Hi Ops,
We recently began responding to t-shirt requests again. Sorry for the long silence. There's been a lot happening around here but not enough time or people to do everything, so the t-shirt requests simply remained untouched. But, despite the overload, t-shirts are important because they are a small token of our thanks and appreciation for making the network what it is today.
We responded to around 70 t-shirt requests from relay operators in April, which comprised all requests for which we could verify (within reason) the request came from the person who controlled the qualifying relay. We still have another 20 requests where the requestor is not obviously the owner of the relay. Currently the content of a relay's Contact field is used, but this does not always provide enough (or any) information. For this case, we need an authentication mechanism which proves control of the relay but is something relay operators won't mind running.
My currently plan is to ask relay operators to sign the fingerprint file which tor creates. The major disadvantage of this method is that it must be run as root (or a user with access to tor's data directory).
The following process is the current plan, but does anyone have a better idea? Does it seem logical?
------------------------------------------------------------ When we receive a t-shirt request from someone who isn't obviously in control of the relay, we ask them to sign their fingerprint file with a unique salt.
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
$ (echo -n "salt "; cat /var/lib/tor/fingerprint) | openssl sha256 \ -binary | openssl pkeyutl -inkey /var/lib/tor/keys/secret_id_key \ -sign -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \ -pkeyopt rsa_pss_saltlen:32 | openssl base64 > signed_fingerprint
They send us both /var/lib/tor/fingerprint and signed_fingerprint.
When we receive them, we confirm the fingerprint in the fingerprint file matches the qualifying relay. Then we retrieve the relay's public key from its descriptor and convert it into pkcs#8 format using:
$ openssl rsa -pubin -in pubkey_pkcs1 -RSAPublicKey_in -out pubkey
and then we verify the sig using following commands:
$ (echo -n "salt "; cat fingerprint) | openssl sha256 -binary | \ openssl pkeyutl -pubin -verify -inkey pubkey -sigfile \ $(OUT=/tmp/signed_fingerprint_bin; base64 -d signed_fingerprint > \ ${OUT}; echo ${OUT}) -pkeyopt digest:sha256 -pkeyopt \ rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32; rm \ /tmp/signed_fingerprint_bin;
This should yield "Signature Verified Successfully". ------------------------------------------------------------
Another disadvantage of this is PSS wasn't implemented in openssl's apps until 1.0.1. I wonder how many relays are running on servers which are still using openssl 0.9.8 (and 1.0.0?). For these servers we can fallback on pkcs#1 v1.5 signatures.
------------------------------------------------------------ The signature can be created using a command similar to the one above:
$ (echo -n "salt "; cat /var/lib/tor/fingerprint) | openssl dgst \ -sha256 | openssl rsautl -inkey /var/lib/tor/keys/secret_id_key \ -sign | openssl base64 > signed_fingerprint
Again, they provide /var/lib/tor/fingerprint and signed_fingerprint, and we verify using:
$ test "$(openssl base64 -d -in signed_fingerprint | openssl rsautl \ -pubin -verify -inkey pubkey)" = "$((echo -n "salt "; cat \ fingerprint) | openssl dgst -sha256)"; echo $?
In addition, again, we confirm the fingerprint in the fingerprint file matches the fingerprint of the qualifying relay. ------------------------------------------------------------
Originally I used a few bashisms which made these simpler, but for this I suspect portability is important.
Sorry this is a bit long.
Thanks, Matt
Matt,
Thanks for handling the backlog of t-shirts as they are important as an acknowledgement of valuable contributions.
Isn't the value of the t-shirt disproportionate to the trouble you're going to to give them out? If the weather message offering the t-shirt is answered by the same address isn't that proof enough?
As I haven't received a message yet and my details are plain and simple I wonder what could have gone wrong.
Robert
On Sun, May 03, 2015 at 10:26:52AM -0800, I wrote:
Matt,
Thanks for handling the backlog of t-shirts as they are important as an acknowledgement of valuable contributions.
Isn't the value of the t-shirt disproportionate to the trouble you're going to to give them out? If the weather message offering the t-shirt is answered by the same address isn't that proof enough?
As I haven't received a message yet and my details are plain and simple I wonder what could have gone wrong.
