Tor and network security/administration

Jeremy Chadwick wrote:

> If the point of the technology is to add a degree of anonymity, you
> can be pretty sure that a marker expressly designed to state the
> message "Hi, I'm anonymous!" will never be a standard feature of said
> technology. That's a pretty obvious non-starter.
>
> Which begs the original question of this thread which I started: with
> that said, how exactly does one filter this technology?

...and that is also the reason why SORBS and Tor have been at loggerheads... They think that their answer addresses SORBS' position from their Abuse FAQ ( http://tor.eff.org/faq-abuse.html.en ):

SORBS is putting some Tor server IPs on their email blacklist as well. They do this because they passively detect whether your server connects to certain IRC networks, and they conclude from this that your server is capable of spamming. We tried to work with them to teach them that not all software works this way, but we have given up. We recommend you avoid them, and teach your friends (if they use them) to avoid abusive blacklists too <http://paulgraham.com/spamhausblacklist.html>.

Of course SORBS' position is actually this - if you are allowing Trojan traffic over the Tor network you will get listed (regardless of whether the Trojans can talk to port 25 or not).... Considering they were told that, it shows the lack of concern, respect, intelligence or netiquette for such issues. The new SORBS DB (coming soon) will include a Tor DNSbl (like the AHBL's) where administrators of services can choose to block this type of traffic.

Our response to people using Tor is "That's what you get for using Tor, if you must use Tor we recommend moving it to a server/IP that is not used for anything important and getting a good lawyer."

"You can't" doesn't make for a very practical solution, by the way.
The same was said about BitTorrent (non-encrypted) when it came out,
and the same is being said about encrypted BT (which has caused
some ISPs to induce rate-limiting).

I'm also left wondering something else, based on the "Legalities"
Tor page. The justification seems to be that because no one's ever
been sued for using Tor to, say, perform illegitimate transactions
(Kevin's examples) or hack a server somewhere (via SSH or some other
open service), that somehow "that speaks for itself".

I actually know of someone who was caught trying to brute force an ISP's SSH server - he blamed it on Tor - that didn't stop legal action and getting his connection terminated. (Sorry, I am not permitted to give details of who or which ISP - so don't ask.) I don't know whether he was the responsible party or not, but I do know he has had several accounts terminated for similar 'suspect' activity. He continues to run a Tor node.

> I don't know about the rest of the folks on NANOG, but telling a
> court "I run the Tor service by choice, but the packets that come
> out of my box aren't my responsibility", paraphrased, isn't going
> to save you from prison time (at least here in the US). Your box,
> your network port, your responsibility: period.

AFAIK neither here (Australia) nor in the UK - if the traffic is seen to be coming from your machine *you* are responsible unless *you* can show the traffic was generated by someone else, i.e. you cannot say 'sorry officer it was not me it was my machine'; you have to be able to say (and prove), 'sorry officer it was not me it was someone else, I don't know who, but here is the information about the next step back to the source so that you can continue your investigation.' (Same as speeding tickets - you can't just say "I wasn't driving" - you have to either say 'x was driving' or "It wasn't me, I don't know who was driving but I lent the car to x, you should ask them.")

...and for what it's worth, I have no problems with anonymous networks for idealistic reasons, however they are always abused, they will continue to be abused, Tor is being abused, and I should be able to allow or deny traffic into my networks as I see fit....

All of my discussions with Tor people have indicated [they] do not think I should have the right to deny traffic based on IP address, and that I should find other methods of authenticating traffic into my networks.

Regards,

Mat

FWIW, I've received such notices in the past, for content my users
hosted. Most organisations sending take-down notices give you a 48
hour window to remove the offending content before legal action is
taken. I'm thankful for those windows, since I do tend to sleep 10
hours a day... :)

In the two instances where it happened, the users were removed from
the system immediately (within about 30 minutes) with all of their
data backed up (so they could be given it later, plus in the case
there was any involvement with law enforcement). Nothing became of
either situation.

In both scenarios, I was prepared to take full responsibility since
technically speaking the facilities (co-location and bandwidth) I pay
for are under my name. It's my rear on the line, and my users content
can possibly get my co-location network + cage access removed and my
account with my co-location provider terminated (extreme circumstances,
but I have to assume the worst). That makes the issue my responsibility,
whether I like it or not -- what goes out from my network is my
responsibility.

In regards to Tor, I'm not referring to "infringing material
found on my network" -- I'm referring to shady individuals using
machines on the Tor network (which are run by willing members of
the network) to do things such as bust root on .gov or .mil boxes
and raise all sorts-of hell. Since Tor server administrators don't
appear to have any idea of who's using their box for what or when
("I know nothing! I'm innocent! I just installed this Tor daemon
and partook in the whole thing willingly!"), who is going to end
up paying fines and serving jail time for an individual doing
nasty things through aforementioned Tor server?

The list of IP addresses of tor nodes is *public*. If tor users can
get it, you can, too. Some IRC networks already run a stripped-down
tor client to always tag connections from tor as such, and permit
channel operators to ban such connections from their channel should
they wish so.
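A defender-side illustration of that last point, added here as an example and not code from anyone in this thread: it parses the line-oriented layout assumed here for Tor's published bulk exit list (constructed sample data), tags a connecting address against it, and builds the reversed-octet query name a Tor DNSBL of the kind mentioned earlier in the thread would be asked, with a stub dictionary standing in for DNS so it runs offline. The zone name, fingerprints and addresses are all made up.

```python
import ipaddress

# Constructed sample in the line-oriented layout assumed here for Tor's bulk
# exit list; fingerprints, timestamps and addresses are made up (TEST-NET ranges).
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 198.51.100.7 2024-01-01 01:00:00
ExitNode 0000000000000000000000000000000000000002
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 203.0.113.20 2024-01-01 01:00:00
ExitAddress 203.0.113.21 2024-01-01 01:00:00
"""

# Constructed stand-in for a Tor DNSBL zone: a listed address answers with an
# A record in 127.0.0.0/8, an unlisted one gets no answer (absent key).
STUB_DNSBL = {"9.113.0.203.tor-dnsbl.example": "127.0.0.2"}


def parse_exit_addresses(text):
    """Collect every ExitAddress IP from the list; other record lines are ignored."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            exits.add(ipaddress.ip_address(parts[1]))
    return exits


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone, e.g. 7.100.51.198.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(ip, exits, dnsbl=None, zone="tor-dnsbl.example"):
    """Tag a connection source: 'tor-exit' if it is on the local list or the
    DNSBL answers for it, otherwise 'other'. Tagging rather than dropping
    leaves the allow/deny decision to local policy, as the IRC networks do."""
    addr = ipaddress.ip_address(ip)
    if addr in exits:
        return "tor-exit"
    # DNSBL zones of this kind are IPv4-only, so skip the lookup for IPv6.
    if dnsbl is not None and addr.version == 4:
        if dnsbl_query_name(ip, zone) in dnsbl:
            return "tor-exit"
    return "other"
```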

> Jeremy Chadwick wrote:
>
>> If the point of the technology is to add a degree of anonymity,
>> you can be pretty sure that a marker expressly designed to state
>> the message "Hi, I'm anonymous!" will never be a standard feature
>> of said technology. That's a pretty obvious non-starter.
>>
>> Which begs the original question of this thread which I started:
>> with that said, how exactly does one filter this technology?

> Of course SORBS' position is actually this - if you are allowing
> Trojan traffic over the Tor network you will get listed (regardless
> of whether the Trojans can talk to port 25 or not)....

How an open proxy that will not connect to port 25 is relevant for an
*email* blacklist is beyond me.

> ...and for what it's worth, I have no problems with anonymous
> networks for idealistic reasons, however they are always abused,
> they will continue to be abused, Tor is being abused, and I should
> be able to allow or deny traffic into my networks as I see fit....
>
> All of my discussions with Tor people have indicated [they] do not
> think I should have the right to deny traffic based on IP address,
> and that I should find other methods of authenticating traffic into
> my networks.

Isn't it rather that they think that filtering on the basis of IP
address is broken in today's Internet, even if tor didn't exist? Open
proxies, trojans, multi-user computers, dynamic IPs, ... all this
means that substituting IP address for people is very, very
imprecise.

Lionel Elie Mamane wrote:

>> Jeremy Chadwick wrote:
>>
>>> If the point of the technology is to add a degree of anonymity,
>>> you can be pretty sure that a marker expressly designed to state
>>> the message "Hi, I'm anonymous!" will never be a standard feature
>>> of said technology. That's a pretty obvious non-starter.
>>>
>>> Which begs the original question of this thread which I started:
>>> with that said, how exactly does one filter this technology?
>>
>> Of course SORBS' position is actually this - if you are allowing
>> Trojan traffic over the Tor network you will get listed (regardless
>> of whether the Trojans can talk to port 25 or not)....
>
> How an open proxy that will not connect to port 25 is relevant for an
> *email* blacklist is beyond me.

Perhaps because SORBS is not just an email blacklist? Perhaps because it is also used for webmail and other things...

>> ...and for what it's worth, I have no problems with anonymous
>> networks for idealistic reasons, however they are always abused,
>> they will continue to be abused, Tor is being abused, and I should
>> be able to allow or deny traffic into my networks as I see fit....
>>
>> All of my discussions with Tor people have indicated [they] do not
>> think I should have the right to deny traffic based on IP address,
>> and that I should find other methods of authenticating traffic into
>> my networks.
>
> Isn't it rather that they think that filtering on the basis of IP
> address is broken in today's Internet, even if tor didn't exist? Open
> proxies, trojans, multi-user computers, dynamic IPs, ... all this
> means that substituting IP address for people is very, very
> imprecise.

....and that is your opinion, which you are entitled to; others feel filtering by IP address is still valid and needed, which is why they do it... Surely they are entitled to their opinions...?

Regards,

Mat

> Lionel Elie Mamane wrote:
>
>> How an open proxy that will not connect to port 25 is relevant for
>> an *email* blacklist is beyond me.
>
> Perhaps because SORBS is not just an email blacklist?

My bad. I must have misunderstood its tagline.

> Perhaps because it is also used for webmail and other things...

Someone running a webmail that doesn't ask for authentication before
accepting mail is asking for trouble. You know it, and I'm fairly sure
you would list him.

If the user has authenticated himself on the webmail, why care whether
the TCP connection came from an open TCP or HTTP proxy? The user has
identified himself, so you know who it is.

>>> All of my discussions with Tor people have indicated [they] do not
>>> think I should have the right to deny traffic based on IP address,
>>> and that I should find other methods of authenticating traffic
>>> into my networks.
>>
>> Isn't it rather that they think that filtering on the basis of IP
>> address is broken in today's Internet, even if tor didn't exist?
>> Open proxies, trojans, multi-user computers, dynamic IPs, ... all
>> this means that substituting IP address for people is very, very
>> imprecise.
>
> ....and that is your opinion,

Actually, no. It is what I understand the tor people's opinion to be
from their public statements. As for my opinion, I think IP-based is
the best you've got when you are dealing with the world at large and
not just with a finite, known group of users. As with an MX. As with a
webshop. But IP-based authentication should be avoided if you can, and
does get over-used in contexts where it is worse than other
solutions. A prime example is the scientific journals publishers
blindly trusting the whole IP space of universities. We do give shell
accounts on some of our machines to externals: Other scientists from
abroad, high school students that can make good use of surplus
computing resources for a project, ...

>> All of my discussions with Tor people have indicated [they] do not
>> think I should have the right to deny traffic based on IP address,
>> and that I should find other methods of authenticating traffic into
>> my networks.
>
> Isn't it rather that they think that filtering on the basis of IP
> address is broken in today's Internet, even if tor didn't exist?

This has been part of my point throughout this thread, in that:

> substituting IP address for people is very, very imprecise.

Tor just happens to point this out very vividly, and makes the
formerly small distinction between social and technological problems a
bit more noticeable.

Anti-spam folk face a lot of the same issues. Ideally, there should
be zero need for content-based mail filtering, because that doesn't
reflect the intent of blocking spam (which is *really* based on
"solicited" status). However, the *social* issues of today's spam
abuse often make content-based filtering a necessary evil.