Tor: The Blog


Five Years as an Exit Node Operator

The official version of "What to expect" when running a Tor exit relay is fairly brief. This post will be verbose.

I've been running a node since 2003. I first started off running a node in Xen on a server at a colocation datacenter with an un-metered line. The dual Xeon kept up with the demands fairly well. I ran it with the default exit policy with open irc ports. Things went smoothly for many months until my ISP called. The Abuse Department said my IP was reported in a mass irc bot attack against DalNet. I spent some time on the phone explaining Tor, explaining how it's an anonymizing proxy, and how it's used for good in the world. I highlighted that of the megabits of bandwidth it provided 7x24 for many months, this was the first issue. They asked that I block irc ports, and all would be well. I modified the exit policy to block irc ports.

Many more months passed without issue. Apparently, given the lax bandwidth controls, many other customers ran Tor exit nodes as well. The ISP updated their Terms of Service, and notified all of us that running any proxy was now in violation of the ToS. This meant I was at risk of disconnection. I switched to a non-exit configuration. I ran this way for months. I knew full well I was violating the ToS. If I was disconnected, it was my fault. Then the ISP was bought, and the new owners demanded I shut off my Tor node or be disconnected. It was fun while it lasted.

Welcome to 2005. New ISP, same nickname, different server, same non-exit Tor configuration. Tor loved the dual Opteron CPUs. The difference in CPU load was dramatic. The load before was 40-50% CPU for "NumCPU 2" on the dual Xeons. On the dual Opterons, the load was 5-10%. Same non-exit config. Same version of Tor. Different hardware, newer version of the OS (Red Hat 4 as opposed to CentOS 3).

The carnival of data retention expands

We've already asked about how to handle the forthcoming data retention directive in Germany.

A few more governments are either heading down that path or are already there:

I suspect we'll see proposals for this in the USA soon enough.

Anonymity on the Internet is not going away.

A few people have told me about this TechRadar story. The implication is that the US Air Force is going to do away with the anonymity of the Internet. In reality, I think these people are looking for Tor's opinion on this sort of "news". Rather than pick apart the silliness of the statements, I want to address a few things in the TechRadar article that bothered me, claims I've already heard many times.

Let's tackle the misconception that the Internet is inherently anonymous. This quote states the "common wisdom":

It's true that the TCP/IP protocol, as currently implemented, makes it very hard to verify the source of any given network packet, but that's purely because the network architects chose to make it that way.

In fact, IP addresses are designed and used for routing. It's easy to figure out where traffic originates if you have the IP address. What's not so easy is figuring out if the owner of the system at that IP address was the actual sender of the traffic. There's a popular notion that you are your IP address, and that actions taken with your IP can be tied back to you. IP addresses are for routing, not authentication. The Air Force plan wants to solve the latter problem of authentication (network friend or foe). A subpoena or legal demand of a provider (blog, forum, ISP, etc.) can reveal the IP address and possibly its owner.

The larger concern with the article is that it states:

But it's also what lets protesters protest and dissidents diss, so there are some genuinely valid reasons for wanting to preserve internet privacy

and then ends with

OS X Vidalia Bundle Thoughts

A few weeks ago, I watched some non-technical OS X users attempt to install the Vidalia-Tor Bundle. Many of them tried to drag the installation package to Applications. A few were surprised it required an installation at all.

In Vidalia trunk I committed a different way to install Vidalia, Tor, and Polipo. In this new dmg, you just open it up and drag the Vidalia icon into Applications. You now have Tor, Vidalia, and Polipo pre-configured and running completely out of Applications. While this works well for users that never installed Tor/Vidalia before, it doesn't work so well for existing installations.

Is it smart to think users will un-install their existing Vidalia/Tor bundle before using the drag and drop installation method? My inclination is that it isn't smart. This installation method also removes the ability to automatically install Torbutton for Firefox.

In comparison, the current method is to ship a dmg which contains a metapackage. This metapackage contains a few scripts to run pre and post-installation, which do smart things to save current configurations, upgrade existing software binaries, and try to install Torbutton for Firefox. In general, this method has worked well for most users. I've heard from enough people to know they tried to drag and drop the metapackage into Applications at first, and when that didn't work, double-clicked the metapackage to start the installer.

I'm now leaning towards creating a Tor Browser Bundle for OS X, which can run out of the dmg or be installed via drag and drop. Much like the current Tor Browser Bundle (also, we should stop naming everything Tor), it would be self-contained and leave zero trace on the machine after closing.

Tor, Germany, and Data Retention

With the "enforcement" phase of Germany's data retention law coming
into effect on January 1 2009, it's time to start considering design
modifications for Tor to make us more resistant. There are many different
pieces to consider, including

  • How should we change path selection so Tor clients are less at risk
    from German ISPs that decide to log?

  • What exactly will German ISPs log, and who is supposed to have access
    to it?

  • What suggestions should we give to German Tor relay operators, and
    German privacy advocates in general, about how they should fight this
    law without putting themselves too much at risk?

I propose some technical changes to Tor in this or-dev post:
http://archives.seul.org/or/dev/Oct-2008/msg00001.html

Stay tuned for the policy suggestions -- perhaps we'll cover those at 25C3!

Online Anonymity Debate in South Korea

An article about the debate over online anonymity in South Korea caught my eye for a few reasons. The topic of online anonymity periodically rises to the social consciousness in South Korea. This time, it's about the suicide of a well-known actress, Choi Jin-sil. It's sad that she chose to commit suicide, and I'm sorry she felt she had nowhere to go for help. However, blaming the Internet for her death is dubious at best. The Internet is a collection of networks. The Internet is a thing, not a person. While I dislike rude telemarketers, I don't blame the telephone company for providing the connection. In this case, there seemed to be a subset of people bent on defaming her regardless of the circumstances, while using the Internet as their communication medium.

The real goal behind this upswelling of support for banning anonymity is to pass the Cyber Defamation Law. This appears to be the equivalent of user verification where all online activities must be in a real name and, in some way, verifiable.

"We will press hard to pass the Cyber Defamation Law and the real-name system," Hong Joon-pyo, the ruling Grand National Party's floor leader, told reporters last week. "It is wrong to neglect the fact that violence is rampant online, due to anonymity."

Defamation is already a crime in South Korea. The irony is that the person who possibly first defamed Choi Jin-sil has been found, a person only known by their last name, Paik. According to the article,

"Paik was questioned by investigators soon after Choi's suicide and ultimately indicted for defamation."

Tor 0.2.1.6-alpha Released

Tor 0.2.1.6-alpha further improves performance and robustness of hidden
services, starts work on supporting per-country relay selection, and
fixes a variety of smaller issues.

The original announcement can be found at
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Changes in version 0.2.1.6-alpha - 2008-09-30

  • Major features:
    • Implement proposal 121: make it possible to build hidden services
      that only certain clients are allowed to connect to. This is
      enforced at several points, so that unauthorized clients are unable
      to send INTRODUCE cells to the service, or even (depending on the
      type of authentication) to learn introduction points. This feature
      raises the bar for certain kinds of active attacks against hidden
      services. Code by Karsten Loesing.
    • Relays now store and serve v2 hidden service descriptors by default,
      i.e., the new default value for HidServDirectoryV2 is 1. This is
      the last step in proposal 114, which aims to make hidden service
      lookups more reliable.
    • Start work to allow node restrictions to include country codes. The
      syntax to exclude nodes in a country with country code XX is
      "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
      refinement to decide what config options should take priority if
      you ask to both use a particular node and exclude it.
    • Allow ExitNodes list to include IP ranges and country codes, just
      like the Exclude*Nodes lists. Patch from Robert Hogan.
  • Major bugfixes:

September 2008 Progress Report

Releases
Vidalia 0.1.9 (released September 2) fixes a big pile of bugs and inconveniences in the earlier releases. This new release marks the first "stable" release of Vidalia, in that we have now branched into a stable (0.1.x) branch and a development (0.2.x) branch.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.9/CHANG...

Tor 0.2.0.31 (released September 3) addresses two potential anonymity issues, starts to fix a big bug we're seeing where in rare cases traffic from one Tor stream gets mixed into another stream, and fixes a variety of smaller issues.
http://archives.seul.org/or/announce/Sep-2008/msg00000.html

Tor 0.2.1.6-alpha (released September 30) further improves performance and robustness of hidden services, starts work on supporting per-country relay selection, and fixes a variety of smaller issues.
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Circumvention Enhancements
From the Vidalia 0.1.9 ChangeLog:
"Correct the location of the simplified Chinese help files so they will actually load again."

From the Tor 0.2.1.6-alpha ChangeLog:
"Start work to allow node restrictions to include country codes. The syntax to exclude nodes in a country with country code XX is "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some refinement to decide what config options should take priority if you ask to both use a particular node and exclude it."
This feature should allow users in China to specify that they don't want to enter (and/or exit) in China, which in theory could provide stronger security for them.

From the Tor 0.2.1.6-alpha ChangeLog:
"Allow ports 465 and 587 in the default exit policy again. We had rejected them in 0.1.0.15, because back in 2005 they were commonly misconfigured and ended up as spam targets. We hear they are better locked down these days."
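Both the exit-node story at the top of this page (blocking IRC ports after the abuse report) and the 465/587 changelog entry above come down to how a torrc ExitPolicy is evaluated: rules are read in order and the first one matching the destination address and port decides. The following is an added example written for this page, not Tor's own code. It models the "accept|reject ADDR[/MASK][:PORT]" grammar for IPv4 (the "private" keyword and IPv6 are not modeled), and also flags rules that can never match because an earlier rule already covers them, which is the usual way an operator's reject list silently stops working. All policy lines, the client address and the function names are constructed for the example; only the IRC ports and ports 465/587 are taken from the posts.

```python
"""Tor ExitPolicy evaluator with first-match semantics (added illustration,
not Tor's code; IPv4 only, "private" keyword not modeled)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None stands for "*"
    low: int
    high: int


def parse_rule(text: str) -> Rule:
    """Parse one "accept ADDR[/MASK][:PORT]" or "reject ..." item."""
    action, _, pattern = text.strip().partition(" ")
    if action not in ("accept", "reject") or not pattern:
        raise ValueError(f"malformed rule: {text!r}")
    if ":" in pattern:
        addr, port = pattern.rsplit(":", 1)
    else:
        addr, port = pattern, "*"          # no port given means any port
    network = None if addr == "*" else ipaddress.IPv4Network(addr, strict=False)
    if port == "*":
        low, high = 1, 65535
    elif "-" in port:
        low, high = (int(p) for p in port.split("-", 1))
    else:
        low = high = int(port)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range in rule: {text!r}")
    return Rule(action == "accept", network, low, high)


def parse_policy(lines: List[str]) -> List[Rule]:
    """torrc allows several comma-separated items per ExitPolicy line."""
    return [parse_rule(item) for line in lines
            for item in line.split(",") if item.strip()]


def exit_allowed(rules: List[Rule], address: str, port: int,
                 default: bool = False) -> bool:
    """First matching rule wins. Tor appends its built-in default policy
    when nothing matches; this model simply returns `default`."""
    ip = ipaddress.IPv4Address(address)
    for r in rules:
        if r.network is not None and ip not in r.network:
            continue
        if not r.low <= port <= r.high:
            continue
        return r.accept
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers every address and port they name (e.g. "accept *:*" listed
    before the rejects it was meant to be preceded by)."""
    dead = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            addr_covered = e.network is None or (
                r.network is not None and r.network.subnet_of(e.network))
            if addr_covered and e.low <= r.low and r.high <= e.high:
                dead.append(i)
                break
    return dead


# Constructed policies for the operator story: IRC open, then IRC rejected,
# then the same rejects placed after the catch-all (a dead configuration).
IRC_OPEN = ["accept *:*"]
IRC_BLOCKED = ["reject *:6660-6669, reject *:6697", "accept *:*"]
MISORDERED = ["accept *:*", "reject *:6660-6669"]
# Constructed stand-ins for the 465/587 change in the changelog entry
# above (the real default policy rejects many more ports than these).
OLD_DEFAULT = ["reject *:465", "reject *:587", "accept *:*"]
NEW_DEFAULT = ["accept *:*"]


def demo() -> dict:
    client = "198.51.100.7"  # constructed documentation-range address
    return {
        "irc_before": exit_allowed(parse_policy(IRC_OPEN), client, 6667),
        "irc_after": exit_allowed(parse_policy(IRC_BLOCKED), client, 6667),
        "web_after": exit_allowed(parse_policy(IRC_BLOCKED), client, 443),
        "smtps_old": exit_allowed(parse_policy(OLD_DEFAULT), client, 465),
        "smtps_new": exit_allowed(parse_policy(NEW_DEFAULT), client, 465),
        "dead_rules": shadowed(parse_policy(MISORDERED)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the IRC ports going from allowed to rejected while web traffic still exits, the 465 port flipping from rejected to allowed between the two constructed default policies, and rule index 1 of `MISORDERED` reported as dead: an operator who appends rejects after an existing `accept *:*` line has changed nothing, which is worth checking before assuming an abuse complaint has been addressed.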

August 2008 Progress Report

Releases

Vidalia 0.1.7 (released August 2) fixes a bug that caused Vidalia to not recognize Tor's version correctly in Tor 0.2.0.x, adds an "nsh2po" tool that helps Pootle translate the Vidalia bundle installer strings, adds "TZ=UTC" to the BrowserExecutable's environment variables when launched via Vidalia, and updates the Czech, French, and German translations.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.7/CHANG...

Incognito 2008.1 (released August 2) is a Gentoo-based Tor LiveCD. This new release adds a "walkthrough" which will launch on startup; adds language support for Arabic, Greek, Hebrew, Russian, and Swedish; improves the support for Chinese and Japanese fonts; adds support for VMware and partial support for VirtualBox; switches to Tor 0.2.0.30 and Torbutton 1.2.0; and adds some new privacy-supporting software and removes some applications that are too likely to leak private information.
https://svn.torproject.org/svn/incognito/trunk/ChangeLog

Tor 0.2.1.3-alpha (released August 3) implements most of the pieces to prevent infinite-length circuit attacks (see proposal 110); fixes a bug that might cause exit relays to corrupt streams they send back; allows address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and ExcludeExitNodes config options; and fixes a big pile of bugs.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor 0.2.1.4-alpha (released August 4) fixes a pair of crash bugs in 0.2.1.3-alpha.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor Browser Bundle 1.1.2 (released August 9) updates Vidalia to version 0.1.6, updates Firefox to 2.0.0.16, updates Tor to 0.2.1.4-alpha, updates Torbutton to 1.2.0, and disables the TZ=UTC environment variable trick since Vidalia 0.1.7 now handles that for us.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.0.31 Released

A better-formatted version of this can be found at the OR-Announce Archives.

Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
a big bug we're seeing where in rare cases traffic from one Tor stream
gets mixed into another stream, and fixes a variety of smaller issues.

https://www.torproject.org/download.html

Changes in version 0.2.0.31 - 2008-09-03
o Major bugfixes:
- Make sure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
- Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
- If not enough of our entry guards are available so we add a new
one, we might use the new one even if it overlapped with the
current circuit's exit relay (or its family). Anonymity bugfix
pointed out by rovv.

o Minor bugfixes:
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
- Correctly detect the presence of the linux/netfilter_ipv4.h header
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
- Pick size of default geoip filename string correctly on windows.
Fixes bug 806. Bugfix on 0.2.0.30.
- Make the autoconf script accept the obsolete --with-ssl-dir
option as an alias for the actually-working --with-openssl-dir
option. Fix the help documentation to recommend --with-openssl-dir.
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
- Disallow session resumption attempts during the renegotiation
stage of the v2 handshake protocol. Clients should never be trying
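The three "Major bugfixes" in the 0.2.0.31 list above are each a missing check: a circuit ID that was still owned by a marked-for-close circuit, an EXTEND cell with a zero digest or pointing back at its sender, and a freshly added entry guard that overlapped the circuit's exit or its family. The following is an added example written for this page, not Tor's code; it is a simplified model of those three checks with constructed class names, a constructed cell layout, and made-up relay identities, so that the reader can see what each check refuses.

```python
"""Simplified model of the three 0.2.0.31 "Major bugfixes" (added
illustration, not Tor's code; identities and cell layout constructed).

1. A circuit ID stays owned by its connection until the circuit is freed,
   so a circuit that is merely marked for close still blocks reuse.
2. An EXTEND with an all-zero identity digest, or one asking to extend
   back to the relay that sent it, tears the circuit down.
3. A newly added entry guard must not be the circuit's exit relay or a
   member of that relay's family.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

DIGEST_LEN = 20
ZERO_DIGEST = bytes(DIGEST_LEN)


@dataclass
class Circuit:
    circ_id: int
    marked_for_close: bool = False


@dataclass
class Connection:
    """One OR connection; peer_digest identifies the relay at the other end."""
    peer_digest: bytes
    circuits: Dict[int, Circuit] = field(default_factory=dict)

    def create_circuit(self, circ_id: int) -> Optional[Circuit]:
        # Check 1: an ID in use, even by a marked-for-close circuit, is refused.
        if circ_id in self.circuits:
            return None
        circ = Circuit(circ_id)
        self.circuits[circ_id] = circ
        return circ

    def mark_for_close(self, circ_id: int) -> None:
        self.circuits[circ_id].marked_for_close = True

    def free_circuit(self, circ_id: int) -> None:
        # Only when the circuit is actually freed does its ID become reusable.
        del self.circuits[circ_id]


@dataclass(frozen=True)
class ExtendCell:
    circ_id: int
    next_hop_digest: bytes


def extend_risk(conn: Connection, cell: ExtendCell) -> Optional[str]:
    """Check 2: the reason an EXTEND is refused, or None if it looks sane."""
    if cell.next_hop_digest == ZERO_DIGEST:
        return "all-zero identity digest"
    if cell.next_hop_digest == conn.peer_digest:
        return "extend back to the sending relay"
    return None


def handle_extend(conn: Connection, cell: ExtendCell) -> str:
    circ = conn.circuits.get(cell.circ_id)
    if circ is None or circ.marked_for_close:
        return "ignored: no live circuit"
    reason = extend_risk(conn, cell)
    if reason is not None:
        conn.mark_for_close(cell.circ_id)
        return f"torn down: {reason}"
    return "extended"


def choose_new_guard(candidates: Iterable[bytes], exit_digest: bytes,
                     families: Dict[bytes, Set[bytes]]) -> Optional[bytes]:
    """Check 3: skip any candidate equal to the exit or in its family
    (family membership is checked in both directions)."""
    exit_family = families.get(exit_digest, set()) | {exit_digest}
    for cand in candidates:
        if cand in exit_family or exit_digest in families.get(cand, set()):
            continue
        return cand
    return None


# Constructed relay identities for the demonstration run.
RELAY_A = b"\x01" * DIGEST_LEN
RELAY_B = b"\x02" * DIGEST_LEN
RELAY_C = b"\x03" * DIGEST_LEN


def demo() -> dict:
    conn = Connection(peer_digest=RELAY_A)
    conn.create_circuit(7)
    conn.mark_for_close(7)
    reuse_while_closing = conn.create_circuit(7)   # refused by check 1
    conn.free_circuit(7)
    reuse_after_free = conn.create_circuit(7)      # allowed once freed
    results = {
        "reuse_while_closing": reuse_while_closing is None,
        "reuse_after_free": reuse_after_free is not None,
        "zero_digest": handle_extend(conn, ExtendCell(7, ZERO_DIGEST)),
    }
    conn.create_circuit(8)
    results["back_to_sender"] = handle_extend(conn, ExtendCell(8, RELAY_A))
    conn.create_circuit(9)
    results["normal"] = handle_extend(conn, ExtendCell(9, RELAY_B))
    families = {RELAY_B: {RELAY_C}}   # constructed: B declares C as family
    results["guard"] = choose_new_guard([RELAY_B, RELAY_C, RELAY_A],
                                        RELAY_B, families)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In the demonstration run the second `create_circuit(7)` fails while circuit 7 is still marked for close and succeeds only after it is freed, the two malformed EXTEND cells tear their circuits down while the well-formed one is extended, and the guard chooser skips both the exit relay and its declared family member before settling on `RELAY_A`.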
