On Sun, Jul 20, 2014 at 6:34 PM, Mike Hearn mike@plan99.net wrote:
Hello,
As we know, hidden services can be useful for all kinds of legitimate things (Pond's usage is particularly interesting), however they do also sometimes get used by botnets and other problematic things.
Tor provides exit policies to let exit relay operators restrict traffic they consider to be unwanted or abusive. In this way a kind of international group consensus emerges about what is and is not acceptable usage of Tor. For instance, SMTP out is widely restricted.
Has there been any discussion of implementing similar controls for hidden services, where relays would refuse to act as introduction points for hidden services that match certain criteria e.g. have a particular key, or whose key appears in a list downloaded occasionally via Tor itself. In this way relay operators could avoid their resources being used for establishing communication with botnet CnC servers.
Obviously such a scheme would require a protocol and client upgrade to avoid nodes building circuits to relays that then refuse to introduce.
The downside is additional complexity. The upside is potentially recruiting new relay operators.
HS's will just change their HS keys out from under your list. Then it becomes whack a mole. And you'll also be taking out shared services with the bathwater. Are you funding maintenance of that list? Ready to be called a censor when you exceed your noble intent as all have done before? And to be ignored by those operators who don't care to subscribe to your censor list thus nullifying your efforts (not least of why because it may be illegal for them to look at services on the list to verify it, or to look at and make decisions regarding content of traffic that transits them). And ignored by botnet ops who will surely run their own relays and internal pathing.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Mike Hearn,
Simple. If you start filtering anything at all, regardless of what it is (yes, even if you filter child porn or fraud sites) then I will block any connection of your relays to mine (which are exits and guards totally 4Gbps). There are uses for preventing some connections like if you are legally required to then I guess the tradeoff of some inconvenience for a handful of relays, but still providing high-speed access to Tor for most people and sites is worth it. When you begin to do it as a proactive censorship event is when I will be firmly against you.
The moment people censor things because it is illegal, immoral or "terrorist" is the moment that person accepts responsibility for the traffic that passes through their nodes and is an active attempt by them to filter what people can access. Freedom isn't free unless it is totally free and a selective reading policy through Tor is not just a bad idea as stated below, I find it outright insulting to me and everyone else who cares about the free and open internet. The fact somebody has the audacity to come to a project like Tor and propose blacklisting mechanisms is jaw-dropping.
In addition, botnets using Tor actually improve the security of the network. Generally the more traffic there is, the harder it is to conduct statistical attacks against the users. Now of course it is not the most politic thing to say or the most popular, but it's the truth. We don't need to stop x y or z using Tor, we need to get more people using Tor regardless of their purpose. Botnets are the result of design/security flaws and not something within the scope of Tor Project to address.
You did mention the development of a workaround to avoid people who do block whatever resource they are trying to access, but what is the point? Once it is easy to start blocking hidden services like that, it's only a very small step to blacklists floating around, then like Spamhaus that list maintainer acts like a mafia to coerce other operators into using it. Even in the wording of what you admitted yourself, additional complexity, Tor should be spending time improving it's systems and fixing bugs rather than making censorship easier for the masses. This is one of the concerns I voiced in the Paris Tor developer meeting only a few weeks ago too.
As I recall, you are also the person who raised the idea of coin tinting or a similar concept in the bitcoin community to identify "suspect" coins and that backfired spectacularly on you. Don't try to bring such ideas to Tor because they are not the same and I doubt you would try to propose blacklisting bitcoin addresses on the bitcoin network? Then again, after reading that message, I honestly don't know so while you are reading this, let me know if you run any relays so I can avoid them. I could go on for a lot longer, but I'll leave it at this for now or I will not be getting to sleep tonight. Just know I'd rather go to prison than act as an assistant of censorship.
