<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 18/02/13 10:05, Andrea Shepard
wrote:<br>
</div>
<blockquote
cite="mid:20130218100540.GH2496@shoggoths.persephoneslair.org"
type="cite">
<pre wrap="">On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">I thought I would let you know: Our US hoster is regularly contacted by
law enforcement about our exits there. Some agents ask if the traffic
pattern is balanced, ie. if the same amount of traffic enters and leaves
the box.
I always argue that this is a good indicator for Tor traffic, and that
it is bad to mix Tor traffic with other traffic for that exact reason.
</pre>
</blockquote>
<pre wrap="">
Due to encryption and compression it might only be balanced to
within some typical ratio. I'm sure you have a handle on that number.
But that any non 1:1 ratio could make it appear to be serving (or
receiving) continual amounts of data. Which in the eye of agents
could raise question. Another question is whether these US hosts
are just volunteering this data to whoever comes asking, with or
without your instruction, or complying with formal legal orders?
On the plus side, hopefully everyone is coming away with the
fact that it's just an uninteresting, agnostic, relay service and
time is better spent elsewhere.
</pre>
</blockquote>
<pre wrap="">
Interesting; I'm pretty sure we do not use TLS compression. Nick M., that's
true, yeah?
On the other hand, it could also be unbalanced because of:
* Using that Tor process as a client
* Running a hidden service on that Tor process
* Running a directory mirror
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
tor-relays mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a>
</pre>
</blockquote>
I would guess also that being an exit is going to lead to a bit of
an imbalance also as on the one side it is dealing with the
plaintext unwrapped data on the other side cyphertext wrapped in
onion protocol all in fixed sized cells which I would suspect means
sometimes adding padding where the data to be sent to a specific
nexthop destination is not an exact multiple of the cell payload
size. I'm not sure how much of a difference this would all add up
to or if some of those effects might cancel part of it out but it
would seem to me that it could have a statistically noticeable
effect on the balance and one that would be variable between relays
and even with the same relay depending on the balance of exit versus
relay traffic which at least with the two exits I am running that
seems to be the case.<br>
<br>
Of course the easiest way to deal with those problems from the
perspective of someone trying to identify potential suspicious
activity (And to produce provide probable cause for the same) would
be to statistically compare the balance of node x with the set of
nodes of the same class that could even be why they keep requesting
data, samples for comparison to look for evidence of statistical
anomalies. Also I wonder what level of detail they are really
requesting and or receiving such data at, they could have other
interests too like performing network analysis on the flows between
nodes if they had data on the volume per peer ip address.<br>
<br>
I suspect in this case though that whatever their purposes are they
are approaching the service provider and seeking their co-operation
doesn't sound like they have anything specific let alone a warrant
here as it seems to me more often than not when a warrant is issued
in the US requesting information on a user from a service provider
it usually tends to come with an attached court order forbidding the
service provider from disclosing the details to their subscriber.
It would surprise me if they would stop at merely asking about
traffic balances if they had enough to seek a warrant also, would
make more sense to at the least put an ethernet tap on it if not
attempt to access the plaintext through installing something onto
the host or the hypervisor if it's a VPS.<br>
<br>
Either way it sounds to me like they are probably fishing in this
instance.<br>
</body>
</html>