Re: [tor-relays] Emerald Onion's new relays

[Gareth Llewellyn]

‐‐‐ Original Message ‐‐‐
On Tuesday, April 2, 2019 4:50 AM, Roger Dingledine  wrote:

> On Tue, Apr 02, 2019 at 04:36:37AM +, Christopher Sheats wrote:
>
> it's the perfect time for some
> of the other relay running nonprofits to step up and add some capacity
> too. :)

Would if I could (BrassHorn) :)

UK fibre (and London co-location) is obscenely expensive :/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] IPv6 for the nifty?

[Gareth Llewellyn]

 Original Message 
On 26 Feb 2018, 19:52, nusenu wrote:

> I was wondering if you have any plans to get IPv6 connectivity?

As it happens AS28715 (BrassHornComms) is looking for any datacenters / ISPs 
that support IPv6 BGP peering from small (~1u / VPS) customers.

I've got a /32 to allocate but the expensive part is transit capacity (at least 
here in the UK) so once I hit ~1.5Gbit/s I can't push any more.

Vultr support BGP announcement from their VPS' but have adjusted their T's 
and you can't run Tor Exits even on your own IPs which is a shame.

Gareth___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] companies and organizations running relays

[Gareth Llewellyn]

 Original Message 
On 5 Dec 2017, 19:03, Alison Macrina wrote:
I'm wondering if folks on this list can help me by confirming the organizations 
that they know of running relays.

Checking in on behalf of AS28715 / BrassHornCommunications.uk / 
https://atlas.torproject.org/#search/family:518FF8708698E1DA09C823C36D35DF89A2CAD956___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

[Gareth Llewellyn]

 Original Message 
On 4 Oct 2017, 07:02, Fr33d0m4all wrote: Hi, My Tor middle relay public IP 
address is victim of SSH brute force connections’ attempts

Welcome to the Internet!

Any Internet connected machine will be port scanned, vuln probed, brute forced, 
blindly hit with ancient "1 shot" exploits (think wordpress plugins) and 
trawled for include vulnerabilities (e.g. ?file=../../../etc/passwd ) on a 
daily basis.

It's not normally something to worry about.

Disable root login, enable certificate authentication and if you feel 
particularly strongly about the log noise firewall off TCP/22 or move sshd to a 
high numbered port.___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] torservers.net: some exits became guards? (deanonymization risk)

[Gareth Llewellyn]

On Sat, Jun 10, 2017 at 10:39 AM, Moritz Bartl 
wrote:

>
> We had to temporarily disable some of our exits due to ongoing
> negotiations with the provider.
>
>
Will your provider allow BGP announcements of other IP space?

Depending on how many exits we're talking about I (BrassHornCommunications
/ AS28715) will happily 'loan' you a /24 and a /48-/36 to route from which
will remove the abuse complaints from your provider.

(FWIW I'd rather not give up a /24 if you're happy using your providers v4
for general Tor routing and AS28715's IPv6 for exiting that'd be ideal).

Alternatively I can sponsor your RIPE v6 PI application (subject to the new
rules about having a 'contractual relationship yadda yadda) if you'd like
to do that.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Hackers

[Gareth Llewellyn]

Whilst your complainant seems to have a bee in their bonnet I'm not sure
you're doing anyone anyone any favours by CC'ing pseudo-private
correspondence into a mailing list.

As a fellow ISP owner running Tor Exits (AS28715) I also enjoy the "right"
to treat abuse requests according to rules that only I write (UK
legislation not withstanding) but IMHO we have a responsibility
proportional to our "mere conduit" superpowers, both to the privacy of Tor
users *and* crazy abuse@ emails from individuals.

This could turn into another Mozilla / Oil and Gas thing (
https://arstechnica.co.uk/security/2017/03/firefox-gets-complaint-for-labeling-unencrypted-login-page-insecure/
)
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] ISP, Abuses , Intrusion Prevention etc.

[Gareth Llewellyn]

On 9 Oct 2016 11:36, "pa011"  wrote:
>
> - what forces drive ISP's to behave like they do with abuses?
> - maybe Exit volunteers and here especially the big ones could
ask some questions to their ISP to get more light on this

I set up my own ISP (AS28715) so I could run Tor exits etc without any
trouble.

>
> I do refer to my old questions -still unanswered:
>
> -is it just the more work for rather poor money
handling(forwarding)
> those abuses ?

Yes. Every abuse ticket is a person answering that abuse ticket instead of
helping a customer who is potentially paying for support.

It's also that some of the abuse emails can be quite threatening (e.g.
blacklisting the entire /24 or reporting the "crime" to local Police etc)
some of the smaller ISPs can get intimidated by those threats.

> - to whom else do ISP's have to report what they are
doing with received
>   abuses?