Hi Robert,
I replied privately about your situation but it's possible this plan is more complicated than it needs to be. In general, I'd prefer we receive t-shirt requests from the same email address as is specified in the Contact field. Obviously, if they are different, we can always send the response and t-shirt link to the address in the Contact field, but that asymmetry seems weird to me, but I'm not against doing this.
For the situations where there is no email address in the contact field, I'm not certain how else we can confirm we're sending the t-shirt to the person who deserves it.
Thanks for your input!
- Matt
Matt: Thanks for leading us forward on the tshirt topic! I still, alas, have a pile of tshirt requests from Jan-Mar that I should collate and forward to you.
On Sun, May 03, 2015 at 10:26:52AM -0800, I wrote:
Isn't the value of the t-shirt disproportionate to the trouble you're going to to give them out? If the weather message offering the t-shirt is answered by the same address isn't that proof enough?
I think I agree with this: if somebody has a copy of a Tor weather mail, then they -- oh. You can sign up to watch somebody else's relay, and then you get their tshirt notification?
I guess the obvious fix is to only have weather send tshirt notifications when it has auto-parsed the contact info itself, rather than when a human signs up to watch a given relay.
But the obvious fix involves changing Tor Weather. It's my understanding that we have a rewrite already done by a GSoC student, but nobody has attempted to deploy the rewrite because nobody wants to mess with the current weather instance (and because Karsten, the original mentor, is overloaded).
Tor Weather should really be a community thing, not a service that Tor maintains, given how we're stretched thin as it is.
I met a nice fellow in Valencia who lives in Berlin and offered to pick it up. But I haven't heard anything further from that conversation.
Really, Weather is messy because it tries to serve many too many purposes at once -- two of the extremes are letting people sign up to get email when their relay goes offline, and also tracking historical relay uptime data in order to tell us (and the operator) when a given relay has passed a given milestone.
Of course, making it a community thing could easily mean even more inconsistency over time. "Hm" indeed.
--Roger
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
If you want to build a utility for this into the tor distribution, and make it obvious what it does, I think that's fine. If the site asked people to run "tor-request-tshirt" or more generically "tor-verify-ownership" and it asked for whatever required information, I'd think that'd be more obviously safe.
Or as Robert suggests, just send verification mail to the listed contact address of the relay. If they don't list one on their config, find an alternate verification mechanism like e-mailing whois contacts for the IP or domain name, or refuse the request.
-- Aaron
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking.
If you want to build a utility for this into the tor distribution, and make it obvious what it does, I think that's fine. If the site asked people to run "tor-request-tshirt" or more generically "tor-verify-ownership" and it asked for whatever required information, I'd think that'd be more obviously safe.
Unfortunately, for something like that to work seamlessly, it would need to be setuid or setgid. This may be a better way forward, but I wonder what we can do now.
Or as Robert suggests, just send verification mail to the listed contact address of the relay. If they don't list one on their config, find an alternate verification mechanism like e-mailing whois contacts for the IP or domain name, or refuse the request.
I'd prefer not denying them a t-shirt because they don't want to publish an email address publically, but using whois seems like a stretch and usually ends at the hosting provider instead of the operator.
Thanks for the idea.
- Matt
On Sun, May 03, 2015 at 08:20:54PM +0000, Matthew Finkel wrote:
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking.
What if we add the commands to the t-shirt[0] website? Again, this isn't a great solution, but we already have documentation which requires running commands with elevated privileges on there, and it's slightly better than sending it in an email. These commands are still more complex than I'd like, but if beside providing an executable or verifiable shell script, I'm running low on solutions.
[0] https://www.torproject.org/getinvolved/tshirt
Thanks, Matt
Matthew Finkel schreef op 03/05/15 om 14:47:
On Sun, May 03, 2015 at 08:20:54PM +0000, Matthew Finkel wrote:
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking.
What if we add the commands to the t-shirt[0] website? Again, this isn't a great solution, but we already have documentation which requires running commands with elevated privileges on there, and it's slightly better than sending it in an email. These commands are still more complex than I'd like, but if beside providing an executable or verifiable shell script, I'm running low on solutions.
