Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
grarpamp schreef op 07/11/14 08:46: On Thu, Nov 6, 2014 at 2:43 AM, David Serrano wrote: On 2014-11-05 23:58:43 (-0500), grarpamp wrote: The real problem below is the 96% allocation of opensource to Linux and 4% to Other opensource. Someone should really do an analysis of platform vs. exit bandwidth as well. Anyone? Here ya go. Observed bandwidth per OS in relays having the exit flag: 93.62% 4459816582 Linux 4.51% 214639363 FreeBSD 1.25% 59672066 Windows 0.25% 11754598 Darwin 0.17%7896687 Bitrig 0.15%6964863 OpenBSD 0.06%3091495 SunOS This excessive Linux dominance in both node count and bandwidth really should be balanced out, like why not? I'd expect if some of the big relays switch to any other OS that would flatten out the bandwidth part pretty easily. You'd have to check say the top 10, 25, 50 or so relays to see to what extent they are part of this mess, I'm sure it's similar. Hi, I run a bunch of top50 relays (about 5.5% of global exit traffic), I'll have a look at converting my setup to OpenBSD - preferably without too much downtime. Tom smime.p7s Description: S/MIME-cryptografische ondertekening ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
On 2014-11-07 02:46:40 (-0500), grarpamp wrote: > > You'd > have to check say the top 10, 25, 50 or so relays to see to > what extent they are part of this mess, I'm sure it's similar. Top 200: 94.90% 2850128913 Linux 4.86% 146110227 FreeBSD 0.24%7156736 Darwin Top 50: 93.08% 1317726797 Linux 6.92% 97980759 FreeBSD Top 20: 91.93% 678898278 Linux 8.07% 59598665 FreeBSD Top 10: 100.00% 444716242 Linux The first non-Linux is a FreeBSD on 13th place, then the next new one is Darwin on 185th, and the next is Windows on 404th. Same data as yesterday, grabbed from onionoo.tpo/details. -- David Serrano PGP: 1BCC1A1F280A01F9 signature.asc Description: Digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
On Thu, Nov 6, 2014 at 2:43 AM, David Serrano wrote: > On 2014-11-05 23:58:43 (-0500), grarpamp wrote: >> >> The real problem below is the 96% allocation of opensource to >> Linux and 4% to Other opensource. > >> Someone should really do an analysis of platform vs. exit bandwidth >> as well. Anyone? > > Here ya go. Observed bandwidth per OS in relays having the exit flag: > > 93.62% 4459816582 Linux > 4.51% 214639363 FreeBSD > 1.25% 59672066 Windows > 0.25% 11754598 Darwin > 0.17%7896687 Bitrig > 0.15%6964863 OpenBSD > 0.06%3091495 SunOS This excessive Linux dominance in both node count and bandwidth really should be balanced out, like why not? I'd expect if some of the big relays switch to any other OS that would flatten out the bandwidth part pretty easily. You'd have to check say the top 10, 25, 50 or so relays to see to what extent they are part of this mess, I'm sure it's similar. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
On 2014-11-05 23:58:43 (-0500), grarpamp wrote: > > The real problem below is the 96% allocation of opensource to > Linux and 4% to Other opensource. > Someone should really do an analysis of platform vs. exit bandwidth > as well. Anyone? Here ya go. Observed bandwidth per OS in relays having the exit flag: 93.62% 4459816582 Linux 4.51% 214639363 FreeBSD 1.25% 59672066 Windows 0.25% 11754598 Darwin 0.17%7896687 Bitrig 0.15%6964863 OpenBSD 0.06%3091495 SunOS -- David Serrano PGP: 1BCC1A1F280A01F9 signature.asc Description: Digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
>> I'd agree simply because Windows presents a much larger attack surface. The >> amount of code running on a minimal Unix installation plus Tor is a lot less >> than a Windows system, especially network facing code. > ... > Running code, or network accessible code? Either way I don't see how > you came to that calculation. 