Re: [tor-relays] [tor-dev] Hidden service policies

2014-07-21 Thread Scott Bennett
Thomas White  wrote:

> > Sorry, wrong answer.  If you block connections from other relays, 
> > you break the tor network.  I don't recall offhand whether that
> > sort of breakage might earn your relay either an Invalid flag or
> > being simply dropped from the consensus.
>
> For a single relay to my knowledge, it shouldn't do. There are many
> reasons some relays can't connect to each other so it doesn't "break"
> Tor as an alternative route is simply found.
>
 Yes, tor, like many other Internet operations, has some ability to
route around breakage in its network.  However, each time it is necessary
to find a way around it, a cost to the network is incurred in the form
of wasted processing time over many pieces of equipment, wasted traffic,
and likely wasted end-user time.
>
> > Are you suggesting that the mobbing attacks on HSDIR relays are the
> > actions of botnets?  If so, then you are suggesting that the
> > problem of mobbing of HSDIR relays is probably insoluble because it
> > would not be the symptom of a bug in tor. :-(
>
> The question is botnet CnC's, the proposal has nothing to do with
> solving the botnet CnC problem and I am also stating Tor is not the
> one who needs to tackle them right at this moment, the budget and

 Agreed.

> resources are just not there. However creating a system where
> operators start blacklisting hidden services is extremely bad for
> anonymity both for the hidden service and the user.
>
 Also agreed.
 I was referring to the as yet unsolved problem of HSDIR mobbing,
which I have long thought was due to a bug somewhere in tor, just as
there used to be a problem with DirPort mobbing.  The DirPort mobbing
bug was eventually found and fixed a long time ago, but the HSDIR
mobbing still hasn't been.  But now you have given me the idea that
perhaps HSDIR mobbing is actually due to other software applying a
malicious attack upon tor relays that have the HSDIR flag.  IOW, I
wasn't arguing with you, just commenting about this other problem in
light of what you had written.

> To answer the rest of your question, I am not a developer. I am
> somebody who cares about anonymity and that is why I run the 2nd
> largest server cluster on the Tor network from my own pocket.
> Filtering or proposing to blacklist anything is not acceptable in my
> view. Whatever solutions individuals care to launch to protect their
> relay is their own responsibility, but actively developing something
> by the core developers to blacklist hidden service is a completely
> despicable idea. To elaborate only on the legal side of things, if I
> can easily block hidden services passing through my relays or if I am
> the RV point for one the government can then serve me a notice

 AFAICT, the introduction point and the rendez-vous point are about
the only places you might be able to block them, though by doing so, you
would again be introducing a form of breakage.  If your relay were at
any other points in the hidden service protocol, you wouldn't have any
way of distinguishing it from any other middle node along a tor circuit.
But I would need to reread the protocol specification in detail again
to see whether you could actually deny service even at the invitation and
rendez-vous points.

> ordering me to block it, this I have already run through my solicitor
> and there is no escaping that fact unfortunately.
>
> Also note, botnets in this sense are not the topic. The proposal is an
> easy mechanism to censor hidden services and let it not be portrayed
> as anything other than that. I can see why 90% of people opposed his
> "coin taint" idea and 75% wanted him to leave the bitcoin foundation.
> If Tor did introduce such measures, I would be swiftly leaving Tor's
> ranks and withdrawing all support (both all 25 relays/exits/guards,
> and financial) from it.
>
> So to state clearly:
>
> Should Tor Project develop a system to filter hidden services?
>
> I'll let people decide that for themselves. But my opinion, is that
> doing so defies the point of a hidden service and people who push for
> it should be ashamed of themselves.
>
 Also fully agreed.  To develop such a system would require weakening
or breaking the current level of protection offered to users, as well as
being a special gift to the NSA and its peers in other countries.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at sdf.org   *or*   bennett at freeshell.org   *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
*

Re: [tor-relays] Speed of my relay not correct on global list

2014-07-21 Thread Josh
I don't know the answer to your question and I am sorry that you are
having this issue. That said, even if you are not doing anything besides
running a relay it is a security risk to be running a tor node on
Windows XP.

There are exploits that do not require any interaction from the user.
The sentiment that the rest of the list is trying to impress on you is
that by running a Tor node on XP you are potentially putting the entire
Tor network at risk to a malicious actor.

This is by far a more pressing concern than speeds being reported
correctly. As others have said since you say cost is a factor in
purchasing a Windows 7 license then install Linux or BSD. I cannot
express how easy it is if you follow the guide to set up a Debian node.



On 07/21/2014 05:19 PM, B00ze/Empire wrote:
>
> On 2014-07-20 23:53, Joel Cretan  wrote:
>> On Sun, Jul 20, 2014 at 4:30 PM, B00ze/Empire wrote:
>>
>> Who cares that MS doesn't support it. So you are claiming that
>> because it runs on Xp the speed testing is failing? I find that
>> hard to believe.
>>
>>
>> Everyone using Tor cares. I believe the other posters are seizing on
>> this detail because it is much more important for you to upgrade your
>> vulnerable machine than to worry about what speed is reported.
>> Perhaps it is better for now that your speed is under-reported, to
>> keep too many clients from connecting to a potentially dangerous relay.
>>
> I can't upgrade the machine, I'd have to buy hardware and since the
> machine is 12 years old, I have no intention of replacing the failing
> parts. I am slowly building a replacement server, but until then, Xp
> it is. I do not browse, read email, open PDFs, run Flash, install
> programs - I don't do anything on that server besides running the Tor
> relay (and polipo) and serving files on the local network. The machine
> is behind a hardware and a software firewall. The chances of infection
> are basically zero, so there is no great rush to setup the replacement
> server.
>
> But since everyone just cannot get past the fact that it runs Xp, I
> guess we will have to wait some months before I can get some real
> answers as to the problem I wish resolved.
>
> Thank you.
> Best Regards,
>
> -- 
>_\|/_Sylvain / b00z...@hotmail.com
>(o o)Member-+-David-Suzuki-Foundation-+-Planetary-Society-
>  oO-( )-Oo  C Error #009: FATAL! Portable code found!

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Speed of my relay not correct on global list

2014-07-21 Thread B00ze/Empire


On 2014-07-20 23:53, Joel Cretan wrote:
> On Sun, Jul 20, 2014 at 4:30 PM, B00ze/Empire wrote:
>
>> Who cares that MS doesn't support it. So you are claiming that
>> because it runs on Xp the speed testing is failing? I find that
>> hard to believe.
>
> Everyone using Tor cares. I believe the other posters are seizing on
> this detail because it is much more important for you to upgrade your
> vulnerable machine than to worry about what speed is reported. Perhaps
> it is better for now that your speed is under-reported, to keep too
> many clients from connecting to a potentially dangerous relay.


I can't upgrade the machine, I'd have to buy hardware and since the
machine is 12 years old, I have no intention of replacing the failing
parts. I am slowly building a replacement server, but until then, Xp it
is. I do not browse, read email, open PDFs, run Flash, install programs
- I don't do anything on that server besides running the Tor relay (and
polipo) and serving files on the local network. The machine is behind a
hardware and a software firewall. The chances of infection are basically
zero, so there is no great rush to setup the replacement server.


But since everyone just cannot get past the fact that it runs Xp, I
guess we will have to wait some months before I can get some real
answers as to the problem I wish resolved.


Thank you.
Best Regards,

--
   _\|/_Sylvain / b00z...@hotmail.com
   (o o)Member-+-David-Suzuki-Foundation-+-Planetary-Society-
 oO-( )-Oo  C Error #009: FATAL! Portable code found!



Re: [tor-relays] [tor-dev] Hidden service policies

2014-07-21 Thread Lance Hathaway
On 21/07/2014 7:34 AM, Thomas White wrote:
> Seemed a little targeted at me and I am the one agreeing with you xD

Wasn't so much targeted at you, as I was chiming in to agree with what
you had said. :) Just in my own words.

> Furthermore, I'm going to see what the authority directories think
> about his relay because that is just playing silly bugger only
> allowing bitcoin related traffic.

I don't see an issue with his relay only choosing to allow bitcoin
traffic. Again, that comes down to allowing each relay operator to allow
or reject whatever ports they are comfortable with through their relays.
Just as we can't go around censoring services however we please, we
can't go around telling relay operators that they need to allow
arbitrary traffic on our say-so.

If he only allows a single port, he won't get the Exit flag (as long as
the policy on that flag is that any two of [HTTP, HTTPS, IRC] must be
exited). As far as the rest goes, as long as he's using the Tor-readable
method of limiting ports (ExitPolicy, rather than some silly buggered
firewall that Tor can't understand), my opinion would be to leave him be.

 -Lance

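As an added illustration (not code from the thread or from Tor), a small evaluator for a torrc ExitPolicy line that applies the "two of HTTP, HTTPS, IRC" Exit-flag rule Lance describes. The port numbers 80/443/6667, the bitcoin port 8333 used in the sample policy, and the assumption that the configured policy ends in a trailing reject *:* are mine, not the post's.

```python
"""Check whether a torrc ExitPolicy would satisfy the Exit-flag rule quoted above."""
import ipaddress

# Assumed mapping of the three services named in the post to ports (dir-spec
# uses 80, 443 and 6667); the "two of three" criterion itself is from the post.
EXIT_FLAG_PORTS = {"HTTP": 80, "HTTPS": 443, "IRC": 6667}


def parse_exit_policy(policy):
    """Parse 'accept *:80, reject 10.0.0.0/8:*, reject *:*' into
    (action, network-or-None, low_port, high_port) tuples, in order.
    Only IPv4 networks and '*' are handled here."""
    rules = []
    for entry in policy.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, _, target = entry.partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"bad action in {entry!r}")
        addr, _, ports = target.rpartition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action, net, lo, hi))
    return rules


def policy_allows(rules, ip, port):
    """First matching rule wins; an unmatched pair is treated as rejected
    (assumption: the policy ends in reject *:*)."""
    ip = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return action == "accept"
    return False


def port_is_exited(rules, port):
    """True if some destination can be reached on `port` under first-match
    semantics. Approximation: a non-wildcard accept is assumed not to be
    completely shadowed by earlier, narrower rejects."""
    for action, net, lo, hi in rules:
        if not (lo <= port <= hi):
            continue
        if action == "accept":
            return True
        if net is None or net.prefixlen == 0:
            return False  # blanket reject for this port; nothing later can match
    return False  # unmatched: assumed trailing reject *:*


def would_get_exit_flag(policy):
    """Return (qualifies, names_of_exited_services) for the two-of-three rule."""
    rules = parse_exit_policy(policy)
    exited = {name for name, port in EXIT_FLAG_PORTS.items() if port_is_exited(rules, port)}
    return len(exited) >= 2, exited


if __name__ == "__main__":
    # A single-port policy like the bitcoin-only relay discussed in the thread.
    print(would_get_exit_flag("accept *:8333, reject *:*"))
    # A typical reduced exit policy that still qualifies.
    print(would_get_exit_flag("accept *:80, accept *:443, reject *:25, reject *:*"))
```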


Re: [tor-relays] [tor-dev] Hidden service policies

2014-07-21 Thread Thomas White

Seemed a little targeted at me and I am the one agreeing with you xD

Anyway yes this is what I stated originally before the pro-censorship
people come out of their caves. Once the tools are developed to
censor, it is very easy to start blocking arbitrarily. Imagine the day
our ISPs say "now block x and y hidden services because we don't like
them or we'll close your account". I can see the reasons some people
block ports, which comes back to my "greater good" argument that
keeping their relays online albeit with some ports blocked is better
than no relay, because users in that situation can route around it if
required.

So I think we're agreed. No tool for censoring, not even a step near
that direction because it rapidly goes downhill from there. Again I
reiterate, the fact that Mike Hearn has come to Tor Project (with his
own relay only allowing bitcoin traffic is particularly peeving me
off) and tried to tell us to develop tools of censorship, has
particularly annoyed me. So to address this,  I'll be sending a copy
of his proposal to some friends of mine on the bitcoin scene.

Furthermore, I'm going to see what the authority directories think
about his relay because that is just playing silly bugger only
allowing bitcoin related traffic.

- -T

On 21/07/2014 15:25, Lance Hathaway wrote:
> 
> On 21/07/2014 6:21 AM, Thomas White wrote:
>> Also note, botnets in this sense are not the topic. The proposal
>> is an easy mechanism to censor hidden services and let it not be 
>> portrayed as anything other than that. ...
> 
>> So to state clearly:
> 
>> Should Tor Project develop a system to filter hidden services?
> 
> 
> The simple fact of the matter is this: However good and pure our 
> intentions may be ("We'll only block malware and child porn!"), a 
> system would have to be developed to allow us to block arbitrary
> services.
> 
> Something I have noticed which trips up most people is their
> inability to see beyond themselves. YOU may have only the best
> intentions. YOU may never countenance blocking inconvenient truths
> on Twitter / Slashdot / news-feed-of-the-day. But once a system is
> created that can block arbitrary services, it's only a matter of
> time before somebody with intentions less pure than your own decides
> to start blocking other things. Maybe somebody with an upright
> moral standing decides it would be better to block everything PG-13
> and up. Maybe somebody decides their government is taking too much
> flak on an issue, and tries to "help out" by filtering some news
> sites they feel are particularly biased. Maybe I decide that
> tabloid magazines are total trash, and nobody should be allowed to
> give them business so they'll just die off in the end.
> 
> Why would we want to replace a system of government censorship
> with censorship-by-the-masses? I thought we wanted to decide for 
> ourselves--what we read, to whom we listen, what we do, and with
> whom we associate.
> 
> (Never mind the legal fact that, if we CAN filter / exert
> legitimate control over the traffic flowing over the network,
> somebody will figure out a way to MAKE us do so--and it may not be
> what we personally agree should be blocked.)
> 
> Insofar as botnets create an infrastructure problem with Tor (i.e.
> the HSDir mobbing issue), that's something that we can work on
> addressing. Maybe a more load-tolerant design or what-have-you.
> Filtering things is not the answer.
> 
> (I should add as a final note: filtering ports is not the same as 
> filtering sites or traffic. I don't care what traffic passes over
> port 80, nor should I. But traffic on port 25 gets me marked as a
> spammer and shuts down my exit nodes, so I can't have that. Anybody
> who wants to change that traffic to tunnel over port 80 or 22 or
> whatever is free to do so, and I do not and should not know about
> it. If I can find a provider within my budget range who allows full
> exits and lets me handle all the abuse issues myself, I dare say
> I'll allow all ports through that exit.)
> 
> -Lance
> 


Re: [tor-relays] [tor-dev] Hidden service policies

2014-07-21 Thread Lance Hathaway


On 21/07/2014 6:21 AM, Thomas White wrote:
> Also note, botnets in this sense are not the topic. The proposal is
> an easy mechanism to censor hidden services and let it not be
> portrayed as anything other than that. ...
> 
> So to state clearly:
> 
> Should Tor Project develop a system to filter hidden services?
> 

The simple fact of the matter is this: However good and pure our
intentions may be ("We'll only block malware and child porn!"), a
system would have to be developed to allow us to block arbitrary services.

Something I have noticed which trips up most people is their inability
to see beyond themselves. YOU may have only the best intentions. YOU
may never countenance blocking inconvenient truths on Twitter /
Slashdot / news-feed-of-the-day. But once a system is created that can
block arbitrary services, it's only a matter of time before somebody
with intentions less pure than your own decides to start blocking other
things. Maybe somebody with an upright moral standing decides it would
be better to block everything PG-13 and up. Maybe somebody decides
their government is taking too much flak on an issue, and tries to
"help out" by filtering some news sites they feel are particularly
biased. Maybe I decide that tabloid magazines are total trash, and
nobody should be allowed to give them business so they'll just die off
in the end.

Why would we want to replace a system of government censorship with
censorship-by-the-masses? I thought we wanted to decide for
ourselves--what we read, to whom we listen, what we do, and with whom
we associate.

(Never mind the legal fact that, if we CAN filter / exert legitimate
control over the traffic flowing over the network, somebody will
figure out a way to MAKE us do so--and it may not be what we
personally agree should be blocked.)

Insofar as botnets create an infrastructure problem with Tor (i.e. the
HSDir mobbing issue), that's something that we can work on addressing.
Maybe a more load-tolerant design or what-have-you. Filtering things
is not the answer.

(I should add as a final note: filtering ports is not the same as
filtering sites or traffic. I don't care what traffic passes over port
80, nor should I. But traffic on port 25 gets me marked as a spammer
and shuts down my exit nodes, so I can't have that. Anybody who wants
to change that traffic to tunnel over port 80 or 22 or whatever is
free to do so, and I do not and should not know about it. If I can
find a provider within my budget range who allows full exits and lets
me handle all the abuse issues myself, I dare say I'll allow all ports
through that exit.)

 -Lance


Re: [tor-relays] [tor-dev] Hidden service policies

2014-07-21 Thread Thomas White

> Sorry, wrong answer.  If you block connections from other relays, 
> you break the tor network.  I don't recall offhand whether that
> sort of breakage might earn your relay either an Invalid flag or
> being simply dropped from the consensus.

For a single relay to my knowledge, it shouldn't do. There are many
reasons some relays can't connect to each other so it doesn't "break"
Tor as an alternative route is simply found.


> Are you suggesting that the mobbing attacks on HSDIR relays are the
> actions of botnets?  If so, then you are suggesting that the
> problem of mobbing of HSDIR relays is probably insoluble because it
> would not be the symptom of a bug in tor. :-(

The question is botnet CnC's, the proposal has nothing to do with
solving the botnet CnC problem and I am also stating Tor is not the
one who needs to tackle them right at this moment, the budget and
resources are just not there. However creating a system where
operators start blacklisting hidden services is extremely bad for
anonymity both for the hidden service and the user.

To answer the rest of your question, I am not a developer. I am
somebody who cares about anonymity and that is why I run the 2nd
largest server cluster on the Tor network from my own pocket.
Filtering or proposing to blacklist anything is not acceptable in my
view. Whatever solutions individuals care to launch to protect their
relay is their own responsibility, but actively developing something
by the core developers to blacklist hidden service is a completely
despicable idea. To elaborate only on the legal side of things, if I
can easily block hidden services passing through my relays or if I am
the RV point for one the government can then serve me a notice
ordering me to block it, this I have already run through my solicitor
and there is no escaping that fact unfortunately.

Also note, botnets in this sense are not the topic. The proposal is an
easy mechanism to censor hidden services and let it not be portrayed
as anything other than that. I can see why 90% of people opposed his
"coin taint" idea and 75% wanted him to leave the bitcoin foundation.
If Tor did introduce such measures, I would be swiftly leaving Tor's
ranks and withdrawing all support (both all 25 relays/exits/guards,
and financial) from it.

So to state clearly:

Should Tor Project develop a system to filter hidden services?

I'll let people decide that for themselves. But my opinion, is that
doing so defies the point of a hidden service and people who push for
it should be ashamed of themselves.

- -T






On 21/07/2014 12:22, Scott Bennett wrote:
> Thomas White  wrote:
> 
>> Mike Hearn,
>> 
>> Simple. If you start filtering anything at all, regardless of
>> what it is (yes, even if you filter child porn or fraud sites)
>> then I will block any connection of your relays to mine (which
>> are exits and guards totalling 4Gbps). There are uses for
>> preventing some connections
> 
> Sorry, wrong answer.  If you block connections from other relays, 
> you break the tor network.  I don't recall offhand whether that
> sort of breakage might earn your relay either an Invalid flag or
> being simply dropped from the consensus.
> 
>> like if you are legally required to then I guess the tradeoff of
>> some inconvenience for a handful of relays, but still providing
>> high-speed access to Tor for most people and sites is worth it.
>> When you begin to do it as a proactive censorship event is when I
>> will be firmly against you.
>> 
>> The moment people censor things because it is illegal, immoral
>> or "terrorist" is the moment that person accepts responsibility
>> for the traffic that passes through their nodes and is an active
>> attempt by them to filter what people can access. Freedom isn't
>> free unless it is totally free and a selective reading policy
>> through Tor is not just a bad idea as stated below, I find it
>> outright insulting to me and everyone else who cares about the
>> free and open internet. The fact somebody has the audacity to
>> come to a project like Tor and propose blacklisting mechanisms is
>> jaw-dropping.
>> 
>> In addition, botnets using Tor actually improve the security of
>> the network. Generally the more traffic there is, the harder it
>> is to conduct statistical attacks against the users. Now of
>> course it is not the most politic thing to say or the most
>> popular, but it's the truth.
> 
> Are you suggesting that the mobbing attacks on HSDIR relays are the
> actions of botnets?  If so, then you are suggesting that the
> problem of mobbing of HSDIR relays is probably insoluble because it
> would not be the symptom of a bug in tor. :-(
> 
>> We don't need to stop x y or z using Tor, we need to get more
>> people using Tor regardless of their purpose. Botnets are the
>> result of design/security flaws and not something within the
>> scope of Tor Project to address.
> 
> Wron

Re: [tor-relays] [tor-dev] Hidden service policies

2014-07-21 Thread Scott Bennett
Thomas White  wrote:

> Mike Hearn,
>
> Simple. If you start filtering anything at all, regardless of what it
> is (yes, even if you filter child porn or fraud sites) then I will
> block any connection of your relays to mine (which are exits and
> guards totalling 4Gbps). There are uses for preventing some connections

 Sorry, wrong answer.  If you block connections from other relays,
you break the tor network.  I don't recall offhand whether that sort of
breakage might earn your relay either an Invalid flag or being simply
dropped from the consensus.

> like if you are legally required to then I guess the tradeoff of some
> inconvenience for a handful of relays, but still providing high-speed
> access to Tor for most people and sites is worth it. When you begin to
> do it as a proactive censorship event is when I will be firmly against
> you.
>
> The moment people censor things because it is illegal, immoral or
> "terrorist" is the moment that person accepts responsibility for the
> traffic that passes through their nodes and is an active attempt by
> them to filter what people can access. Freedom isn't free unless it is
> totally free and a selective reading policy through Tor is not just a
> bad idea as stated below, I find it outright insulting to me and
> everyone else who cares about the free and open internet. The fact
> somebody has the audacity to come to a project like Tor and propose
> blacklisting mechanisms is jaw-dropping.
>
> In addition, botnets using Tor actually improve the security of the
> network. Generally the more traffic there is, the harder it is to
> conduct statistical attacks against the users. Now of course it is not
> the most politic thing to say or the most popular, but it's the truth.

 Are you suggesting that the mobbing attacks on HSDIR relays are
the actions of botnets?  If so, then you are suggesting that the problem
of mobbing of HSDIR relays is probably insoluble because it would not
be the symptom of a bug in tor. :-(

> We don't need to stop x y or z using Tor, we need to get more people
> using Tor regardless of their purpose. Botnets are the result of
> design/security flaws and not something within the scope of Tor
> Project to address.

 Wrong again.  See multitudinous previous threads regarding bittorrent
over tor.
 Let me give you an example of appropriate filtering.  My system logs
frequent attacks/probes that I consider illegitimate.  I enter the source
addresses of those probes into a pf table of addresses from which SYN
packets for any protocol or port get dropped with no response.  However,
there is a cron job that runs every 30 minutes that takes all the relay IP
addresses in the most recently downloaded consensus and puts them into
another pf table.  This latter table is used by pf rules to bypass the
check described above, but only for relays attempting to connect to my
relay's ORPort or DirPort.  This prevents the sort of breakage you
threaten to cause because currently active relays will still be able to
relay through my relay, although if they are also in the table described
first, then they will have no *other* type of access to my system.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at sdf.org   *or*   bennett at freeshell.org   *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**
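Scott describes a cron job that loads the relay addresses from the latest consensus into a pf table so that known relays can still reach the ORPort/DirPort even when they sit in a probe blocklist. The following is an added illustration of that arrangement, not Scott's actual script or ruleset: the consensus excerpt is constructed, the pf.conf lines are my assumed rendering of the two rules he describes, the ports 9001/9030 and the table file path are placeholders, and `pf_decision` only models the first-match behaviour of those two "quick" rules.

```python
"""Refresh a pf table of Tor relay addresses from a consensus and model the bypass."""
import ipaddress
import re

# Constructed consensus excerpt (not a real consensus). "r" lines follow the
# dir-spec layout: r nick identity digest date time IP ORPort DirPort;
# "a" lines carry additional (IPv6) ORPort addresses as [addr]:port.
SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-07-21 10:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-07-21 11:00:00 198.51.100.7 443 0
a [2001:db8::1]:9001
s Exit Fast Running Valid
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-07-21 09:30:00 192.0.2.10 9002 0
s Running Valid
"""

A_LINE = re.compile(r"^a \[([0-9a-fA-F:.]+)\]:\d+$")


def relay_addresses(consensus_text):
    """Return the set of relay IP addresses named in a consensus document."""
    found = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        if len(fields) >= 9 and fields[0] == "r":
            candidate = fields[6]
        else:
            m = A_LINE.match(line)
            if not m:
                continue
            candidate = m.group(1)
        try:
            found.add(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # skip a malformed line rather than poisoning the table
    return found


def as_ip_set(addresses):
    """Normalise a list of address strings into a set of ipaddress objects."""
    return {ipaddress.ip_address(a) for a in addresses}


def table_file_contents(addresses):
    """One address per line, sorted, in the form pfctl -T replace -f expects."""
    ordered = sorted(addresses, key=lambda ip: (ip.version, ip))
    return "".join(f"{ip}\n" for ip in ordered)


def refresh_relay_table(consensus_path, table_path):
    """Cron-job body: rewrite the table file from the cached consensus, then
    run `pfctl -t torrelays -T replace -f <table_path>` to load it."""
    with open(consensus_path) as fh:
        addrs = relay_addresses(fh.read())
    with open(table_path, "w") as out:
        out.write(table_file_contents(addrs))
    return len(addrs)


# Assumed rendering of the rules described in the post (illustrative): the
# 'quick' pass for consensus relays is evaluated before the probe block.
PF_RULES = """\
table <probes> persist
table <torrelays> persist file "/etc/pf/torrelays.txt"
pass in quick on egress proto tcp from <torrelays> to (egress) port { 9001, 9030 } flags S/SA
block drop in quick on egress proto tcp from <probes> to any flags S/SA
"""


def pf_decision(src, dport, probes, relays, relay_ports=(9001, 9030)):
    """Mirror the two 'quick' rules in PF_RULES: first match wins.
    probes and relays are sets of ipaddress objects (see as_ip_set)."""
    ip = ipaddress.ip_address(src)
    if ip in relays and dport in relay_ports:
        return "pass"     # consensus relay reaching ORPort/DirPort, even if it probed us
    if ip in probes:
        return "drop"     # probing source: SYN dropped silently, no RST
    return "default"      # falls through to the rest of the ruleset


if __name__ == "__main__":
    relays = relay_addresses(SAMPLE_CONSENSUS)
    probes = as_ip_set(["192.0.2.10", "203.0.113.5"])
    print(table_file_contents(relays), end="")
    for src, port in (("192.0.2.10", 9001), ("192.0.2.10", 22), ("203.0.113.5", 9001)):
        print(src, port, pf_decision(src, port, probes, relays))
```

Tor keeps the most recently fetched consensus as `cached-consensus` in its DataDirectory, which is the natural input for `refresh_relay_table`.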