- -T
On 21/07/2014 00:38, grarpamp wrote:
On Sun, Jul 20, 2014 at 6:34 PM, Mike Hearn mike@plan99.net wrote:
Hello,
As we know, hidden services can be useful for all kinds of legitimate things (Pond's usage is particularly interesting), however they do also sometimes get used by botnets and other problematic things.
Tor provides exit policies to let exit relay operators restrict traffic they consider to be unwanted or abusive. In this way a kind of international group consensus emerges about what is and is not acceptable usage of Tor. For instance, SMTP out is widely restricted.
Has there been any discussion of implementing similar controls for hidden services, where relays would refuse to act as introduction points for hidden services that match certain criteria e.g. have a particular key, or whose key appears in a list downloaded occasionally via Tor itself. In this way relay operators could avoid their resources being used for establishing communication with botnet CnC servers.
Obviously such a scheme would require a protocol and client upgrade to avoid nodes building circuits to relays that then refuse to introduce.
The downside is additional complexity. The upside is potentially recruiting new relay operators.
HS's will just change their HS keys out from under your list. Then it becomes whack a mole. And you'll also be taking out shared services with the bathwater. Are you funding maintenance of that list? Ready to be called a censor when you exceed your noble intent as all have done before? And to be ignored by those operators who don't care to subscribe to your censor list thus nullifying your efforts (not least of why because it may be illegal for them to look at services on the list to verify it, or to look at and make decisions regarding content of traffic that transits them). And ignored by botnet ops who will surely run their own relays and internal pathing. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Sun, Jul 20, 2014 at 9:57 PM, Thomas White thomaswhite@riseup.net wrote:
Mike Hearn, Simple. If you start filtering anything at all, regardless of what it is ... then I will block any connection of your relays to mine ... Freedom isn't free unless it is totally free and a selective reading policy through Tor is not just a bad idea as stated below, I find it outright insulting to me and everyone else who cares about the free and open internet. The fact somebody has the audacity to come to a project like Tor and propose blacklisting mechanisms is jaw-dropping. ... As I recall, you are also the person who raised the idea of coin tinting or a similar concept in the bitcoin community to identify "suspect" coins and that backfired spectacularly on you.
Yes, that is the person. Though the term is known as 'taint'. One of many discussions from that suggestion is here: https://bitcointalk.org/index.php?topic=333824.0
so while you are reading this, let me know if you run any relays so I can avoid them.
router riker 207.12.89.16 9001 0 0 fingerprint 8657 6CF6 AA84 496F 62C0 5AFE 9F26 8962 A5F0 B2BD contact Mike Hearn mike@plan99.net accept *:8333 reject *:*
Normally I would thank exits for passing BTC traffic, but now I'm unsure of this one (and a few others), especially given that's the only exit policy of the above node. To identify anon (Tor) coins for marking and tracking?
Thomas White thomaswhite@riseup.net wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Mike Hearn,
Simple. If you start filtering anything at all, regardless of what it is (yes, even if you filter child porn or fraud sites) then I will block any connection of your relays to mine (which are exits and guards totally 4Gbps). There are uses for preventing some connections
Sorry, wrong answer. If you block connections from other relays, you break the tor network. I don't recall offhand whether that sort of breakage might earn your relay either an Invalid flag or being simply dropped from the consensus.
like if you are legally required to then I guess the tradeoff of some inconvenience for a handful of relays, but still providing high-speed access to Tor for most people and sites is worth it. When you begin to do it as a proactive censorship event is when I will be firmly against you.
The moment people censor things because it is illegal, immoral or "terrorist" is the moment that person accepts responsibility for the traffic that passes through their nodes and is an active attempt by them to filter what people can access. Freedom isn't free unless it is totally free and a selective reading policy through Tor is not just a bad idea as stated below, I find it outright insulting to me and everyone else who cares about the free and open internet. The fact somebody has the audacity to come to a project like Tor and propose blacklisting mechanisms is jaw-dropping.
In addition, botnets using Tor actually improve the security of the network. Generally the more traffic there is, the harder it is to conduct statistical attacks against the users. Now of course it is not the most politic thing to say or the most popular, but it's the truth.