'Minimal' Unix + Tor + SSH restricted > by SSH Key vs 'Minimal' Windows + Tor + RDP restricted by Client > Certificate. I also don't know what you mean by 'minimal' as very few > ... > I think a Windows Server, properly configured, is roughly as secure as > a properly configured Linux Server. > ... > I think there have been more bugs that result in RCE on production > Linux servers running SSH and a webserver in the past 4 years than > there have been in production Windows servers running RDP and IIS. > ... > I think if you're pointing fingers at China and the NSA, you should > assume they have RCE in both Windows and Linux. > ... > I think running relays on Windows Servers is no worse than running > relays on Linux Servers, and therefore it is good to do, because it > adds diversity to the network. Attack surface on a well adminned relay comes down to three things: - Network stack itself (kernel) - Daemon software itself (tor + remote admin) - Their respective use of other kernel/library/shell provided resources. I might suggest the current proportion of Windows to Linux is roughly ideal. This is primarily because, all other things set equal at 'minimal' (= tor + remote admin), good adminning, and good control of corporate secrets (or moles)... Windows still has one huge strategic weakness at that point... the magic packet. It's the whole binary vs. opensource argument. So essentially, the correct ratio of the two might be the odds you place that a binary OS has a magic packet. Today's node count shows 73% to opensource platforms. I'd suspect 73% is about where a lot of analysts might bet on Windows being magical, whether by/for the NSA, or any other reason or source. (Remember this... https://en.wikipedia.org/wiki/NSAKEY That was just from running 'strings'. Good luck trolling all of Windows with a disassembler... a nice fat payoff if you do. And the number of disassembling vs. opensource auditors is probably even more heavily skewed. And Windows is 'trusted' by buyers, nor can you replicate their binaries from any 'source code sharing agreements'. Then it's Patch Tuesday again... so it could be no one has or ever will disassemble audit it. So odds end up being pitched instead. And for many applications, that's good enough.) The real problem below is the 96% allocation of opensource to Linux and 4% to Other opensource. That's something that should be fixed. For these purposes, it doesn't matter which BSD/Other you pick... once you get the security odds there back towards say 50:50 Linux:Other, then you can debate userland and relative security amongst them all you want. Here's some links to get you started, including two other main branches of the Unix Kernel family tree at the bottom... 5939 Linux 1591 Windows 173 FreeBSD http://www.freebsd.org/ 56 Darwin 44 OpenBSD http://www.openbsd.org/ 7 NetBSD http://netbsd.org/ 6 SunOS 4 Bitrig https://www.bitrig.org/ 2 GNU/kFreeBSD https://www.debian.org/ports/kfreebsd-gnu/ 2 DragonFly http://www.dragonflybsd.org/ 0 Illumos (OpenSolaris) http://wiki.illumos.org/display/illumos/Distributions 0 Minix http://www.minix3.org/ Official metrics... https://metrics.torproject.org/network.html Someone should really do an analysis of platform vs. exit bandwidth as well. Anyone? Also, isn't there some project out there that is counting the historical number of kernel bugs+severity per OS over time? [To cpunks to cover all the other volunteer node based networks out there that could benefit from tuning their platform ratios.] ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
On 11/5/14, grarpamp wrote: > ... >1 DragonFly kudos, whoever you are! (i love this flavor more than most :) best regards, ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 > Also, they can't buy Linux exploits? Of course. You clipped out the part where I acknowledged this. > I'm not sure 'rarer' and 'less expensive' go together, did you > mean more expensive? (I'll assume yes.) I did in fact mean "more expensive". > I'm confused by this - what bugs are you talking about? The only > bugs that 'can't be prevented by user configuration' would be in > the networking stack. And that applies just as much to Linux as it > does to Windows. As you guessed, I was referring mostly to networking stack bugs. It does apply to all networked OSs, but I've generally been told that Microsoft has had a worse history of this, and that it's made even worse by the lack of open source code. As you pointed out, maybe that was mistaken. I think that a lot of the publicity of Linux bugs is because of how much of the Internet runs on it. Based on the government surveillance documents I've read, it seems that they have a very easy time getting access to Windows servers, and that they have a big corporate pipeline for Windows exploits. I've also read that Windows is the primary target of exploit markets, whereas Linux exploits tend to be much more publicly