Re: [tor-relays] UbuntuCore relays

2018-12-02 Thread nusenu
Chad MILLER:
> I have assumed that 95% of users don't have public addresses or have port
> forwarding. It's a connectivity problem, I think.

Yes, understood. And >5k deployments without anyone(?) asking about why it does
not work is the crucial part that makes it odd (makes it look like bots).
 
>> are these actual 6000 unique deployments? how are they counted?
>> are endpoints submitting a unique ID to the update endpoint for the
>> counter to work?
>> (or are these counters just based on counting unique source IPs hitting
>> the update endpoint? [within a day?])
>> do you have AS or country break downs for that number?
>>
> 
> I think it's a count of update checks within a normal update-check window.

do you have the possibility to find out? (via authoritative documentation?)
It would be great to have some affirmative data. 

any comment about this?
> maybe you could add a simple check for the existence of a file where the
> operator needs to add the ContactInfo and if it is not there the snap exits
> + adding that new requirement prominently to the snap documentation.
> 
> Then we can observe how many 
> - disappear?
> - get a ContactInfo? 
> - get the same ContactInfo?
> - get a random ContactInfo?
> - get an actual working ContactInfo?



> I DO have country information. Attached. (I removed the countries with
> fewer than 3 in case that could be used to identify them.) 

thanks for providing this data, interesting to see that there are even 
instances in China trying to come online.

Do you have any other additional stats like hw architecture?
or even hw arch per country?



-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu





___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] UbuntuCore relays

2018-11-24 Thread Chad MILLER
On Sat, Nov 24, 2018 at 5:10 PM nusenu  wrote:

> Chad MILLER:
> > Downloads are anonymous, but the dashboard I have says it should be about
> > 6000 nodes wishing to join
>
> these are scary high numbers and the fact that no operator appears to be
> asking why any of
> these >5600 failing installations do not come online is making this even
> more odd-looking to me.
>

I have assumed that 95% of users don't have public addresses or have port
forwarding. It's a connectivity problem, I think.

> are these actual 6000 unique deployments? how are they counted?
> are endpoints submitting a unique ID to the update endpoint for the
> counter to work?
> (or are these counters just based on counting unique source IPs hitting
> the update endpoint? [within a day?])
> do you have AS or country break downs for that number?
>

I think it's a count of update checks within a normal update-check window.

I DO have country information. Attached. (I removed the countries with
fewer than 3 in case that could be used to identify them.) Countries
greater than 100 are
613 Germany
539 France
530 United States
455 Russian Federation
373 Brazil
332 Italy
315 India
288 Spain
217 Iran, Islamic Republic of
172 United Kingdom
140 Mexico
131 Ukraine
125 Poland
119 Canada


torrelay-snap-active-update-per-countryname
Description: Binary data


Re: [tor-relays] UbuntuCore relays

2018-11-24 Thread nusenu
Chad MILLER:
> If someone is spoofing them, then I reckon they are doing a good job
> updating them to match the (ever-increasing) revision number, now at
> 249-252.

I don't think anyone is "spoofing" the nickname behavior
of your snap. I think these are actual running snap installations.


> Downloads are anonymous, but the dashboard I have says it should be about
> 6000 nodes wishing to join

these are scary high numbers and the fact that no operator appears to be asking
why any of these >5600 failing installations do not come online is making this
even more odd-looking to me.

are these actual 6000 unique deployments? how are they counted?
are endpoints submitting a unique ID to the update endpoint for the counter to
work?
(or are these counters just based on counting unique source IPs hitting the
update endpoint? [within a day?])
do you have AS or country break downs for that number?

> (though failed connectivity might remove some)
> and metrics.torproject.org says "at least 2000".

There are currently[1] 359 running relays with a nickname starting with
"UbuntuCore" (that is more than 0.5% of the tor network's consensus weight
fraction). That would be the 10th biggest tor relay operator if it were a
single operator.

> If someone has an idea for a veracity experiment, contact me.

What would you like to verify with an experiment?

We were in contact about this before, but maybe you could add a simple
check for the existence of a file where the operator needs to add the
ContactInfo and if it is not there the snap exits + adding that new
requirement prominently to the snap documentation.

Then we can observe how many 
- disappear?
- get a ContactInfo? 
- get the same ContactInfo?
- get a random ContactInfo?
- get an actual working ContactInfo?


[1] onionoo data from 2018-11-24 23:00 UTC
[2] https://medium.com/@nusenu/is-this-a-ubuntu-based-botnet-deploying-tor-relays-and-bridges-b4ce1a612039
-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu



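
One way to score the experiment nusenu proposes above, as an added example that is not part of the original thread: compare two Onionoo-style snapshots taken before and after the ContactInfo requirement and sort every "UbuntuCore" relay into one of the listed outcomes. The records are constructed, the function names are hypothetical, and only the `nickname`, `fingerprint` and `contact` fields of Onionoo details documents are assumed.

```python
import re
from collections import Counter
# Constructed Onionoo-style "details" records; fingerprints and contacts are fake.
BEFORE = [
    {"fingerprint": "F1", "nickname": "UbuntuCore249"},
    {"fingerprint": "F2", "nickname": "UbuntuCore249"},
    {"fingerprint": "F3", "nickname": "UbuntuCore250"},
    {"fingerprint": "F4", "nickname": "UbuntuCore251"},
    {"fingerprint": "F5", "nickname": "UbuntuCore252"},
    {"fingerprint": "F6", "nickname": "UbuntuCore252"},
]
AFTER = [
    {"fingerprint": "F2", "nickname": "UbuntuCore249"},  # old revision, no gate yet
    {"fingerprint": "F3", "nickname": "UbuntuCore253", "contact": "admin@example.org"},
    {"fingerprint": "F4", "nickname": "UbuntuCore253", "contact": "Admin@example.org "},
    {"fingerprint": "F5", "nickname": "UbuntuCore253", "contact": "alice <alice@example.net>"},
    {"fingerprint": "F6", "nickname": "UbuntuCore253", "contact": "xk29qpz"},
    {"fingerprint": "X1", "nickname": "SomeOtherRelay", "contact": "op@example.com"},
]

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")

def by_fingerprint(relays, prefix="UbuntuCore"):
    """Index the relays whose nickname starts with the snap's prefix."""
    return {r["fingerprint"]: r for r in relays
            if r.get("nickname", "").startswith(prefix)}

def normalized_contact(relay):
    return (relay.get("contact") or "").strip().lower()

def classify(before, after, shared_min=2):
    """Map each relay seen before the change to one of the proposed outcomes."""
    old, new = by_fingerprint(before), by_fingerprint(after)
    seen = Counter(normalized_contact(r) for r in new.values())
    outcome = {}
    for fp in old:
        contact = normalized_contact(new[fp]) if fp in new else None
        if contact is None:
            outcome[fp] = "disappeared"
        elif not contact:
            outcome[fp] = "no-contact"
        elif seen[contact] >= shared_min:
            outcome[fp] = "same-contact"
        elif EMAIL.search(contact):
            outcome[fp] = "unique-plausible"    # syntax only; deliverability is not tested
        else:
            outcome[fp] = "unique-unparseable"  # candidate for a "random" ContactInfo
    return outcome

def summarize(outcome):
    return dict(Counter(outcome.values()))

if __name__ == "__main__":
    print(summarize(classify(BEFORE, AFTER)))
```

A relay that regenerates its identity key shows up under a new fingerprint, so this comparison counts it as disappeared.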


Re: [tor-relays] UbuntuCore relays

2018-11-24 Thread Chad MILLER
If someone is spoofing them, then I reckon they are doing a good job
updating them to match the (ever-increasing) revision number, now at
249-252.

Downloads are anonymous, but the dashboard I have says it should be about
6000 nodes wishing to join (though failed connectivity might remove some)
and metrics.torproject.org says "at least 2000".

If someone has an idea for a veracity experiment, contact me.


On Sat, Nov 24, 2018 at 3:32 PM nusenu  wrote:

> Roger Dingledine wrote:
> > Btw, all of these UbuntuCore relays are from snap packages run by Tor
> > enthusiasts
>
> Do you indeed mean "all"? Since there have also been other hypotheses about
> at least some of these "UbuntuCore" relays in the past (see bad-relays ML
> archive from 2017-11-13),
> it would be great if you could elaborate on how you came to that
> conclusion.
>
> thanks,
> nusenu
>
>
> --
> https://twitter.com/nusenu_
> https://mastodon.social/@nusenu
>
>


-- 
Chad Miller  chad.org  gpg:a806deac30420066


Re: [tor-relays] UbuntuCore relays

2018-11-24 Thread Roger Dingledine
On Sat, Nov 24, 2018 at 11:32:00PM +, nusenu wrote:
> Roger Dingledine wrote:
> > Btw, all of these UbuntuCore relays are from snap packages run by Tor
> > enthusiasts 
> 
> Do you indeed mean "all"? Since there have also been other hypotheses about
> at least some of these "UbuntuCore" relays in the past (see bad-relays ML
> archive from 2017-11-13),
> it would be great if you could elaborate on how you came to that conclusion.

All I've got is Chad's original mail:
https://lists.torproject.org/pipermail/tor-relays/2016-August/010046.html
where he describes his snap.

--Roger



Re: [tor-relays] UbuntuCore stats update

2017-12-11 Thread nusenu


teor:
>> Chad MILLER:
>>> Torix, that's still true. Snaps restrict syscalls so tightly that switching
>>> users is not possible.
>>
>> Is it possible to start tor with a non-root user directly (without using
>> tor's user parameter to drop privileges)?
> 
> Yes, but you must pre-configure tor's directories with the correct user
> and permissions. Tor has strict requirements for private key security.

Generally speaking tor supports it (FreeBSD does it) but my question was
more towards Chad's tor snap package. Was your answer also for the snap?

thanks,
nusenu

-- 
https://mastodon.social/@nusenu
twitter: @nusenu_





Re: [tor-relays] UbuntuCore stats update

2017-12-10 Thread teor

> On 11 Dec 2017, at 09:50, nusenu  wrote:
> 
> Chad MILLER:
>> Torix, that's still true. Snaps restrict syscalls so tightly that switching
>> users is not possible.
> 
> Is it possible to start tor with a non-root user directly (without using
> tor's user parameter to drop privileges)?

Yes, but you must pre-configure tor's directories with the correct user
and permissions. Tor has strict requirements for private key security.

If this doesn't work, let us know: there have been bugs in this code
in the past.

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n




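
A pre-flight check for the point teor makes above, as an added example that is not part of the original thread and not code from tor or the snap: before starting tor as an unprivileged user, verify that its data directory tree is owned by that user and closed to group and other. The exact policy (matching owner, no group/other bits, no symlinks), the function names and the constructed `keys/secret_id_key` layout are assumptions of this example.

```python
import os
import stat
import tempfile

def audit_datadir(path, expected_uid=None):
    """Return findings for a tor DataDirectory tree; an empty list means it passes."""
    uid = os.getuid() if expected_uid is None else expected_uid
    if not os.path.isdir(path) or os.path.islink(path):
        return [f"{path}: not a real directory"]
    targets = [path]
    for root, dirs, files in os.walk(path):  # does not follow symlinked directories
        targets += [os.path.join(root, name) for name in dirs + files]
    findings = []
    for target in targets:
        st = os.lstat(target)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{target}: symlink inside the data directory")
            continue
        if st.st_uid != uid:
            findings.append(f"{target}: owned by uid {st.st_uid}, expected {uid}")
        if st.st_mode & 0o077:  # any group/other bit exposes relay keys
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{target}: mode {mode:04o} is group/other accessible")
    return findings

def build_sample_tree(key_mode=0o600):
    """Create a constructed DataDirectory layout in a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="tor-datadir-")
    keys = os.path.join(base, "keys")
    os.mkdir(keys)
    os.chmod(base, 0o700)
    os.chmod(keys, 0o700)
    key_file = os.path.join(keys, "secret_id_key")
    with open(key_file, "wb") as fh:
        fh.write(b"constructed placeholder, not a real key\n")
    os.chmod(key_file, key_mode)
    return base

if __name__ == "__main__":
    print(audit_datadir(build_sample_tree()))
    print(audit_datadir(build_sample_tree(key_mode=0o644)))
```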


Re: [tor-relays] UbuntuCore stats update

2017-12-10 Thread nusenu


Chad MILLER:
> Torix, that's still true. Snaps restrict syscalls so tightly that switching
> users is not possible.

Is it possible to start tor with a non-root user directly (without using
tor's user parameter to drop privileges)?

-- 
https://mastodon.social/@nusenu
twitter: @nusenu_





Re: [tor-relays] UbuntuCore stats update

2017-12-10 Thread Chad MILLER
Torix, that's still true. Snaps restrict syscalls so tightly that switching
users is not possible.

- chad



On Tue, Dec 5, 2017 at 8:35 AM, Torix  wrote:

> Dear Chad,
> The last I read from nusenu a few months ago was that you have tor
> running as root, which sort of wiped it off my radar.  Is that still true?
> I do like your idea of democratizing tor relays so normal people can run
> them.
>
> TIA,
>
> --torix
>
>
> Sent with ProtonMail  Secure Email.
>
>  Original Message 
> Subject: [tor-relays] UbuntuCore stats update
> Local Time: December 4, 2017 10:18 PM
> UTC Time: December 5, 2017 3:18 AM
> From: c...@cornsilk.net
> To: tor-relays@lists.torproject.org
>
> Hi all. I generate* the packages that make up those UbuntuCore relays and
> bridges you hear about some time in here.
> I intended it to be a low-friction way normal joes can help Tor. There
> have been a good number of volunteers.
>
> The automatic-update system of Snap means the security update of a few
> days ago gives some population info through download stats.
>
> About 2200+ machines updated to last week's release. Almost all are amd64,
> though a few percent are i386 or armhf. I don't know of any arm64 yet.
> They're mostly desktops and servers. I see several new downloads every day.
>
> Judging from the new Atlas, about 800 have checked in to try to join
> the consensus, and a little more than 100 are active at any time.
>
> Some working details: The package has a kill-switch so that it no longer
> starts after a few months of staleness (if I'm ever hit by a bus). At first
> launch, Tor creates a key and the last two bits of the key determine the
> role of the instance, with a 1/4 chance of becoming an obfs4 bridge. The
> default bandwidth limit is a modest 4 megabits per second. Also by default,
> it tries to punch holes in NAT to make itself available for incoming
> connections, but I don't have a lot of confidence that is often successful.
>
> I remain on this list and am always happy to answer questions or
> suggestions.
>
> * http://bazaar.launchpad.net/~privacy-squad/+junk/tor-middle-relay-snap/files
>
> --
> Chad Miller  chad.org  gpg:a806deac30420066
>
>
>
>
>


-- 
Chad Miller  chad.org  gpg:a806deac30420066


Re: [tor-relays] UbuntuCore stats update

2017-12-05 Thread Torix
Dear Chad,
The last I read from nusenu a few months ago was that you have tor running
as root, which sort of wiped it off my radar.  Is that still true?  I do like
your idea of democratizing tor relays so normal people can run them.

TIA,

--torix

Sent with [ProtonMail](https://protonmail.com) Secure Email.

>  Original Message 
> Subject: [tor-relays] UbuntuCore stats update
> Local Time: December 4, 2017 10:18 PM
> UTC Time: December 5, 2017 3:18 AM
> From: c...@cornsilk.net
> To: tor-relays@lists.torproject.org
>
> Hi all. I generate* the packages that make up those UbuntuCore relays and 
> bridges you hear about some time in here.
> I intended it to be a low-friction way normal joes can help Tor. There have 
> been a good number of volunteers.
>
> The automatic-update system of Snap means the security update of a few days 
> ago gives some population info through download stats.
>
> About 2200+ machines updated to last week's release. Almost all are amd64, 
> though a few percent are i386 or armhf. I don't know of any arm64 yet. 
> They're mostly desktops and servers. I see several new downloads every day.
>
> Judging from the new Atlas, about 800 have checked in to try to join the
> consensus, and a little more than 100 are active at any time.
>
> Some working details: The package has a kill-switch so that it no longer 
> starts after a few months of staleness (if I'm ever hit by a bus). At first 
> launch, Tor creates a key and the last two bits of the key determine the
> role of the instance, with a 1/4 chance of becoming an obfs4 bridge. The
> default bandwidth limit is a modest 4 megabits per second. Also by default, 
> it tries to punch holes in NAT to make itself available for incoming 
> connections, but I don't have a lot of confidence that is often successful.
>
> I remain on this list and am always happy to answer questions or suggestions.
>
> * http://bazaar.launchpad.net/~privacy-squad/+junk/tor-middle-relay-snap/files
>
> --
> Chad Miller  chad.org  gpg:a806deac30420066


Re: [tor-relays] UbuntuCore (botnet?)

2017-10-30 Thread Chad MILLER
I am probably responsible for the existence of these UbuntuCore relays. I
package something with this name, but I do not have a lot of insight into
its users, who are anonymous.

I do have package download statistics, so I can tell you that on a new
release, there are about 1700 downloads of those packages, with about 50
downloads each day normally.  (They should start automatically and be
updated automatically.)

I'll push out v 0.3.1.8-1 today or tomorrow, so you should see the nickname
increment a bit (+4 or so).

-chad









On Mon, Oct 30, 2017 at 1:09 AM, nusenu  wrote:

>
>
> Paul Templeton:
> > These nodes are popping up everywhere - is this some sort of malware
> > being deployed on systems around the globe?
>
> I wrote about them in April 2017:
> https://medium.com/@nusenu/is-this-a-ubuntu-based-botnet-deploying-tor-relays-and-bridges-b4ce1a612039
>
> I assume they are not set up by humans.
>
> Since back then the overall CW fraction of these relays increased about
> x4 (currently 92 concurrently running relays).
>
> That is about position #69 on the list of biggest operators by CW fraction
> https://nusenu.github.io/OrNetStats/maincwfamilies
>
> --
> https://mastodon.social/@nusenu
> twitter: @nusenu_
>
>
>
>


-- 
Chad Miller  chad.org  gpg:a806deac30420066


Re: [tor-relays] UbuntuCore

2017-10-29 Thread Roger Dingledine
On Mon, Oct 30, 2017 at 03:23:07AM +, Paul Templeton wrote:
> These nodes are popping up everywhere - is this some sort of malware being 
> deployed on systems around the globe?

It is an Ubuntu snap package. See this thread:
https://lists.torproject.org/pipermail/tor-relays/2016-August/010046.html

--Roger



Re: [tor-relays] UbuntuCore

2017-10-29 Thread tor
> These nodes are popping up everywhere - is this some sort of malware being
> deployed on systems around the globe?

Interesting. It does look like malware to me.

- all running Tor 0.3.1.7 on Linux
- diverse AS / IP allocation, mostly looks like ISP end-subscriber
- same exit policy (reject *:*)