eliminating bogus port 43 exits

Kyle Williams kyle.kwilliams at gmail.com
Fri Jun 12 22:51:25 UTC 2009

On Fri, Jun 12, 2009 at 3:28 PM, Andrew Lewman <andrew at torproject.org> wrote:

> grarpamp wrote:
> > 3 - Further, there needs to be an understanding of what the traffic
> > ACTUALLY IS. Operators should be using tools such as wireshark,
> > tcpdump, bro, etc to determine the content. And if it turns out to
> > be encrypted to destinations and services unknown, NO such determination
> > can be made. The only thing left to go on is impact as in #2 above.
>
> I wasn't going to comment on this thread in general because I have
> nothing new to add to the conversation.
> However, I feel compelled to mention this #3 is possibly very bad advice
> for those in the USA.  Our Legal FAQ clearly states this is probably
> illegal; https://www.torproject.org/eff/tor-legal-faq.html.en#ExitSnooping
> .
> Until such a case determines it legal or not, some very savvy lawyers
> recommend against doing exactly what you suggest.  If your lawyer
> suggests otherwise, we're happy to talk to them.
>
> "Should I snoop on the plaintext that exits through my Tor relay?
> No. You may be technically capable of modifying the Tor source code or
> installing additional software to monitor or log plaintext that exits
> your node. However, Tor relay operators in the U.S. can create legal and
> possibly even criminal liability for themselves under state or federal
> wiretap laws if they affirmatively monitor, log, or disclose Tor users'
> communications, while non-U.S. operators may be subject to similar laws.
> Do not examine the contents of anyone's communications without first
> talking to a lawyer."
> --
> Andrew Lewman
> The Tor Project
> pgp 0x31B0974B
> Website: https://torproject.org/
> Blog: https://blog.torproject.org/
> Identica/Twitter: torproject

I think "snooping" and "statistical information" should be treated
differently.  Take Scott's case here.  He is making a claim that by using
the exit policy outlined above, it would reduce the amount of traffic on Tor
by 70% or whatever.  What I would like to see proof of is that the IP
addresses that are now being blocked are NOT running a WHOIS service.  How
do we know for sure that they are not in fact a valid WHOIS service?

So, Andrew, would running 'iptraf' on an exit node to see the amount of
bandwidth that is being used or what IP/ports are being connected be
considered "wire tapping"?
I'm not trying to start an argument, I'm just trying to figure out how a
researcher can do his/her work, get real answers, without crossing the line
of "wire tapping".  That's all.

Best regards,
