Re: [tor-relays] new relays
I feel like you are SO missing the point. Making Tor block morally horrible things does not involve telling exit nodes to block traffic to known porn sites. The porn sites with the boobies that someone might hit on port 80 on the public internet represent the Catholic Church of porn, metaphorically-speaking. The truly terrible stuff is hidden to where you as an exit node operator would never be able to simply block it by IP address or domain name.

It seems clear that it would require designing into Tor the ability to inspect the content of its packets in the unencrypted form, plus be able to be configured to identify and reject files with certain identifiable signatures. This capability would have to be implemented in all nodes, in order to detect the reject-files should they come from the .onion sites. That kind of capability would damage Tor's anonymity at the technical level (/understate).

If someone believes that making a G-rated Tor is a good idea, they must not be considering the wisdom behind why it was designed the way it was, with each node not knowing the nature of the data it passes. The same technical characteristics which protect the investigators and whistleblowers and rights of humanity will also by their nature protect the boobie-watchers. Think about this, understand this. It is not about the concept of anonymity and privacy, it's about the technical requirements necessary to provide it in the face of the hostile environment we have now.

On Sunday 01/09/2013 at 5:48 pm, Jon Gardner wrote:

On Aug 28, 2013, at 5:09 PM, Roger Dingledine a...@mit.edu wrote:

On Tue, Aug 27, 2013 at 11:12:01PM +0200, Tor Exit wrote:

Why is it so bad if a Tor exit operator tries to match the use of their node with their own moral beliefs?

I really would like to support this if I could.

I appreciate your kind and well-reasoned response, Roger.

For those others who, through (unkind, often poorly spelled, and logically flawed) mockery and name-calling, hypocritically demanded censorship of the very idea that individual liberty necessarily involves individual moral responsibility, I have composed a poem.

A few puerile punks would use Tor
To browse for big boobs, nothing more
Rights of humanity
Was just false piety
So bit by bit all the web closed the door.

If you want to use Tor for immoral things, go ahead--it will obviously accommodate you--but please stop pretending to speak for those of us who run Tor nodes because we actually care about human rights and liberty, and aren't just using those nice catch-phrases as a cover for licentiousness and mindless self-gratification. You're a large part of the reason that Tor is technology non grata in so many places, to so many people that would otherwise fully support its mission.

Hugs,
Jon

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] new relays
I'm not sure if this applies but - http://thenextweb.com/asia/2013/08/01/vietnam-adopts-regulations-to-ban-internet-users-from-sharing-news-reports-online/

Sustain

On Sun, Sep 1, 2013, at 05:43 PM, Jon Gardner wrote:

On Aug 28, 2013, at 5:09 PM, Roger Dingledine a...@mit.edu wrote:

On Tue, Aug 27, 2013 at 11:12:01PM +0200, Tor Exit wrote:

Why is it so bad if a Tor exit operator tries to match the use of their node with their own moral beliefs?
Re: [tor-relays] new relays
This is why we need to implement extended exit flags for exits that want to run post-exit filtering/enhancement policies, say for example noporn that way we can get all the religious groups dumping their tithes into not just beaming reruns of the 700 club around the world, but a pile of uber fast exits too.

What a disastrous notion; the exit policy system works because clients can predict in advance whether an exit will pass a given connection; it depends only on the destination host/port.

It works because clients can reject some exits they figure they shouldn't waste their time on trying and can proceed trying matching ones. And because the matching ones have historically not been much problem. Predicting the future behavior of exits based on their past, or their current statements, is an odds game some wouldn't put much faith in.

That could never be the case for any of these.

As with dest ip:port, clients could similarly manage exits based on their postfilter flags. It could work for various purposes but it was more meant ...

And how about novirus delivered by microsoft doublesyourcoins propped up by the donations of fools trusted run by legit governments

Oh, please, do tell where you expect to find a 'legit' government and why one should 'trust' it?

... forthelols ... which would replace all web pages with (re-read as humor) proposals like this when tor-*@ is busy being too serious, flips the occasional bird to each other in threads, etc ;)

Hopefully all the plaintext protocols will die soon and some replacement for the CA cert model is agreed upon so that there isn't much left to bet on exitwise but the dest ip:port working.
Re: [tor-relays] new relays
On 08/30/2013 08:05 PM, Andrea Shepard wrote:

[snip]

If I were going to work on filtering by technical means, it'd be filters to keep neo-Puritans like you out of my life, thanks.

Well said. This whole thread is example 87653478965432 of the censorship is A-OK if I don't like it mindset.

Maybe we need a competitor to Tor, a privacy network that only allows pictures of cute kittens and puppies as traffic.
Re: [tor-relays] new relays
This thread did go goofy and bad (and off-topic, given the subject in the emails). It seems clear that there are important reasons Tor could never begin examining/taking direct responsibility for/filtering the content that flows through it (as opposed to disallowing specific ports, which is different). Asking for this seems naive.

On Saturday 31/08/2013 at 8:54 am, Steve Snyder wrote:

On 08/30/2013 08:05 PM, Andrea Shepard wrote:

[snip]

If I were going to work on filtering by technical means, it'd be filters to keep neo-Puritans like you out of my life, thanks.

Well said. This whole thread is example 87653478965432 of the censorship is A-OK if I don't like it mindset.

Maybe we need a competitor to Tor, a privacy network that only allows pictures of cute kittens and puppies as traffic.
Re: [tor-relays] new relays
On Wed, 28 Aug 2013 07:22:16 +0200 Andreas Krey a.k...@gmx.de allegedly wrote:

On Tue, 27 Aug 2013 23:12:01 +, Tor Exit wrote:

GET /index.php?file=../../../../../../../etc/passwd

Why not employ similar techniques on a Tor exit? We can be 100% sure about the malicious intent.

No, you can't be sure. That request could quite well be totally legitimate; you are not in a position to judge for the site owner.

Absolutely true. I could be using tor to test my own website's security mechanisms. In fact, I /have/ used tor to test my own websites..

Best
Mick

-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
On Tue, 27 Aug 2013 19:34:13 -0700 Andy Isaacson a...@hexapodia.org allegedly wrote:

If only there were a separate TCP port for HTTP-with-Porn and all the pornographers used it, then an exit policy for HTTP-without-porn would be possible. But alas, we don't even have vague agreement on what constitutes porn, much less a social contract requiring all pornographers to segregate their traffic for our convenience.

RFC6969, Pornographic HTTP. #ideasforapril1

Wonderful! Love it.

(I have often pondered the possibility of a DPI porn filter which rejects traffic based on the proportion of flesh coloured packets to the total or some such nonsense. Second order problem - define flesh coloured.)

Best
Mick

-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
HTTP-without-porn should be called BurkaHTTP. I'm sure there's a backronym that will fit…

On Aug 28, 2013 4:15 AM, mick m...@rlogin.net wrote:

On Tue, 27 Aug 2013 19:34:13 -0700 Andy Isaacson a...@hexapodia.org allegedly wrote:

If only there were a separate TCP port for HTTP-with-Porn and all the pornographers used it, then an exit policy for HTTP-without-porn would be possible. But alas, we don't even have vague agreement on what constitutes porn, much less a social contract requiring all pornographers to segregate their traffic for our convenience.

RFC6969, Pornographic HTTP. #ideasforapril1

Wonderful! Love it.

(I have often pondered the possibility of a DPI porn filter which rejects traffic based on the proportion of flesh coloured packets to the total or some such nonsense. Second order problem - define flesh coloured.)

Best
Mick

-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
On 08/27/2013 05:12 PM, Tor Exit wrote:

Why is it so bad if a Tor exit operator tries to match the use of their node with their own moral beliefs?

Exercising one's moral beliefs can censor others. It would make it implicitly okay for exit node operators to decide to not relay traffic destined to sites about religion, LGBT issues, censorship, political beliefs, alternative social systems.. aren't these things that Tor is used to give people access to?

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
Jack the sound barrier. Bring the noise.
Re: [tor-relays] new relays
On Tue, Aug 27, 2013 at 11:12:01PM +0200, Tor Exit wrote:

Why is it so bad if a Tor exit operator tries to match the use of their node with their own moral beliefs?

I really would like to support this if I could. Specifically, I'd love a way for exit relay operators to only allow people to do things *via their exit relay* that they're comfortable with.

The trouble is, I only want to do it if we can have a way for Tor clients to automatically learn what each exit will allow, so they can pick an exit that will allow their connection.

We have that working with exit policies right now: each relay advertises what IP blocks and ports it will allow, and then clients learn all the exit policies and automatically choose an exit that will support their stream. See Andy's post for details:
https://lists.torproject.org/pipermail/tor-relays/2013-August/002560.html

The trouble with more fine-grained approaches, where you look at the content of the communication rather than the address of it, is that the Tor client doesn't know the entirety of the communication when it's selecting the path to use. This seems like an inherent contradiction, especially since the client will need to know, ahead of time, everything the *destination* (e.g. website) will send too.

(Ok, that's just the technical trouble. There are also legal troubles with filtering some things you consider bad while not filtering everything that anybody could consider bad. See the EFF Tor legal faq.)

--Roger
Re: [tor-relays] new relays
On Aug 22, 2013, at 11:56 AM, mick m...@rlogin.net wrote:

The other thing that I am weighing is just a moral question regarding misuse of the Tor network for despicable things like child porn. I understand that of all the traffic it is a small percentage and that ISPs essentially face the same dilemma, but I wonder if more can be done to make Tor resistant to evil usage.

Tor is neutral. You and I may agree that certain usage is unwelcome, even abhorrent, but we cannot dictate how others may use an anonymising service we agree to provide. If you have a problem with that, you probably should not be running a tor node.

Then why have exit policies? Exit nodes regularly block unwelcome traffic like bittorrent, and there's only a slight functional difference between that and using a filter in front of the node to block things like porn (which, come to think of it, also tends to be a bandwidth hog like bittorrent--so it doesn't have to be just a moral question). If someone has a problem with exit nodes blocking things like porn (or bittorrent, or...), then they probably should not be using Tor.

The very idea of Tor is based on moral convictions (e.g., that personal privacy is a good thing, that human rights violations and abuse of power are bad things, etc.). So Tor is most definitely not neutral, nor can it be--because, if it is to exist and flourish, those moral convictions must remain at its foundation. One cannot on the one hand claim that human rights violations are wrong while on the other hand claiming that pornography (especially child porn) is right. If one wants further proof that Tor has a moral component, one has only to visit http://www.torproject.org, click the About Tor link, and notice the discussion points. I doubt that anyone could convince the Tor team to add ...for unfettered access to pornography... as a bullet point under Why we need Tor.

The Tor devs go to great lengths to try to keep evil governments from using Tor against itself. Why not devote some effort toward keeping evil traffic off of Tor? Given the fact that we need more relays is the common mantra, it seems to me that if the Tor community could come up with a technical answer to address at least some of the most egregious abuses of Tor--things like child porn, or even porn in general, that either have nothing to do with Tor's foundational mission, or (like child porn) are antithetical to it--the result would be greater public support for the technology, and a wider deployment base.

It's worth discussion.

Jon
Re: [tor-relays] new relays
On Tue, 27 Aug 2013 11:08:34 +, Jon Gardner wrote:

...

Then why have exit policies?

To keep spammers at bay (or getting your exit blacklisted); to keep traffic at bay (bittorrent), to keep law harassment at bay (again bittorrent, others as well).

Exit nodes regularly block unwelcome traffic like bittorrent, and there's only a slight functional difference between that and using a filter in front of the node to block things like porn

The point is that the exit policy is a decision of the exit operator in question, not of the network as a whole. If you want to access something you just need to find some exit that allows it.

Who should even decide what 'porn' means, or do you expect each exit operator to maintain his own blacklist?

The very idea of Tor is based on moral convictions (e.g., that personal privacy is a good thing, that human rights violations and abuse of power are bad things, etc.). So Tor is most definitely not neutral, nor can it be--because, if it is to exist and flourish, those moral convictions must remain at its foundation.

No. The underlying conviction of tor is that communication shall be free, not censored. Besides there is pretty little whose transport via a network should reasonably be illegal.

One cannot on the one hand claim that human rights violations are wrong while on the other hand claiming that pornography (especially child porn) is right. If one wants further proof that Tor has a moral component, one has only to visit http://www.torproject.org, click the About Tor link, and notice the discussion points. I doubt that anyone could convince the Tor team to add ...for unfettered access to pornography... as a bullet point under Why we need Tor.

No. But if you want to ensure unfettered access to X, that necessarily implies unfettered access to Y, for any values of X and Y. Any means to disable access to Y implies that the tor network can be forced as well to disable access to X.

The Tor devs go to great lengths to try to keep evil governments from using Tor against itself. Why not devote some effort toward keeping evil traffic off of Tor? Given the fact that we need more relays is the common mantra, it seems to me that if the Tor community could come up with a technical answer to address at least some of the most egregious abuses of Tor--things like child porn, or even porn in general, that either have nothing to do with Tor's foundational mission, or (like child porn) are antithetical to it--the result would be greater public support for the technology, and a wider deployment base.

What do you think how long it takes, when we block X, we start getting requests (or worse, think NSL) to block Y. The moment tor gets a global block list I will pull the plug on my relays.

Besides: You didn't mention any idea how to actually find and enumerate the things you apparently want to block. Or how not to overblock. There isn't even a government entity that has this problem solved.

Andreas

--
Totally trivial. Famous last words.
From: Linus Torvalds torvalds@*.org
Date: Fri, 22 Jan 2010 07:29:21 -0800
Re: [tor-relays] new relays
On 08/28/2013 12:08 AM, Jon Gardner wrote:

Then why have exit policies? Exit nodes regularly block unwelcome traffic like bittorrent, and there's only a slight functional difference between that and using a filter in front of the node to block things like porn (which, come to think of it, also tends to be a bandwidth hog like bittorrent--so it doesn't have to be just a moral question).

I do not wish to comment on the morality or desirability of traffic filters, but on the implementation: It is much easier to block the majority of BitTorrent traffic than it is to block specific content served through HTTP.

Torrent traffic can be blocked by the reduced exit policy https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy, which is a static whitelist of ports to allow. To do the same thing for content over HTTP, one would have to maintain a dynamic blacklist of IPs (or IP/port combinations) to block, which is much more challenging.

An even more challenging alternative would be to implement deep packet inspection https://en.wikipedia.org/wiki/Deep_packet_inspection at the exit nodes---I think this is completely unpalatable to most Tor developers and exit node operators (and maybe illegal under US wiretapping laws).

Vincent
Re: [tor-relays] new relays
On Tue, 27 Aug 2013 11:08:34 -0500 Jon Gardner j...@brazoslink.net allegedly wrote:

On Aug 22, 2013, at 11:56 AM, mick m...@rlogin.net wrote:

Tor is neutral. You and I may agree that certain usage is unwelcome, even abhorrent, but we cannot dictate how others may use an anonymising service we agree to provide. If you have a problem with that, you probably should not be running a tor node.

Then why have exit policies? Exit nodes regularly block unwelcome traffic like bittorrent, and there's only a slight functional difference between that and using a filter in front of the node to block things like porn (which, come to think of it, also tends to be a bandwidth hog like bittorrent--so it doesn't have to be just a moral question). If someone has a problem with exit nodes blocking things like porn (or bittorrent, or...), then they probably should not be using Tor.

The very idea of Tor is based on moral convictions (e.g., that personal privacy is a good thing, that human rights violations and abuse of power are bad things, etc.).

Nope. Not in my view. Tor's USP is anonymity of access to any and all network resources. I say again, tor is neutral. It cares not about what those resources are - it just shovels bits. And as a relay operator I cannot say that bits of type A are OK to retrieve but not bits of type B. I do not even know what type of bits are transferred. As someone else here said censorship implies surveillance.

The Tor devs go to great lengths to try to keep evil governments from using Tor against itself. Why not devote some effort toward keeping evil traffic off of Tor?

Define evil (or its converse good). I'd bet that given any random selection of people in a room you'd get a broad spectrum of views. The only way you can safely meet /all/ those views is not to take a position at all and remain neutral. I repeat tor is neutral.

It's worth discussion.

I agree.

Best
Mick

-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
The Tor devs go to great lengths to try to keep evil governments from using Tor against itself. Why not devote some effort toward keeping evil traffic off of Tor?

I agree. Why not block the most obvious abuse? All professional Apache webservers install a module named 'mod_secure' that will filter out trivial hacking attempts such as:

GET /index.php?id=123 OR 1=1
GET /index.php?file=../../../../../../../etc/passwd

Why not employ similar techniques on a Tor exit? We can be 100% sure about the malicious intent. The examples above are not a matter of taste/moral conviction/opinion, so why not implement a 'mod_security'-like filter in Tor?

Define evil (or its converse good). I'd bet that given any random selection of people in a room you'd get a broad spectrum of views. The only way you can safely meet /all/ those views is not to take a position at all and remain neutral.

Yes, this is a gray area. Moreover, there is not a solid technical solution to reliably label or classify content. However, suppose that in ten years technology has advanced and we can reliably classify websites as gay porn, controversial political views, child porn, weapons, etc. Then I see no harm in a tor exit operator to choose an exit policy that matches his own moral beliefs. Don't forget Tor exits are operated by volunteers that donate time and money to provide anonymity and provide access to content they think is important to the world and should be freely accessible at all cost. Others may regard this as censorship, but they are free to operate a Tor exit node themselves to provide access to more grim content.

Everybody has their own reasons to join the torproject. Be it providing access to information for those living under an oppressing regime, or because they don't want their health care insurance to know what diseases they search on Google, or because they have a sexual orientation that is unacceptable in the community they live in.

Why is it so bad if a Tor exit operator tries to match the use of their node with their own moral beliefs?
Re: [tor-relays] new relays
On 13-08-27 05:12 PM, Tor Exit wrote:

The Tor devs go to great lengths to try to keep evil governments from using Tor against itself. Why not devote some effort toward keeping evil traffic off of Tor?

I agree. Why not block the most obvious abuse? All professional Apache webservers install a module named 'mod_secure' that will filter out trivial hacking attempts such as:

GET /index.php?id=123 OR 1=1
GET /index.php?file=../../../../../../../etc/passwd

Why not employ similar techniques on a Tor exit? We can be 100% sure about the malicious intent. The examples above are not a matter of taste/moral conviction/opinion, so why not implement a 'mod_security'-like filter in Tor?

Define evil (or its converse good). I'd bet that given any random selection of people in a room you'd get a broad spectrum of views. The only way you can safely meet /all/ those views is not to take a position at all and remain neutral.

Yes, this is a gray area. Moreover, there is not a solid technical solution to reliably label or classify content. However, suppose that in ten years technology has advanced and we can reliably classify websites as gay porn, controversial political views, child porn, weapons, etc. Then I see no harm in a tor exit operator to choose an exit policy that matches his own moral beliefs. Don't forget Tor exits are operated by volunteers that donate time and money to provide anonymity and provide access to content they think is important to the world and should be freely accessible at all cost. Others may regard this as censorship, but they are free to operate a Tor exit node themselves to provide access to more grim content.

Everybody has their own reasons to join the torproject. Be it providing access to information for those living under an oppressing regime, or because they don't want their health care insurance to know what diseases they search on Google, or because they have a sexual orientation that is unacceptable in the community they live in.

Why is it so bad if a Tor exit operator tries to match the use of their node with their own moral beliefs?

You can do that if you choose, but consequences may include:

- getting listed as a BadExit: https://trac.torproject.org/projects/tor/wiki/doc/badRelays
- becoming liable for not stopping illegal activity passing through your node, or get charged with illegal wiretapping. See the Snoop question in: https://www.torproject.org/eff/tor-legal-faq.html.en
- creating uncertainty about whether exit node operators snoop on traffic or retain data, which puts all of them at risk of being seized during police investigations;
- impeding police investigations of the evil sites: https://www.torproject.org/about/torusers.html.en#lawenforcement
Re: [tor-relays] new relays
On Tue, Aug 27, 2013 at 11:08:34AM -0500, Jon Gardner wrote:

Then why have exit policies? Exit nodes regularly block unwelcome traffic like bittorrent, and there's only a slight functional difference between that and using a filter in front of the node to block things like porn

The exit policy is a public statement to the Tor network by the exit node about what traffic it is willing to transport. Users who wish to use a particular TCP port can consult the consensus and find an exit node which meets their needs.

By contrast, a porn blacklist would presumably prevent particular HTTP requests from being satisfied, based on analysis of the contents of the requests. In other words, the pornfiltering-exit-node offered to transport port 80, but then reneged on the offer when it looked inside the box and didn't like what it found.

If only there were a separate TCP port for HTTP-with-Porn and all the pornographers used it, then an exit policy for HTTP-without-porn would be possible. But alas, we don't even have vague agreement on what constitutes porn, much less a social contract requiring all pornographers to segregate their traffic for our convenience.

RFC6969, Pornographic HTTP. #ideasforapril1

Consider http://www.ietf.org/rfc/rfc3514.txt --

Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the evil bit, in the IPv4 header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

-andy
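[Added example, not part of the thread and not Tor's own code: a sketch of the destination-only exit selection that Roger's and Andy's messages describe, next to a content filter of the kind proposed earlier, to show where the client's prediction and the exit's behaviour part ways. The relay names, policies, the 203.0.113.10 address, the function names and the first-match/default-reject handling are assumptions of this sketch; only IPv4 is handled.]

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: ipaddress.IPv4Network
    port_lo: int
    port_hi: int


def parse_rule(line):
    """Parse one 'accept|reject ADDR[/MASK]:PORT' line (PORT may be *, N or N-M)."""
    action, target = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in {line!r}")
    addr, _, port = target.rpartition(":")
    network = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {line!r}")
    return Rule(action == "accept", network, lo, hi)


def exit_allows(policy_lines, dest_ip, dest_port):
    """First matching rule wins. The only inputs are destination address and port."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in map(parse_rule, policy_lines):
        if ip in rule.network and rule.port_lo <= dest_port <= rule.port_hi:
            return rule.accept
    return False  # assumption of this sketch: no matching rule means refused


# Constructed relays and policies, not taken from any real consensus.
RELAYS = {
    "exitA": ["reject 10.0.0.0/8:*", "accept *:80", "accept *:443", "reject *:*"],
    "exitB": ["accept *:22", "accept *:443", "reject *:*"],   # static port whitelist
    "exitC": ["reject *:6881-6999", "accept *:*"],            # blocks a torrent range
}


def pick_exits(relays, dest_ip, dest_port):
    """What a client can compute before it has sent a single byte of payload."""
    return sorted(name for name, policy in relays.items()
                  if exit_allows(policy, dest_ip, dest_port))


def hypothetical_content_filter(request_line):
    """Stand-in for the 'mod_security'-like filter proposed in the thread."""
    return "../" not in request_line and " OR 1=1" not in request_line


def stream_outcome(policy_lines, dest_ip, dest_port, request_line):
    """Return (what the client could predict, what a filtering exit would do)."""
    predicted = exit_allows(policy_lines, dest_ip, dest_port)
    delivered = predicted and hypothetical_content_filter(request_line)
    return predicted, delivered


if __name__ == "__main__":
    print("port 80   ->", pick_exits(RELAYS, "203.0.113.10", 80))
    print("port 6881 ->", pick_exits(RELAYS, "203.0.113.10", 6881))
    # A site owner testing their own server through Tor, as in Mick's message:
    own_test = "GET /index.php?file=../../../../../../../etc/passwd"
    for request in ("GET /index.html", own_test):
        print(request, "->", stream_outcome(RELAYS["exitA"], "203.0.113.10", 80, request))
```

[The second request is accepted by the advertised policy and then dropped by the filter, so the client picked an exit that could not carry its stream and had no way to know that in advance.]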
Re: [tor-relays] new relays
On Tue, 27 Aug 2013 23:12:01 +, Tor Exit wrote:

GET /index.php?file=../../../../../../../etc/passwd

Why not employ similar techniques on a Tor exit? We can be 100% sure about the malicious intent.

No, you can't be sure. That request could quite well be totally legitimate; you are not in a position to judge for the site owner.

(I'm just fighting against a 'transparent proxy' that thinks POST with more than 1000 bytes are evil. Please don't add more points of failure to an already fragile web.)

Andreas

--
Totally trivial. Famous last words.
From: Linus Torvalds torvalds@*.org
Date: Fri, 22 Jan 2010 07:29:21 -0800
Re: [tor-relays] new relays
You cannot make Tor resistant to evil usage. Evil usage is defined by your personal morals on one level, and by governments via the laws they enact and prosecute on the other level. Tor's raison d'etre is to allow people to use the internet freely when their personal morals and their government's collide.

You could put a censoring proxy in front of your exit node. But that would defeat the purpose of Tor entirely...

Other people will have to comment on the possible problems you face operating a tor node in the Netherlands via a US company being in the US. That should be a common enough scenario to find a few people who have done that.

Best,
Luke

2013/8/22 a432511 a432...@mail49.org:

Hello all,

I just spun up 2 relays (1 exit, 1 non-exit) in Amsterdam using DigitalOcean as the VPS provider. It's been up for about 8 hours now. Here was the message I sent to them regarding the servers:

/* Quote

Hello,

I just spun up a couple servers in Amsterdam to act as relays in the Tor network (see https://www.torproject.org/about/overview.html.en). I just wanted to file this ticket so that you were aware of those servers' purpose. One is simply a non-exit relay meaning that all traffic is encrypted and ultimately routed to another tor server before it connects to the destination IP (no risk there). The other is an exit relay that establishes the final connection for the client. This box has a bit more risk because its IP will be used for the connection. Now, according to law, the exit relay cannot be held responsible for the traffic because it is merely a pass-through server with no knowledge of the traffic - much like any ISP - but there hasn't been a firm legal precedent set yet to my knowledge.

The purpose of the Tor server is to facilitate internet traffic for those that might be subject to laws that censor legitimate content (China, North Korea, Iran, etc...). It also acts as a safety net for the press so that they cannot be easily tracked when working on dangerous assignments.

I read a couple other forum posts regarding your TOC and saw that you pass the liability on to the customer because you don't have control over what each droplet is used for. This is in essence the exact same case with a Tor relay. I have configured my exit relay to block a large number of ports that are typically used for torrents to reduce the possibility of any complaints.

Please let me know if you have any questions.

Thanks,
Adam

End Quote */

And here is their response:

/* Quote

Hello,

While TOR exit-nodes are allowed under our TOS we strongly discourage them because of the abuse complaints they generate. As you mentioned, you are responsible for any traffic generated by your droplets. While in the future there may be a precedent that grants safe-harbor status to TOR exit nodes, there is no such precedent under US Law at this time and the responsibility remains with you. You will be responsible to resolve any abuse complaints lodged against you related to this droplet.

If we can be of any further assistance please let us know.

Thanks
Ryan

Posted on 08/22/13 at 13:49
Ryan Quinn

End Quote */

I am based out of the US. Is there anything I should be careful with hosting an offshore Tor exit node? I already used the limited tor port list that was in the wiki.

The other thing that I am weighing is just a moral question regarding misuse of the Tor network for despicable things like child porn. I understand that of all the traffic it is a small percentage and that ISPs essentially face the same dilemma, but I wonder if more can be done to make Tor resistant to evil usage.

Thanks.
Re: [tor-relays] new relays
On 2013-08-22 17:28, Lukas Erlacher wrote:

> You could put a censoring proxy in front of your exit node. But that would defeat the purpose of Tor entirely...

... and will eventually lead to your relay being flagged as a bad exit node. Tampering with exit traffic is strongly discouraged [1].

Paul

[1] https://trac.torproject.org/projects/tor/wiki/doc/badRelays
Re: [tor-relays] new relays
On Thu, 22 Aug 2013 08:45:33 -0500 a432511 a432...@mail49.org allegedly wrote:

> I just spun up 2 relays (1 exit, 1 non-exit) in Amsterdam using DigitalOcean as the VPS provider. It's been up for about 8 hours now. Here was the message I sent to them regarding the servers:

I have three DigitalOcean VMs. One in Amsterdam is a (non-exit) relay (https://baldric.net/2013/01/13/what-a-difference-a-gig-makes/), the other two, in San Francisco and NYC, are tails mirrors.

/Before/ starting the tor relay I specifically asked DO if they had any problems with tor. They told me much what they have apparently told you. Certainly I gained the impression that they would not be happy if their IP addresses appeared in abuse complaints. (https://www.digitalocean.com/community/questions/tor)

I followed up that conversation in a support ticket and they have been fine with me running a relay ever since.

> The other thing that I am weighing is just a moral question regarding misuse of the Tor network for despicable things like child porn. I understand that of all the traffic it is a small percentage and that ISPs essentially face the same dilemma, but I wonder if more can be done to make Tor resistant to evil usage.

Tor is neutral. You and I may agree that certain usage is unwelcome, even abhorrent, but we cannot dictate how others may use an anonymising service we agree to provide. If you have a problem with that, you probably should not be running a tor node.

Best

Mick

Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
Re: [tor-relays] new relays
On 22.08.2013 15:45, a432511 wrote:

> I just spun up 2 relays (1 exit, 1 non-exit) in Amsterdam using DigitalOcean as the VPS provider. It's been up for about 8 hours now.

Thank you and good luck!

> While in the future there may be a precedent that grants safe-harbor status to TOR exit nodes, there is no such precedent under US Law at this time and the responsibility remains with you.

You might want to point them to https://www.torproject.org/eff/tor-dmca-response.html.en , which was written by EFF lawyers specifically about US law.

[...] Therefore, you should continue to be protected under the DMCA 512(a) safe harbor without taking any further action.

--
Moritz Bartl
https://www.torservers.net/
Re: [tor-relays] new relays
I currently have 4 non-exits with DigitalOcean providing approximately 160mb/s of bandwidth. They've been up for about a month now and I've not run into any issues with DigitalOcean staff.

With that in mind - I also had an exit up for about a month and I never heard anything from them either (just comply with DMCA/etc.) and provide the url that Moritz has given; they haven't ever questioned it.

I'm excited to be an operator!

Thanks,
Stracci
Systems Admin
www.mcbans.com

- Original Message -
From: Moritz Bartl mor...@torservers.net
To: tor-relays@lists.torproject.org
Sent: Thursday, August 22, 2013 1:02:12 PM
Subject: Re: [tor-relays] new relays

On 22.08.2013 15:45, a432511 wrote:

> I just spun up 2 relays (1 exit, 1 non-exit) in Amsterdam using DigitalOcean as the VPS provider. It's been up for about 8 hours now.

Thank you and good luck!

> While in the future there may be a precedent that grants safe-harbor status to TOR exit nodes, there is no such precedent under US Law at this time and the responsibility remains with you.

You might want to point them to https://www.torproject.org/eff/tor-dmca-response.html.en , which was written by EFF lawyers specifically about US law.

[...] Therefore, you should continue to be protected under the DMCA 512(a) safe harbor without taking any further action.

--
Moritz Bartl
https://www.torservers.net/