Dear exit operators, Can you please share the abuse complaints you received while running an exit?
We are researchers from Univ. of California, Berkeley and Univ. of Massachusetts Amherst are interested in understanding what kind of abuse happens through Tor. Thanks to Moritz Bartl from Torservers.net http://torservers.net/ we analyzed over 1GB of complaints received over 6 years. Here is our preliminary analysis of the complaints: http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf
We will appreciate if you can share the abuse complaints you received. It will be valuable for us to better understand the abuse of Tor and to find solutions to reduce abuse.
Best, Sadia
Dear exit operators, Can you please share the abuse complaints you received while running an exit?
We are researchers from Univ. of California, Berkeley and Univ. of Massachusetts Amherst are interested in understanding what kind of abuse happens through Tor. Thanks to Moritz Bartl from Torservers.net http://torservers.net/ we analyzed over 1GB of complaints received over 6 years. Here is our preliminary analysis of the complaints: http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf
We will appreciate if you can share the abuse complaints you received. It will be valuable for us to better understand the abuse of Tor and to find solutions to reduce abuse.
Thank you for doing this.
In your number of complains over time graphs you do not seem to take traffic into account?
Would you care to add a number of complains over time per MBit/s of exit relay traffic?
In your number of complains over time graphs you do not seem to take traffic into account?
Would you care to add a number of complains over time per MBit/s of exit relay traffic?
Thanks for pointing that out! This is a preliminary report, so there are many questions this report doesn’t answer yet. We know that compared to the total exit relay traffic the number of complaints is probably pretty negligible and we will take that into account in final report.
The report is only on the complaints for ~20 exits. We are hoping to receive more abuse complaints to get a better sense of the kind of complaints exit operators receive.
Best, Sadia
A couple of people asked for my public key. Here it is:
Thanks for pointing that out! This is a preliminary report, so there are many questions this report doesn’t answer yet. We know that compared to the total exit relay traffic the number of complaints is probably pretty negligible and we will take that into account in final report.
From your answer I assume you think I was trying to say "but the abuse rate is quite low for that kind of bandwidth" - I was not trying to say that.
What I was actually trying to point at was: Since the number of abuse emails significantly increased over time an uneducated guess would be "oh tor abuse is increasing", but I rather think that torservers' ressources increased over time - which allowed them to: 1) push more traffic 2) get better hosting with allowed them to run a more open exit policies
If such things would be reflected in these graphs potential exit operators probably wouldn't assume that over time they will get more complains.
Such over time graphs should probably only be made for a static (non-changing) exit policy (so you would have to draw per-exit graphs with probably shorter time-spans).
I also assume that you will show the impact of exit policies on the amount of abuse emails received in your final report.
"reduced" exit policy graph: amount of complains over time vs. "open" (reject *:25) exit policy graph: amount of complains over time
(normalized per (100) MBit/s bw)
On 09/28/2016 09:12 PM, nusenu wrote:
In your number of complains over time graphs you do not seem to take traffic into account?
Would you care to add a number of complains over time per MBit/s of exit relay traffic?
I strongly urged them to do exactly this before they publish. The absolute numbers are quite pointless, and, worse, dangerous. All it takes is a journalist taking them the wrong way and we have a negative press fallout. This is the main reason why I was very reluctant to hand them over in the first place -- they really must be interpreted in context, ideally comparing them to a similar, normalized data set from VPN providers and Internet access providers.
I appreciate that they're trying to make sense out of the data, and it is definitely quite some work to weed through all of it. Maybe it's OK as a first initial analysis, and maybe we should rather be transparent and let the press mess it up than hiding it. The next step is cleaning it up further, and then going through the archives [1] to match it with bandwidth usage and changes in exit policies over time.
Due to the method used, nforce and voxility show up with large counts as "origin" of complaints, even though they send zero abuse complaints -- they are just two of our largest and very friendly ISPs, and they show up because all of that are complaints they forward to us.
[1] https://collector.torproject.org/
Moritz, We did not publish the report anywhere. I put it up on my site just for the ease of sharing it in the mailing list. I can take the report down if you are not comfortable with it being public.
On Sep 28, 2016, at 9:55 PM, Moritz Bartl moritz@torservers.net wrote:
On 09/28/2016 09:12 PM, nusenu wrote:
In your number of complains over time graphs you do not seem to take traffic into account?
Would you care to add a number of complains over time per MBit/s of exit relay traffic?
I strongly urged them to do exactly this before they publish. The absolute numbers are quite pointless, and, worse, dangerous. All it takes is a journalist taking them the wrong way and we have a negative press fallout. This is the main reason why I was very reluctant to hand them over in the first place -- they really must be interpreted in context, ideally comparing them to a similar, normalized data set from VPN providers and Internet access providers.
I appreciate that they're trying to make sense out of the data, and it is definitely quite some work to weed through all of it. Maybe it's OK as a first initial analysis, and maybe we should rather be transparent and let the press mess it up than hiding it. The next step is cleaning it up further, and then going through the archives [1] to match it with bandwidth usage and changes in exit policies over time.