[0] https://www.torproject.org/getinvolved/tshirt
Thanks, Matt
Hi Matt,
How about :
* Primarily using ContactInfo for the verification * If you cannot match the ContactInfo, ask people to set it on their relays * If they are unwilling/unable to do so, ask them to sign their mail address using their secret Tor key * Implement a --sign option for Tor 0.2.7 * Starting a year from now, just ask everyone to sign the request
Proving ownership of a Tor relay can be relevant for more applications than just Weather, so a simple --sign option can be good to have. That doesn't address the immediate concerns though, it's more of a long-term solution.
Tom
On Sun, May 03, 2015 at 03:31:01PM -0700, Tom van der Woerdt wrote:
Matthew Finkel schreef op 03/05/15 om 14:47:
On Sun, May 03, 2015 at 08:20:54PM +0000, Matthew Finkel wrote:
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking.
What if we add the commands to the t-shirt[0] website? Again, this isn't a great solution, but we already have documentation which requires running commands with elevated privileges on there, and it's slightly better than sending it in an email. These commands are still more complex than I'd like, but if beside providing an executable or verifiable shell script, I'm running low on solutions.
[0] https://www.torproject.org/getinvolved/tshirt
Thanks, Matt
Hi Matt,
How about :
- Primarily using ContactInfo for the verification
- If you cannot match the ContactInfo, ask people to set it on their relays
Sounds good.
- If they are unwilling/unable to do so, ask them to sign their mail
address using their secret Tor key
How? For the short-term, do you think asking the operator to run the proposed command is not a crazy idea?
- Implement a --sign option for Tor 0.2.7
- Starting a year from now, just ask everyone to sign the request
We'd need more than a year for this, likely four years, at the earliest because Jessie only has 0.2.6.
Proving ownership of a Tor relay can be relevant for more applications than just Weather, so a simple --sign option can be good to have. That doesn't address the immediate concerns though, it's more of a long-term solution.
I think this may be a good idea, especially if CAs being issuing certs for onion sites. Implementing it will not be too difficult, unfortunately its usability may be a little tricky.
On May 3, 2015 7:45:39 PM Matthew Finkel Matthew.Finkel@gmail.com wrote:
Hi Matthew,
Hi Ops,
We recently began responding to t-shirt requests again. Sorry for the long silence. There's been a lot happening around here but not enough
0> time or people to do everything, so the t-shirt requests simply remained
untouched. But, despite the overload, t-shirts are important because they are a small token of our thanks and appreciation for making the network what it is today.
We responded to around 70 t-shirt requests from relay operators in April, which comprised all requests for which we could verify (within reason) the request came from the person who controlled the qualifying relay. We still have another 20 requests where the requestor is not obviously the owner of the relay. Currently the content of a relay's Contact field is used, but this does not always provide enough (or any) information. For this case, we need an authentication mechanism which proves control of the relay but is something relay operators won't mind running.
I'm really not amused. As i recall a bunch of people including myself offered to help. I get the distinct impression that you keep everything within a small circle of people, no matter what. Even if that means that services are suffering.
My currently plan is to ask relay operators to sign the fingerprint file which tor creates. The major disadvantage of this method is that it must be run as root (or a user with access to tor's data directory).
The following process is the current plan, but does anyone have a better idea? Does it seem logical?
When we receive a t-shirt request from someone who isn't obviously in control of the relay, we ask them to sign their fingerprint file with a unique salt.
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
$ (echo -n "salt "; cat /var/lib/tor/fingerprint) | openssl sha256 \ -binary | openssl pkeyutl -inkey /var/lib/tor/keys/secret_id_key \ -sign -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \ -pkeyopt rsa_pss_saltlen:32 | openssl base64 > signed_fingerprint
They send us both /var/lib/tor/fingerprint and signed_fingerprint.