documented or high-profile (NSA trade secrets, etc.). The second tier of hackers (non-Five Eyes governments and big commercial blackhats) are probably the biggest threat to Tor relays, and they seem to have more access to Windows exploits than Linux exploits. I don't have enough knowledge or experience to comment on this much more. I will point out, however, that I'm promoting OpenBSD rather than Linux as an alternative. I think almost no one would argue that Windows is more secure than OpenBSD for this sort of application. I suspect most would side with Linux over Windows as well. > I think it is more secure than you think. Fair point, I think you're right. Libertas On 11/05/2014 01:53 PM, Tom Ritter wrote: > On 5 November 2014 11:55, Libertas wrote: >> I hope I don't sound too pompous saying this, but I really don't >> think relays should run on Windows. Windows is the primary target >> of weaponized and general exploits, > > Windows desktops, yes. Where users are browsing websites on IE, > with plugins and Flash Player and old versions of Adobe Reader and > Java. Windows Servers have none of those things, most importantly > users fiddling around on them regularly. > >> and it's less secure than a properly configured Unix >> distribution. > > Are you comparing a Linux Server to a Windows Desktop? Or a Linux > Server to a Windows Server? If it's the latter - I'm going to > disagree and try and provide supporting evidence... > >> This is especially relevant with potential adversaries like the >> Chinese government, who can buy Windows exploits that can't be >> prevented by user configuration, > > I'm confused by this - what bugs are you talking about? The only > bugs that 'can't be prevented by user configuration' would be in > the networking stack. And that applies just as much to Linux as it > does to Windows. > > Now yes, you can patch your kernel yourself on Linux, which you > can't on Windows - but when Shellshock came out, were you going > into Bash to patch it yourself? Or were you waiting for bash itself > to provide patches? > > Also, they can't buy Linux exploits? > >> and can't be recognized by public auditors because of the closed >> source code. > > That's true, it's definitely easier to audit open source than > Windows. But from a "is this bug serious" point of view - MSFT > gives pretty good insight into what they're patching and the impact > of it. "Public Auditors" (like myself) have a good deal of > confidence in understanding risk based on this information. For > example [0] [1] last month, You've got: 1 RCE in IE 1 RCE in .Net > WebApps with understanding about how to determine if you're > vulnerable 3 CE if you phish a user into opening a document or > browsing a website (two of them in office, not windows) 1 UXSS if > you phish someone 1 Local EOP in default config 1 Local EOP if it's > not a default configuration > > None of these are realistically exploitable on a Windows Server. > > On a tor relay on a Windows Server you've got (maybe) IIS running, > the Windows networking stack, and maybe but usually not RDP open to > the world. > > I can only think of two or three bugs in the last 3 years that > _could_ have been exploitable in that configuration. The weak > point is (as usual) whatever random web application the user has > running on the relay. (Ideally, none. But I expect most relays > that run on servers pull double duty.) > >> Market *nix exploits also exist, but (IIRC) they're much rarer >> and less expensive. > > I'm not sure 'rarer' and 'less expensive' go together, did you > mean more expensive? (I'll assume yes.) I don't like arguing > economics because I don't think either of us buys or sells > exploits, so everything is jus
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