Are you suggesting that the mobbing attacks on HSDIR relays are the actions of botnets? If so, then you are suggesting that the problem of mobbing of HSDIR relays is probably insoluble because it would not be the symptom of a bug in tor. :-(
We don't need to stop x y or z using Tor, we need to get more people using Tor regardless of their purpose. Botnets are the result of design/security flaws and not something within the scope of Tor Project to address.
Wrong again. See multitudinous previous threads regarding bittorrent over tor. Let me give you an example of appropriate filtering. My system logs frequent attacks/probes that I consider illegitimate. I enter the source addresses of those probes into a pf table of addresses from which SYN packets for any protocol or port get dropped with no response. However, there is a cron job that runs every 30 minutes that takes all the relay IP addresses in the most recently downloaded consensus and puts them into another pf table. This latter table is used by pf rules to bypass the check described above, but only for relays attempting to connect to my relay's ORPort or DirPort. This prevents the sort of breakage you threaten to cause because currently active relays will still be able to relay through my relay, although if they are also in the table described first, then they will have no *other* type of access to my system.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *or* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Sorry, wrong answer. If you block connections from other relays, you break the tor network. I don't recall offhand whether that sort of breakage might earn your relay either an Invalid flag or being simply dropped from the consensus.
For a single relay to my knowledge, it shouldn't do. There are many reasons some relays can't connect to each other so it doesn't "break" Tor as an alternative route is simply found.
Are you suggesting that the mobbing attacks on HSDIR relays are the actions of botnets? If so, then you are suggesting that the problem of mobbing of HSDIR relays is probably insoluble because it would not be the symptom of a bug in tor. :-(
The question is botnet CnC's, the proposal has nothing to do with solving the botnet CnC problem and I am also stating Tor is not the one who needs to tackle them right at this moment, the budget and resources are just not there. However creating a system where operators start blacklisting hidden services is extremely bad for anonymity both for the hidden service and the user.
To answer the rest of your question, I am not a developer. I am somebody who cares about anonymity and that is why I run the 2nd largest server cluster on the Tor network from my own pocket. Filtering or proposing to blacklist anything is not acceptable in my view. Whatever solutions individuals care to launch to protect their relay is their own responsibility, but actively developing something by the core developers to blacklist hidden service is a completely despicable idea. To elaborate only on the legal side of things, if I can easily block hidden services passing through my relays or if I am the RV point for one the government can then serve me a notice ordering me to block it, this I have already run through my solicitor and there no escaping that fact unfortunately.
Also note, botnets in this sense are not the topic. The proposal is an easy mechanism to censor hidden services and let it not be portrayed as anything other than that. I can see why 90% of people opposed his "coin taint" idea and 75% wanted him to leave the bitcoin foundation. If Tor did introduce such measures, I would be swiftly leaving Tor's ranks and withdrawing all support (both all 25 relays/exits/guards, and financial) from it.
So to state clearly:
Should Tor Project develop a system to filter hidden services?
I'll let people decide that for themselves. But my opinion, is that doing so defies the point of a hidden service and people who push for it should be ashamed of themselves.
- -T
On 21/07/2014 12:22, Scott Bennett wrote:
Thomas White thomaswhite@riseup.net wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Mike Hearn,
Simple. If you start filtering anything at all, regardless of what it is (yes, even if you filter child porn or fraud sites) then I will block any connection of your relays to mine (which are exits and guards totally 4Gbps). There are uses for preventing some connections
Sorry, wrong answer. If you block connections from other relays, you break the tor network. I don't recall offhand whether that sort of breakage might earn your relay either an Invalid flag or being simply dropped from the consensus.
like if you are legally required to then I guess the tradeoff of some inconvenience for a handful of relays, but still providing high-speed access to Tor for most people and sites is worth it. When you begin to do it as a proactive censorship event is when I will be firmly against you.