Due to the method used, nforce and voxility show up with large counts as "origin" of complaints, even though they send zero abuse complaints -- they are just two of our largest and very friendly ISPs, and they show up because all of that are complaints they forward to us.
[1] https://collector.torproject.org/
-- Moritz Bartl https://www.torservers.net/ _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Best, Sadia
On Wed, 28 Sep 2016 22:05:33 -0700 Sadia Afroz sadia@icsi.berkeley.edu allegedly wrote:
We did not publish the report anywhere. I put it up on my site just for the ease of sharing it in the mailing list.
Sadia
With respect, those two statements are mutually contradictory. Placing the report on-line /anywhere/ constitutes publication. And since the report is widely reachable it will by now have been cached by search engines.
Best
Mick
--------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
2016-09-29 14:53 GMT+02:00 mick mbm@rlogin.net:
On Wed, 28 Sep 2016 22:05:33 -0700 Sadia Afroz sadia@icsi.berkeley.edu allegedly wrote:
We did not publish the report anywhere. I put it up on my site just for the ease of sharing it in the mailing list.
Sadia
With respect, those two statements are mutually contradictory. Placing the report on-line /anywhere/ constitutes publication. And since the report is widely reachable it will by now have been cached by search engines.
mick,
You are correct in a sense. On the another hand in academia until a work is published in a peer-reviewed conference or journal it does not really count (you make like this or not, but this is another issue) and/or it would be evident that it is a work in progress.
Moritz mentioned a possible problem with the press misinterpreting the results of this report: I would expect that a _bona fide_ journalist that is able to find such a report on the website of a research would also know that these are preliminary results. I would also expect such a journalist to reach out to the authors for comments. If not, let's say that against ignorance or malice you can not do much (even with a completed work) and I would not blame the authors for the deficiencies of others.
That said, I do not see any other way to make this work reachable so that the authors can talk about their preliminary results with as many people as possible - and the "tor community" at large. The alternative would be to select a closed group of people with whom to share the report.
Being a fan of "release early, release often" I prefer the current alternative.
Cristian
On 09/29/2016 04:29 PM, Cristian Consonni wrote:
You are correct in a sense. On the another hand in academia until a work is published in a peer-reviewed conference or journal it does not really count (you make like this or not, but this is another issue) and/or it would be evident that it is a work in progress.
Moritz mentioned a possible problem with the press misinterpreting the results of this report: I would expect that a _bona fide_ journalist that is able to find such a report on the website of a research would also know that these are preliminary results. I would also expect such a journalist to reach out to the authors for comments. If not, let's say that against ignorance or malice you can not do much (even with a completed work) and I would not blame the authors for the deficiencies of others.
That said, I do not see any other way to make this work reachable so that the authors can talk about their preliminary results with as many people as possible - and the "tor community" at large. The alternative would be to select a closed group of people with whom to share the report.
Being a fan of "release early, release often" I prefer the current alternative.
Totally agreed. Just for the record, Sadia reached out to me to ask before she posted here what they have so far.
Hi,
2016-09-28 13:31 GMT+02:00 Sadia Afroz sadia@icsi.berkeley.edu:
Can you please share the abuse complaints you received while running an exit?
[...]
We will appreciate if you can share the abuse complaints you received. It will be valuable for us to better understand the abuse of Tor and to find solutions to reduce abuse.
I am interested in doing this.
I have only accumulated a handful of complaints after almost one year of running an exit node, but this may still be useful as per the discussion on the number of complaints per Mbit (as per the other thread).
What should I do to share the with you?
Cristian
Sadia Afroz:
We are researchers from Univ. of California, Berkeley and Univ. of Massachusetts Amherst are interested in understanding what kind of abuse happens through Tor. Thanks to Moritz Bartl from Torservers.net http://torservers.net/ we analyzed over 1GB of complaints received over 6 years. Here is our preliminary analysis of the complaints: http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf
Quote from paper:
99% are DMCA complaints regarding the use of bittorrent.
Why do these complaints go to the exit node operators? Isn't the complainer able to figure out the real IP of Bittorrent clients?
Why I am asking this: torrent uses UDP, Tor only routes TCP traffic. Isn't it impossible to hide bittorrent traffic via Tor.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
This is because they scrape tracker's for peers and use this evidence to send complaints to the ips of the peers.
trackers are in most cases reachable via http so they go over tor
and then we exit operators are getting harassed :s
On 09/29/2016 02:05 PM, janulrich wrote:
Sadia Afroz:
We are researchers from Univ. of California, Berkeley and Univ. of Massachusetts Amherst are interested in understanding what kind of abuse happens through Tor. Thanks to Moritz Bartl from Torservers.net http://torservers.net/ we analyzed over 1GB of complaints received over 6 years. Here is our preliminary analysis of the complaints: http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf
Quote from paper:
99% are DMCA complaints regarding the use of bittorrent.