On 5 November 2014 11:55, Libertas wrote: > I hope I don't sound too pompous saying this, but I really don't think > relays should run on Windows. Windows is the primary target of > weaponized and general exploits, Windows desktops, yes. Where users are browsing websites on IE, with plugins and Flash Player and old versions of Adobe Reader and Java. Windows Servers have none of those things, most importantly users fiddling around on them regularly. > and it's less secure than a properly > configured Unix distribution. Are you comparing a Linux Server to a Windows Desktop? Or a Linux Server to a Windows Server? If it's the latter - I'm going to disagree and try and provide supporting evidence... > This is especially relevant with potential adversaries like the > Chinese government, who can buy Windows exploits > that can't be > prevented by user configuration, I'm confused by this - what bugs are you talking about? The only bugs that 'can't be prevented by user configuration' would be in the networking stack. And that applies just as much to Linux as it does to Windows. Now yes, you can patch your kernel yourself on Linux, which you can't on Windows - but when Shellshock came out, were you going into Bash to patch it yourself? Or were you waiting for bash itself to provide patches? Also, they can't buy Linux exploits? > and can't be recognized by public > auditors because of the closed source code. That's true, it's definitely easier to audit open source than Windows. But from a "is this bug serious" point of view - MSFT gives pretty good insight into what they're patching and the impact of it. "Public Auditors" (like myself) have a good deal of confidence in understanding risk based on this information. For example [0] [1] last month, You've got: 1 RCE in IE 1 RCE in .Net WebApps with understanding about how to determine if you're vulnerable 3 CE if you phish a user into opening a document or browsing a website (two of them in office, not windows) 1 UXSS if you phish someone 1 Local EOP in default config 1 Local EOP if it's not a default configuration None of these are realistically exploitable on a Windows Server. On a tor relay on a Windows Server you've got (maybe) IIS running, the Windows networking stack, and maybe but usually not RDP open to the world. I can only think of two or three bugs in the last 3 years that _could_ have been exploitable in that configuration. The weak point is (as usual) whatever random web application the user has running on the relay. (Ideally, none. But I expect most relays that run on servers pull double duty.) > Market *nix exploits also > exist, but (IIRC) they're much rarer and less expensive. I'm not sure 'rarer' and 'less expensive' go together, did you mean more expensive? (I'll assume yes.) I don't like arguing economics because I don't think either of us buys or sells exploits, so everything is just hearsay. But it's definitely easier to write exploits for open source code than it is closed source. That would push the price down. They're also more common. I can point to several remotely exploitable bugs in Linux-land. I have a hard time pointing to equivalent bugs in the equivalent Windows subsystem. Big bugs are remotely exploitable, and they get remotely exploited, and have easy-to-use attack tools - regardless of platform. So going by that yardstick: nginx RCE (2013) vs IIS RCE (any?) several rails RCEs vs .Net Framework RCE (can't think of any, but maybe one or two somewhere) OpenSSL, which runs on Windows in Tor also, but I'm going to count as 'Linux' because Windows has its own SSL stack: SRTP DoS last month, Heartbleed, EarlyCCS vs MSFT SSL stack bugs (can't think of any) Linux networking stack (can't think of any) vs Windows (there was that one bug a couple years ago, can't recall all the details, but iirc no one managed to make an exploit out of it) OpenSSH (none) vs RDP (again, one a couple years ago, but it required open RDP, without Client Certificates, and while I think someone may have pulled off an exploit, I don't think it was public.) > It's possible that I'm wrong, though. Let me know if Windows is more > secure than I think. I think it is more secure than you think. On 5 November 2014 12:20, Niklas Kielblock wrote: > I'd agree simply because Windows presents a much larger attack surface. The > amount of code running on a minimal Unix installation plus Tor is a lot less > than a Windows system, especially network facing code. Running code, or network accessible code? Either way I don't see how you came to that calculation. 'Minimal' Unix + Tor + SSH restricted by SSH Key vs 'Minimal' Windows + Tor + RDP restricted by Client Certificate. I also don't know what you mean by 'minimal' as very few people actually configure their kernels themselves - most use debian/ubuntu. On the face, I'm not thinking Ubuntu is any more 'minimal' than Windows. I'm going off of my experience, which comes across in the