The moment people censor things because it is illegal, immoral or "terrorist" is the moment that person accepts responsibility for the traffic that passes through their nodes and is an active attempt by them to filter what people can access. Freedom isn't free unless it is totally free and a selective reading policy through Tor is not just a bad idea as stated below, I find it outright insulting to me and everyone else who cares about the free and open internet. The fact somebody has the audacity to come to a project like Tor and propose blacklisting mechanisms is jaw-dropping.
In addition, botnets using Tor actually improve the security of the network. Generally the more traffic there is, the harder it is to conduct statistical attacks against the users. Now of course it is not the most politic thing to say or the most popular, but it's the truth.
Are you suggesting that the mobbing attacks on HSDIR relays are the actions of botnets? If so, then you are suggesting that the problem of mobbing of HSDIR relays is probably insoluble because it would not be the symptom of a bug in tor. :-(
We don't need to stop x y or z using Tor, we need to get more people using Tor regardless of their purpose. Botnets are the result of design/security flaws and not something within the scope of Tor Project to address.
Wrong again. See multitudinous previous threads regarding bittorrent over tor. Let me give you an example of appropriate filtering. My system logs frequent attacks/probes that I consider illegitimate. I enter the source addresses of those probes into a pf table of addresses from which SYN packets for any protocol or port get dropped with no response. However, there is a cron job that runs every 30 minutes that takes all the relay IP addresses in the most recently downloaded consensus and puts them into another pf table. This latter table is used by pf rules to bypass the check described above, but only for relays attempting to connect to my relay's ORPort or DirPort. This prevents the sort of breakage you threaten to cause because currently active relays will still be able to relay through my relay, although if they are also in the table described first, then they will have no *other* type of access to my system.
Scott Bennett, Comm. ASMELG, CFIAG
* Internet: bennett at sdf.org *or* bennett at freeshell.org *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
- objection to the introduction of that bane of all free
governments * * -- a standing army."
- -- Gov. John Hancock, New York Journal, 28 January 1790
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 21/07/2014 6:21 AM, Thomas White wrote:
Also note, botnets in this sense are not the topic. The proposal is an easy mechanism to censor hidden services and let it not be portrayed as anything other than that. ...
So to state clearly:
Should Tor Project develop a system to filter hidden services?
The simple fact of the matter is this: However good and pure our intentions may be ("We'll only block malware and child porn!"), a system would have to be developed to allow us to block arbitrary services.
Something I have noticed which trips up most people is their inability to see beyond themselves. YOU may have only the best intentions. YOU may never countenance blocking inconvenient truths on Twitter / Slashdot / news-feed-of-the-day. But once a system is created that can block arbitrary services, it's only a matter of time before somebody with intentions less pure than your own decide to start blocking other things. Maybe somebody with an upright moral standing decides it would be better to block everything PG-13 and up. Maybe somebody decides their government is taking too much flack on an issue, and tries to "help out" by filtering some news sites they feel are particularly biased. Maybe I decide that tabloid magazines are total trash, and nobody should be allowed to give them business so they'll just die off in the end.
Why would we want to replace a system of government censorship with censorship-by-the-masses? I thought we wanted to decide for ourselves--what we read, to whom we listen, what we do, and with whom we associate.
(Never mind the legal fact that, if we CAN filter / exert legitimate control over the traffic flowing over the network, somebody will figure out a way to MAKE us do so--and it may not be what we personally agree should be blocked.)
Insofar as botnets create an infrastructure problem with Tor (ie. the HSDir mobbing issue), that's something that we can work on addressing. Maybe a more load-tolerant design or what-have-you. Filtering things is not the answer.
(I should add as a final note: filtering ports is not the same as filtering sites or traffic. I don't care what traffic passes over port 80, nor should I. But traffic on port 25 gets me marked as a spammer and shuts down my exit nodes, so I can't have that. Anybody who wants to change that traffic to tunnel over port 80 or 22 or whatever is free to do so, and I do not and should not know about it. If I can find a provider within my budget range who allows full exits and lets me handle all the abuse issues myself, I dare say I'll allow all ports through that exit.)
