[tor-talk] badfamilies: searching for undeclared families (detection method: contactInfo)

Nusenu nusenu at openmailbox.org
Sat Mar 28 15:14:22 UTC 2015



Hi,

(if you are on CC you might want to jump to the URL and have a look at
your relays' MyFamily config)

as a tor client one probably doesn't wish to use relays from one
entity only when creating circuits. So it might make sense to find
undeclared families.
This first very simple approach uses contactInfo data to detect
myfamily misconfiguration - so it detects potential families that are
not "hiding" on purpose.

https://raw.githubusercontent.com/nusenu/misc-files/master/potential_badfamilies_detectionByContact_sorted_by_relay_count.txt

The last column shows the number of relays which have the given
contact string and the 3rd column shows the number of family members
this relay has (in a perfect setup these numbers match).

This is obviously a non-perfect approach and might contain false
positives since everyone can set a contactInfo string on his relay as
he wishes.

Should this list worry you?

The two biggest undeclared families (by relay count) - perfect-privacy
& torpids run relays in over 30 distinct /16 netblocks but they don't
seem to run any exits which makes it currently impossible to create
exiting circuits through them exclusively.
torservers.net on the other hand seems to have a current guard
probability of 0% according to compass, but as one can see in the
atlas graphs that is not always the case. Additionally torservers runs
only in 8 distinct /16 netblocks. I guess the odds are low for one to
create a circuit through torservers only - depending on your currently
selected guard node.


In contrast, here is the hitlist (by relay count) of *perfectly* declared
families:

relaycount  contact
==============================
27          juha.nurmi(att)tut.fi
20          AccessNow
17          tor0102.10.swsnyder
12          Mozilla
11          TvdW
10          Felix <zwiebel ta quantentunnel tod de>
8           Frenn vun der Enn
8           tor-relay at guy.net.au
8           GTor
7           rdump at OFTC
7           TEN <abuse-team _at_ tor-exit-node _dot_ org>
6           ccc.de


I heard about a few of them and know that some are using central
management tools to keep MyFamily in sync: ansible or puppet. That is
probably the reason why they are in good shape.

The good news is that at least one of the big operators not having
perfect MyFamily setup yet might start using a central management as well.


Looking forward to finding actually hiding families aka (slow) Sybil
attacks ;)
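
The contactInfo comparison described in this post, as an added example that is not part of the original message and not Nusenu's own script: relays are grouped by contact string and each relay's mutually declared family is checked against that group. The record layout (fp, contact, family), the sample relays, and counting a relay as a member of its own family are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample relays, not real ones. The field names fp/contact/family
# are assumptions for this example, not a real descriptor or API format.
RELAYS = [
    {"fp": "A1", "contact": "ops@example.org", "family": ["A2", "A3"]},
    {"fp": "A2", "contact": "Ops@Example.org ", "family": ["A1", "A3"]},
    {"fp": "A3", "contact": "ops@example.org", "family": ["A1", "A2"]},
    {"fp": "B1", "contact": "admin at example.net", "family": ["B2"]},
    {"fp": "B2", "contact": "admin at example.net", "family": ["B1"]},
    {"fp": "B3", "contact": "admin at example.net", "family": []},
    {"fp": "C1", "contact": "", "family": []},
    {"fp": "D1", "contact": "solo@example.com", "family": []},
]

def normalize_contact(contact):
    """Case-fold and collapse whitespace so trivial variations still group."""
    return " ".join(contact.lower().split())

def group_by_contact(relays):
    groups = defaultdict(list)
    for relay in relays:
        key = normalize_contact(relay["contact"])
        if key:  # an empty contact string says nothing about the operator
            groups[key].append(relay)
    return groups

def find_undeclared_families(relays):
    """Return (contact, fp, family_members, relay_count) for each relay whose
    mutual family does not cover every relay sharing its contact string."""
    declared = {r["fp"]: set(r["family"]) for r in relays}
    rows = []
    for contact, members in group_by_contact(relays).items():
        fps = {r["fp"] for r in members}
        for fp in sorted(fps):
            # A MyFamily link only takes effect when both relays list each other.
            mutual = {o for o in declared[fp] if fp in declared.get(o, set())}
            # Assumption: the relay counts as a member of its own family.
            missing = fps - mutual - {fp}
            if missing:
                rows.append((contact, fp, len(mutual) + 1, len(fps)))
    # Largest contact groups first, like the published list.
    return sorted(rows, key=lambda row: (-row[3], row[0], row[1]))

if __name__ == "__main__":
    for row in find_undeclared_families(RELAYS):
        print("%-22s %-3s %2d %2d" % row)
```

As the post notes, anyone can set any contact string, so a flagged group is a hint to review MyFamily, not proof of common operation.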