When we receive them, we confirm the fingerprint in the fingerprint file matches the qualifying relay. Then we retrieve the relay's public key from its descriptor and convert it into pkcs#8 format using:
$ openssl rsa -pubin -in pubkey_pkcs1 -RSAPublicKey_in -out pubkey
and then we verify the sig using following commands:
$ (echo -n "salt "; cat fingerprint) | openssl sha256 -binary | \ openssl pkeyutl -pubin -verify -inkey pubkey -sigfile \ $(OUT=/tmp/signed_fingerprint_bin; base64 -d signed_fingerprint > \ ${OUT}; echo ${OUT}) -pkeyopt digest:sha256 -pkeyopt \ rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32; rm \ /tmp/signed_fingerprint_bin;
This should yield "Signature Verified Successfully".
Another disadvantage of this is PSS wasn't implemented in openssl's apps until 1.0.1. I wonder how many relays are running on servers which are still using openssl 0.9.8 (and 1.0.0?). For these servers we can fallback on pkcs#1 v1.5 signatures.
The signature can be created using a command similar to the one above:
$ (echo -n "salt "; cat /var/lib/tor/fingerprint) | openssl dgst \ -sha256 | openssl rsautl -inkey /var/lib/tor/keys/secret_id_key \ -sign | openssl base64 > signed_fingerprint
Again, they provide /var/lib/tor/fingerprint and signed_fingerprint, and we verify using:
$ test "$(openssl base64 -d -in signed_fingerprint | openssl rsautl \ -pubin -verify -inkey pubkey)" = "$((echo -n "salt "; cat \ fingerprint) | openssl dgst -sha256)"; echo $?
In addition, again, we confirm the fingerprint in the fingerprint file matches the fingerprint of the qualifying relay.
Originally I used a few bashisms which made these simpler, but for this I suspect portability is important.
Sorry this is a bit long.
Thanks, Matt
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Sun, May 03, 2015 at 09:18:30PM +0200, Sebastian Urbach wrote:
On May 3, 2015 7:45:39 PM Matthew Finkel Matthew.Finkel@gmail.com wrote:
Hi Matthew,
Hi Ops,
We recently began responding to t-shirt requests again. Sorry for the long silence. There's been a lot happening around here but not enough
0> time or people to do everything, so the t-shirt requests simply remained
untouched. But, despite the overload, t-shirts are important because they are a small token of our thanks and appreciation for making the network what it is today.
We responded to around 70 t-shirt requests from relay operators in April, which comprised all requests for which we could verify (within reason) the request came from the person who controlled the qualifying relay. We still have another 20 requests where the requestor is not obviously the owner of the relay. Currently the content of a relay's Contact field is used, but this does not always provide enough (or any) information. For this case, we need an authentication mechanism which proves control of the relay but is something relay operators won't mind running.
I'm really not amused. As i recall a bunch of people including myself offered to help.
Amused? This really has nothing to do with amusement. If you want to work on something, then please come work on it, we really are overloaded. That being said, correctly handling t-shirt requests and other similar communications is important and delicate. The Tor Project is in a difficult situation where it wants to support the Tor network but not run it. This means, to some extent, we become a trusted third-party with some information. T-shirt requests are a perfect example of this, where we receive requests from people who choose not to publically publish their contact details yet they would like a reward for their work - which they absolutely deserve. This requires that operators trust us, so letting anyone help take care of these requests is not wise.
I get the distinct impression that you keep everything within a small circle of people, no matter what. Even if that means that services are suffering.
We're a group of security and privacy conscious individuals who want a world where everyone has secure and private communications, this isn't exactly a good combination which leads to publically discussioning everything. I certainly admit sometimes I default to discussing topics privately rather than sending it to tor-talk or tor-relays - I nearly did that with this thread. It's a bad habit, but it's not as common as I think you think it is.
- Matt
Am 03.05.2015 um 22:49 schrieb Matthew Finkel:
This requires that operators trust us, so letting anyone help take care of these requests is not wise.
Maybe I'm unique with this opinion, but usually I trust groups open to helping hands more than those who consider them selfs to be wiser than the average.
We're a group of security and privacy conscious individuals who want a world where everyone has secure and private communications, this isn't exactly a good combination which leads to publically discussioning everything.
Sounds almost like the advertising from companies which try to sell their closed source software as the most secure thing since the invention of sliced bread.
Of course it's not a good idea to publish the addresses of the t-shirt receivers, neither to email them randomly around the globe, but printing a hundred stickers and placing them on as many bags also isn't something which keeps a group of people busy for months.
my $0.02 Markus
Everyone,
Could the relay log have something copied (such as the key) from it and emailed with the claim as only the operator can see the relay?
Robert
On Mon, May 04, 2015 at 12:46:01AM +0200, Markus Hitter wrote:
Am 03.05.2015 um 22:49 schrieb Matthew Finkel:
This requires that operators trust us, so letting anyone help take care of these requests is not wise.
Maybe I'm unique with this opinion, but usually I trust groups open to helping hands more than those who consider them selfs to be wiser than the average.
I don't think what I said contradicts this. You are certainly not alone with that opinion and we, the thousands of people in the Tor community, make Tor what it is. There is a smaller subset of the community which handles some personal information, and, as it turns out, most people prefer only revealing their information to a few people instead of thousands. Hopefully we will move toward an automated system for these t-shirts, so that the only people in the trusted-set are those who pay for the t-shirts, in this case. But, in general, when dealing with finances and PII, there's certain information that should remain private. That being said, we want more people to help us. Please, come work on some of Tor's projects. We want more review, more input, more feedback. I was not saying we were wise because we aren't 100% public and transparent with what we do. I was saying revealing the personal information about operators to random, unvetted volunteers was not wise - I hope this makes sense.
We're a group of security and privacy conscious individuals who want a world where everyone has secure and private communications, this isn't exactly a good combination which leads to publically discussioning everything.
Sounds almost like the advertising from companies which try to sell their closed source software as the most secure thing since the invention of sliced bread.
Heh. Good thing that wasn't an advertisement and Tor is not a company selling closed-source software :)
Of course it's not a good idea to publish the addresses of the t-shirt receivers, neither to email them randomly around the globe, but printing a hundred stickers and placing them on as many bags also isn't something which keeps a group of people busy for months.
Absolutely, but what's the cost? Our current solution using Printfection is neither ideal nor cheap, but it is convenient. Tor pays Printfection a bunch of money and Printfection creates the t-shirts, gives us one-time links, and takes care of the shipping and handling. If we crowd sourced creating bags with stickers in them we would need someone who can organize all the volunteers, ship the bags and stickers around the world, pay the return shipping for the filled bags, and then ship them again to the relay operators. That seems like it will become expensive. I would love to find a better solution than Printfection, so if anyone has suggestions we'd love to hear about it.
- Matt
Matt,
How many shirts are sent in a year? What would taking it on entail?
Robert
Absolutely, but what's the cost? Our current solution using Printfection is neither ideal nor cheap, but it is convenient. Tor pays Printfection a bunch of money and Printfection creates the t-shirts, gives us one-time links, and takes care of the shipping and handling. If we crowd sourced creating bags with stickers in them we would need someone who can organize all the volunteers, ship the bags and stickers around the world, pay the return shipping for the filled bags, and then ship them again to the relay operators. That seems like it will become expensive. I would love to find a better solution than Printfection, so if anyone has suggestions we'd love to hear about it.
- Matt
Am 04.05.2015 um 04:33 schrieb Matthew Finkel:
Our current solution using Printfection is neither ideal nor cheap, but it is convenient. Tor pays Printfection a bunch of money and Printfection creates the t-shirts, gives us one-time links, and takes care of the shipping and handling. If we crowd sourced creating bags with stickers in them we would need someone who can organize all the volunteers, ship the bags and stickers around the world, pay the return shipping for the filled bags, and then ship them again to the relay operators.
This sounds rather complicated. I run a small business which involves shipping stuff to customers and that's what I do:
- Get the goods (t-shirts), envelopes/bags and a set of postage stamps in batches large enough for a few months. Larger numbers allow lower prices.
- Stuff these goods into these bags.
- Put address and postage stamp onto the envelope.
- Throw the result into the post box of our postal services.
Works fine for everywhere from the neighborhood to Russia, China, India.
Now, if you could get the t-shirt provider into stuffing the t-shirts into bags already (1 shirt per bag), you'd just have to put the address stickers on. You'd get a box with 100 or 1000 enveloped shirts and once a week you'd print the accumulated addresses onto stickers, place them onto these envelopes and forward this to the postal services. "Handling shipping" isn't much in such a simple case.
The more demanding part of this is to collect the addresses, especially the software to do so. An application which formats them ready for printing, calculates the stamp required, perhaps also prints some customs stickers depending on destination. Here volunteers can easily help and there's no need to hide such discussions, because such software doesn't require the real data, can be written/tested with dummy data instead. All the trusted person (you) has to do is to run this software on the real data and hit the "print" button.
Markus
On 2015-05-03 19:44, Matthew Finkel wrote:
Hi Ops,
[...]
For this case, we need an authentication mechanism which proves control of the relay but is something relay operators won't mind running.
My currently plan is to ask relay operators to sign the fingerprint file which tor creates. The major disadvantage of this method is that it must be run as root (or a user with access to tor's data directory).
If you are willing to lower the bar for 'proof' a bit I'd ask them to fetch a confirmation url send to them from the connection their node runs on. Spoofing an IP address for a TCP connection isn't trivial and seems rather a lot of effort for just a t-shirt. So it at least proofs access to the connection the node is running on. That could be a simple unprivileged wget one-liner.
It leaves room for some abuse, but does raise the bar quite a bit.
If you do want to use the tor key couldn't you use it as a key for ssl client authentication? That would allow for further automation and you could be build into tor in the future.
AVee
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
AVee,
Would it not be possible for me to specify the ExitNode in my torrc and then do the wget to prove my "ownership"? I haven't tried to specify a single node before so I'm not sure if it'd work.
Thanks, Tim
On 5 May 2015 at 17:58, AVee d6relay@d6.nl wrote:
On 2015-05-03 19:44, Matthew Finkel wrote:
Hi Ops,
[...]
For this case, we need an authentication mechanism which proves control of the relay but is something relay operators won't mind running.
My currently plan is to ask relay operators to sign the fingerprint file which tor creates. The major disadvantage of this method is that it must be run as root (or a user with access to tor's data directory).
If you are willing to lower the bar for 'proof' a bit I'd ask them to fetch a confirmation url send to them from the connection their node runs on. Spoofing an IP address for a TCP connection isn't trivial and seems rather a lot of effort for just a t-shirt. So it at least proofs access to the connection the node is running on. That could be a simple unprivileged wget one-liner.
It leaves room for some abuse, but does raise the bar quite a bit.
If you do want to use the tor key couldn't you use it as a key for ssl client authentication? That would allow for further automation and you could be build into tor in the future.
AVee
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Matthew Finkel,
It's kind of disingenuous to suggest "If you want to work on something, then please come work on it, we really are overloaded."
You have to let us work on it, for us to work on it. Do you understand the problem?
To The Inner Circle (The Tor Project People),
I am at the very least the third person to mention in this thread that we have offered to help. No one responded to my offers. I'm pretty sure at least some of their offers were ignored as well, though I can't be bothered to double check.
I get that you're busy. However, Matthew's attitude to Seth is, in my most humble of opinions, unwarranted.
You've got several people who out of their own free will, decided to offer our additional help, above and beyond what we already do.
I wonder, how would you feel, if after offering free assistance to a community that then goes completely, totally, and utterly UNANSWERED, only to have those very people that we offered to assist, bitch that they are busy and want our help. How would you feel? Angry? A little schadenfreude? Or numb?
I'm a husband, a father, and a business owner. I'm a busy guy, yet I still offered to help. I can't express how pissed off I am about this, without going into a obscenity-laced tirade about how your house isn't in order.
When I offer assistance to someone, or in Tor's case several people, I damn well expect a response. "Yes" or "no", "thanks" or "fuck off", "please" or "tomorrow", "join us!" or "maybe next time".
Deafening silence is in no way a mechanism that encourages support from the broader community, but from my perspective that's all you've given.
Here's a suggestion to The Inner Circle - Have a volunteer coordinator that actually responds to people.
This way, when the next person offers to help, they might actually get a good g*d d@mn f@cking response!
Seeing as how I'm a nobody and my offers aren't worth acknowledging, please continue to do whatever you'd like, with *all* the success it brings. Don't forget to smile.
