Re: [tor-relays] "Potentially dangerous relay groups"

[nusenu]

> It - plus the follow up from that many contributors - did answer my questions 
> apart from two left:
> 
> - should only Markus be contacted instead of lets say at least all the folks 
> with more than 2 notes to make them aware?

I contacted many of the most relevant operators with incorrect MyFamily
setting in the past years. ansible-relayor [1] was also born to provide
a solution for the MyFamily "problem".

The email to Markus was just triggered by the OrNetRadar email that in
turn has been trigged by the fact that he added 3 relays on 2016-09-22.

MyFamily is not very relevant, but I use MyFamily data to to aggregate
relays for lists like
https://raw.githubusercontent.com/ornetstats/stats/master/o/main_operators_by_cw.txt

and if torpids would also set a proper MyFamily their ranking would be
better (because more relays would be aggregated into their group).



> I tend to agree with what has been written "I am in favour of a scheme where 
> the process of joining a family is 
> authenticated." Personally I will correct my entries soon to get me off that 
> list :-)

people interested in that topic might want to read:

https://gitweb.torproject.org/torspec.git/tree/proposals/242-better-families.txt
https://trac.torproject.org/projects/tor/ticket/5565




[1] https://github.com/nusenu/ansible-relayor



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[pa011]

Am 27.09.2016 um 19:37 schrieb nusenu:
> pa...@web.de wrote:
>> there is that list of "potentially_dangerous_relaygroups" you published.
>> Could yo please emphasize a bit more on what brings a relay on that list, 
>> apart from incorrect given MyFamily which doesnt seem to be always the case.
>> I mean I see quite a few well respected names on that list ?
> 
> 
> to quote from https://github.com/ornetstats/stats
> (1) "dangerous" in the sense that a tor client might has a chance to
> use more than one of these relays in a single circuit
> (2) these relays are aggregated based on contact information
> (3) if their groupsize is bigger than their effective family size
> and they are operated in more than one /16 network block they are listed
> (4) this list might contain false-positives (contact information is
> not authenticated)
> 
> Does that answer your question?
> 
> I probably should also filter entries where two out of guard_prob,
> middle_prob and exit_prob are 0 since that means that (1) is never the
> case - iff onionoo is right about these probabilities.

nusenu,

great respect of your work at first and thank you for the answer provided as 
well.

It - plus the follow up from that many contributors - did answer my questions 
apart from two left:

- should only Markus be contacted instead of lets say at least all the folks 
with more than 2 notes to make them aware?
- how could it take nearly a week for that serious discussion to start?

I tend to agree with what has been written "I am in favour of a scheme where 
the process of joining a family is 
authenticated." Personally I will correct my entries soon to get me off that 
list :-)


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Corné Oppelaar]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Personally I like what Petrusko provided the most

> In torrc, an idea...??
> 
> *MyFamily http://mydomain.org/myfamily.txt*

the list being a plaintext file of fingerprints seperated by newlines,
and if the server having that family list is not in that mentoined
family list, it's not authorized to be in that family.

Altho this will create an overhead of making a new http request when
looking for an Tor node, which may be a problem. it actually isn't
possibly at all without leaking the real IP to said server, or someone
needs to be more creative then me :s

But on the other hand, if you run more then 4 nodes, just let puppet
or any other system managment tool fill in the MyFamily field,
shouldn't be that hard imo

