possibility/Restriction is listed in your Exit Policy. If your Exit Node is not going to connect to a given website, it's fine, but the Tor Client has to know it, in order to automatically choose another Exit to reach the destination.

For Tor Exit Node on a residential DSL line, because I love challenges, I've done this in the past, from August 2013 to end of December 2013, with unlimited exit policy ;) on a Raspberry Pi. Maybe I was lucky but apart from 1 copyright infringement (French Hadopi the second week), I never had any problem, and in such case the situation is not very complicated to handle (you simply explain).

If you're like me you will have no problem thinking that your Internet connexion has a great chance of being looked at by your ISP and/or a bigger institution: it's part of the challenge, and a challenge is interesting when almost no one is plucky enough to do what you're going to do ;)

In order to get your participation to last a long time, it's useful to run your node on a dedicated machine, while you can focus on your hobbies and use your computer/desktop as before.

Best regards,
Julien ROBIN

- Original mail -
From: Moritz Bartl mor...@torservers.net
To: tor-relays@lists.torproject.org
Sent: Sunday 6 July 2014 14:41:23
Subject: Re: [tor-relays] UK Exit Node

On 07/06/2014 09:39 AM, Michael Banks wrote:
> The block lists are very limited, i.e. P2P, lists of known blackhats/paedophiles, unallocated IP ranges and most importantly: government-owned address and anti-tor addresses

Please do not run PeerGuardian or any other blacklist. These lists are part of the problem, and in no way a solution. As stated earlier in this thread, it will break stuff. These lists are never up to date and always contain false information. It is your exit, you can indeed block IPs, but please do it on the level of ExitPolicy.

In your world maybe government-owned addresses are a bad thing. For me and many other Tor users certainly not.

You're free to run an exit on a residential line, but I doubt that your ISP will like the abuse complaints. You will likely get kicked off your contract sooner or later. Also, a residential ISP will not forward abuse complaints or even tell you about them, so there is no way for you to explain yourself.

--
Moritz Bartl
https://www.torservers.net/
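Added example (not written by anyone in this thread, and not Tor's own code): a simplified Python model of the point made above, that a rejection listed in the exit policy lets a client avoid the exit, while a blocklist applied outside Tor leaves the exit looking usable and the stream simply fails. The `Exit` class, the exit names and the 203.0.113.0/24 range are constructed for illustration; rules are evaluated first-match, and no match means accept.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    accept: bool
    network: ipaddress.IPv4Network
    ports: range

def parse_rule(line):
    """Parse 'accept|reject ADDR[/BITS]:PORT'. ADDR and PORT may be '*'; PORT may be 'LO-HI'."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in {line!r}")
    addr, _, port = pattern.rpartition(":")
    network = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    else:
        lo, _, hi = port.partition("-")
        lo, hi = int(lo), int(hi or lo)
    return Rule(action == "accept", network, range(lo, hi + 1))

def build(lines):
    return [parse_rule(line) for line in lines]

def policy_allows(rules, ip, port):
    """First matching rule decides; if nothing matches the destination is accepted."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if addr in rule.network and port in rule.ports:
            return rule.accept
    return True

@dataclass
class Exit:
    name: str
    policy: list                                   # published: clients can evaluate it
    firewall: list = field(default_factory=list)   # local blocklist: nobody else sees it

    def connect(self, ip, port):
        if not policy_allows(self.policy, ip, port):
            return "refused: exit policy"
        if any(ipaddress.ip_address(ip) in net for net in self.firewall):
            return "failed: dropped by local filter"
        return "connected"

def candidate_exits(exits, ip, port):
    """What a client can work out from published policies alone."""
    return [e.name for e in exits if policy_allows(e.policy, ip, port)]

BLOCKED = "203.0.113.0/24"  # constructed: documentation range standing in for a blocklist entry

EXITS = [
    # Same block, expressed where Tor can see it (torrc: ExitPolicy reject 203.0.113.0/24:*)
    Exit("policy-exit", build([f"reject {BLOCKED}:*", "accept *:80", "accept *:443", "reject *:*"])),
    # Same block, applied by a packet filter next to Tor and never announced
    Exit("filter-exit", build(["accept *:80", "accept *:443", "reject *:*"]),
         firewall=[ipaddress.ip_network(BLOCKED)]),
]

def demo():
    dest = ("203.0.113.10", 443)
    chosen = candidate_exits(EXITS, *dest)
    outcome = {e.name: e.connect(*dest) for e in EXITS if e.name in chosen}
    return chosen, outcome

if __name__ == "__main__":
    print(demo())
```

The client correctly skips `policy-exit` for the blocked destination, but still selects `filter-exit`, where the connection is silently dropped.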
Re: [tor-relays] UK Exit Node
Node's on a dedicated machine, I have a couple of RasPis kicking about, might spin up nodes on them too.

~Chip

On 06/07/2014 14:48, Julien ROBIN wrote:
> In effect, as Moritz said (and Roman also tried to say) it's necessary for navigation over Tor, that every Exit Possibility/Restriction is listed in your Exit Policy. If your Exit Node is not going to connect to a given website, it's fine, but the Tor Client has to know it, in order to automatically choose another Exit to reach the destination.
>
> For Tor Exit Node on a residential DSL line, because I love challenges, I've done this in the past, from August 2013 to end of December 2013, with unlimited exit policy ;) on a Raspberry Pi. Maybe I was lucky but apart from 1 copyright infringement (French Hadopi the second week), I never had any problem, and in such case the situation is not very complicated to handle (you simply explain).
>
> If you're like me you will have no problem thinking that your Internet connexion has a great chance of being looked at by your ISP and/or a bigger institution: it's part of the challenge, and a challenge is interesting when almost no one is plucky enough to do what you're going to do ;)
>
> In order to get your participation to last a long time, it's useful to run your node on a dedicated machine, while you can focus on your hobbies and use your computer/desktop as before.
>
> Best regards,
> Julien ROBIN
>
> - Original mail -
> From: Moritz Bartl mor...@torservers.net
> To: tor-relays@lists.torproject.org
> Sent: Sunday 6 July 2014 14:41:23
> Subject: Re: [tor-relays] UK Exit Node
>
> On 07/06/2014 09:39 AM, Michael Banks wrote:
>> The block lists are very limited, i.e. P2P, lists of known blackhats/paedophiles, unallocated IP ranges and most importantly: government-owned address and anti-tor addresses
>
> Please do not run PeerGuardian or any other blacklist. These lists are part of the problem, and in no way a solution. As stated earlier in this thread, it will break stuff. These lists are never up to date and always contain false information. It is your exit, you can indeed block IPs, but please do it on the level of ExitPolicy.
>
> In your world maybe government-owned addresses are a bad thing. For me and many other Tor users certainly not.
>
> You're free to run an exit on a residential line, but I doubt that your ISP will like the abuse complaints. You will likely get kicked off your contract sooner or later. Also, a residential ISP will not forward abuse complaints or even tell you about them, so there is no way for you to explain yourself.
Re: [tor-relays] UK Exit Node
It's a relay node now, so it should be fine, we'll see what happens.

Google 'pglcmd debian' - I've removed most of the lists. It's essentially now only blocking known paedophiles/child porn related IPs - funnily enough, it's blocked quite a few connections to those known addresses.

The broadband security team at my ISP is sorting the DNS records out. They even offered a SWIP.

~Chip

On 06/07/2014 10:28, Jeroen Massar wrote:
> On 2014-07-06 09:14, Michael Banks wrote:
>> Advice taken.
>> I was debating to switch over to relay-only or not. I must note, the Tor node is on its own address, under a residential contract.
>
> Does not matter. You cannot prove that you did not route your connection over it or that it was or was not Tor.
>
> This is also why folks doing exit (and even relay) nodes use dedicated hosting: abuse does not cut off your home Internet link and there is a limited form of deniability (though that did not help for that Austrian guy it seems, then again he did a lot of other odd stuff too which probably did not help his case much... full facts are never known).
>
>> I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node.
>
> If you have a relay you will very unlikely be contacting anything on that 'list', at least through Tor.
>
> How exactly does PeerGuardian work? (seems there are a number of tools called that way and the first hit on google is unmaintained)
>
> Does it use a downloaded list, an RBL or something else? As when it is a list they are giving you the set of locations that are 'interesting' to peek at, when it is a RBL, they know who you are contacting. Unless a hash of some kind is involved you are likely giving away details or they are losing the details.
>
>> I have tor-relay.itschip.com set in torrc.. guess I have to fiddle with more things? Anyone with Debian experience who can help in that field?
>
> Reverse DNS has little to do with the operating system, you'll have to ask your ISP to set that for you (who, if they allow then might inform you of a tool/protocol to use to do so).
>
> Typically though, for residential connections reverse DNS cannot be changed.
>
> Greets,
> Jeroen
Re: [tor-relays] UK Exit Node
Michael,

First of all thank you for running an exit. I run a large series of exits in the Netherlands (https://globe.torproject.org/#/search/query=Chandlerfilters[country]=nl) and I am a UK citizen. Having experienced many troubles, including server seizures, I decided to move the servers to a jurisdiction I am not living in or plan on living in as if there is legal trouble, you want to put up as many layers of protection as you can. That means even if my node in NL is seized and I could face a conviction (theoretically), because it is not illegal in the UK there is nothing that the government can do to force me over there under the concept of dual-criminality.

Furthermore, running a Tor exit at a residential address is a very, very bad idea. I speak from experience here after encountering UK police already and their version of knock and greet is at 4am with the door taken off when they don't realise it is an exit node. You want to separate your traffic from that of your exits wherever possible because assuming you were asked in court if you ever used your own exit, it would be conceivable that ANY traffic from that exit server COULD have been yours if you've used or were on the same IP as it. This is of course not the case if you don't use the same IP/residence for your personal traffic.

Also, on the topic of blacklisting IPs I find it a bad idea both morally and legally. Most believe morals would dictate blocking child porn/peer to peer is a good act, but this is the same guise governments have used to overextend their reach and so I don't block any traffic regardless of how questionable it is. The second reason is because of your legal liability in the UK as my solicitor has advised me; by blocking one set of IP's you are then accepting control to filter and moderate the traffic of your servers and therefore you don't have the same (full set of) safe-harbor provisions protecting you. It then becomes a trivial matter for law enforcement to come to you and order you block more sites without a court order.

So overall, freedom of speech and the right to read are inherently against the idea of blocking content merely because the overwhelming majority of people believe it should be blocked. Freedom isn't free if it isn't totally free.

-Tom

On 06/07/2014 08:51, Sanjeev Gupta wrote:
> On Sun, Jul 6, 2014 at 3:39 PM, Michael Banks c...@starbs.net wrote:
>> The block lists are very limited, i.e. P2P, lists of known blackhats/paedophiles, unallocated IP ranges and most importantly: government-owned address and anti-tor addresses
>
> True, and I agree with your definition of malicious. My concern is that it is not either my place, or yours, to define what is good or bad for the Random User to visit, _IF_ we are offering a Tor relay.
>
> Our intentions in using this list, in particular, are not relevant. After all, the Govt of China also claims to be shielding its users from known bad guys. We are against such censorship, so why should we add our own blocks, without warning, without any way for the user to even know we have such a block?
Re: [tor-relays] Trying Trusted Tor Traceroutes
Dear Renke,
Dear list-members,

Yes, the project is alive. Thank you for asking and for your ongoing support.

Yes the repo was updated but it is not ready for review yet. We are making changes for the next traceroute round and will ask for testing / testers as soon as it is ready. A reverse traceroute is also being worked on and we had people at the last tor-dev meeting as well who are trying to figure out what step to do next.

Regarding your comment on Dynamic download of relay IPs. It's just downloading the current list of relay IPs instead of using a static list. I don't see any harm in that as one of the participants in the past pointed out to use the latest IPs anyway.

There's a lot of work to do with limited human resources, please stay tuned. We will be back ;-)

> Hi Sebestian,
>
>> Just a quick update regarding the project. There are multiple GB's of data to analyse and it is still being worked on. We are also working on the public script(s) as well.
>
> is your project still on-going? I'm asking because your score board was not updated since May (except one test(?) upload in the phase foo-foo) and though the repository updates are interesting (dynamic download of relay ips) they were never approved for usage according to your installation notes.
>
> Renke
[tor-relays] Reliable way to gauge tor throttling?
What would be a good method to determine if tor traffic is being throttled on an exit relay vs normal internet traffic?

-J