doc/HARDENING Draft
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I thought I'd share an initial draft of doc/HARDENING. Please share any opinions or contributions you have. This was written in a little more than an hour, so it's still a work in progress. However, in the spirit of prototyping before polishing, I thought I'd share early. Here's the relevant ticket: https://trac.torproject.org/projects/tor/ticket/13703 A specific topic of conversation is how much of the advice should be in the document itself as opposed to linked sources. It could also use more OS diversity. After reading it, you can probably guess which *nix flavors I'm familiar with. Enjoy, Libertas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJUc7qtAAoJELxHvGCsI27NOwsP/1bP+g4W2y1NHefR5bd+5hwo V927TXzarNneNFxfhKJsVewVnU593Ex13iHv+WgA+XM39xiK8KkhpxOaw2IpahZp pIRCk4/XX78YaEc/K3ci2AsNGFVXPBX7nm4/VOZ5qiGfo+FVeipykweF1dF+X1Wc 1wr8Q9LWKoIab+klu/BG5nG5NtwICYslbgXMvNnapHuy0Xn1+fvBx3mW9teMkJ0N Npssiy7XUqJx1XpdYNJr4XI28aHOV2p4FeCdsAgaQ1OBkOvpzMd+fw2Yb3FOiX/l 5pNCPMXFsS/+OXp1qOFKDQoOb7fEP6mY4NqdSovuJU0oWdurnHVk/X3SidALfH/L vFPdTwpCJSMLuYO7HsLLiLx6LkDtrDZ2y9+tUfpqKGAN0upXrIi5GWsbUeLcCqwY UFYdSg1GHsWJz7fU6F1vDLpGsiXU5yVqgaxfP06+nZ/smRt5sA3nlMDCZJi3BDes k0+c4+tAPZ5Yt6kJ5b1GBgxQMokDqnLm/4pb/qlp0EzDfhWpA+Un2lGdvInrz1ds VsVvbq/LLuxYylC3hlF8pNxBVMdbXycWM1w/VHtDjPZFdo9AO4CJHXeShYQa2O0W cBXdU+O59wWoxiCuEfo0O2xaJw2UIRfxauQbcp/A0rg8FKU1c2QeP2t7y8VdVC1Y SgQNVCUKYPBMCywJw9PA =yY3r -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm considering opening it with something like: As a Tor relay operator, you have a responsibility to your users to maintain a secure system. Consider yourself something like a small ISP - - people rely on you for their safety and privacy. On 11/24/2014 06:09 PM, Libertas wrote:
I thought I'd share an initial draft of doc/HARDENING. Please share any opinions or contributions you have. This was written in a little more than an hour, so it's still a work in progress. However, in the spirit of prototyping before polishing, I thought I'd share early.
Here's the relevant ticket:
https://trac.torproject.org/projects/tor/ticket/13703
A specific topic of conversation is how much of the advice should be in the document itself as opposed to linked sources.
It could also use more OS diversity. After reading it, you can probably guess which *nix flavors I'm familiar with.
Enjoy, Libertas
_______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJUc7zkAAoJELxHvGCsI27NR6EP/1q3LOQKuCa8KYUgOdpxvVRT CrdOA20DAu4ATN+Fbfk6b2TZBxCocftS26dT9GCigpO84nZ9O0HIbBtZksImmlUi kuUGXZ9YpEIi/vzbRPsoCxoxWVVj1NxiBs7jg+ZlyydGr86aeUXbrXgYTvVLK8fe UNF6hhwqaeluh8mGxd9zWgEvAiXotyqhEHxlP5kL5IBUFBi495yomiFh2Lzd9FXb Wlqyaka9b2vXq0wUnjgwuS0mWkgeCV0dpxnw/T4IXN6Uq8tTqx1XnM2KZWVnxujt rYleuNsula+ZDRR+dvT1JbI9d1Iw4/r1eMbnG5RnoSQjHKmlX9COfU8LRs/cb5iN MP/NOlHB3QDxBhZL8+o5OLfj3iNjxQ5yDUSM1/e6M5n4diveqLpUD9GryggvXuwq DMWF3MzRpYnVCiZJgsfn15kfJIHDBwuY0s7P/B2xjmAfWv0b+lypx1ADso1Xl5j+ ctZ8uM5sXItf0AfBhWLp7xmFvwYOBIfDG4hVhvzPzQBIPWwHJqxSf4reMrOEscNY Wm9EzoMoZecEaDiLW64f8xHoSpttyG/yJ6gedo2zVCRH5IBahpfgzJtYZ94O+0qQ A4DgnJTdx5B8TZBHJEjPDIBRXzezkQcn/ioBtSrwuoY/cwztKndpxxZflgR5vNcz vtB7dyMUePBBBRXNOVGV =JAf8 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 That works too. I was trying to convey a sense of immediate personal responsibility by using the term "your users", but it could be misunderstood. By the way, what's the policy for having discussions that span multiple mailing list subjects (tor-relays and tor-dev, in this case)? I'm not sure how to best do this without spamming people or fragmenting conversations. On 11/24/2014 06:22 PM, I wrote:
"..to Tor users and the Tor system"?