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
I'd agree simply because Windows presents a much larger attack surface. The amount of code running on a minimal Unix installation plus Tor is a lot less than a Windows system, especially network facing code. On 05/11/2014 18:55, Libertas wrote: I hope I don't sound too pompous saying this, but I really don't think relays should run on Windows. Windows is the primary target of weaponized and general exploits, and it's less secure than a properly configured Unix distribution. People running nodes, especially exit nodes, have a responsibility to their users, and I just don't think Windows is the best choice in that regard. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I hope I don't sound too pompous saying this, but I really don't think relays should run on Windows. Windows is the primary target of weaponized and general exploits, and it's less secure than a properly configured Unix distribution. People running nodes, especially exit nodes, have a responsibility to their users, and I just don't think Windows is the best choice in that regard. This is especially relevant with potential adversaries like the Chinese government, who can buy Windows exploits that can't be prevented by user configuration, and can't be recognized by public auditors because of the closed source code. Market *nix exploits also exist, but (IIRC) they're much rarer and less expensive. It's possible that I'm wrong, though. Let me know if Windows is more secure than I think. Libertas On 11/05/2014 11:15 AM, Tom Ritter wrote: > On 5 November 2014 03:04, grarpamp wrote: >> On Tue, Nov 4, 2014 at 12:25 PM, Libertas >> wrote: >>> I think it would be a good idea to add OpenBSD to doc/TUNING >>> because [...] promoting OpenBSD relays benefits the Tor >>> network's security. >> >> Absolutely. Not just due to OpenBSD's security positioning, but >> moreso from network diversity. Windows is its own world. > > I tried installing OpenBSD once... it was tough, heh. > > Coming from a Windows background, I like the idea of running more > nodes on (up-to-date, maintained) Windows servers. > > I'll also throw out the obvious that if we're talking about > diversity for the purposes of security, the network-accessible > parts of tor rely on OpenSSL, which would probably be difficult to > swap out, but might be worth it as an experiment. Even if it's to > LibreSSL. Maybe the zlib library also, but that one's had a lot > fewer problems than OpenSSL. > > -tom ___ tor-relays > mailing list tor-relays@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJUWmSgAAoJELxHvGCsI27NfukP/ie52CTXDH4sKGjArvPTeJZM 6IsZWmjobAfS+WzzfUGj0n2bPLgPF7t63532H5FVdZpdtYpKW1CfD9N2JIQ+QU/Y JtLjfUt94a98PyRj1K4+aCS7EhpCyrL6/xuOUuBe+7mtAOSSbMzItD85TEepMG6M foRTGgkYBLpfsHhi+UglA0MQGrR1TFK9uXlza7mEJKP+dll1ihjrYxf5HgP0wbXY j2TAXg319ldW1VddynJyux7cP0hiZ4yc8i5VvSwqPHe8BDc+MHy96gbqwLam3/XD yOkUNjItfcHfQfBCZh5F8S/qTKV7YJGD12EdBPclHkRCGULQ/gu2awVVEluWe/Q8 uYcYJKvG1BONr5/6ycIUUFVtWgZKnNrA+88bVkndvyAwqgTVcaJPYjj9yKemHysa xNyJYY3/DkiJa3UaLqZVzahe8HJYSanglWecIk/Jhk8JATS/dgca/ETaBWiJlTsC lC+vDj93wB7NxVdMdcnbeQZynTD38midDHJ+VYglMJuApCNils4OOJgI4D+5VJhQ 4xkOuBoNRFAsRqsXIzmUX3/5DkpJWCGL2rRxyqwXO1BRSck8ri6EOZ5jxJAznFoG izb2ykPPWWCemf/JaVPQLKPbahA4nvTIT0IH7PFgmg3ShDi6eU2fBWxJVwpNalOd 4FooMwRuainfoP+PGWm/ =Qa6H -END PGP SIGNATURE- ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING]
On 5 November 2014 03:04, grarpamp wrote: > On Tue, Nov 4, 2014 at 12:25 PM, Libertas wrote: >> I think it would be a good idea to add OpenBSD to doc/TUNING because [...] >> promoting OpenBSD relays benefits the Tor network's security. > > Absolutely. Not just due to OpenBSD's security positioning, but > moreso from network diversity. Windows is its own world. I tried installing OpenBSD once... it was tough, heh. Coming from a Windows background, I like the idea of running more nodes on (up-to-date, maintained) Windows servers. I'll also throw out the obvious that if we're talking about diversity for the purposes of security, the network-accessible parts of tor rely on OpenSSL, which would probably be difficult to swap out, but might be worth it as an experiment. Even if it's to LibreSSL. Maybe the zlib library also, but that one's had a lot fewer problems than OpenSSL. -tom ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays