All,
I have brought this question up in meetings in Seattle and other places so some of you may have already heard me ask this question. So, at risk of repeating the question for some... here goes.
I am about to fire up more Exit Relays and if I do so I will jump from my roughly 3% of Exit Probability to what technically could easily reach 6-8%.
I would like to know everyone’s opinion on having an individual operator have that much exit share. In my case, all the traffic would be coming from the same AS as well, but distributed over four different cities with different upstream carriers.
Please chime in; if I get a green light from the discussion it will happen within a month.
Sincerely,
John L. Ricketts, PhD
Quintex Alliance Consulting
On 22 Sep 2017, at 23:04, John Ricketts john@quintex.com wrote:
I am about to fire up more Exit Relays and if I do so I will jump from my roughly 3% of Exit Probability to what technically could easily reach 6-8%.
Thank you for supporting Tor! And thank you for asking in advance.
More exit relays are good, and we should encourage people who want to help the network.
This is a reminder that we need more exit operators, running more large exits. If we think your exit share is a problem, the best way to make that problem go away is to add other exits.
We're also working on better geographic diversity in bandwidth authorities, and this may cause relay weights to shift a bit. So that's another way we could end up resolving this issue :-)
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
Thanks Tim, this is the general idea of "If you build it they will come."
I simply don't want to be a risk.
John
Definitely be careful, though, especially if they're from the same hosting provider account. It will increase the chance of receiving an abuse report, and if someone is using Tor to attack and your exits are all picked, then that chance has unfortunately just increased. It would be a shame to get your nodes instantly terminated in that event. Be careful ;)
On Sep 22, 2017, at 2:55 PM, John Ricketts john@quintex.com wrote:
I simply don't want to be a risk.
Dylan,
I totally agree. In this case I am the ISP (AS 62744) and I will be sure to write myself AUP violation notices early and often. :-)
*humor*
In a not so humorous note, I get about sixty (60) abuse notifications a day and on average eight (8) subpoenas a month.
John
On Sep 22, 2017, at 14:20, Dylan Issa <dylan@fdylan.co.uk> wrote:
Definitely be careful, though, especially if they're from the same hosting provider account. It will increase the chance of receiving an abuse report, and if someone is using Tor to attack and your exits are all picked, then that chance has unfortunately just increased. It would be a shame to get your nodes instantly terminated in that event. Be careful ;)
I respond to them by the method required of the subpoena. Generally they are delivered by e-mail, so I respond to them in kind, explain that I am running a legal Tor Exit Node, explain what Tor is, and point to exonerator.torproject.org showing that that IP address was indeed a registered exit node at the time of the complaint.
On Sep 22, 2017, at 15:40, tor <tor@anondroid.commailto:tor@anondroid.com> wrote:
I get about sixty (60) abuse notifications a day and on average eight (8) subpoenas a month.
How do you handle the subpoenas?
To the initial question: for an honest operator who's open about their ownership and enters proper family membership data, I can't see how more exit volume is a problem. TOR needs to be resilient against malicious operators who don't disclose; not sure what the current value of "global" is, but I should hope it's well above 5%...
On Fri, Sep 22, 2017 at 04:49:11PM -0400, tor wrote:
:> I get about sixty (60) abuse notifications a day and on average eight (8) subpoenas a month.
:
:How do you handle the subpoenas?
That seems high... currently I'm 0.5% of exits, though (long ago) I was over 1%, but a smaller absolute number at the time.
In IDK 15 years I've gotten one request to "preserve evidence", which expired with no further action, and one call from law enforcement who was simply disappointed when he learned it was a TOR exit and knew there was nothing I could have of use to him.
Currently I do see 1-3 standard abuse/DMCA complaints per day, which we have a canned response in our ticketing system to deal with, and I can't remember anyone asking for more after getting it:
""" Hello,
The source address 128.52.128.105 is a Tor exit node, and is not the origin point for the traffic in question. See http://tor-exit.csail.mit.edu (which is the host in your logs) for details. Any action taken on this node would simply result in the problem traffic using a different exit.
For further information please read http://tor-exit.csail.mit.edu/ the bottom of this page includes information on how to block all Tor exits should you wish to do so (including links to get a list of all current Tor exits).
Sincerely, The Infrastructure Group MIT Computer Science and Artificial Intelligence Laboratory """
(the content of the referenced link is from somewhere on the torproject site...)
Now my institutional reputation probably helps a bit with people believing that's the case and perhaps not escalating to more formal legal demands, but I'd expect that to be a normal number of initial notifications.
-Jon
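Both replies above come down to the same desk procedure: confirm the complained-about address really was a Tor exit at the complaint time, then send the canned explanation. The following is an added example, not code from the thread or from the Tor Project. It parses the exit-address list format served at https://check.torproject.org/exit-addresses (an `ExitNode` stanza per relay, each `ExitAddress` line carrying the last time that address was seen exiting) and drafts a reply in the style of the CSAIL canned response. The snapshot, IPs and fingerprints are constructed; the list only covers recent scans, so for older complaints you would consult ExoneraTor as John does.

```python
"""Was a complained-about IP a Tor exit at the time? Draft the reply.

Added example, not code from the thread or the Tor Project. Parses the
exit-addresses format and drafts an abuse-desk reply. Sample data below
is constructed (documentation IPs, made-up fingerprints).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample in the exit-addresses format.
SAMPLE_EXIT_LIST = """\
ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E
Published 2017-09-22 10:05:12
LastStatus 2017-09-22 12:00:00
ExitAddress 198.51.100.17 2017-09-22 12:23:45
ExitAddress 198.51.100.18 2017-09-22 12:23:46
ExitNode 00A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3
Published 2017-09-21 23:40:00
LastStatus 2017-09-22 12:00:00
ExitAddress 203.0.113.5 2017-09-20 08:00:00
"""


@dataclass
class ExitRecord:
    fingerprint: str
    published: datetime | None = None
    last_status: datetime | None = None
    addresses: dict[str, datetime] = field(default_factory=dict)  # ip -> last seen


def _ts(value: str | datetime) -> datetime:
    return value if isinstance(value, datetime) else datetime.strptime(value, TS_FORMAT)


def parse_exit_list(text: str) -> list[ExitRecord]:
    """Parse the exit-addresses format; reject malformed input loudly."""
    records: list[ExitRecord] = []
    current: ExitRecord | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "ExitNode":
            fp = rest.strip().upper()
            if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
                raise ValueError(f"line {lineno}: bad fingerprint {rest!r}")
            current = ExitRecord(fingerprint=fp)
            records.append(current)
        elif current is None:
            raise ValueError(f"line {lineno}: {key} before any ExitNode")
        elif key == "Published":
            current.published = _ts(rest)
        elif key == "LastStatus":
            current.last_status = _ts(rest)
        elif key == "ExitAddress":
            addr, _, seen = rest.partition(" ")
            current.addresses[addr] = _ts(seen)
        else:
            raise ValueError(f"line {lineno}: unknown keyword {key!r}")
    return records


def exits_for(ip: str, when: str | datetime, records: list[ExitRecord],
              window: timedelta = timedelta(hours=24)) -> list[str]:
    """Fingerprints whose exit address `ip` was seen within `window` of `when`.

    TorDNSEL scans roughly daily and records only the last sighting, so a
    complaint timestamp is matched against a window, not exactly.
    """
    when = _ts(when)
    return [rec.fingerprint for rec in records
            if ip in rec.addresses and abs(rec.addresses[ip] - when) <= window]


def draft_reply(ip: str, when: str | datetime, records: list[ExitRecord]) -> str:
    """Abuse-desk reply; wording follows the canned response quoted in the thread."""
    fps = exits_for(ip, when, records)
    if not fps:
        return (f"No exit record for {ip} near {_ts(when):{TS_FORMAT}} in this list; "
                "check https://exonerator.torproject.org/ before replying.")
    return (f"The source address {ip} is a Tor exit node (fingerprint {', '.join(fps)}) "
            "and is not the origin point for the traffic in question. Any action taken "
            "on this node would simply result in the problem traffic using a different exit. "
            "See https://exonerator.torproject.org/ for the historical record.")


if __name__ == "__main__":
    recs = parse_exit_list(SAMPLE_EXIT_LIST)
    print(draft_reply("198.51.100.17", "2017-09-22 20:00:00", recs))
    print(draft_reply("203.0.113.5", "2017-09-22 20:00:00", recs))
```

The 24-hour window is the practical compromise: the scanner's `ExitAddress` timestamp is the last observation, not an interval, so an exact match would miss most legitimate complaints. When the list gives no hit, the function deliberately refuses to draft the standard reply and points the operator at ExoneraTor instead, which is the record a subpoena response should cite.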
Hi Jonathan,
Jonathan Proulx:
To the initial question: for an honest operator who's open about their ownership and enters proper family membership data, I can't see how more exit volume is a problem. TOR needs to be resilient against malicious operators who don't disclose; not sure what the current value of "global" is, but I should hope it's well above 5%...
Firstly, it's Tor not "TOR"! :)
I'm curious about what you mean by "global" here, and how it relates to [potentially] malicious operators (suspicious relays of which are frequently thrown off the Tor network).
Best, Duncan
On Sat, Sep 23, 2017 at 02:36:00PM +0000, Duncan wrote:
:Firstly, it's Tor not "TOR"! :)
True, but I type badly. :)
:I'm curious about what you mean by "global" here, and how it relates to [potentially] malicious operators (suspicious relays of which are frequently thrown off the Tor network).
"global" as in a global passive adversary, though I suppose running nodes is an active adversary.
Main point: for well-behaved servers that are labeled and obviously part of the same administrative domain, clients won't use two of them for any circuit, so where's the harm? Not rhetorical: there would be, at some fraction of the network (as I say, hopefully well above 5%); if there is harm, could someone smarter than me say where it is?
-Jon
Hi Jonathan,
Jonathan D. Proulx:
"global" as in a global passive adversary, though I suppose running nodes is an active adversary.
If that's what you mean, can you clarify what you meant by "I should hope it's well above 5%"?
If an adversary is a global passive adversary, surely that would mean that they are for all intents and purposes seeing pretty much all of the traffic?
I think it is worth remembering that there isn't evidence there is a global passive adversary at the moment, even if certain agencies and organizations clearly aspire to be one.
Main point: for well-behaved servers that are labeled and obviously part of the same administrative domain, clients won't use two of them for any circuit, so where's the harm? Not rhetorical: there would be, at some fraction of the network (as I say, hopefully well above 5%); if there is harm, could someone smarter than me say where it is?
-Jon
Best, Duncan
I think it is worth remembering that there isn't evidence there is a global passive adversary at the moment, even if certain agencies and organizations clearly aspire to be one.
Quite so. It is well established that these so-called agencies do not aspire to be passive. Or perhaps you simply typed the word "passive" by shear force of habit and instead meant to convey "sufficiently global adversary". :)
dawuud dawuud@riseup.net wrote:
I think it is worth remembering that there isn't evidence there is a global passive adversary at the moment, even if certain agencies and organizations clearly aspire to be one.
Quite so. It is well established that these so-called agencies do not aspire to be passive. Or perhaps you simply typed the word "passive" by shear force of habit and instead meant to convey "sufficiently global adversary". :)
Curiouser and curiouser! So, dawuud, you imply that habit has a velocity vector(!) and that it changes over distance(!!) in one or more dimensions, and thus exerts a shear force on...what? A typist's fingers and hand placed within the volume where shear is present? Strong enough, perhaps, to roll them up and maybe even break a wrist? Well, I guess one lives and learns! (Hint: you misplaced a homonym.:)
Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at sdf.org *xor* bennett at freeshell.org
"A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790
dawuud:
I think it is worth remembering that there isn't evidence there is a global passive adversary at the moment, even if certain agencies and organizations clearly aspire to be one.
Quite so. It is well established that these so-called agencies do not aspire to be passive. Or perhaps you simply typed the word "passive" by shear force of habit and instead meant to convey "sufficiently global adversary". :)
I was mostly commenting on the use of the word "passive", but I agree with you that "sufficiently global adversary" is perhaps a better word.
Doesn't a lot of it depend on context anyway? How can we quantify something like this?
:> what the current value of "global" is but I should hope it's well above 5%...
:I'm curious about what you mean by "global" here, and how it relates to [potentially] malicious operators (suspicious relays of which are frequently thrown off the Tor network).
"global" as in a global passive adversary
Global is relative, it can mean at a scale having wide enough coverage physical or logical, to achieve your goals, against from 1 to all users, in sufficient time. It probably doesn't mean 1 node or tap, or quite 10, but up towards 100 / 500 / 1000 becomes interesting to think about. Similarly probably not for $5000, yet $50000 to $10M becomes a project. Physical may mean literally distributed about the Earth. Logical may mean piled in one datacenter taking part in the random functions of a target network, such as DHT abuse.
though I suppose running nodes is an active adversary.
Depends on what's being done with those Sybil nodes. Listening, traffic analysis, recording, decryption... that's passive. Modification, inject / drop, perturb, exploit... that's active.
There are successful attacks in both modes of operation.
If an adversary is a global passive adversary, surely that would mean that they are for all intents and purposes seeing pretty much all of the traffic?
I think it is worth remembering that there isn't evidence there is a global passive adversary at the moment, even if certain agencies and organizations clearly aspire to be one.
If anyone seriously thinks that GPA / GAA scale adversaries do not exist, or are not actively in effect and growing with intent, they need to get their head out of their ass and digest the news dating back to at least Snowden.
Even simple University level research groups have published effective production low cost small scale Sybil attacks on tor.
(Sybil may also include infiltration of global code repositories.)
Learn about how internet backbones work, lack of per link level encryption and fill traffic, Tier-1 vantage points, dozens of suspect hops in a traceroute, etc.
How entities and people bend over backwards to give data away under the legal or $dollar table with wink and nod.
Read up what NSA, GCHQ, FVEY, DEA, et al are doing with $Billions, PATRIOT partnerships, manganese nodules, etc.
In a sense, "global" may sometimes distill down to meaning the same "global amounts of money" spread at a problem via various vectors to achieve similar results.
Threats involving large scale deployment of $money, nodes, and actors against tor and other networks are real and secretive.
Secrecy requires gauging their effectiveness by analysis of leaks, court cases, parallel construction, whispers and canaries, whitepapers, human resources, code and deltas, and news media.
The fun part beyond that is in figuring out how to defeat them and then doing exactly that :)
Hey John!
In Seattle, as you know, Emerald Onion is now online. We're at about 1.5% right now. We're grant writing, too, and hopefully within the next year we will be able to support 5-10%.
Have you published any Warrant Canaries? We're working with Calyx on a generic template for relay operators and hope to start publishing one every month, soon. Also, we've been working closely with HardenedBSD. Are you able to increase either software or hardware (not Intel) capacity?
If you have time, Emerald Onion is working on material to help others become their own ISP like Quintex and Emerald Onion have. We'll be focusing on sustainable nonprofit ISPs. One of our drivers is finding people near IXPs in the USA to help get started: https://emeraldonion.org/internet-exchange-points-in-the-united-states/
Like Teor mentioned, it's important for operators to increase capacity and stability, while still meaningfully supporting diversity. Emerald Onion is not going to surpass 10% of exit capacity without first helping ~10 other groups set up and manage their own 1%+ relays. As more and more high-capacity groups come online, I think orgs like Quintex and Emerald Onion can slowly increase capacity but stick around the 10% line.
I applaud you for your work!
Cheers,
yawnbox
On Fri, Sep 22, 2017 at 6:26 AM, teor teor2345@gmail.com wrote:
This is a reminder that we need more exit operators, running more large exits. If we think your exit share is a problem, the best way to make that problem go away is to add other exits.
John Ricketts:
I am about to fire up more Exit Relays and if I do so I will jump from my roughly 3% of Exit Probability to what technically could easily reach 6-8%.
First of all: Thank you for growing the tor network exit capacity and being open about your plans.
Big operators should be aware that they are more likely to be a person/group of interest to certain non-friendly entities than others. Ideally they take this risk and responsibility seriously and operate their relays accordingly.
With the growing size of a single operator, stability, availability and recovery time also become more relevant. A single small operator going down is NOT an issue that many would notice, but an operator running 10% exit prob. will more likely cause some noticeable impact.
The usual points apply but become more important with the increasing cw/exit fraction of an operator.
These are not meant as questions, just food for thought:
- timely reaction to new security updates
- 24/7 operations? auto-updates?
- configuration management
- family management
- geo diversity
- time to recover from complete relay(s) compromise (without rekeying) (are relays operated in OfflineMasterKey mode?)
- security monitoring and alerting?
- management workstation exposed to Internet? browsing? email? attacks? (dedicated machine? Qubes OS?)
- direct peering and connectivity for a short path to common targets (like emeraldonion does)
- servers used for tor only? (no shared use cases)
- abuse handling
- legal risks?
- upstream diversity
- in-operator OS diversity
On Fri, Sep 22, 2017 at 01:04:28PM +0000, John Ricketts wrote:
I am about to fire up more Exit Relays and if I do so I will jump from my roughly 3% of Exit Probability to what technically could easily reach 6-8%.
I would like to know everyone's opinion on having an individual operator have that much exit share. In my case, all the traffic would be coming from the same AS as well, but distributed over four different cities with different upstream carriers.
Hi John,
I think 5% exit share is fine, and 10% is probably a bit too high.
That means as you grow past 5%, you should work with the other big exit relay operator groups -- torservers, Nos Oignons, DFRI, Frënn vun der Ënn, Hart Voor Internetvrijheid, NoiseTor, and the many more out there -- to get them to pick up the pace on their side. :)
--Roger
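Two checks recur in this thread: Jon's point that clients will not place two relays from one declared family on the same circuit, the "family management" item in the checklist above, and Roger's 5% / 10% guidance on exit share. The following is an added example, not code from the thread or from the Tor Project, that runs both checks over a relay inventory of the shape you might export from Onionoo or your configuration management. The inventory (placeholder fingerprints, arbitrary weights, operators `op-a`, `op-b`, `op-c`) is constructed. Exit share is computed as the operator's fraction of Exit-flagged, non-BadExit consensus weight, a simplification of Onionoo's `exit_probability`, which also applies the consensus bandwidth weights; the family check relies on the fact that Tor clients honour a family link only when both relays declare each other.

```python
"""Operator exit share and MyFamily consistency from a relay inventory.

Added example, not code from the thread or the Tor Project. The inventory
is constructed; exit share is a simplification of Onionoo's exit_probability.
The 5% / 10% lines are the figures from Roger's reply.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Relay:
    fingerprint: str
    nickname: str
    consensus_weight: int
    flags: frozenset[str]
    family: frozenset[str]  # fingerprints this relay declares in MyFamily
    operator: str           # grouping key, e.g. normalised ContactInfo


def _fp(letter: str) -> str:
    return letter * 40  # placeholder for a 40-hex-char fingerprint


# Constructed inventory. op-a runs three exits and a guard; ex3 forgot to
# list ex2, and none of the exits list the guard even though the guard
# lists them (one-sided declarations are ignored by clients).
INVENTORY = [
    Relay(_fp("A"), "ex1", 30_000, frozenset({"Exit", "Running"}), frozenset({_fp("B"), _fp("C")}), "op-a"),
    Relay(_fp("B"), "ex2", 25_000, frozenset({"Exit", "Running"}), frozenset({_fp("A"), _fp("C")}), "op-a"),
    Relay(_fp("C"), "ex3", 20_000, frozenset({"Exit", "Running"}), frozenset({_fp("A")}), "op-a"),
    Relay(_fp("D"), "guard1", 50_000, frozenset({"Guard", "Running"}), frozenset({_fp("A"), _fp("B"), _fp("C")}), "op-a"),
    Relay(_fp("E"), "other1", 1_100_000, frozenset({"Exit", "Running"}), frozenset(), "op-b"),
    Relay(_fp("F"), "bad1", 100_000, frozenset({"Exit", "BadExit", "Running"}), frozenset(), "op-c"),
]


def exit_weight(relay: Relay) -> int:
    """Weight that counts toward exit selection: Exit flag and not BadExit."""
    return relay.consensus_weight if "Exit" in relay.flags and "BadExit" not in relay.flags else 0


def exit_share(relays: Iterable[Relay], operator: str) -> float:
    """Operator's fraction of total exit weight (0.0 when there are no exits)."""
    relays = list(relays)
    total = sum(exit_weight(r) for r in relays)
    mine = sum(exit_weight(r) for r in relays if r.operator == operator)
    return mine / total if total else 0.0


def family_gaps(relays: Iterable[Relay], operator: str) -> list[tuple[str, str]]:
    """(nickname, missing_nickname) pairs where one of the operator's relays does
    not list a sibling. Tor honours a family link only when both sides declare
    it, so every pair must appear in both MyFamily lists."""
    mine = sorted((r for r in relays if r.operator == operator), key=lambda r: r.nickname)
    by_fp = {r.fingerprint: r.nickname for r in mine}
    gaps = []
    for r in mine:
        for fp, nick in by_fp.items():
            if fp != r.fingerprint and fp not in r.family:
                gaps.append((r.nickname, nick))
    return gaps


def verdict(share: float, soft: float = 0.05, hard: float = 0.10) -> str:
    """Roger's rule of thumb: fine up to 5%, coordinate with the other big
    operators as you pass it, 10% is too high."""
    if share >= hard:
        return "too high"
    if share >= soft:
        return "coordinate"
    return "ok"


def report(relays: Iterable[Relay], operator: str) -> dict:
    relays = list(relays)
    share = exit_share(relays, operator)
    return {"operator": operator, "exit_share": round(share, 4),
            "verdict": verdict(share), "family_gaps": family_gaps(relays, operator)}


if __name__ == "__main__":
    for op in ("op-a", "op-b", "op-c"):
        print(report(INVENTORY, op))
```

In the constructed data `op-a` lands at about 6.4% of exit weight, the range John asked about, so the verdict is "coordinate" rather than "too high"; the family report shows the guard that none of the exits list back, which is exactly the case where a client could still pick the operator's guard and exit on one circuit despite the guard's own MyFamily line.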
Roger,
Thank you. That's the concise answer I was looking for and I will hold at 5% and coordinate from there.
I will be in Seattle mid-October, hoping I can connect with folks in Seattle area that do Tor and also visit the office to get some shirts and say hi!
Any takers, Seattle Tor people?
John
On Sep 26, 2017, at 19:31, Roger Dingledine <arma@mit.edu> wrote:
I think 5% exit share is fine, and 10% is probably a bit too high.
On 27 Sep 2017, at 10:35, John Ricketts john@quintex.com wrote:
I will be in Seattle mid-October, hoping I can connect with folks in Seattle area that do Tor and also visit the office to get some shirts and say hi!
Any takers, Seattle Tor people?
If you don't get many takers, it's because some of us will be in Montreal mid-October at the Tor meeting.
T
-- Tim Wilson-Brown (teor)