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJUc8d7AAoJELxHvGCsI27NbWsP/0e8EXclDiVhfH+aXWR7TVPm V0vd2U7y4m9pqjMgaj6JYFhWCEMNBnqKPDtIhuvLTYgz8WaWZtPD6wk9CRj41djt Ua1Iknl0VU8HPHqSxfZNqyZkv96QjTP/wXZIkfbbKpGlm5jo0RcVG8k2GfCr/JNc wH1GoHO8HhZiBY268ILIstlAXZaD906oBmKfhvUEMeiOWuPClLBuqtNv45X2dNYX OqfITRDvmCutMDJBnpldCe3DbzcsdIL4l+h8yv1ea4m7W8wNsxi3KZqEUGyBLiek qlAJuOZAHqINa7FE4zWpG09ah9ybcjX46vYehvHrRPRKgBEC8jPv4f5NVOP/JSIh q443IkmDSSE6Vq2T+qIpurp7aeXmMB/uXWvfEeKdbjbP1M0ZHEVydR0puy8JFIvz kfa8raOK9hH1/FYsNxIYdxqfQJq1SDZxKu3ZZdE3QpR99UoOUGItI4x+Z52nDkA9 1EsE9qgWsKJA4hyCUMH+tnN4HXfEHvl/+AYI6S+ZuWsaEaHuZycFgsB+IWDlUYgK zeqEK2EF9/8+xkcaWRfRFFq9OYOAQQ/1GGd7oJs0kntB1i/U4cVAQ7YbYxBxgBIs HFqob+aNcwT7aF6hrPqaDMuFhkAILfIm/qUALyIFkYl4i5yIRl7rwLPwFcWxDq2Q VeJKTAHOvBmL1lfBsi8V =QVTp -----END PGP SIGNATURE-----
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date. Also for protecting SSH SSHGuard is in my opinion a much better choice as it supports IPv6 unlike fail2ban (I heard there were patches for fail2ban to address that but I'm not sure if they are already in mainstream and available in all distributions). -- Random
cron-apt is also a viable option for debians. https://wiki.archlinux.org/ is afaik the best standard repository of all knowledge and wisdom about current linux, always solved my debian-*codename* problems. On 25 November 2014 at 05:29, Tor Operator <tor@ssessess.es> wrote:
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date.
Also for protecting SSH SSHGuard is in my opinion a much better choice as it supports IPv6 unlike fail2ban (I heard there were patches for fail2ban to address that but I'm not sure if they are already in mainstream and available in all distributions).
-- Random
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Thanks for the heads-up about unattended-upgrades, I hadn't heard of that. And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard. On 11/24/2014 11:29 PM, Tor Operator wrote:
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date.
Also for protecting SSH SSHGuard is in my opinion a much better choice as it supports IPv6 unlike fail2ban (I heard there were patches for fail2ban to address that but I'm not sure if they are already in mainstream and available in all distributions).