-Lance
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Seemed a little targeted at me and I am the one agreeing with you xD
Anyway yes this is what I stated originally before the pro-censorship people come out of their caves. Once the tools are developed to censor, it is very easy to start blocking arbitrarily. Imagine the day our ISP's say "now block x and y hidden services because we don't like them or we'll close your account". I can see the reasons some people block ports, which comes back to my "greater good" argument that keeping their relays online albeit have some ports blocked is better than no relay, because users in that situation can route around it if required.
So I think we're agreed. No tool for censoring, not even a step near that direction because it rapidly goes downhill from there. Again I reiterate, the fact that Mike Hearn has come to Tor Project (with his own relay only allowing bitcoin traffic is particularly peeving me off) and tried to tell us to develop tools of censorship, has particularly annoyed me. So to address this, I'll be sending a copy of his proposal to some friends of mine on the bitcoin scene.
Furthermore, I'm going to see what the authority directories think about his relay because that is just playing silly bugger only allowing bitcoin related traffic.
- -T
On 21/07/2014 15:25, Lance Hathaway wrote:
On 21/07/2014 6:21 AM, Thomas White wrote:
Also note, botnets in this sense are not the topic. The proposal is an easy mechanism to censor hidden services and let it not be portrayed as anything other than that. ...
So to state clearly:
Should Tor Project develop a system to filter hidden services?
The simple fact of the matter is this: However good and pure our intentions may be ("We'll only block malware and child porn!"), a system would have to be developed to allow us to block arbitrary services.
Something I have noticed which trips up most people is their inability to see beyond themselves. YOU may have only the best intentions. YOU may never countenance blocking inconvenient truths on Twitter / Slashdot / news-feed-of-the-day. But once a system is created that can block arbitrary services, it's only a matter of time before somebody with intentions less pure than your own decide to start blocking other things. Maybe somebody with an upright moral standing decides it would be better to block everything PG-13 and up. Maybe somebody decides their government is taking too much flack on an issue, and tries to "help out" by filtering some news sites they feel are particularly biased. Maybe I decide that tabloid magazines are total trash, and nobody should be allowed to give them business so they'll just die off in the end.
Why would we want to replace a system of government censorship with censorship-by-the-masses? I thought we wanted to decide for ourselves--what we read, to whom we listen, what we do, and with whom we associate.
(Never mind the legal fact that, if we CAN filter / exert legitimate control over the traffic flowing over the network, somebody will figure out a way to MAKE us do so--and it may not be what we personally agree should be blocked.)
Insofar as botnets create an infrastructure problem with Tor (ie. the HSDir mobbing issue), that's something that we can work on addressing. Maybe a more load-tolerant design or what-have-you. Filtering things is not the answer.
(I should add as a final note: filtering ports is not the same as filtering sites or traffic. I don't care what traffic passes over port 80, nor should I. But traffic on port 25 gets me marked as a spammer and shuts down my exit nodes, so I can't have that. Anybody who wants to change that traffic to tunnel over port 80 or 22 or whatever is free to do so, and I do not and should not know about it. If I can find a provider within my budget range who allows full exits and lets me handle all the abuse issues myself, I dare say I'll allow all ports through that exit.)
-Lance _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 21/07/2014 7:34 AM, Thomas White wrote:
Seemed a little targeted at me and I am the one agreeing with you xD
Wasn't so much targeted at you, as I was chiming in to agree with what you had said. :) Just in my own words.
Furthermore, I'm going to see what the authority directories think about his relay because that is just playing silly bugger only allowing bitcoin related traffic.
I don't see an issue with his relay only choosing to allow bitcoin traffic. Again, that comes down to allowing each relay operator to allow or reject whatever ports they are comfortable with through their relays. Just as we can't go around censoring services however we please, we can't go around telling relay operators that they need to allow arbitrary traffic on our say-so.
