Re: [tor-relays] US Investigators seem to learn

2013-02-17 Thread Aaron
On Sun, Feb 17, 2013 at 9:45 PM, Moritz Bartl  wrote:
> Hi,
>
> I thought I would let you know: Our US hoster is regularly contacted by
> law enforcement about our exits there. Some agents ask if the traffic
> pattern is balanced, ie. if the same amount of traffic enters and leaves
> the box.
>

What about directory mirrors?

--Aaron
> I always argue that this is a good indicator for Tor traffic, and that
> it is bad to mix Tor traffic with other traffic for that exact reason.
>
> --
> Moritz Bartl
> https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread Karsten Loesing
On 2/17/13 11:05 PM, Aaron wrote:
> On Sun, Feb 17, 2013 at 9:45 PM, Moritz Bartl  wrote:
>> Hi,
>>
>> I thought I would let you know: Our US hoster is regularly contacted by
>> law enforcement about our exits there. Some agents ask if the traffic
>> pattern is balanced, ie. if the same amount of traffic enters and leaves
>> the box.
>>
> 
> What about directory mirrors?

Probably doesn't make that much of a difference:

https://metrics.torproject.org/network.html#bandwidth

https://metrics.torproject.org/network.html#dirbytes

Best,
Karsten



Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread grarpamp
> I thought I would let you know: Our US hoster is regularly contacted by
> law enforcement about our exits there. Some agents ask if the traffic
> pattern is balanced, ie. if the same amount of traffic enters and leaves
> the box.
>
> I always argue that this is a good indicator for Tor traffic, and that
> it is bad to mix Tor traffic with other traffic for that exact reason.

Due to encryption and compression it might only be balanced to
within some typical ratio. I'm sure you have a handle on that number.
But any non-1:1 ratio could make it appear to be serving (or
receiving) continual amounts of data, which in the eyes of agents
could raise questions. Another question is whether these US hosts
are just volunteering this data to whoever comes asking, with or
without your instruction, or complying with formal legal orders.

On the plus side, hopefully everyone is coming away with the
fact that it's just an uninteresting, agnostic, relay service and
time is better spent elsewhere.


Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread Andrea Shepard
On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:
> > I thought I would let you know: Our US hoster is regularly contacted by
> > law enforcement about our exits there. Some agents ask if the traffic
> > pattern is balanced, ie. if the same amount of traffic enters and leaves
> > the box.
> >
> > I always argue that this is a good indicator for Tor traffic, and that
> > it is bad to mix Tor traffic with other traffic for that exact reason.
> 
> Due to encryption and compression it might only be balanced to
> within some typical ratio. I'm sure you have a handle on that number.
> But any non-1:1 ratio could make it appear to be serving (or
> receiving) continual amounts of data, which in the eyes of agents
> could raise questions. Another question is whether these US hosts
> are just volunteering this data to whoever comes asking, with or
> without your instruction, or complying with formal legal orders.
> 
> On the plus side, hopefully everyone is coming away with the
> fact that it's just an uninteresting, agnostic, relay service and
> time is better spent elsewhere.

Interesting; I'm pretty sure we do not use TLS compression.  Nick M., that's
true, yeah?

On the other hand, it could also be unbalanced because of:

 * Using that Tor process as a client
 * Running a hidden service on that Tor process
 * Running a directory mirror

-- 
Andrea Shepard

PGP fingerprint: 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5



Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread mick
On Mon, 18 Feb 2013 02:05:40 -0800
Andrea Shepard  allegedly wrote:

> On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:
> > > I thought I would let you know: Our US hoster is regularly
> > > contacted by law enforcement about our exits there. Some agents
> > > ask if the traffic pattern is balanced, ie. if the same amount of
> > > traffic enters and leaves the box.
> > >
> > > I always argue that this is a good indicator for Tor traffic, and
> > > that it is bad to mix Tor traffic with other traffic for that
> > > exact reason.
> > 
> > Due to encryption and compression it might only be balanced to
> > within some typical ratio. I'm sure you have a handle on that
> > number. But any non-1:1 ratio could make it appear to be
> > serving (or receiving) continual amounts of data, which in the eyes
> > of agents could raise questions. Another question is whether these
> > US hosts are just volunteering this data to whoever comes asking,
> > with or without your instruction, or complying with formal legal
> > orders.
> > 
> > On the plus side, hopefully everyone is coming away with the
> > fact that it's just an uninteresting, agnostic, relay service and
> > time is better spent elsewhere.
> 
> Interesting; I'm pretty sure we do not use TLS compression.  Nick M.,
> that's true, yeah?
> 
> On the other hand, it could also be unbalanced because of:
> 
>  * Using that Tor process as a client
>  * Running a hidden service on that Tor process
>  * Running a directory mirror
> 

For anyone who is interested I have posted the vnstat stats for my
newest relay (0xbaddad) at http://rlogin.net/tor/bin-vnstats.txt

Whilst not quite a 1:1 ratio, it is close enough I think to show
that this is simply an agnostic relay. However, would not an exit node
show unbalanced traffic? Most net activity these days is web browsing
which is decidedly asymmetric - small outbound requests result in much
larger inbound responses. Won't an exit relay reflect that as it is the
last hop before the actual target site? 

Mick


-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-




Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread Aaron
On Mon, Feb 18, 2013 at 1:26 PM, mick  wrote:
> On Mon, 18 Feb 2013 02:05:40 -0800
> Andrea Shepard  allegedly wrote:
>
>> On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:
>> > > I thought I would let you know: Our US hoster is regularly
>> > > contacted by law enforcement about our exits there. Some agents
>> > > ask if the traffic pattern is balanced, ie. if the same amount of
>> > > traffic enters and leaves the box.
>> > >
>> > > I always argue that this is a good indicator for Tor traffic, and
>> > > that it is bad to mix Tor traffic with other traffic for that
>> > > exact reason.
>> >
>> > Due to encryption and compression it might only be balanced to
>> > within some typical ratio. I'm sure you have a handle on that
>> > number. But that any non 1:1 ratio could make it appear to be
>> > serving (or receiving) continual amounts of data. Which in the eye
>> > of agents could raise question. Another question is whether these
>> > US hosts are just volunteering this data to whoever comes asking,
>> > with or without your instruction, or complying with formal legal
>> > orders?
>> >
>> > On the plus side, hopefully everyone is coming away with the
>> > fact that it's just an uninteresting, agnostic, relay service and
>> > time is better spent elsewhere.
>>
>> Interesting; I'm pretty sure we do not use TLS compression.  Nick M.,
>> that's true, yeah?
>>
>> On the other hand, it could also be unbalanced because of:
>>
>>  * Using that Tor process as a client
>>  * Running a hidden service on that Tor process
>>  * Running a directory mirror
>>
>
> For anyone who is interested I have posted the vnstat stats for my
> newest relay (0xbaddad) at http://rlogin.net/tor/bin-vnstats.txt
>
> Whilst not quite a 1:1 ratio, it is close enough I think to show
> that this is simply an agnostic relay. However, would not an exit node
> show unbalanced traffic? Most net activity these days is web browsing
> which is decidedly asymmetric - small outbound requests result in much
> larger inbound responses. Won't an exit relay reflect that as it is the
> last hop before the actual target site?
>
> Mick

Well, every byte fetched from the target site will get relayed back to
the original client, so the traffic ratio should be 1:1 (unless, as
Andrea alluded to, the number of bytes transported is significantly
less due to compression).

--Aaron


Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread Andrea Shepard
On Mon, Feb 18, 2013 at 01:26:26PM +, mick wrote:
> Whilst not quite a 1:1 ratio, it is close enough I think to show
> that this is simply an agnostic relay. However, would not an exit node
> show unbalanced traffic? Most net activity these days is web browsing
> which is decidedly asymmetric - small outbound requests result in much
> larger inbound responses. Won't an exit relay reflect that as it is the
> last hop before the actual target site? 

It'd be balanced by the encrypted traffic to the middle node.  There would
actually be a bit more volume there because of the cell padding and SSL
protocol overhead, but as long as that's a constant proportion for both
directions it'd stay balanced.  That may not be quite exactly true, since
the upstream side of normal web browsing is probably more likely than the
downstream side to generate short cells that have to be padded, but I'd
be surprised if that was that significant a difference.

-- 
Andrea Shepard

PGP fingerprint: 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5
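The balance argument above, including the cell padding and TLS overhead Andrea mentions, as an added example that is not code from the Tor project or from anyone on this thread: a toy model of what an exit relay's NIC counters would show. Tor's 512-byte cell and 498-byte relay payload are real values; the TLS record overhead and cells-per-record figures, the sample browsing streams and the co-hosted web server volume are assumptions, marked as such in the code.

```python
"""Toy model of a relay's NIC counters, to see why rx and tx stay close to 1:1.

Added example, not code from the Tor project. Cell and relay-payload sizes are
Tor's; the TLS framing numbers and the traffic sample are assumptions.
"""
import math
from dataclasses import dataclass

CELL_SIZE = 512           # bytes per Tor cell on the wire (link protocol 3 framing)
RELAY_PAYLOAD = 498       # application bytes a RELAY_DATA cell can carry
TLS_RECORD_OVERHEAD = 29  # ASSUMED: header + MAC bytes added per TLS record
CELLS_PER_RECORD = 8      # ASSUMED: cells batched into one TLS record


@dataclass(frozen=True)
class Stream:
    """One TCP stream carried over a circuit, as plaintext byte counts."""
    request_bytes: int   # client -> destination site
    response_bytes: int  # destination site -> client


def onion_side_bytes(plaintext_bytes: int) -> int:
    """Bytes seen on the encrypted (OR) link for this many plaintext bytes.

    Every RELAY_DATA cell is a full 512 bytes, so the last cell of a burst is
    padded out; the TLS records carrying the cells add their own overhead.
    """
    cells = math.ceil(plaintext_bytes / RELAY_PAYLOAD)
    records = math.ceil(cells / CELLS_PER_RECORD)
    return cells * CELL_SIZE + records * TLS_RECORD_OVERHEAD


def middle_counters(streams):
    """(rx, tx) for a non-exit relay: both links carry cells, so they match."""
    total = sum(onion_side_bytes(s.request_bytes) + onion_side_bytes(s.response_bytes)
                for s in streams)
    return total, total


def exit_counters(streams, extra_rx=0, extra_tx=0):
    """(rx, tx) for an exit: cells on the inward link, plaintext on the outward one.

    extra_rx / extra_tx model non-Tor traffic sharing the same box (for instance
    a web server), which is the mixing Moritz argues against.
    """
    rx, tx = extra_rx, extra_tx
    for s in streams:
        rx += onion_side_bytes(s.request_bytes)   # request arrives as cells
        tx += s.request_bytes                      # ...and leaves as plaintext
        rx += s.response_bytes                     # response arrives as plaintext
        tx += onion_side_bytes(s.response_bytes)   # ...and leaves as cells
    return rx, tx


def balance_ratio(rx: int, tx: int) -> float:
    """Larger counter over the smaller one; 1.0 means perfectly balanced."""
    if min(rx, tx) == 0:
        return math.inf
    return max(rx, tx) / min(rx, tx)


# Constructed sample: typical browsing, small requests and larger responses.
WEB_STREAMS = [
    Stream(700, 150_000),
    Stream(450, 35_000),
    Stream(1_200, 900_000),
    Stream(300, 2_048),
]

if __name__ == "__main__":
    cases = [
        ("middle relay", middle_counters(WEB_STREAMS)),
        ("exit relay", exit_counters(WEB_STREAMS)),
        ("exit + co-hosted web server (assumed 5 MB out, 100 KB in)",
         exit_counters(WEB_STREAMS, extra_rx=100_000, extra_tx=5_000_000)),
    ]
    for label, (rx, tx) in cases:
        print(f"{label:60s} rx={rx:>9} tx={tx:>9} ratio={balance_ratio(rx, tx):.3f}")
```

Run stand-alone it prints the three cases: a middle relay's counters match exactly, a download-heavy exit's tx ends up a few percent above rx because the cell and TLS overhead lands on whichever direction carries the bulk as cells, and a co-hosted web server pushes the ratio far outside anything a pure relay produces.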



Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread mick
On Mon, 18 Feb 2013 06:32:55 -0800
Andrea Shepard  allegedly wrote:

> On Mon, Feb 18, 2013 at 01:26:26PM +, mick wrote:
> > Whilst not quite a 1:1 ratio, it is close enough I think to show
> > that this is simply an agnostic relay. However, would not an exit
> > node show unbalanced traffic? Most net activity these days is web
> > browsing which is decidedly asymmetric - small outbound requests
> > result in much larger inbound responses. Won't an exit relay
> > reflect that as it is the last hop before the actual target site? 
> 
> It'd be balanced by the encrypted traffic to the middle node. 

Ah yes, of course!

Thanks 

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-



Re: [tor-relays] US Investigators seem to learn

2013-02-21 Thread Matt Joyce
On 18/02/13 10:05, Andrea Shepard wrote:
> On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:
>>> I thought I would let you know: Our US hoster is regularly contacted by
>>> law enforcement about our exits there. Some agents ask if the traffic
>>> pattern is balanced, ie. if the same amount of traffic enters and leaves
>>> the box.
>>>
>>> I always argue that this is a good indicator for Tor traffic, and that
>>> it is bad to mix Tor traffic with other traffic for that exact reason.
>> Due to encryption and compression it might only be balanced to
>> within some typical ratio. I'm sure you have a handle on that number.
>> But any non-1:1 ratio could make it appear to be serving (or
>> receiving) continual amounts of data, which in the eyes of agents
>> could raise questions. Another question is whether these US hosts
>> are just volunteering this data to whoever comes asking, with or
>> without your instruction, or complying with formal legal orders.
>>
>> On the plus side, hopefully everyone is coming away with the
>> fact that it's just an uninteresting, agnostic, relay service and
>> time is better spent elsewhere.
> Interesting; I'm pretty sure we do not use TLS compression.  Nick M., that's
> true, yeah?
>
> On the other hand, it could also be unbalanced because of:
>
>  * Using that Tor process as a client
>  * Running a hidden service on that Tor process
>  * Running a directory mirror
>
I would guess also that being an exit is going to lead to a bit of an
imbalance, as on the one side it is dealing with the plaintext,
unwrapped data and on the other side with ciphertext wrapped in the onion
protocol, all in fixed-size cells, which I would suspect means sometimes
adding padding where the data to be sent to a specific next-hop
destination is not an exact multiple of the cell payload size. I'm not
sure how much of a difference this would all add up to, or if some of
those effects might cancel part of it out, but it would seem to me that
it could have a statistically noticeable effect on the balance, and one
that would be variable between relays and even within the same relay
depending on the balance of exit versus relay traffic; at least with the
two exits I am running that seems to be the case.

Of course the easiest way to deal with those problems from the
perspective of someone trying to identify potential suspicious activity
(and to produce probable cause for the same) would be to statistically
compare the balance of node x with the set of nodes of the same class.
That could even be why they keep requesting data: samples for comparison
to look for evidence of statistical anomalies. Also I wonder what level
of detail they are really requesting and/or receiving such data at; they
could have other interests too, like performing network analysis on the
flows between nodes if they had data on the volume per peer IP address.

I suspect in this case, though, that whatever their purposes are, they
are approaching the service provider and seeking their co-operation. It
doesn't sound like they have anything specific, let alone a warrant, here,
as it seems to me that more often than not when a warrant is issued in
the US requesting information on a user from a service provider it
tends to come with an attached court order forbidding the service
provider from disclosing the details to their subscriber. It would
surprise me if they would stop at merely asking about traffic balances
if they had enough to seek a warrant; it would make more sense to at
the least put an ethernet tap on it, if not attempt to access the
plaintext by installing something onto the host or the hypervisor
if it's a VPS.

Either way it sounds to me like they are probably fishing in this instance.
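The peer comparison Matt describes, written from the relay operator's side as an added example that is not code from the Tor project or from anyone on this thread: a robust outlier check that says whether one relay's tx/rx ratio sits where relays of the same class sit. The peer ratios are constructed, not measured, and the cutoff is an assumption; an operator can feed in their own counters to notice when a co-hosted service has skewed the box away from the norm.

```python
"""Where does one relay's traffic balance sit among its peers?

Added example, not Tor project code. The peer ratios are constructed values
standing in for tx/rx ratios of other exits; they are not measurements.
"""
from statistics import median

MAD_TO_SIGMA = 1.4826  # scales a median absolute deviation to a std-dev equivalent

# Constructed: tx/rx ratios of a handful of exits, all near the few-percent
# overhead a pure exit shows.
PEER_EXIT_RATIOS = [1.03, 1.04, 1.02, 1.05, 1.03, 1.04, 1.03, 1.06, 1.02, 1.04]


def robust_zscore(value, peers):
    """Distance of value from the peer median, in MAD units.

    Median and MAD are used instead of mean and standard deviation so that a
    single wildly skewed box in the peer set does not hide the others.
    """
    centre = median(peers)
    mad = median(abs(p - centre) for p in peers)
    if mad == 0:
        return 0.0 if value == centre else float("inf")
    return (value - centre) / (MAD_TO_SIGMA * mad)


def is_anomalous(value, peers, threshold=3.5):
    """True when value is more than `threshold` robust sigmas from the peers."""
    return abs(robust_zscore(value, peers)) > threshold


def classify(ratio, peers=PEER_EXIT_RATIOS):
    """Human-readable verdict for one relay's ratio against its peer class."""
    z = robust_zscore(ratio, peers)
    verdict = "outside peer range" if is_anomalous(ratio, peers) else "within peer range"
    return f"ratio={ratio:.3f} z={z:.1f}: {verdict}"


if __name__ == "__main__":
    print(classify(1.045))  # a plain exit with ordinary overhead
    print(classify(5.15))   # an exit sharing its box with a busy web server
```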