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJUdKczAAoJELxHvGCsI27NF5cQAJWbTsG0pvFUx8YU10RtJ7ol 0pywtTI36HMXC4uYb44wOEpI5huC9a9AtXXNBJDwT0pUIIkVkZ6arEg7obTKf7nP V0I4YhLTP3s3jrVCRcBUGgfZ/0danQjOB3Vw41wEmoO1vaaC91m/ZIerfM2++E+3 mQZ0D5reeM49xkFX4Ym7nh1rBKWawqbkIHOnCY8Au4oAal8JFvhffKObjfslzMCi k3+gJA4/pYJq58PuNOE2V3iU94qJ5/iSTgx+0P6IusPcDI65TOjKo231zcXUFfZs 0JdzS4hDsMM3VF0TKDkMnXF/Upgk7u5DoMWWBHE0F6goc/tGNHy9J0CIdaeg45jX 6+Q98T7SyVjvwezcdDnETYdhIjPp1Cas/0rIGZleDULyfvMeMvESCdeH6L2SNkjt 7VleLfzcYqwf3Gxhe0bYTabxJYTBq7MxoRHxoetBPDY9A3zGEdO67Vv0ksUbJZlF OpPcdPzql9JbaDJf3lg3g43NJphb4fVRHYOyGOCbwoo525uqKU2EXw1F2yByyMUz AaNTGzVFtHaerXHeVRZ7aWi9h18bVMMrhO0fUbGACbtD/1BSlz+7HPvBOIyiT5Hb eaZDvThPGcgQaaSrwWBgnBFX/xbSt/xvWrZkPBXxD5ypYyhRvgSDEkBK9Nv6tpws qGsuYtdJDHUl+FXGN5+0 =Iloa -----END PGP SIGNATURE-----
Hi, On Tue, Nov 25, 2014 at 10:58:57AM -0500, Libertas wrote:
And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
I'm still wondering about the popularity of fail2ban and SSHGuard, specially in regard to the ssh service. You can achieve almost the some behaviour with every major firewall. See for example [1] and [2]. And for the lazy ones, my current configs: iptables & ip6tables under linux: # ssh incoming # bucket: /proc/net/xt_recent/SSH - see for stats # ipv4 iptables -N SSHSCAN iptables -F SSHSCAN iptables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN iptables -A SSHSCAN -m recent --set --name SSH --rsource iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j ULOG --ulog-prefix "SSH-Bruteforce iptables: " iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP iptables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT # ipv6 ip6tables -N SSHSCAN ip6tables -F SSHSCAN ip6tables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT>8080 -m state --state NEW -j SSHSCAN ip6tables -A SSHSCAN -m recent --set --name SSH --rsource ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j LOG --log-prefix "SSH-Bruteforce iptables: " ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP ip6tables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT pf under FreeBSD: block quick from <blacklist> # . # . # . pass in proto tcp from any to <YOUR-IP> port = <YOUR-SSH-Port flags S/SA keep state \ (max-src-conn 4, max-src-conn-rate 4/10, overload <blacklist> flush global) label "ssh: in " You can adjust the parameters to control when a host is blacklisted and for how long. -- regards alex
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 11/27/2014 07:50 PM, tor@zengers.de wrote:
And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
I'm still wondering about the popularity of fail2ban and SSHGuard, specially in regard to the ssh service. You can achieve almost the some behaviour with every major firewall. See for example [1] and [2].
And for the lazy ones, my current configs: ...
True, and thanks for the examples. I think the daemons are probably a better move for those who aren't firewall veterans, as everyone else would probably be copy-and-pasting firewall configs like the ones you gave and praying that they worked. The daemons probably also have more nuanced and flexible policies. You also reminded me of a big factor I forgot to mention in the doc: firewalls. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJUd9MUAAoJELxHvGCsI27NlY0P/0MeYML3CCLlF3JHRDVy85CE FjjQlUjIH3wnTGuQJE/ooubWH8KslLhSq2PjBXMgxuObshf9DEHWHy7KNYvAJ+GE 1VMjONDV6uuZILLPur1UxFlSPrB2LfzBJCqLfx/LmtQFPoH3AztJnkyqLZIkVcMs X8IJ4Dv2kvX3q9oIXdqyiTECLSsAZ5GyhOcNPZGLdijaijWL6ajrpq74NE89cjNu TX4d5eR2WSJm18lQ3ViOwh4DmdRA/HeqtH/M3/DsDJvOP4D5lrERrc6ghBShZdsl dKndLPLWFTGGdV4DAbn96FBZQW9q2feRb+DBSdOXPlc8KqOFF2BMrb2a4tWv/szs uiTqsYTDj7TkvOLIR3Y1V1uRm6WvxdU5FKNH7+qouQg8G4hLPrcxmIGOTELDZtzn s30ffOScgM7kn3qb8hbs50peMDb3A67GXgNFnvFSf1eAaWJQdDbzYEfxzBzGvtvb DYCeavXAKC8LsgRIcfjnuhPuTfP0PSKX0RABgPR0hkt3TGsCObMSUETHD1IqRv+1 wWjLf+52Kn9ZwPxPxUt8yngaOZr9iGAKlQJJwoacujAFCjoGR+SflEojFjBcdyVV mZqgyDgSeAhPZyMIY5shY5VJcT7wBbUy8oLSEjdfOxrfUe4dHLPfGvPmv7U2sJQX rVwbNoRfYr2mhgLap7dN =UtrW -----END PGP SIGNATURE-----
Stop Sent from my iPhone
On Nov 27, 2014, at 8:42 PM, Libertas <libertas@mykolab.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 11/27/2014 07:50 PM, tor@zengers.de wrote: And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
I'm still wondering about the popularity of fail2ban and SSHGuard, specially in regard to the ssh service. You can achieve almost the some behaviour with every major firewall. See for example [1] and [2].
