[tor-relays] Why MyFamily?

Michael Gerstacker michael.gerstacker at googlemail.com
Sat Feb 22 20:41:22 UTC 2020 

Am Sa., 22. Feb. 2020 um 17:11 Uhr schrieb nusenu <nusenu-lists at riseup.net>:

> Michael Gerstacker:
> >>> But as long as my family is still a small
> >> It is rather hard, time consuming and error prone
> >> to asses group sizes without proper MyFamily declarations.
> >>
> > I am the operator of my relays so if i for whatever reason decide to not
> > publish that i run a bigger family then this should be my own decision.
>
> There are two notions to this, depending on what you mean by 'publish'.
>
> 'publish' in the sense of linkability relays <-> operator identity:
> Correct there is no need for that.
>
> 'publish' in the sense of declaring a proper MyFamily set:
>
> from the tor manual page:
> "If you run more than one relay, the MyFamily option on each relay
> **must** list all other relays"
>

I will list them or shut them down. Just not right now.

I thought about why i do not want to list them right now and this reason
might sound stupid to others but for me including a new relay into MyFamily
is some sort of "celebration".
When i include a new relay i commit myself to care for it for the next time
period (no matter how long that means).
For me that means checking nyx and the logfile everyday and taking a quick
look into nmon.

So as an operator who paies the bills for my new children i expect the
torproject and all affected people to wait till i did my "celebration" or
take the necessary steps and reject them so that i understand this as a
message that the celebration took too long and that these relays are not
wanted anymore.

I think i do not want to automate this because it would destroy my
celebration.
I already automated upgrades because i see a purpose in this but from my
point of view i can not see any porpose to automate MyFamily.

I also thought about why i include them in MyFamily at all and i think the
reason is because i want that others have the possibility to exclude my
relays if they see a need to do so.



> > If the torproject needs these information urgently they need to force it
>
> The Torproject Inc does not run the Tor network, nor the majority of Tor
> directory authorities,
> but yes, some Torproject employees play a key role on what gets actually
> enforced on the network and what not
> and The Torproject produces the software that dir auths run so they have
> at least partial/indirect control over the imposed rules
> and the network.
> As far as I know there is no formal or informal written agreement between
> Tor directory authorities as to how they run the network.
> Past attempts by a Torproject employee an me, to establish something like
> that unfortunately failed [1].
>

I think i remember something where nick explained that he (or any other
torproject member listed on the torprojects peoples page) can not directly
tell the authorities operators what they should do.
This made me think about for the first time what the torproject actually is.

And i think that the way it is right now is actually a good thing. Maybe it
even must be like that to ensure free speech as good as possible and to not
make some people a big target.
Bu its funny to hear from one of the main designers of Tor that he can
actually not really decide what happens.

I think there is the difference between a normal company and Tor and thats
the reason why i am okay paying bills without getting something countable
back (beside the fact that i learned a lot in many ways since i started my
first relay).

I think it is impressive how good this project works and i think you would
put that at risk if you try to force standards too easily and telling
directory authorities operators how to run them is one of these examples.

Of course i only see what i can see and i see that you are more involved
than i am but i think as long as its not broken dont try to fix it.


>
> > Not proposing relays of honest operators for removal should be in the
> > interest of all to help protect tor users
>
> It is hard to tell honest operators from others if the relay has no
> ContactInfo
> or does not reply to emails. Even if they reply it can be non-trivial. So
> if there were actual technical rules
> they should apply to all relays equally and not just to dishonest operators
> because how do you define and measure "honest" operator?
> Should an operator who confirms to bad-relays@ that he setup modified
> relays to collect onion addresses
> be allowed on the network because he is at least honest about it?
>

(Just for the record i had contact info on all my relays and check that
email address weekly. Since my first exit even daily.)
Yes of course this is a problem and the only "solution" is to raise the bar
for all.
But this is not what MyFamily is doing. It is raising the bar for the
honest ones but not for the dishonest ones.

If this problem need to get fixed i propose using a contact email address
as a replacement of MyFamily and sending a validation email.
Maybe even send another validation email after some randomized timeframe
from time to time to validate that the operator is still caring and
reachable.
This way you at least raise the bar for all and most honest operators will
just use one email address for it so automatically using this one as "the
family" is easy.
If a malicious entity wants to put for example 20 relays on the network
with different contact email addresses this is still manageable but 200 of
them is a whole other thing.

Sending validation emails is generally stupid but if this would solve a
problem which needs a fix then why not?
People are used to it because whatever they do on the internet they get a
validation email and the torproject already uses this for its mailing lists.

The idea with somehow using the comtact info was raised here already but
never really discussed:
https://trac.torproject.org/projects/tor/ticket/6676

About the question if someone should be allowed to for example collect
onion addresses with a modified tor client/relay:
Actually in the first moment i would say yes.
Where is the difference between a crazy user writing down every onion he
can find an an automatic system doing this?

If you are talking about HSdirs collecting the hidden services they got i
would say "better not" because this is not what they were made for and i
can not see a benefit for the network.

But this should be technically solved and not by blocking them and as far
as i know v3 onion addresses are solving that problem so an hidden service
operator can now choose if they want to take that risk or they could use
client authentication right away.

Another reason to allow it would be because if you dont allow it but it is
still possible and someone do this and you try to solve that by blocking
them that means you are constantly failing in what you do because if they
want to do it then they will just come back.

But if you say "Yes it is allowed! (... if you are able to do it) then you
have a competition and an overall improvement or at least a bigger
viewpoint about what to fix, what to allow and where to aggree.


>
> > but an opt-in solution for
> > MyFamily which gets forced by random people on a public [tor-]bad-relays
> > mailinglist
>
> bad-relays@ is not public in the sense that everyone can read it, but
> everyone can send to it,
> which is its main purpose.
>

>
>
>
> [1]
> https://medium.com/@nusenu/the-growing-problem-of-malicious-relays-on-the-tor-network-2f14198af548
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200222/31a7f51e/attachment.html>

More information about the tor-relays mailing list