If he only allows a single port, he won't get the Exit flag (as long as the policy on that flag is that any two of [HTTP, HTTPS, IRC] must be exited). As far as the rest goes, As long as he's using the Tor-readable method of limiting ports (ExitPolicy, rather than some silly buggered firewall that Tor can't understand), my opinion would be to leave him be.
-Lance
Thomas White thomaswhite@riseup.net wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Sorry, wrong answer. If you block connections from other relays, you break the tor network. I don't recall offhand whether that sort of breakage might earn your relay either an Invalid flag or being simply dropped from the consensus.
For a single relay to my knowledge, it shouldn't do. There are many reasons some relays can't connect to each other so it doesn't "break" Tor as an alternative route is simply found.
Yes, tor, like many other Internet operations, has some ability to route around breakage in its network. However, each time it is necessary to find a way around it, a cost to the network is incurred in the form of wasted processing time over many pieces of equipment, wasted traffic, and likely wasted end-user time.
Are you suggesting that the mobbing attacks on HSDIR relays are the actions of botnets? If so, then you are suggesting that the problem of mobbing of HSDIR relays is probably insoluble because it would not be the symptom of a bug in tor. :-(
The question is botnet CnC's, the proposal has nothing to do with solving the botnet CnC problem and I am also stating Tor is not the one who needs to tackle them right at this moment, the budget and
Agreed.
resources are just not there. However creating a system where operators start blacklisting hidden services is extremely bad for anonymity both for the hidden service and the user.
Also agreed. I was referring to the as yet unsolved problem of HSDIR mobbing, which I have long thought was due to a bug somewhere in tor, just as there used to be a problem with DirPort mobbing. The DirPort mobbing bug was eventually found and fixed a long time ago, but the HSDIR mobbing still hasn't been. But now you have given me the idea that perhaps HSDIR mobbing is actually due to other software applying a malicious attack upon tor relays that have the HSDIR flag. IOW, I wasn't arguing with you, just commenting about this other problem in light of what you had written.
To answer the rest of your question, I am not a developer. I am somebody who cares about anonymity and that is why I run the 2nd largest server cluster on the Tor network from my own pocket. Filtering or proposing to blacklist anything is not acceptable in my view. Whatever solutions individuals care to launch to protect their relay is their own responsibility, but actively developing something by the core developers to blacklist hidden service is a completely despicable idea. To elaborate only on the legal side of things, if I can easily block hidden services passing through my relays or if I am the RV point for one the government can then serve me a notice
AFAICT, the introduction point and the rendez-vous point are about the only places you might be able to block them, though by doing so, you would again be introducing a form of breakage. If your relay were at any other points in the hidden service protocol, you wouldn't have any way of distinguishing it from any other middle node along a tor circuit. But I would need to reread the protocol specification in detail again see whether you could actually deny service even at the invitation and rendez-vous points.
ordering me to block it, this I have already run through my solicitor and there no escaping that fact unfortunately.
Also note, botnets in this sense are not the topic. The proposal is an easy mechanism to censor hidden services and let it not be portrayed as anything other than that. I can see why 90% of people opposed his "coin taint" idea and 75% wanted him to leave the bitcoin foundation. If Tor did introduce such measures, I would be swiftly leaving Tor's ranks and withdrawing all support (both all 25 relays/exits/guards, and financial) from it.
So to state clearly:
Should Tor Project develop a system to filter hidden services?
I'll let people decide that for themselves. But my opinion, is that doing so defies the point of a hidden service and people who push for it should be ashamed of themselves.
Also fully agreed. To develop such a system would require weakening or breaking the current level of protection offered to users, as well as being a special gift to the NSA and its peers in other countries.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *or* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
tor-relays@lists.torproject.org
-
grarpamp -
Lance Hathaway -
Scott Bennett -
Thomas White