And for the lazy ones, my current configs: ...
True, and thanks for the examples. I think the daemons are probably a better move for those who aren't firewall veterans, as everyone else would probably be copy-and-pasting firewall configs like the ones you gave and praying that they worked. The daemons probably also have more nuanced and flexible policies.
You also reminded me of a big factor I forgot to mention in the doc: firewalls. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCAAGBQJUd9MUAAoJELxHvGCsI27NlY0P/0MeYML3CCLlF3JHRDVy85CE FjjQlUjIH3wnTGuQJE/ooubWH8KslLhSq2PjBXMgxuObshf9DEHWHy7KNYvAJ+GE 1VMjONDV6uuZILLPur1UxFlSPrB2LfzBJCqLfx/LmtQFPoH3AztJnkyqLZIkVcMs X8IJ4Dv2kvX3q9oIXdqyiTECLSsAZ5GyhOcNPZGLdijaijWL6ajrpq74NE89cjNu TX4d5eR2WSJm18lQ3ViOwh4DmdRA/HeqtH/M3/DsDJvOP4D5lrERrc6ghBShZdsl dKndLPLWFTGGdV4DAbn96FBZQW9q2feRb+DBSdOXPlc8KqOFF2BMrb2a4tWv/szs uiTqsYTDj7TkvOLIR3Y1V1uRm6WvxdU5FKNH7+qouQg8G4hLPrcxmIGOTELDZtzn s30ffOScgM7kn3qb8hbs50peMDb3A67GXgNFnvFSf1eAaWJQdDbzYEfxzBzGvtvb DYCeavXAKC8LsgRIcfjnuhPuTfP0PSKX0RABgPR0hkt3TGsCObMSUETHD1IqRv+1 wWjLf+52Kn9ZwPxPxUt8yngaOZr9iGAKlQJJwoacujAFCjoGR+SflEojFjBcdyVV mZqgyDgSeAhPZyMIY5shY5VJcT7wBbUy8oLSEjdfOxrfUe4dHLPfGvPmv7U2sJQX rVwbNoRfYr2mhgLap7dN =UtrW -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi, On Thu, Nov 27, 2014 at 08:42:44PM -0500, Libertas wrote:
True, and thanks for the examples. I think the daemons are probably a better move for those who aren't firewall veterans, as everyone else would probably be copy-and-pasting firewall configs like the ones you gave and praying that they worked. The daemons probably also have more nuanced and flexible policies.
yeah you're right about that. But when it comes to security, you should but in the extra effort :-). And I didn't want to say, don't use these daemons. I'm just saying if you have trouble or want a solution without any extra software, the firewalls can do this.
You also reminded me of a big factor I forgot to mention in the doc: firewalls.
Hehe no problem. Thx for putting up with the effort to create such a doc. -- regards alex
On Mon, Nov 24, 2014 at 11:29 PM, Tor Operator <tor@ssessess.es> wrote:
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date.
Agreed, but note that unattended-upgrades does not restart services whose libraries have been upgraded underneath them -- that's rather important for making sure that an OpenSSL patch, for instance, actually gets loaded into the running Tor and SSH daemons. You need 'needrestart' as well (and it, too, has to be configured to do stuff automatically). zw
On Monday 24 November 2014 18:09:34 Libertas wrote:
Here's the relevant ticket:
https://trac.torproject.org/projects/tor/ticket/13703
A specific topic of conversation is how much of the advice should be in the document itself as opposed to linked sources.