Matt Speak Freely
On Tue, May 05, 2015 at 01:57:04PM +0000, Speak Freely wrote:
Matthew Finkel,
It's kind of disingenuous to suggest "If you want to work on something, then please come work on it, we really are overloaded."
I'm really sorry you interpretted it in that way. It actually was a genuine request for more help.
You have to let us work on it, for us to work on it. Do you understand the problem?
Sure, that is a problem, but what is the problem? It seems this dilemma is reoccurring and not getting solved. Someone says they are willing to help work on something, possibly someone else says "great! we need your help!" then nothing happens. Was it an empty offer or did the offer die because no one followed up with the person? Having a volunteer coordinator might help - I hope it would help - but what's the best way to organize that? Is it the responsibly of some people associated with The Tor Project to follow up on every offer they receive or is it the responsibility of the person who made the offer to follow up and get involved? Maybe both?
To The Inner Circle (The Tor Project People),
I am at the very least the third person to mention in this thread that we have offered to help. No one responded to my offers. I'm pretty sure at least some of their offers were ignored as well, though I can't be bothered to double check.
:( I don't know. Obviously, not receiving a response sucks. I completely understand that. Tor's work and day-to-day coordination is heavily based around IRC, so the mailing lists are not great places for offering help.
This whole situation seems to be less about an inner circle existing, and more about a disconnection between the announcements and discussions on the mailing lists and what happens on IRC. I don't know of a good way to bridge this gap, though.
I get that you're busy. However, Matthew's attitude to Seth is, in my most humble of opinions, unwarranted.
We're all busy, it's difficult balancing everything. I'm sorry if my response was unwarranted, and maybe I shouldn't have responded because it was off-topic, in any case. It's frustrating trying to do something and improve a situation, and instead of receiving helpful feedback the thread receives complaints about how Tor is crappy with how it handles volunteers. Maybe this is partially due to miscommunication but I'm at a loss for what to do.
You've got several people who out of their own free will, decided to offer our additional help, above and beyond what we already do.
I wonder, how would you feel, if after offering free assistance to a community that then goes completely, totally, and utterly UNANSWERED, only to have those very people that we offered to assist, bitch that they are busy and want our help. How would you feel? Angry? A little schadenfreude? Or numb?
I'm a husband, a father, and a business owner. I'm a busy guy, yet I still offered to help. I can't express how pissed off I am about this, without going into a obscenity-laced tirade about how your house isn't in order.
When I offer assistance to someone, or in Tor's case several people, I damn well expect a response. "Yes" or "no", "thanks" or "fuck off", "please" or "tomorrow", "join us!" or "maybe next time".
Deafening silence is in no way a mechanism that encourages support from the broader community, but from my perspective that's all you've given.
Thanks.
Obviously you're correct, silence is not an answer and not what you deserve as a result of offering your assistance. I don't know why this happened or the context of the offer but, to be blunt, Tor doesn't babysit volunteers. If you want to work on something, then, you must actually follow through and work on it. I learned this personally. A volunteer coordinator would be a great person for helping volunteers become more integrated into the community and work on projects but it is ultimately the person volunteering who decides how, when, and if they help.
Tor wants your help, but becoming an active volunteer is your decision.
Here's a suggestion to The Inner Circle
- Have a volunteer coordinator that actually responds to people.
This way, when the next person offers to help, they might actually get a good g*d d@mn f@cking response!
Yes, this sounds like a good idea. Who wants to volunteer to be the volunteer coordinator? Again, that is a genuine question. No one has stepped up to do it. If we had one, at least they would respond to most offers.
Seeing as how I'm a nobody and my offers aren't worth acknowledging, please continue to do whatever you'd like, with *all* the success it brings. Don't forget to smile.
Being a nobody or being a somebody is irrelevant. I'm a nobody too, but I'm trying to do something. I sincerely hope you and the rest of the community will help me and Tor, as a whole, create a better community/network/world.
Let's continue this discussion in a new thread.
Thanks, Matt
tor-relays@lists.torproject.org
-
Aaron Hopkins -
AVee -
Geo Rift -
I -
Markus Hitter -
Matthew Finkel -
Matthew Finkel
-
Roger Dingledine -
Sebastian Urbach -
Speak Freely -
Tom van der Woerdt