Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread grarpamp
> I would like to propose that you take a look from a different perspective (and
> I thought from the mail subject the question will be about that) on this.
>
> To run an exit node from a VPS provider is not safer -- TO YOU -- than running
> an exit node from your personal home connection.
>
> This man[1] had his house raided and his computers confiscated because of a
> Tor Exit node that he was running **NOT EVEN AT HOME** but in a datacenter, in
> a different country, on a server that he was renting (of course in his name).
>
> From what I gather from discussions surrounding that incident, the only
> reasonably safe way (again - to you) to run an Exit Node, is to do so on an IP
> range that's SWIPed to an LLC or a similar company, and not just has one
> physical person (you) responsible for it.

Some providers accept Bitcoin, cash, MO's and the like. Alternatively,
companies in general (even small LLC's) often have lawyers, who have
formal business offices, and will often let/encourage all business registration,
whois, banking, etc... the use of that physical address while they are on
retainer under concerns as to legitimate privacy, mobile convenience, and
proper familiar and legal response to process of service.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread grarpamp
> On Tue, Aug 13, 2013  wrote:

VPS, containers, dedicated, encrypted disk, whatever...
it's all the same, the filesystem and bits on disk, particularly
when running, are exposed to whoever is holding the box.
Since it's not your box in your DC where you stand guard
24x7, nor have you audited Tor against remote exploit, all
bets regarding the Tor keys are void.

That said, reasonable gains to the limit of what tpo could do:
I've suggested that the controller be enhanced so that you
can add/drop/mod the controller access token and Tor keys
directly to a Tor in standby mode without ever requiring disk.
Some modes of node deployment/use are disposable anyway
so just autogenerate them and never write them out in that case.

It's better than most people's weak passphrase on
a disk based Tor key (not yet possible either) or cryptdisk
would be. And better than FS mounted ramdisk too. Yet
there's still dump memory or cold boot, but it's harder and
not immediately obvious as being necessary to do.

privatecore.com? Userland requires cleartext. At the app level you
could have the equivalent of the user kernel doing encryption within
its malloc(3/9), as with zeroing/randomizing today. And if the hypervisor
is doing it above and for the user kernel, then the whole per VM space
under that is internally accessible. Depending on what parts of the system
are exploited you could get some protection against trolling the ram of
other containers through non-zeroed ram and top level dumb dma/cold
dumps, excluding the encryption buffers. But that's probably it. And it
won't be fast. They don't have publicly posted whitepapers. It's software
and could be reimplemented by opensource projects.

Ultimately, if you don't own the entire physical and logical path
to your app, you can't trust it.


Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Moritz Bartl
On 13.08.2013 18:52, Tom Ritter wrote:
>> In my case, I keep
>> all the keys and [other sensitive data] on a partition that's created with
>> a random key at
>> boot time.  If the machine dies, the keys and messages are lost but,
>> such is the reliability of Debian, this hasn't happened yet.  I probably
>> reboot about once a year on average and have to remember to take copies
>> of these files prior to doing it.

For Tor specifically, you can shred/delete the keys from disk
completely, and only retain the copy in memory.

For further hardening and details on this, see
https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity

-- 
Moritz Bartl
https://www.torservers.net/


Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Tom Ritter
On 13 August 2013 11:51, Steve Snyder  wrote:
> Well, any VM host can mount and read an unencrypted disk image.
>
> I guess the difference is ease of snooping.  While access to disk contents
> and process info can be gotten by any hypervisor, some platforms make it
> easier than others.

Exactly, that's the name of the game here.  Let's raise the bar.
(Same with censorship bypassing - it's always going to be an arms
race.)

What one person I respect does is

> In my case, I keep
> all the keys and [other sensitive data] on a partition that's created with
> a random key at
> boot time.  If the machine dies, the keys and messages are lost but,
> such is the reliability of Debian, this hasn't happened yet.  I probably
> reboot about once a year on average and have to remember to take copies
> of these files prior to doing it.

So the hypervisor can, as always, look into the memory* of the running
guest and get that data, but if they shut down the node or machine
unexpectedly, you gain a little bit more security.

All that said... Tor nodes don't store state.  You aren't keeping
people's email, or even a pool of data for a couple of hours.  So this
level of security for a tor exit node is nice, but IMO you shouldn't
_not_ do an exit node because you aren't ready to set up a complicated
encrypted filesystem just yet.

-tom

* Steve Weis is a cryptographer who's working on a (commercial)
product that encrypts memory.  http://privatecore.com/
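Added example (not from this thread, and not Tor Project code): the "partition created with a random key at boot time" that Tom's quoted source describes, expressed as Debian crypttab/fstab entries, plus the follow-up step Moritz Bartl describes of removing the on-disk key copies once the running Tor holds them in memory. The device /dev/vdb1, the mapper name torkeys, the crypttab `tmp=ext4` option syntax and the PID file path are assumptions; /var/lib/tor/keys and the secret_* file names are Tor's real defaults.

```shell
#!/bin/sh
# Added example for the tor-relays thread above; not code from the thread.
# Assumed placeholders: spare block device /dev/vdb1, mapper name "torkeys",
# Tor key directory /var/lib/tor/keys, Debian PID file /run/tor/tor.pid.
set -eu

# Debian crypttab(5): keying the device from /dev/urandom with the "tmp"
# option re-keys and re-formats it at every boot, so the relay identity
# written there does not survive a shutdown or a host-side image copy.
# Caveat (as in the quoted message): keep an offline copy of the keys
# before rebooting, or the relay comes back with a new fingerprint.
crypttab_entry() {
    # $1 = mapper name, $2 = block device
    printf '%s %s /dev/urandom tmp=ext4,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# Matching fstab line: mount the throwaway filesystem on the key directory
# without device nodes, setuid binaries or executables. After the first boot
# chown the mount point to the Tor user (debian-tor) with mode 0700.
fstab_entry() {
    # $1 = mapper name, $2 = mount point
    printf '/dev/mapper/%s %s ext4 defaults,nodev,nosuid,noexec 0 0\n' "$1" "$2"
}

# Once Tor is up it holds its keys in memory; remove the on-disk copies.
# Refuses to act unless the given PID is alive, so a relay that failed to
# start is not left keyless. Prints the number of files removed.
# Caveat: on a VPS the provider's copy-on-write image or snapshots may keep
# old blocks no matter what shred does, which is why the random-key
# partition above is the stronger control.
remove_keys_from_disk() {
    # $1 = key directory, $2 = Tor PID
    dir=$1; pid=$2; n=0
    kill -0 "$pid" 2>/dev/null || { echo "tor ($pid) not running" >&2; return 1; }
    for f in "$dir"/secret_*; do
        [ -f "$f" ] || continue
        if command -v shred >/dev/null 2>&1; then shred -u -- "$f"; else rm -f -- "$f"; fi
        n=$((n + 1))
    done
    echo "$n"
}

# Usage after Tor has started (assumed Debian PID file path):
#   remove_keys_from_disk /var/lib/tor/keys "$(cat /run/tor/tor.pid)"
```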


Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Roman Mamedov
Hello,

I would like to propose that you take a look from a different perspective (and
I thought from the mail subject the question will be about that) on this.

To run an exit node from a VPS provider is not safer -- TO YOU -- than running
an exit node from your personal home connection.

This man[1] had his house raided and his computers confiscated because of a
Tor Exit node that he was running **NOT EVEN AT HOME** but in a datacenter, in
a different country, on a server that he was renting (of course in his name).

From what I gather from discussions surrounding that incident, the only
reasonably safe way (again - to you) to run an Exit Node, is to do so on an IP
range that's SWIPed to an LLC or a similar company, and not just has one
physical person (you) responsible for it.

[1]
http://www.zdnet.com/austrian-man-raided-for-operating-tor-exit-node-708133/

-- 
With respect,
Roman




Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Steve Snyder
On 08/13/2013 11:10 AM, Sindhudweep Sarkar wrote:
> Apologies if the reply goes to the wrong location in the thread.
>
> "... At least with Xen/KVM/VMware you're running on your own virtual disk..."
>
> Can't the virtual disk just be mounted by whoever has access? I don't think
> this is a large barrier to entry for anyone or a script looking for private
> keys. I could argue that pretty much every Mac user has been getting software
> in the form of disk images, and these possibly non-technical users seem to have
> no issues.


Well, any VM host can mount and read an unencrypted disk image.

I guess the difference is ease of snooping.  While access to disk 
contents and process info can be gotten by any hypervisor, some 
platforms make it easier than others.


Again, though: running an exit node in a VM is better than not running 
an exit node at all.



Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Sindhudweep Sarkar
Apologies if the reply goes to the wrong location in the thread.

"... At least with Xen/KVM/VMware you're running on your own virtual disk..."

Can't the virtual disk just be mounted by whoever has access? I don't
think this is a large barrier to entry for anyone or a script looking
for private keys. I could argue that pretty much every Mac user has
been getting software in the form of disk images, and these possibly
non-technical users seem to have no issues.


Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Steve Snyder
On 08/13/2013 09:04 AM, Sindhudweep Sarkar wrote:
> Hi,
>
> Over the past month I've been running a tor exit relay in a spare VPS
> machine that I am not using.
>
> It occurs to me now that this was probably a very poor idea, as I can't
> control the physical access to the machine or encrypt the private key.


Running an exit node in a VM is better than not running an exit node at all.

That said, not all virtualization is created equally.  An OpenVZ 
container (which is really not virtualization at all) leaves all your 
files being just files on the host disk.


Anyone on the host console can just do a "locate fingerprint" to see 
those files in all containers and can list the processes running to see 
your relay.


At least with Xen/KVM/VMware you're running on your own virtual disk, 
and are running all processes in a self-contained environment.  The 
traffic can still be sniffed by the host, of course, but you get more 
privacy than you would in an OpenVZ container.



Re: [tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Moritz Bartl
On 13.08.2013 15:04, Sindhudweep Sarkar wrote:
> Over the past month I've been running a tor exit relay in a spare VPS
> machine that I am not using.
> It occurs to me now that this was probably a very poor idea, as I can't
> control the physical access to the machine or encrypt the private key.

This is a very valid question. So far, we have weighed in favor of
"more exit capacity". If you require all exits to be on dedicated
machines, you lose a lot of diversity and thus, potentially, anonymity.

Of course, you should prefer dedicated machines over virtual machines,
and own hardened hardware over off-the-shelf servers. We're not yet in a
(well-funded?) state where we can expect everyone to do this.

-- 
Moritz Bartl
https://www.torservers.net/


[tor-relays] Is it safe to run an exit node from a VPS provider?

2013-08-13 Thread Sindhudweep Sarkar
Hi,

Over the past month I've been running a tor exit relay in a spare VPS
machine that I am not using.

It occurs to me now that this was probably a very poor idea, as I can't
control the physical access to the machine or encrypt the private key.

In the good bad ISPs page, I see that some cloud providers are listed (AWS,
etc). This implies that such a practice is okay, but if Linode or a malicious
party wanted to read the contents of /var/lib/tor/keys I don't think they'd
have any difficulty whatsoever. How do folks secure their relay's keys in a
VPS environment? Or should I shut down this relay and run a relay only when I
am sure the keys are secured?


-JB