In the UK; No one.

> - must ISP's answer to the origin of the abuse?

No. But is polite to do so.

> - who is getting a copy of all that conversation(if at
all)?

Depends on the ISPs policies / any applicable laws. (In the UK and at least
as far as my ISP is concerned; no-one)

> - can an ISP loose its license (with too many or badly
handled abuses)?

AFAIK; No. In the UK I guess one could appeal to Court if an ISP wasn't
preventing its network from being used to your detriment but I'm not sure
how far you'd get.

> - are there any regulatory burdens for them - if so which
ones?

Yes. Lots depending on the country.

> - are ISP's treated different in different parts of the
world?

Very much so.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] [tor-relays-universities] Legal issues relevant to UK

[Gareth Llewellyn]

On Sun, Sep 4, 2016 at 8:08 PM, Jens Kubieziel 
wrote:

> X-Post from tor-relays-universities@
>
> I ran some relays at Geman universities in the past. I guess my
> experiences won't help here. Maybe someone on tor-relays has experience
> with running a relay at an UK university, so I send this mail to
> tor-relays@ too.
>
> * Duncan Guthrie schrieb am 2016-09-01 um 01:09 Uhr:
> > I'm hoping to run a Tor relay here at a University in the UK.
> > Is there anyone here who might have some experience with this in the
> > past? I have been researching legal issues but information is
> > extremely sparse (mostly relating to the DMCA). All I can really work
> > out is that the issues relating to ISPs apply more generally, and more
> > strictly to a Tor exit node operator.
> > What protections, if any, exist here in the UK for a Tor exit node
> > operator?
>

The Tor Exits / relays I operate in the UK are done so in my capacity as an
ISP which as you mention has various protections.

Are you planning on doing this officially as part of the university (
https://ins.jku.at/infrastructure/tor-exit-node ) or are you a student /
faculty who wants to run a relay on spare hardware (and is therefore at the
will of the University AUP etc)?

I don't think you'll find any explicit protections in law and may even find
yourself at the receiving end of being designated a "communications service
provider" (especially so once the Investigatory Powers Bill comes into
force!)
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Tor Weather has been discontinued

[Gareth Llewellyn]

As it happens I started work on something too, will put what I've done on
GitHub in a few days (it's still very rough and not very scalable).

FWIW I registered OnionWatch.email for use with this.
On 24 Jun 2016 21:21,  wrote:

> I actually provisioned a server for it, and started development on a
> new weather service yesterday. I am not sure if someone else is
> already working on it or not but If I can get it up and running, I'll
> offer to host it myself.
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Filter Tor Exit Node for blatant attacks on servers

[Gareth Llewellyn]

On 12 Jun 2016 5:49 p.m., "Jonathan Baker-Bates" 
wrote:
> But along the way I asked some others about the legal implications of
doing what the ISP had asked. The rough consensus was that in the UK at
least, I would only be able to evesdrop on traffic once consent had been
given by those being monitored. Otherwise I'd be illegally wiretapping and
open to prosecution. But it was far from clear what would happen if
somebody took me a court!
>

Indeed the Regulation of Investigatory Powers Act 2000 and the
Investigatory Powers Bill contain offences relating to surveillance of
traffic without a warrant / permission etc. (Caveats etc apply)

> On 12 June 2016 at 16:12, Dr Gerard Bulger  wrote:
>> Once TOR
>> exits attempts any filtering where would it stop?   It is a slippery
slope.

FWIW one of the reasons we have the "pirate" blocks (in the UK) is that the
High Court Judge (Hon. justice Arnold) in the case was informed that the
ISPs in question had the ability to block sites (e.g. Cleanfeed) therefore
it was possible for them to block more.

Had this ISP level censorship technology not existed then we wouldn't be in
*quite* the situation we are now.

>> It is more than embarrassing to run an exit node and get abuse complaints
>> about persistent and repeated attacks on an IP. The intent is clearly
>> criminal.  VPS providers in the UK are increasing intolerant in receiving
>> such complaints.  The whole VPS can be closed down by the ISP/VPS
provider
>> not forcing a closure of the TOR exit.  Fewer ISPs will allow you to
install
>> an exit node at all.

This is one of the reasons why I started a UK ISP (AS28715) - I now run UK
exits and don't have issues with them getting shutdown because the ISP got
cold feet / got bored of abuse emails / complaints from other customers
(entire /24 blocked by anti-tor blacklists) etc etc.

Good ISPs don't deploy web filtering, transparent proxies or IDS' that
interfere with traffic. IMHO well behaved Tor Exits shouldn't either.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Legal status of operating Tor exit in UK?