On 09/28/2016 02:44 PM, Random Tor Node Operator wrote:
> On 09/28/2016 02:01 PM, Chad MILLER wrote:
>> So? A relay can always have behaved badly. What's the harm in
>> you fraudulently claiming to be in family com.example.chadmiller
>> ? A user's path won't have passed through both you and me, but
>> you could have prevented traffic from passing through you any
>> time. At worst, you get to participate in a user's path and
>> exclude me from participating. That's no worse than you setting
>> your machine on fire and me participating.
> 
> 1) Bad actor sets up a bunch of relays fraudulently joining the
> majority of other relays. 2) Path selection of clients will now
> effectively prefer the bad actor's relays on which he performs
> eavesdropping, traffic analysis, or other nasty things.
> 
> The bad actor could also leave a few of his bad relays without
> family in order not to uncover himself so easily.
> 
> I am in favor of a scheme where the process of joining a family is 
> authenticated.
> 
> 
> 
> 
> ___ tor-relays mailing
> list tor-relays@lists.torproject.org 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJX677wAAoJEE6fMe4ysJ7McdUH/1TzCArbxb0kZ1SDwc1P01LE
5bWvTtFj++C3PqcDzeiN3UrzVwm1AtJLa5pW3yZlAorgHksL98oX/om4EY2DKptz
IpEreQeobE/bd6c9Klhjc+FwVwW6Lb3D61KbeZkxE9+nyXrMjWUS8Nws0REZgKhc
IW6Q6kmuBt48yudbTm/dBAYPPND290ebGDuF7EDhsS9shx3+SxchuXYapwh8S1Xi
mZENyKDqxxcZT/8Ua7xMTreOzFFfscpcbFBnsKCbMjqJg0/bGKENyASoNJVQha7t
xmd5dL4fLyLrDlsi3AK4IVFCuWp3rsFpZZJ5An4FPHUe6NBSAX7pbfRko0cmq/E=
=Xptb
-END PGP SIGNATURE-
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[grarpamp]

On Wed, Sep 28, 2016 at 6:24 AM, Chad MILLER  wrote:
> Why isn't MyFamily a family name, instead of a list of members? I see no
> downside to having an unauthenticated

Because anyone can assert the string and
shared strings can't cross certify each other.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Chad MILLER]

Why isn't MyFamily a family name, instead of a list of members? I see no
downside to having an unauthenticated advisory
don't-route-through-me-if-you-also-route-through...

So, all of my nodes could have

MyFamilyName org.example

On Sep 28, 2016 05:52, "Roman Mamedov"  wrote:

> On Wed, 28 Sep 2016 11:41:16 +0200
> Ralph Seichter  wrote:
>
> > Key fingerprints are technically much closer to being IDs than nicknames,
> > which are nothing but short strings that can - and do - change at a whim.
>
> We're talking MyFamily, so it's you who is in control of all the nicknames,
> and it's only by your whim they may or may not change.
>
> Still did not see any concrete practical arguments to why fingerprints are
> worth the additional hassle, especially when what we see in reality is
> nicknames working there perfectly well and causing zero issues whatsoever
> for
> years.
>
> --
> With respect,
> Roman
>
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Roman Mamedov]

On Wed, 28 Sep 2016 11:41:16 +0200
Ralph Seichter  wrote:

> Key fingerprints are technically much closer to being IDs than nicknames,
> which are nothing but short strings that can - and do - change at a whim.

We're talking MyFamily, so it's you who is in control of all the nicknames,
and it's only by your whim they may or may not change.

Still did not see any concrete practical arguments to why fingerprints are
worth the additional hassle, especially when what we see in reality is
nicknames working there perfectly well and causing zero issues whatsoever for
years.

-- 
With respect,
Roman


pgphLU5fB1WRV.pgp
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Ralph Seichter]

On 28.09.2016 08:53, Roman Mamedov wrote:

> Any actual rationale, other than "do as I say"? And aside from linking
> to the man page which doesn't provide one EITHER.

Key fingerprints are technically much closer to being IDs than nicknames,
which are nothing but short strings that can - and do - change at a whim.

I think that grarpamp's recommendation to use fingerprints is much
better advice than your choice of using nicknames. I only ever use
fingerprints in MyFamily.

-Ralph
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[grarpamp]

On Wed, Sep 28, 2016 at 2:53 AM, Roman Mamedov  wrote:
> Any actual rationale, other than "do as I say"? And aside from linking to the
> man page which doesn't provide one EITHER.