Why do these complaints go to the exit node operators? Isn't the complainer able to figure out the real IP of Bittorrent clients?
Why I am asking this: torrent uses UDP, Tor only routes TCP traffic. Isn't it impossible to hide bittorrent traffic via Tor. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I've tested many torrent clients with Tor's proxy. Vuze is the only one that strictly follows the settings, every other client ignores the proxy if it fails.
In Vuze, most trackers failed to connect, but with DHT (not sure if DHT goes through the proxy) the actual torrent still goes through Tor.
Honestly I'm not sure how torrent clients would grab Tor IPs since Wireshark shows it bypassing the proxy, but the check my torrent IP website will show your proxy IP.
My guess is that whoever sends the DMCA just doesn't take the time to find the real IP. For my part, BitTorrent ports are blocked on my exit, and I never use torrents over Tor.
On Sep 29, 2016 7:09 AM, "Corné Oppelaar" hello@eaterofco.de wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
This is because they scrape tracker's for peers and use this evidence to send complaints to the ips of the peers.
trackers are in most cases reachable via http so they go over tor
and then we exit operators are getting harassed :s
On 09/29/2016 02:05 PM, janulrich wrote:
Sadia Afroz:
We are researchers from Univ. of California, Berkeley and Univ. of Massachusetts Amherst are interested in understanding what kind of abuse happens through Tor. Thanks to Moritz Bartl from Torservers.net http://torservers.net/ we analyzed over 1GB of complaints received over 6 years. Here is our preliminary analysis of the complaints: http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf http://www1.icsi.berkeley.edu/~sadia/tor_abuse_complaints.pdf
Quote from paper:
99% are DMCA complaints regarding the use of bittorrent.
Why do these complaints go to the exit node operators? Isn't the complainer able to figure out the real IP of Bittorrent clients?
Why I am asking this: torrent uses UDP, Tor only routes TCP traffic. Isn't it impossible to hide bittorrent traffic via Tor. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNATURE-----
iQEcBAEBCAAGBQJX7QRGAAoJEE6fMe4ysJ7Mx8sIAIQSXt0XPqA5t4G0piqzaUWy ugtECy4tnRIL7zdJE3gjY0aWjsh3p+XsRZZXwh2+krV0LCvGjlEHs6g9AimRzCmX fv3maW9uoUx/SAzZasz3GI5QjnNsMbvgJN8Fvo0Oi8A3vEFYwZ0ypt/PFKP2Yr7v RvMt8d3WwFPHSFNaE6A9iLCyWvTbRmusdMhuMngUmg/+LLCTL9UFbvYNgUGZRg2u nVWW/6M0d/Tyg2jHGKgL1lbzOMmCAWgs4AaB5sQai4EbUxSMNp/EYz3uypsTASKF ZK3S54qbdBWDYnxJoJDyPJz5ZxBWkdn0E6gOCMWuQ3UoyH0zyTURSm8kjez3838= =6Kte -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 09/29/2016 04:30 PM, Tristan wrote:
if it fails
so if it doesn't fail it does go through the proxy right?
Honestly I'm not sure. Some trackers go through the proxy, others ignore it and connect directly. Peer connections also looked like they were bypassing the proxy except for the Vuze client.
All I know is most torrent clients leak information outside the proxy, and if the proxy is unreachable, they bypass it no problem. I'm not a professional, and I didn't spend that much time to figure out the details once I saw the proxy being bypassed.
A quick Google search shows that it seems to be proxies in general, not just Tor.
On Sep 29, 2016 9:47 AM, "Corné Oppelaar" hello@eaterofco.de wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 09/29/2016 04:30 PM, Tristan wrote:
if it fails
so if it doesn't fail it does go through the proxy right? -----BEGIN PGP SIGNATURE-----
iQEcBAEBCAAGBQJX7SmAAAoJEE6fMe4ysJ7M6lEH/iWQE8Xi+ywBcGFmYT5OuabK 2h0o19dksgWStMz7C4LoYHF3W3KldWQ8hltDlmNB1tQNl39YJox1khKy05eeISGk JdXNhO/CL2p+Jz1EZcJzEZH6gsXBHACVKuCaimQLlD5Y0njfJYklh9pmduj6AOiZ JRyn+2bMdAvR3Hugre+1cp+uS3FKMrbswX7KCGrYMG9Cg0OogxRRx/92i4HfWsoe yIaEoBb19S5GA4BZkAZWJbl5RhuVjHdZ7HmlHdFOOeVFy1g1uu4MSeB14/gvJ8AZ w0Jj4m9Cm+vT91y3xn47CWAl/gAwTh36lg60KThLX4IrPtz3zh66bABXoHJiACc= =gggI -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays@lists.torproject.org
-
Corné Oppelaar -
Cristian Consonni -
I -
janulrich -
mick -
Moritz Bartl -
nusenu -
Sadia Afroz -
Tristan