[Gareth Llewellyn]

On Tue, Sep 8, 2015 at 9:04 PM, Jonathan Baker-Bates <
jonat...@bakerbates.com> wrote:

> So does anyone know of any reliable source of information on running Tor
> exits in the UK?
>

No but I run several UK based Tor exits and have had little issue other
than the usual abuse reports, that said the relays in question are operated
by a separate legal entity that is it's own ISP (RIR allocation / ASN etc).


What would happen if my ISP pressed me to monitor my traffic, and I refused
> on legal grounds? I'm not suggesting I actually do that, or that there are
> even any legal grounds to refuse.
>

 IANAL  but to elaborate on something that Thomas said there is
also a consideration of the Regulation of Investigatory Powers Act, the
Data Retention and Investigatory Powers Act and Counter Terrorism and
Security Act.

Starting with RIPA s1.

> It shall be an offence for a person intentionally and without lawful
> authority to intercept, at any place in the United Kingdom, any
> communication in the course of its transmission by means of—
>
> (a)a public postal service; or
>
> (b)a public telecommunication system.
>

 RIPA s2. defines interception;

> (2)For the purposes of this Act, but subject to the following provisions
> of this section, a person intercepts a communication in the course of its
> transmission by means of a telecommunication system if, and only if, he—
>
> (a)so modifies or interferes with the system, or its operation,
>
> (b)so monitors transmissions made by means of the system, or
>
> (c)so monitors transmissions made by wireless telegraphy to or from
> apparatus comprised in the system,
>
> as to make some or all of the contents of the communication available,
> while being transmitted, to a person other than the sender or intended
> recipient of the communication.
>

Finally an act is unlawful if it falls foul of s1 (5);

> (5) Conduct has lawful authority for the purposes of this section if, and
> only if—
>
> (a) it is authorised by or under section 3 or 4;
>
> (b) it takes place in accordance with a warrant under section 5 (“an
> interception warrant”); or
>
> (c) it is in exercise, in relation to any stored communication, of any
> statutory power that is exercised (apart from this section) for the purpose
> of obtaining information or of taking possession of any document or other
> property;
>

So it would seem that RIPA (which is due to be replaced in the next couple
of months by the Investigatory Powers Bill) says that you are not allowed
to intercept data.

Moving on to the Data Retention and Investigatory Powers Act (and by
extension the Counter Terrorism and Security Act) there is s1. of DRIPA
which says;

The Secretary of State may by notice (a “retention notice”) require a
> public telecommunications operator to retain relevant communications data
> if the Secretary of State considers that the requirement is necessary and
> proportionate for one or more of the purposes falling within paragraphs (a)
> to (h) of section 22(2) of the Regulation of Investigatory Powers Act 2000
> (purposes for which communications data may be obtained


s2. defines a telecommunications operator;

“public telecommunications operator” means a person who—
> (a) controls or provides a public telecommunication system, or
> (b) provides a public telecommunications service;
>
> “public telecommunications service” and “public telecommunication system”
> have the meanings given by section 2(1) of the Regulation of Investigatory
> Powers Act 2000;
>

Section 2(1) of RIPA has many definitions but this one closest applies to
Tor;

“telecommunication system” means any system (including the apparatus
> comprised in it) which exists (whether wholly or partly in the United
> Kingdom or elsewhere) for the purpose of facilitating the transmission of
> communications by any means involving the use of electrical or
> electro-magnetic energy.
>



So, the Secretary of State or the Police can serve you a retention notice
or an interception warrant *allowing* you to intercept data, past that
point you can probably point to RIPA and say it'd be illegal.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Please enable IPv6 on your relay!

[Gareth Llewellyn]

On Tue, May 12, 2015 at 11:09 PM, Moritz Bartl mor...@torservers.net
wrote:

 especially if you run an exit!


1 exit, 2 bridges and 4 general relays are now explicitly IPv6 enabled

Once https://trac.torproject.org/projects/tor/ticket/5788 is done I'll be
able to bring several more online
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Node Operators Web Of Trust

[Gareth Llewellyn]

On Fri, Nov 7, 2014 at 8:26 PM, grarpamp grarp...@gmail.com wrote:

 Is it not time to establish a node operator web of trust?
 Look at all the nodes out there with or without 'contact' info,
 do you really know who runs them? Have you talked with
 them? What are their motivations? Are they your friends?
 Do you know where they work, such as you see them every day
 stocking grocery store, or in some building with a badge on it?
 Does their story jive? Are they active in the community/spaces
 we are? Etc. This is huge potential problem.


I had an idea for this a little while ago; https://tortbv.link/ using the
published GPG signature in the contact info to sign the node fingerprint,
if you trust the GPG key then you can _possibly_ trust that the node is run
by the named operator.

Never got round to actually doing anything with it though...
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays