Re: [tor-relays] T-shirts and Confirming Relay Control
Being fairly new to the tor project I can see where he is getting at with the difficulty of helping out. I can deffinantly see having a single person to contact to try and find things to do would be important. While I agree that volunteers should not be babysat there should be someone that has a bunch of tasks to pass off to those who is interested. I would be more than willing to dedicate time to do something like this, I think it could be seriously useful to newer people in the community. In my mind a volunteer coordinator would not babysit but provide things that may be suited for a particular skill set. Then a little later down the line touch base with person to see if they encountered any issues. Side note: getting a little off track here. Would there be a better place for a discussion like this? Tim Original message From: Matthew Finkel Date:06/05/2015 02:14 (GMT+08:00) To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] T-shirts and Confirming Relay Control On Tue, May 05, 2015 at 01:57:04PM +, Speak Freely wrote: > Matthew Finkel, > > It's kind of disingenuous to suggest "If you want to work on something, > then please come work on it, we really are overloaded." > I'm really sorry you interpretted it in that way. It actually was a genuine request for more help. > You have to let us work on it, for us to work on it. Do you understand > the problem? Sure, that is a problem, but what is the problem? It seems this dilemma is reoccurring and not getting solved. Someone says they are willing to help work on something, possibly someone else says "great! we need your help!" then nothing happens. Was it an empty offer or did the offer die because no one followed up with the person? Having a volunteer coordinator might help - I hope it would help - but what's the best way to organize that? Is it the responsibly of some people associated with The Tor Project to follow up on every offer they receive or is it the responsibility of the person who made the offer to follow up and get involved? Maybe both? > > To The Inner Circle (The Tor Project People), > > I am at the very least the third person to mention in this thread that > we have offered to help. No one responded to my offers. I'm pretty sure > at least some of their offers were ignored as well, though I can't be > bothered to double check. :( I don't know. Obviously, not receiving a response sucks. I completely understand that. Tor's work and day-to-day coordination is heavily based around IRC, so the mailing lists are not great places for offering help. This whole situation seems to be less about an inner circle existing, and more about a disconnection between the announcements and discussions on the mailing lists and what happens on IRC. I don't know of a good way to bridge this gap, though. > > I get that you're busy. However, Matthew's attitude to Seth is, in my > most humble of opinions, unwarranted. > We're all busy, it's difficult balancing everything. I'm sorry if my response was unwarranted, and maybe I shouldn't have responded because it was off-topic, in any case. It's frustrating trying to do something and improve a situation, and instead of receiving helpful feedback the thread receives complaints about how Tor is crappy with how it handles volunteers. Maybe this is partially due to miscommunication but I'm at a loss for what to do. > You've got several people who out of their own free will, decided to > offer our additional help, above and beyond what we already do. > > I wonder, how would you feel, if after offering free assistance to a > community that then goes completely, totally, and utterly UNANSWERED, > only to have those very people that we offered to assist, bitch that > they are busy and want our help. How would you feel? > Angry? A little schadenfreude? Or numb? > > I'm a husband, a father, and a business owner. I'm a busy guy, yet I > still offered to help. I can't express how pissed off I am about this, > without going into a obscenity-laced tirade about how your house isn't > in order. > > When I offer assistance to someone, or in Tor's case several people, I > damn well expect a response. "Yes" or "no", "thanks" or "fuck off", > "please" or "tomorrow", "join us!" or "maybe next time". > > Deafening silence is in no way a mechanism that encourages support from > the broader community, but from my perspective that's all you've given. > Thanks. Obviously you're correct, silence is not an answer and not what you deserve as a result of offering your assistance. I don't know why this happened or the conte
Re: [tor-relays] T-shirts and Confirming Relay Control
On Tue, May 05, 2015 at 01:57:04PM +, Speak Freely wrote: > Matthew Finkel, > > It's kind of disingenuous to suggest "If you want to work on something, > then please come work on it, we really are overloaded." > I'm really sorry you interpretted it in that way. It actually was a genuine request for more help. > You have to let us work on it, for us to work on it. Do you understand > the problem? Sure, that is a problem, but what is the problem? It seems this dilemma is reoccurring and not getting solved. Someone says they are willing to help work on something, possibly someone else says "great! we need your help!" then nothing happens. Was it an empty offer or did the offer die because no one followed up with the person? Having a volunteer coordinator might help - I hope it would help - but what's the best way to organize that? Is it the responsibly of some people associated with The Tor Project to follow up on every offer they receive or is it the responsibility of the person who made the offer to follow up and get involved? Maybe both? > > To The Inner Circle (The Tor Project People), > > I am at the very least the third person to mention in this thread that > we have offered to help. No one responded to my offers. I'm pretty sure > at least some of their offers were ignored as well, though I can't be > bothered to double check. :( I don't know. Obviously, not receiving a response sucks. I completely understand that. Tor's work and day-to-day coordination is heavily based around IRC, so the mailing lists are not great places for offering help. This whole situation seems to be less about an inner circle existing, and more about a disconnection between the announcements and discussions on the mailing lists and what happens on IRC. I don't know of a good way to bridge this gap, though. > > I get that you're busy. However, Matthew's attitude to Seth is, in my > most humble of opinions, unwarranted. > We're all busy, it's difficult balancing everything. I'm sorry if my response was unwarranted, and maybe I shouldn't have responded because it was off-topic, in any case. It's frustrating trying to do something and improve a situation, and instead of receiving helpful feedback the thread receives complaints about how Tor is crappy with how it handles volunteers. Maybe this is partially due to miscommunication but I'm at a loss for what to do. > You've got several people who out of their own free will, decided to > offer our additional help, above and beyond what we already do. > > I wonder, how would you feel, if after offering free assistance to a > community that then goes completely, totally, and utterly UNANSWERED, > only to have those very people that we offered to assist, bitch that > they are busy and want our help. How would you feel? > Angry? A little schadenfreude? Or numb? > > I'm a husband, a father, and a business owner. I'm a busy guy, yet I > still offered to help. I can't express how pissed off I am about this, > without going into a obscenity-laced tirade about how your house isn't > in order. > > When I offer assistance to someone, or in Tor's case several people, I > damn well expect a response. "Yes" or "no", "thanks" or "fuck off", > "please" or "tomorrow", "join us!" or "maybe next time". > > Deafening silence is in no way a mechanism that encourages support from > the broader community, but from my perspective that's all you've given. > Thanks. Obviously you're correct, silence is not an answer and not what you deserve as a result of offering your assistance. I don't know why this happened or the context of the offer but, to be blunt, Tor doesn't babysit volunteers. If you want to work on something, then, you must actually follow through and work on it. I learned this personally. A volunteer coordinator would be a great person for helping volunteers become more integrated into the community and work on projects but it is ultimately the person volunteering who decides how, when, and if they help. Tor wants your help, but becoming an active volunteer is your decision. > > Here's a suggestion to The Inner Circle > - Have a volunteer coordinator that actually responds to people. > > This way, when the next person offers to help, they might actually get a > good g*d d@mn f@cking response! > Yes, this sounds like a good idea. Who wants to volunteer to be the volunteer coordinator? Again, that is a genuine question. No one has stepped up to do it. If we had one, at least they would respond to most offers. > > Seeing as how I'm a nobody and my offers aren't worth acknowledging, > please continue to do whatever you'd like, with *all* the success it > brings. Don't forget to smile. > Being a nobody or being a somebody is irrelevant. I'm a nobody too, but I'm trying to do something. I sincerely hope you and the rest of the community will help me and Tor, as a whole, create a better community/network/world. Let's continue this discussion in a new thread. Thanks, M
Re: [tor-relays] T-shirts and Confirming Relay Control
Matthew Finkel, It's kind of disingenuous to suggest "If you want to work on something, then please come work on it, we really are overloaded." You have to let us work on it, for us to work on it. Do you understand the problem? To The Inner Circle (The Tor Project People), I am at the very least the third person to mention in this thread that we have offered to help. No one responded to my offers. I'm pretty sure at least some of their offers were ignored as well, though I can't be bothered to double check. I get that you're busy. However, Matthew's attitude to Seth is, in my most humble of opinions, unwarranted. You've got several people who out of their own free will, decided to offer our additional help, above and beyond what we already do. I wonder, how would you feel, if after offering free assistance to a community that then goes completely, totally, and utterly UNANSWERED, only to have those very people that we offered to assist, bitch that they are busy and want our help. How would you feel? Angry? A little schadenfreude? Or numb? I'm a husband, a father, and a business owner. I'm a busy guy, yet I still offered to help. I can't express how pissed off I am about this, without going into a obscenity-laced tirade about how your house isn't in order. When I offer assistance to someone, or in Tor's case several people, I damn well expect a response. "Yes" or "no", "thanks" or "fuck off", "please" or "tomorrow", "join us!" or "maybe next time". Deafening silence is in no way a mechanism that encourages support from the broader community, but from my perspective that's all you've given. Here's a suggestion to The Inner Circle - Have a volunteer coordinator that actually responds to people. This way, when the next person offers to help, they might actually get a good g*d d@mn f@cking response! Seeing as how I'm a nobody and my offers aren't worth acknowledging, please continue to do whatever you'd like, with *all* the success it brings. Don't forget to smile. Matt Speak Freely ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 AVee, Would it not be possible for me to specify the ExitNode in my torrc and then do the wget to prove my "ownership"? I haven't tried to specify a single node before so I'm not sure if it'd work. Thanks, Tim -BEGIN PGP SIGNATURE- Version: Mailvelope v0.13.1 Comment: https://www.mailvelope.com wsFcBAEBCAAQBQJVSKElCRC8Tq5FO2jmKgAA4hMP/3nPoz/ygyRrtpzWxYQT S6+EN5A3DlPHX/fWgSHVdtaZKatb/OBfH4db6anvf1T1t7yhA8u1YxTKSLxA TOB0Bk3n5BC6H0dCBusAMLcGBb/r/navz5ficu2N8/mP7Yvee2zMuTMPmWML awWw1pgh90cHQbMYvs0k5/DsByxzdfRPzkSL5i1jrKNyiEaDNZTDMo0dm2cf dkyiW/Qr1HueO8qkVTzzeGthCVN+saUmhfWIKnQfs1nMG64Hrh+8S7oMEmoK efHJT6bAPn0fWr9STiqV19xKmAPuYAOSSHMOdRiI8CAS/bfPMZQvOjHwmKBm Tp0AqKrVequEQDiKeuQOinEksdMVMPi8C1ifCL70GM4T5QOyK2CzbSuWmi8e fr2D/mN5fSKVcITgud29FxQKYjP8rmxYcCBBTF9m4/W/XdN9eXrOjHko0HEK 4dGMmzdf6/Wx9+kgS3n9pcOabSd742FUwb2ZqIRXsxpcg0S8mJc3vU5OVTsC VurtbRQVycIbfOvDtqogbUpPGLe3D/Z0nkqjHuoP746SKFnNeB6rVu9b4Zdh HDclgMy9L2q2nuOS1KvOfDgoEYa0A/tfRDG4qahaovrn/ayonAvwtnUgtgkK HMdyh83msC72l3apxAMqCh6sZfijuxjIOTUQBicbHemrLyf1KVrK7RJ/6U4h phH0 =ZXd3 -END PGP SIGNATURE- On 5 May 2015 at 17:58, AVee wrote: > On 2015-05-03 19:44, Matthew Finkel wrote: > >> Hi Ops, >> > [...] > >> For this case, we need an authentication mechanism which >> proves control of the relay but is something relay operators won't mind >> running. >> >> My currently plan is to ask relay operators to sign the fingerprint file >> which tor creates. The major disadvantage of this method is that it must >> be run as root (or a user with access to tor's data directory). >> > > If you are willing to lower the bar for 'proof' a bit I'd ask them to > fetch a confirmation url send to them from the connection their node runs > on. Spoofing an IP address for a TCP connection isn't trivial and seems > rather a lot of effort for just a t-shirt. So it at least proofs access to > the connection the node is running on. That could be a simple unprivileged > wget one-liner. > > It leaves room for some abuse, but does raise the bar quite a bit. > > If you do want to use the tor key couldn't you use it as a key for ssl > client authentication? That would allow for further automation and you > could be build into tor in the future. > > AVee > > ___ > tor-relays mailing list > tor-relays@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On 2015-05-03 19:44, Matthew Finkel wrote: Hi Ops, [...] For this case, we need an authentication mechanism which proves control of the relay but is something relay operators won't mind running. My currently plan is to ask relay operators to sign the fingerprint file which tor creates. The major disadvantage of this method is that it must be run as root (or a user with access to tor's data directory). If you are willing to lower the bar for 'proof' a bit I'd ask them to fetch a confirmation url send to them from the connection their node runs on. Spoofing an IP address for a TCP connection isn't trivial and seems rather a lot of effort for just a t-shirt. So it at least proofs access to the connection the node is running on. That could be a simple unprivileged wget one-liner. It leaves room for some abuse, but does raise the bar quite a bit. If you do want to use the tor key couldn't you use it as a key for ssl client authentication? That would allow for further automation and you could be build into tor in the future. AVee ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 04.05.2015 um 13:35 schrieb teor: > Your post office or shipping company might have software like this already Quite possible, but using it just because they have it doesn't neccessarily make handling easier. Just like handling and shipping by the shirt manufacturer might be more complicated than doing this at home. Not every commercial service offered makes sense in every case. Markus -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJVR2QNAAoJEKuzOwuAbzo+1rkIAJfMH0mmGsQ/h00u6ydFeS35 YZSmJb8s/jUME1oFGQr056DV0Occhgi9XFMRTSrx3tPJo+JufTHhJnxPXd058q5B jGZ+ZoQbfKO6rgWCVfll/kXNvXLaPQu+8QAezS6DIrFGnFJ8m3OocsWuXSWk6P1f 5k+CD7s1eOwXyr9/kH5U7BLfmWdbrDOMlDOyaGcyzHFyIVBAKIOXzit5E0G6FCMQ iFFV4Hguxfo34od8YI2wR4kp+MI5IQRj3niOmR7SWDKaXYkoI1FDdMOAkTmj9+ca lGa1YnmQ8rMdJHZLOgckop95FkL+spl2kdvqlpnGbIsbW0aoJT3Igb7u9cRgFlU= =xO77 -END PGP SIGNATURE- ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
> Date: Mon, 04 May 2015 13:06:51 +0200 > From: Markus Hitter … > > The more demanding part of this is to collect the addresses, especially the > software to do so. An application which formats them ready for printing, > calculates the stamp required, perhaps also prints some customs stickers > depending on destination. Here volunteers can easily help and there's no need > to hide such discussions, because such software doesn't require the real > data, can be written/tested with dummy data instead. All the trusted person > (you) has to do is to run this software on the real data and hit the "print" > button. Your post office or shipping company might have software like this already - and if it's done using their software, getting the stamps and stickers right is their responsibility, not yours. Of course, this software might not be free, in either sense of the word. teor teor2345 at gmail dot com pgp 0xABFED1AC https://gist.github.com/teor2345/d033b8ce0a99adbc89c5 teor at blah dot im OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7 signature.asc Description: Message signed with OpenPGP using GPGMail ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Am 04.05.2015 um 04:33 schrieb Matthew Finkel: > Our current solution using Printfection > is neither ideal nor cheap, but it is convenient. Tor pays Printfection > a bunch of money and Printfection creates the t-shirts, gives us > one-time links, and takes care of the shipping and handling. If we crowd > sourced creating bags with stickers in them we would need someone who > can organize all the volunteers, ship the bags and stickers around the > world, pay the return shipping for the filled bags, and then ship them > again to the relay operators. This sounds rather complicated. I run a small business which involves shipping stuff to customers and that's what I do: - Get the goods (t-shirts), envelopes/bags and a set of postage stamps in batches large enough for a few months. Larger numbers allow lower prices. - Stuff these goods into these bags. - Put address and postage stamp onto the envelope. - Throw the result into the post box of our postal services. Works fine for everywhere from the neighborhood to Russia, China, India. Now, if you could get the t-shirt provider into stuffing the t-shirts into bags already (1 shirt per bag), you'd just have to put the address stickers on. You'd get a box with 100 or 1000 enveloped shirts and once a week you'd print the accumulated addresses onto stickers, place them onto these envelopes and forward this to the postal services. "Handling shipping" isn't much in such a simple case. The more demanding part of this is to collect the addresses, especially the software to do so. An application which formats them ready for printing, calculates the stamp required, perhaps also prints some customs stickers depending on destination. Here volunteers can easily help and there's no need to hide such discussions, because such software doesn't require the real data, can be written/tested with dummy data instead. All the trusted person (you) has to do is to run this software on the real data and hit the "print" button. Markus ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, May 03, 2015 at 03:31:01PM -0700, Tom van der Woerdt wrote: > Matthew Finkel schreef op 03/05/15 om 14:47: > >On Sun, May 03, 2015 at 08:20:54PM +, Matthew Finkel wrote: > >>On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote: > >>>On Sun, 3 May 2015, Matthew Finkel wrote: > >>> > Assuming the path to their data dir is /var/lib/tor, we ask them to run: > >>> > >>>Please don't get in the habit of asking relay operators through e-mail to > >>>run complex bash command lines as root. As a security practice, this is > >>>terrible. (How do you know the suggested command wasn't altered before it > >>>reached its recipient?) > >> > >>Yes, this is terrible, and I really hate the idea of asking it. I signed > >>all my emails for the t-shirt requests, but now we're relying on > >>everyone fetching my key and verifying the mail - so, that's also a bad > >>assumption. I don't have a good solution. This is why I'm asking. > >> > > > >What if we add the commands to the t-shirt[0] website? Again, this isn't > >a great solution, but we already have documentation which requires > >running commands with elevated privileges on there, and it's slightly > >better than sending it in an email. These commands are still more > >complex than I'd like, but if beside providing an executable or > >verifiable shell script, I'm running low on solutions. > > > >[0] https://www.torproject.org/getinvolved/tshirt > > > >Thanks, > >Matt > > Hi Matt, > > How about : > > * Primarily using ContactInfo for the verification > * If you cannot match the ContactInfo, ask people to set it on their relays Sounds good. > * If they are unwilling/unable to do so, ask them to sign their mail > address using their secret Tor key How? For the short-term, do you think asking the operator to run the proposed command is not a crazy idea? > * Implement a --sign option for Tor 0.2.7 > * Starting a year from now, just ask everyone to sign the request We'd need more than a year for this, likely four years, at the earliest because Jessie only has 0.2.6. > > Proving ownership of a Tor relay can be relevant for more applications than > just Weather, so a simple --sign option can be good to have. That doesn't > address the immediate concerns though, it's more of a long-term solution. I think this may be a good idea, especially if CAs being issuing certs for onion sites. Implementing it will not be too difficult, unfortunately its usability may be a little tricky. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, May 03, 2015 at 06:17:20PM -0400, JovianMallard wrote: > Matt, > > Inspired by the options to confirm domain ownership with Google, > Could you ask the relay operator to include a randomly generated (by > you) token in their contact field? It may take a while to propagate and > it requires action on the operator's part, but it's not difficult and I > expect it provides the assurance you need. > Thanks for the suggestion! I did consider this and other similar methods. The major disadvantage I see with this one is that there will be a historical record of when the operator requested a t-shirt. Maybe this doesn't matter, though. It's probably a better option than some of the others. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Matt, How many shirts are sent in a year? What would taking it on entail? Robert > Absolutely, but what's the cost? Our current solution using Printfection > is neither ideal nor cheap, but it is convenient. Tor pays Printfection > a bunch of money and Printfection creates the t-shirts, gives us > one-time links, and takes care of the shipping and handling. If we crowd > sourced creating bags with stickers in them we would need someone who > can organize all the volunteers, ship the bags and stickers around the > world, pay the return shipping for the filled bags, and then ship them > again to the relay operators. That seems like it will become expensive. > I would love to find a better solution than Printfection, so if anyone > has suggestions we'd love to hear about it. > > - Matt ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Mon, May 04, 2015 at 12:46:01AM +0200, Markus Hitter wrote: > Am 03.05.2015 um 22:49 schrieb Matthew Finkel: > > This requires that > > operators trust us, so letting anyone help take care of these requests > > is not wise. > > Maybe I'm unique with this opinion, but usually I trust groups open to > helping hands more than those who consider them selfs to be wiser than the > average. > I don't think what I said contradicts this. You are certainly not alone with that opinion and we, the thousands of people in the Tor community, make Tor what it is. There is a smaller subset of the community which handles some personal information, and, as it turns out, most people prefer only revealing their information to a few people instead of thousands. Hopefully we will move toward an automated system for these t-shirts, so that the only people in the trusted-set are those who pay for the t-shirts, in this case. But, in general, when dealing with finances and PII, there's certain information that should remain private. That being said, we want more people to help us. Please, come work on some of Tor's projects. We want more review, more input, more feedback. I was not saying we were wise because we aren't 100% public and transparent with what we do. I was saying revealing the personal information about operators to random, unvetted volunteers was not wise - I hope this makes sense. > > We're a group of security and privacy conscious individuals who want > > a world where everyone has secure and private communications, this isn't > > exactly a good combination which leads to publically discussioning > > everything. > > Sounds almost like the advertising from companies which try to sell their > closed source software as the most secure thing since the invention of sliced > bread. Heh. Good thing that wasn't an advertisement and Tor is not a company selling closed-source software :) > > Of course it's not a good idea to publish the addresses of the t-shirt > receivers, neither to email them randomly around the globe, but printing a > hundred stickers and placing them on as many bags also isn't something which > keeps a group of people busy for months. Absolutely, but what's the cost? Our current solution using Printfection is neither ideal nor cheap, but it is convenient. Tor pays Printfection a bunch of money and Printfection creates the t-shirts, gives us one-time links, and takes care of the shipping and handling. If we crowd sourced creating bags with stickers in them we would need someone who can organize all the volunteers, ship the bags and stickers around the world, pay the return shipping for the filled bags, and then ship them again to the relay operators. That seems like it will become expensive. I would love to find a better solution than Printfection, so if anyone has suggestions we'd love to hear about it. - Matt ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
> Date: Sun, 3 May 2015 17:44:39 + > From: Matthew Finkel > … > > Another disadvantage of this is PSS wasn't implemented in openssl's > apps until 1.0.1. I wonder how many relays are running on servers which > are still using openssl 0.9.8 (and 1.0.0?). For these servers we can > fallback on pkcs#1 v1.5 signatures. OS X still ships with OpenSSL 0.9.8 by default. But Darwin is such a small fraction of the network, and it's less likely that a Darwin server would push enough data to get a t-shirt unless it had an OpenSSL version with aes-ni. teor teor2345 at gmail dot com pgp 0xABFED1AC https://gist.github.com/teor2345/d033b8ce0a99adbc89c5 teor at blah dot im OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7 signature.asc Description: Message signed with OpenPGP using GPGMail ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Everyone, Could the relay log have something copied (such as the key) from it and emailed with the claim as only the operator can see the relay? Robert ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Am 03.05.2015 um 22:49 schrieb Matthew Finkel: > This requires that > operators trust us, so letting anyone help take care of these requests > is not wise. Maybe I'm unique with this opinion, but usually I trust groups open to helping hands more than those who consider them selfs to be wiser than the average. > We're a group of security and privacy conscious individuals who want > a world where everyone has secure and private communications, this isn't > exactly a good combination which leads to publically discussioning > everything. Sounds almost like the advertising from companies which try to sell their closed source software as the most secure thing since the invention of sliced bread. Of course it's not a good idea to publish the addresses of the t-shirt receivers, neither to email them randomly around the globe, but printing a hundred stickers and placing them on as many bags also isn't something which keeps a group of people busy for months. my $0.02 Markus -- - - - - - - - - - - - - - - - - - - - Dipl. Ing. (FH) Markus Hitter http://www.jump-ing.de/ ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Matthew Finkel schreef op 03/05/15 om 14:47: On Sun, May 03, 2015 at 08:20:54PM +, Matthew Finkel wrote: On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote: On Sun, 3 May 2015, Matthew Finkel wrote: Assuming the path to their data dir is /var/lib/tor, we ask them to run: Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?) Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking. What if we add the commands to the t-shirt[0] website? Again, this isn't a great solution, but we already have documentation which requires running commands with elevated privileges on there, and it's slightly better than sending it in an email. These commands are still more complex than I'd like, but if beside providing an executable or verifiable shell script, I'm running low on solutions. [0] https://www.torproject.org/getinvolved/tshirt Thanks, Matt Hi Matt, How about : * Primarily using ContactInfo for the verification * If you cannot match the ContactInfo, ask people to set it on their relays * If they are unwilling/unable to do so, ask them to sign their mail address using their secret Tor key * Implement a --sign option for Tor 0.2.7 * Starting a year from now, just ask everyone to sign the request Proving ownership of a Tor relay can be relevant for more applications than just Weather, so a simple --sign option can be good to have. That doesn't address the immediate concerns though, it's more of a long-term solution. Tom smime.p7s Description: S/MIME-cryptografische ondertekening ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Matt, Inspired by the options to confirm domain ownership with Google, Could you ask the relay operator to include a randomly generated (by you) token in their contact field? It may take a while to propagate and it requires action on the operator's part, but it's not difficult and I expect it provides the assurance you need. > On 05/03/2015 04:20 PM, Matthew Finkel wrote: >> On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote: >>> On Sun, 3 May 2015, Matthew Finkel wrote: > >>> Or as Robert suggests, just send verification mail to the listed contact >>> address of the relay. If they don't list one on their config, find an >>> alternate verification mechanism like e-mailing whois contacts for the IP or >>> domain name, or refuse the request. >> >> I'd prefer not denying them a t-shirt because they don't want to publish >> an email address publically, but using whois seems like a stretch and >> usually ends at the hosting provider instead of the operator. > signature.asc Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, May 03, 2015 at 08:20:54PM +, Matthew Finkel wrote: > On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote: > > On Sun, 3 May 2015, Matthew Finkel wrote: > > > > >Assuming the path to their data dir is /var/lib/tor, we ask them to run: > > > > Please don't get in the habit of asking relay operators through e-mail to > > run complex bash command lines as root. As a security practice, this is > > terrible. (How do you know the suggested command wasn't altered before it > > reached its recipient?) > > Yes, this is terrible, and I really hate the idea of asking it. I signed > all my emails for the t-shirt requests, but now we're relying on > everyone fetching my key and verifying the mail - so, that's also a bad > assumption. I don't have a good solution. This is why I'm asking. > What if we add the commands to the t-shirt[0] website? Again, this isn't a great solution, but we already have documentation which requires running commands with elevated privileges on there, and it's slightly better than sending it in an email. These commands are still more complex than I'd like, but if beside providing an executable or verifiable shell script, I'm running low on solutions. [0] https://www.torproject.org/getinvolved/tshirt Thanks, Matt ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, May 03, 2015 at 09:18:30PM +0200, Sebastian Urbach wrote: > On May 3, 2015 7:45:39 PM Matthew Finkel wrote: > > Hi Matthew, > > >Hi Ops, > > > >We recently began responding to t-shirt requests again. Sorry for the > >long silence. There's been a lot happening around here but not enough > 0> time or people to do everything, so the t-shirt requests simply remained > >untouched. But, despite the overload, t-shirts are important because > >they are a small token of our thanks and appreciation for making the > >network what it is today. > > > >We responded to around 70 t-shirt requests from relay operators in > >April, which comprised all requests for which we could verify (within > >reason) the request came from the person who controlled the qualifying > >relay. We still have another 20 requests where the requestor is not > >obviously the owner of the relay. Currently the content of a relay's > >Contact field is used, but this does not always provide enough (or any) > >information. For this case, we need an authentication mechanism which > >proves control of the relay but is something relay operators won't mind > >running. > > I'm really not amused. As i recall a bunch of people including myself > offered to help. Amused? This really has nothing to do with amusement. If you want to work on something, then please come work on it, we really are overloaded. That being said, correctly handling t-shirt requests and other similar communications is important and delicate. The Tor Project is in a difficult situation where it wants to support the Tor network but not run it. This means, to some extent, we become a trusted third-party with some information. T-shirt requests are a perfect example of this, where we receive requests from people who choose not to publically publish their contact details yet they would like a reward for their work - which they absolutely deserve. This requires that operators trust us, so letting anyone help take care of these requests is not wise. > I get the distinct impression that you keep everything > within a small circle of people, no matter what. Even if that means that > services are suffering. > We're a group of security and privacy conscious individuals who want a world where everyone has secure and private communications, this isn't exactly a good combination which leads to publically discussioning everything. I certainly admit sometimes I default to discussing topics privately rather than sending it to tor-talk or tor-relays - I nearly did that with this thread. It's a bad habit, but it's not as common as I think you think it is. - Matt ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote: > On Sun, 3 May 2015, Matthew Finkel wrote: > > >Assuming the path to their data dir is /var/lib/tor, we ask them to run: > > Please don't get in the habit of asking relay operators through e-mail to > run complex bash command lines as root. As a security practice, this is > terrible. (How do you know the suggested command wasn't altered before it > reached its recipient?) Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking. > > If you want to build a utility for this into the tor distribution, and make > it obvious what it does, I think that's fine. If the site asked people to > run "tor-request-tshirt" or more generically "tor-verify-ownership" and it > asked for whatever required information, I'd think that'd be more obviously > safe. Unfortunately, for something like that to work seamlessly, it would need to be setuid or setgid. This may be a better way forward, but I wonder what we can do now. > > Or as Robert suggests, just send verification mail to the listed contact > address of the relay. If they don't list one on their config, find an > alternate verification mechanism like e-mailing whois contacts for the IP or > domain name, or refuse the request. I'd prefer not denying them a t-shirt because they don't want to publish an email address publically, but using whois seems like a stretch and usually ends at the hosting provider instead of the operator. Thanks for the idea. - Matt ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Matt: Thanks for leading us forward on the tshirt topic! I still, alas, have a pile of tshirt requests from Jan-Mar that I should collate and forward to you. On Sun, May 03, 2015 at 10:26:52AM -0800, I wrote: > Isn't the value of the t-shirt disproportionate to the trouble you're >going to to give them out? > If the weather message offering the t-shirt is answered by the same >address isn't that proof enough? I think I agree with this: if somebody has a copy of a Tor weather mail, then they -- oh. You can sign up to watch somebody else's relay, and then you get their tshirt notification? I guess the obvious fix is to only have weather send tshirt notifications when it has auto-parsed the contact info itself, rather than when a human signs up to watch a given relay. But the obvious fix involves changing Tor Weather. It's my understanding that we have a rewrite already done by a GSoC student, but nobody has attempted to deploy the rewrite because nobody wants to mess with the current weather instance (and because Karsten, the original mentor, is overloaded). Tor Weather should really be a community thing, not a service that Tor maintains, given how we're stretched thin as it is. I met a nice fellow in Valencia who lives in Berlin and offered to pick it up. But I haven't heard anything further from that conversation. Really, Weather is messy because it tries to serve many too many purposes at once -- two of the extremes are letting people sign up to get email when their relay goes offline, and also tracking historical relay uptime data in order to tell us (and the operator) when a given relay has passed a given milestone. Of course, making it a community thing could easily mean even more inconsistency over time. "Hm" indeed. --Roger ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On May 3, 2015 7:45:39 PM Matthew Finkel wrote:
Hi Matthew,
Hi Ops,
We recently began responding to t-shirt requests again. Sorry for the
long silence. There's been a lot happening around here but not enough
0> time or people to do everything, so the t-shirt requests simply remained
untouched. But, despite the overload, t-shirts are important because
they are a small token of our thanks and appreciation for making the
network what it is today.
We responded to around 70 t-shirt requests from relay operators in
April, which comprised all requests for which we could verify (within
reason) the request came from the person who controlled the qualifying
relay. We still have another 20 requests where the requestor is not
obviously the owner of the relay. Currently the content of a relay's
Contact field is used, but this does not always provide enough (or any)
information. For this case, we need an authentication mechanism which
proves control of the relay but is something relay operators won't mind
running.
I'm really not amused. As i recall a bunch of people including myself
offered to help. I get the distinct impression that you keep everything
within a small circle of people, no matter what. Even if that means that
services are suffering.
My currently plan is to ask relay operators to sign the fingerprint file
which tor creates. The major disadvantage of this method is that it must
be run as root (or a user with access to tor's data directory).
The following process is the current plan, but does anyone have a better
idea? Does it seem logical?
When we receive a t-shirt request from someone who isn't obviously in
control of the relay, we ask them to sign their fingerprint file with
a unique salt.
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
$ (echo -n "salt "; cat /var/lib/tor/fingerprint) | openssl sha256 \
-binary | openssl pkeyutl -inkey /var/lib/tor/keys/secret_id_key \
-sign -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
-pkeyopt rsa_pss_saltlen:32 | openssl base64 > signed_fingerprint
They send us both /var/lib/tor/fingerprint and signed_fingerprint.
When we receive them, we confirm the fingerprint in the fingerprint file
matches the qualifying relay. Then we retrieve the relay's public key
from its descriptor and convert it into pkcs#8 format using:
$ openssl rsa -pubin -in pubkey_pkcs1 -RSAPublicKey_in -out pubkey
and then we verify the sig using following commands:
$ (echo -n "salt "; cat fingerprint) | openssl sha256 -binary | \
openssl pkeyutl -pubin -verify -inkey pubkey -sigfile \
$(OUT=/tmp/signed_fingerprint_bin; base64 -d signed_fingerprint > \
${OUT}; echo ${OUT}) -pkeyopt digest:sha256 -pkeyopt \
rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32; rm \
/tmp/signed_fingerprint_bin;
This should yield "Signature Verified Successfully".
Another disadvantage of this is PSS wasn't implemented in openssl's
apps until 1.0.1. I wonder how many relays are running on servers which
are still using openssl 0.9.8 (and 1.0.0?). For these servers we can
fallback on pkcs#1 v1.5 signatures.
The signature can be created using a command similar to the one above:
$ (echo -n "salt "; cat /var/lib/tor/fingerprint) | openssl dgst \
-sha256 | openssl rsautl -inkey /var/lib/tor/keys/secret_id_key \
-sign | openssl base64 > signed_fingerprint
Again, they provide /var/lib/tor/fingerprint and signed_fingerprint,
and we verify using:
$ test "$(openssl base64 -d -in signed_fingerprint | openssl rsautl \
-pubin -verify -inkey pubkey)" = "$((echo -n "salt "; cat \
fingerprint) | openssl dgst -sha256)"; echo $?
In addition, again, we confirm the fingerprint in the fingerprint file
matches the fingerprint of the qualifying relay.
Originally I used a few bashisms which made these simpler, but for
this I suspect portability is important.
Sorry this is a bit long.
Thanks,
Matt
--
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
--
Sincerely yours / Sincères salutations / M.f.G.
Sebastian Urbach
-
Religion is fundamentally opposed to
everything I hold in veneration - courage,
clear thinking, honesty, fairness, and,
above all, love of the truth.
-
Henry Louis Mencken (1880 - 1956),
American journalist, essayist, magazine
editor, satirist and critic.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, 3 May 2015, Matthew Finkel wrote: Assuming the path to their data dir is /var/lib/tor, we ask them to run: Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?) If you want to build a utility for this into the tor distribution, and make it obvious what it does, I think that's fine. If the site asked people to run "tor-request-tshirt" or more generically "tor-verify-ownership" and it asked for whatever required information, I'd think that'd be more obviously safe. Or as Robert suggests, just send verification mail to the listed contact address of the relay. If they don't list one on their config, find an alternate verification mechanism like e-mailing whois contacts for the IP or domain name, or refuse the request. -- Aaron ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, May 03, 2015 at 10:26:52AM -0800, I wrote: > Matt, > > Thanks for handling the backlog of t-shirts as they are important as an > acknowledgement of valuable contributions. > > Isn't the value of the t-shirt disproportionate to the trouble you're going > to to give them out? > If the weather message offering the t-shirt is answered by the same address > isn't that proof enough? > > As I haven't received a message yet and my details are plain and simple I > wonder what could have gone wrong. Hi Robert, I replied privately about your situation but it's possible this plan is more complicated than it needs to be. In general, I'd prefer we receive t-shirt requests from the same email address as is specified in the Contact field. Obviously, if they are different, we can always send the response and t-shirt link to the address in the Contact field, but that asymmetry seems weird to me, but I'm not against doing this. For the situations where there is no email address in the contact field, I'm not certain how else we can confirm we're sending the t-shirt to the person who deserves it. Thanks for your input! - Matt ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] T-shirts and Confirming Relay Control
Matt, Thanks for handling the backlog of t-shirts as they are important as an acknowledgement of valuable contributions. Isn't the value of the t-shirt disproportionate to the trouble you're going to to give them out? If the weather message offering the t-shirt is answered by the same address isn't that proof enough? As I haven't received a message yet and my details are plain and simple I wonder what could have gone wrong. Robert ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
