Tor and network security/administration

Matthew Sullivan matthew at sorbs.net
Thu Jun 22 01:58:34 UTC 2006


Jeremy Chadwick wrote:

>On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
>
>>If the point of the technology is to add a degree of anonymity, you
>>can be pretty sure that a marker expressly designed to state the
>>message "Hi, I'm anonymous!" will never be a standard feature of said
>>technology.  That's a pretty obvious non-starter.
>
>Which begs the original question of this thread which I started: with
>that said, how exactly does one filter this technology?
...and that is also the reason why SORBS and Tor have been at 
loggerheads...  They think that their answer addresses SORBS' position from 
their Abuse FAQ ( http://tor.eff.org/faq-abuse.html.en ):

SORBS is putting some Tor server IPs on their email blacklist as well. 
They do this because they passively detect whether your server connects 
to certain IRC networks, and they conclude from this that your server is 
capable of spamming. We tried to work with them to teach them that not 
all software works this way, but we have given up. We recommend you 
avoid them, and teach your friends (if they use them) to avoid abusive 
blacklists too <http://paulgraham.com/spamhausblacklist.html>.

Of course SORBS' position is actually this - if you are allowing Trojan 
traffic over the Tor network you will get listed (regardless of whether 
the Trojans can talk to port 25 or not)....  Considering they were told 
that, it shows the lack of concern, respect, intelligence or netiquette 
for such issues.  The new SORBS DB (coming soon) will include a Tor 
DNSbl (like the AHBL's) where administrators of services can choose to 
block this type of traffic.

Our response to people using Tor is "That's what you get for using Tor, 
if you must use Tor we recommend moving it to a server/IP that is not 
used for anything important and getting a good lawyer."

>"You can't" doesn't make for a very practical solution, by the way.
>The same was said about BitTorrent (non-encrypted) when it came out,
>and the same is being said about encrypted BT (which has caused
>some ISPs to induce rate-limiting).
>
>I'm also left wondering something else, based on the "Legalities"
>Tor page.  The justification seems to be that because no one's ever
>been sued for using Tor to, say, perform illegitimate transactions
>(Kevin's examples) or hack a server somewhere (via SSH or some other
>open service), that somehow "that speaks for itself".
I actually know of someone who was caught trying to brute force an ISP's 
SSH server - he blamed it on Tor - that didn't stop legal action and 
getting his connection terminated.  (Sorry I am not permitted to give 
details of who or which ISP - so don't ask) - I don't know whether he 
was the responsible party or not, but I do know he has had several 
accounts terminated for similar 'suspect' activity.  He continues to run 
a Tor node.

>I don't know about the rest of the folks on NANOG, but telling a
>court "I run the Tor service by choice, but the packets that come
>out of my box aren't my responsibility", paraphrased, isn't going
>to save you from prison time (at least here in the US).  Your box,
>your network port, your responsibility: period.
AFAIK neither here (Australia) nor in the UK - if the traffic is seen to be 
coming from your machine *you* are responsible unless *you* can show the 
traffic was generated by someone else. i.e. you cannot say 'sorry 
officer it was not me it was my machine'; you have to be able to say (and 
prove), 'sorry officer it was not me it was someone else, I don't know 
who, but here is the information about the next step back to the source 
so that you can continue your investigation.' (same as speeding tickets 
- you can't just say "I wasn't driving" - you have to either say 'x was 
driving' or "It wasn't me, I don't know who was driving but I lent the 
car to x, you should ask them.")

...and for what it's worth, I have no problems with anonymous networks 
for idealistic reasons, however they are always abused, they will 
continue to be abused, Tor is being abused, and I should be able to 
allow or deny traffic into my networks as I see fit....

All of my discussions with Tor people have indicated [they] do not think 
I should have the right to deny traffic based on IP address, and that I 
should find other methods of authenticating traffic into my networks.

Regards,

Mat
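As an added example (not part of Mat's message, nor SORBS' or the AHBL's own code), this is the kind of check an administrator would run against a Tor DNSbl of the sort mentioned above: the reversed-octet lookup name, a decision that only trusts answers in 127.0.0.0/8, and a constructed offline resolver. The zone name and the listed addresses are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Hypothetical zone name: the page does not give the real SORBS/AHBL zone.
TOR_DNSBL_ZONE = "tor.dnsbl.example"

# A resolver maps a DNS name to the A record it returns, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = TOR_DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, resolver: Resolver, zone: str = TOR_DNSBL_ZONE) -> bool:
    """True only if the zone answers with a 127.0.0.0/8 address.

    DNSBLs signal a listing with a loopback-range A record. Any other answer
    (for example a wildcard record from a lapsed or hijacked zone) must not be
    read as a listing, or every client would suddenly be denied.
    """
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def policy_decision(ip: str, resolver: Resolver) -> str:
    """The per-service choice the text describes: deny listed sources, allow others."""
    return "deny" if is_listed(ip, resolver) else "allow"


# Constructed data: 192.0.2.10 (TEST-NET-1) stands in for a listed Tor exit.
_CONSTRUCTED_ZONE: Dict[str, str] = {
    dnsbl_query_name("192.0.2.10"): "127.0.0.2",
    dnsbl_query_name("192.0.2.30"): "198.51.100.1",  # bogus wildcard-style answer
}


def constructed_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS so the example runs without network access."""
    return _CONSTRUCTED_ZONE.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver, for use against an actual zone."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None
```

Swap `constructed_resolver` for `live_resolver` and set `TOR_DNSBL_ZONE` to the zone you actually subscribe to.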
More information about the NANOG mailing list