Hello everyone,
We are hosting multiple relays under our AS 210558 and received an email from a local police station in Germany requesting user data, nothing unusual.
The weird thing is that the relay in question has been only a relay and not an exit node since its creation (185.241.208.179) (https://nusenu.github.io/OrNetStats/w/relay/B67C7039B04487854129A66B16F5EE3C...) - does anyone have an idea how this happens? Best regards
Hi,
I once heard of a non-exit relay getting seized because it was used as a guard by ransomware. We can't tell for sure, but maybe it's something alike: some kind of virus connecting to its control server over Tor and choosing this relay as its guard, causing your IP to be flagged by some IDS. This is very much a guess, but I fail to see a better explanation.
Best regards,
On Tue, 11 Apr 2023 at 18:33, Finn finn@grimpe-holding.de wrote:
Hello everyone,
We are hosting multiple relays under our AS 210558 and received an email from a local police station in Germany requesting user data, nothing unusual.
The weird thing is that the relay in question has been only a relay and not an exit node since its creation (185.241.208.179) (https://nusenu.github.io/OrNetStats/w/relay/B67C7039B04487854129A66B16F5EE3C...) - does anyone have an idea how this happens?
Best regards
On Tue, Apr 11, 2023 at 12:09:15PM +0000, Finn wrote:
Hello everyone,
We are hosting multiple relays under our AS 210558 and received an email from a local police station in Germany requesting user data, nothing unusual.
The weird thing is that the relay in question has been only a relay and not an exit node since its creation (185.241.208.179) (https://nusenu.github.io/OrNetStats/w/relay/B67C7039B04487854129A66B16F5EE3C...) - does anyone have an idea how this happens?
Thanks for running relays!
Do you know what kind of user data they wanted?
It looks like your relay has been a Guard relay (i.e. has had the Guard flag) for most of the past year. One possibility is that they have somehow decided that a user they are trying to track uses your relay as one of their Guards. That is, in this scenario they decided that the user connects to your relay consistently over time, so they are asking you to help them learn more about that user.
Of course, your Tor relay in its default settings doesn't have any useful data for them, and you should keep it configured that way.
It is unclear how much people might be trying to do "guard discovery" attacks in practice, and also unclear how well they might work -- there is a lot of research on this class of attacks in theory but not much is known about whether it matters in practice.
And who knows, it could be something else: maybe they are just fishing for general information, or maybe they are intentionally creating useless work and stress for you and your hosting provider to discourage you from wanting to help Tor users.
More reading on the 'guard discovery attack' topic:
* PETS paper, From "Onion Not Found" to Guard Discovery: https://petsymposium.org/2022/files/papers/issue1/popets-2022-0026.pdf
* The Vanguards idea: https://blog.torproject.org/announcing-vanguards-add-onion-services/
Part of the vanguards idea is implemented by default in Tor 0.4.7: https://gitweb.torproject.org/torspec.git/tree/proposals/333-vanguards-lite.... https://gitlab.torproject.org/tpo/core/tor/-/issues/40363
Hope this helps, --Roger
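A practical follow-up to the point above that a relay in its default configuration holds nothing useful for such a request: the torrc audit below is an added example written for this thread, not code from the Tor Project or from anyone in the discussion. It parses a torrc, decides whether the configuration makes the relay an exit (ExitRelay set, or an accept rule reachable in ExitPolicy), and flags the two settings that would make a relay retain more than the defaults: SafeLogging turned off, and Log lines at info or debug severity. The sample torrc is constructed; the ExitRelay/ExitPolicy interpretation is a simplification of Tor's real policy parsing and is labelled as such in the comments.

```python
"""Audit a torrc for exit status and data-retaining log settings (added example, constructed input)."""
import re

# Constructed sample torrc for a non-exit relay; not taken from any real relay.
SAMPLE_TORRC = """\
Nickname ExampleRelay
ORPort 9001
ContactInfo relay-ops@example.invalid
ExitRelay 0
ExitPolicy reject *:*
# SafeLogging 1 is Tor's default: client and relay addresses are scrubbed from log messages
SafeLogging 1
Log notice file /var/log/tor/notices.log
"""


def parse_torrc(text):
    """Return (keyword, value) pairs in file order; order matters for ExitPolicy."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0], value))
    return entries


def is_exit(entries):
    """Simplified exit check (assumption, not Tor's full policy parser):
    ExitRelay 0 -> non-exit; ExitRelay 1 -> exit; otherwise an exit only if an
    accept rule appears in ExitPolicy before a catch-all 'reject *:*'."""
    exit_relay = None
    reachable_accept = False
    for key, value in entries:
        k = key.lower()
        if k == "exitrelay":
            v = value.lower()
            if v in ("0", "1"):
                exit_relay = v == "1"
        elif k == "exitpolicy" and not reachable_accept:
            for rule in value.split(","):  # first matching rule wins
                r = rule.strip().lower()
                if r.startswith("accept"):
                    reachable_accept = True
                    break
                if r == "reject *:*":  # nothing after a catch-all reject is reachable
                    break
    if exit_relay is not None:
        return exit_relay
    return reachable_accept


def logging_findings(entries):
    """List settings that would retain more than Tor's defaults."""
    findings = []
    safe_logging = "1"  # Tor's default
    for key, value in entries:
        k = key.lower()
        if k == "safelogging":
            safe_logging = value.lower()
        elif k == "log" and value:
            # Log [domain]minSeverity[-maxSeverity] <target>; strip an optional [domain] prefix
            severity = re.sub(r"^\[.*?\]", "", value.split()[0].lower())
            if severity.split("-")[0] in ("debug", "info"):
                findings.append(f"verbose logging enabled: Log {value}")
    if safe_logging == "0":
        findings.append("SafeLogging 0: addresses are not scrubbed from log messages")
    return findings


def audit(torrc_text):
    """Summarise a torrc: is it an exit, and does it keep more than the defaults?"""
    entries = parse_torrc(torrc_text)
    return {"exit": is_exit(entries), "findings": logging_findings(entries)}


if __name__ == "__main__":
    result = audit(SAMPLE_TORRC)
    print("exit relay:", result["exit"])
    for finding in result["findings"] or ["no findings: default logging retains no per-user data"]:
        print("-", finding)
```

Run it against your own torrc (`audit(open("/etc/tor/torrc").read())`) to confirm that the relay is a non-exit and that no log setting has drifted away from the defaults; a finding is something to fix before replying to a request, not something to hand over.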
On Tuesday, 11 April 2023 14:09:15 CEST Finn wrote:
Hello everyone,
We are hosting multiple relays under our AS 210558 and received an email from a local police station in Germany requesting user data, nothing unusual.
Nothing unusual? I had a house search because of exits but never a user data request because of entry nodes.
As a German organization, you must fully comply with Telekommunikation-Telemedien-Datenschutz-Gesetz §9 (the German telemedia data protection law), which prohibits logging any personally identifiable data or usage data unless required for billing purposes. As you do not charge for using your services, you will never be able to keep any connection data. ¯\_(ツ)_/¯
Tor routers owned by German media services are protected by Telemediengesetz §8.
https://www.gesetze-im-internet.de/ttdsg/__9.html https://www.gesetze-im-internet.de/tmg/__8.html
Updated German exit page: https://github.com/chgans/tor-exit-notice
Finn finn@grimpe-holding.de wrote:
The weird thing is that the relay in question has been only a relay and not an exit node since its creation (185.241.208.179) (https://nusenu.github.io/OrNetStats/w/relay/B67C7039B04487854129A66B16F5EE3C...)
- does anyone have an idea how this happens? Best regards
We receive this mostly from France and Germany. We figured out that they downloaded the Tor Browser then looked at the Tor Circuit widget and just collected the addresses they could see there.
This is the same as when Police, Attention Seekers, Cyber White Knights, Censors and other scoundrels contact every ISP they see in a traceroute.
On Wednesday, 12 April 2023 18:28:09 CEST tor-operator@urdn.com.ua wrote:
Finn finn@grimpe-holding.de wrote:
The weird thing is that the relay in question has been only a relay and not an exit node since its creation (185.241.208.179) (https://nusenu.github.io/OrNetStats/w/relay/B67C7039B04487854129A66B16F5EE3CFFCBB491.html) - does anyone have an idea how this happens? Best regards
We receive this mostly from France and Germany. We figured out that they downloaded the Tor Browser then looked at the Tor Circuit widget and just collected the addresses they could see there.
This is the same as when Police, Attention Seekers, Cyber White Knights, Censors and other scoundrels contact every ISP they see in a traceroute.
Without a court order, the cops have no right to request data at all.
Generally also for commercial providers: The European Court of Justice ruled that German data retention (Vorratsdatenspeicherung) is incompatible with EU law and therefore inapplicable.
https://digitalcourage.de/blog/2023/vorratsdatenspeicherung-medienberichte (only in German)