It could also use more OS diversity. After reading it, you can probably guess which *nix flavors I'm familiar with.
Enjoy, Libertas
I would add the following advice: Don't store identity keys on the hard disk. Keep them offliner. Use a ramdisk for /var/lib/tor/keys/ and copy keys to it via scp before starting your tor instance. Remove it from the ramdisk after startup. So the keys cannot be easily taken during unexpected downtimes. Regards, torland
Hi, On Tue, Nov 25, 2014 at 08:58:04PM +0100, tor-admin@torland.me wrote:
Don't store identity keys on the hard disk. Keep them offliner. Use a ramdisk for /var/lib/tor/keys/ and copy keys to it via scp before starting your tor instance. Remove it from the ramdisk after startup. So the keys cannot be easily taken during unexpected downtimes.
that's a nice idea. But keep in mind that your ramdisk could be offloaded to swap. So make sure your swap is encryted too. Also your keys could still be stolen while the server is running. -- regards alex
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/24/2014 4:09 PM, Libertas wrote:
I thought I'd share an initial draft of doc/HARDENING. Please share any opinions or contributions you have. This was written in a little more than an hour, so it's still a work in progress. However, in the spirit of prototyping before polishing, I thought I'd share early.
Thank you for sharing. There may be mixed opinions about using a resource like this but the NSA's Guide to the Secure Configuration of Red Hat enterprise Linux 5 [0] covers a great deal of areas that can apply to other distros. Much of it appears to be included in the debian documentation (which I believe the .pdf also references). One might consider fwknop [1] to require single packet authentication (SPA) before the target ssh port is opened for you and and only for a few seconds. Sure, moving your ssh to a non-standard port makes for clean logs but having the port closed to all unless validated through SPA can present a significant hurdle for a more dedicated adversary. I've heard of a lot of people using fail2ban but not csf [2] however nobody has really weighed in on why. There are ways of integrating fwknop with csf. I'd be happy to share more info by request. Also let us not forget astandard access restriction layers like tcpwrappers, and pam + /etc/security/access.conf for ssh. [0] https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf [1] https://www.cipherdyne.org/fwknop/ [2] http://configserver.com/cp/csf.html (http link because of invalid ssl cert) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) iQIcBAEBAgAGBQJUdRSwAAoJEN+MkWRY9DUsNH4P/1qooQgSvFu0ppN5e9OJEt72 M0M1XylF+rlqMfMFBKkbH3ef6v7i3dnuSBeIPhAzGOajvL8P1ji0eMK/2O0Bwe1a ufbzutcrc9UBgE1GOjlXIhTSoaQgG0KzNRrtbRzkTiBIGrAazpZZPR9sxbNmRQ9/ 21mvbQ7hdqaq0g51/HCn88wJETYHzilPJ9u3BPNZ6knEMd3WeW0RDp5iaC0itw3s NF7X4lQFP13WxQz8JLKBrvcMuZYRd5oz08VP+EhHjeTE9LkGsRve0gwk706tOrOl yzdQQc6ftYyb3kQfvA65stYSSfB+/4EQVtz2vJGozeAz6HybSy5RAcw7zo39cOLA VMsc78CVTDn7sQWLq6qAa5d0DEwQw/CXi70zMw/eBnn5vZ5DpIoAKguE/NHiY9yp pENJMNcVA5Rs1byN2AoHq9y2UtNmADKK/V89NNtwj7zT4lv4YyA6h9p2BztQlXkm jTm730h6wpdW35QchU/tsGypexxio4o1i+MitvIwqcp5SiaS+wJVgFjxQ9sZIos5 r8Hr/sZKva8i1CWRYhH+k/cXdp6/1ec1AD8AEDLQD2yMQvFpvZ0vdHKswuqkvZIu VcKRcE5g9ux+BcmLDG27aeM96ltVFqRmkT0ZvMlLAuyhljio2wFWiKtWv7KYXUaD XH/2lUc87Igpvs5EpNGT =f1un -----END PGP SIGNATURE-----
participants (9)
-
Garrett DeBoer -
I -
Libertas -
Tor Operator -
tor-admin@torland.me -
tor-exit0 -
tor@zengers.de -
usprey -
Zack Weinberg