The ambiguity problems are long known, leading to it going away.
Feel free to search historical references and better document things.

Though I endorse it, I didn't make it up, so it's not me.

> The only problem I can imagine with this is that Nefarious People can run a
> my family, possibly knocking out one of my actual relays out of it. But what

It may require bidirectional assertion, at least it should.
See search like above, and torspec.

> Then expect the number of people to even bother with MyFamily, to dwindle

The line counts just posted debunk this.
Both fp and nick are currently accepted (as well as random garbage) so
no dwindle possibility there, and when they bother, orders of magnitude
bother to do it right.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Roman Mamedov]

On Wed, 28 Sep 2016 11:53:51 +0500
Roman Mamedov  wrote:

> The only problem I can imagine with this is that Nefarious People can run a

same nickname relay *


-- 
With respect,
Roman


pgp6uN5Itqc5L.pgp
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Roman Mamedov]

On Wed, 28 Sep 2016 02:38:37 -0400
grarpamp  wrote:

> On Tue, Sep 27, 2016 at 4:38 PM, Roman Mamedov  wrote:
> > *) Give up on listing fingerprints, instead simply list nicknames.
> 
> No. Fingerprints are what to use here. Please do not use nicknames.

Any actual rationale, other than "do as I say"? And aside from linking to the
man page which doesn't provide one EITHER.

The only problem I can imagine with this is that Nefarious People can run a
same fingerprint relay with the same MyFamily string as mine, and by that join
my family, possibly knocking out one of my actual relays out of it. But what
exactly would anyone achieve with that, is entirely unclear.

> Besides, other than for simply announcing a vanity tag, nicks are
> going away in every area they are currently accepted as config input,
> so don't get used to them as such. See tickets 12898, etc.

Then expect the number of people to even bother with MyFamily, to dwindle
further.

-- 
With respect,
Roman


pgpaAETTCEr2K.pgp
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Petrusko]

In torrc, an idea...??

*MyFamily http://mydomain.org/myfamily.txt*

So > there will be only 1 list to update / maintain by the operator(s).
Ctrl+F to find if a fingerprint is already here (for lazy guyz)... if
not, Ctrl-V to add the new fingerprint,
if Atlas shows a down fingerprint, Ctrl+F too...
then /service tor reload/ to eat the new txt file?
> One list is much easier.
>
> Robert

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5




signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[grarpamp]

On Tue, Sep 27, 2016 at 4:38 PM, Roman Mamedov  wrote:
> *) Give up on listing fingerprints, instead simply list nicknames.

No. Fingerprints are what to use here. Please do not use nicknames.
Ignoring the ambiguous assertions you'd be making with nicks,
it inserts the same ambiguity into downstream consensus parsers.
Just grok FP's your configs and assemble the family like any good admin.
Besides, other than for simply announcing a vanity tag, nicks are
going away in every area they are currently accepted as config input,
so don't get used to them as such. See tickets 12898, etc.

Note in current consensus, there are about 1500 different good strict
FP only family lines, and 60 different bad essentially random lines to fix.
'^family( \$[0-9A-F]{40})+$'

Ticket 12799 will apply further needed sanity to fingerprints.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[I]

>> -Original Message-
>> From: noc@babylon.network
> 
>> Always watching my ass to be a good old .
> 
> Watching your arse or watching an ass are both odd things to do

Presuming that is North Amerca as winter is approaching it would be good to 
cover your ass.


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[I]

> -Original Message-
> From: noc@babylon.network

> Always watching my ass to be a good old .

Watching your arse or watching an ass are both odd things to do


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[I]

> To possibly simplify this a bit, consider that:

> *) It doesn't hurt anything if a node has itself listed in its own
> MyFamily.
> You can just use the same MyFamily string in all your configs.
> Roman

Would that unknown fact be the reason so many MyFamily sections are botched?

With changing fingerprints through updating or VPS problems it has been 
difficult to keep up-to-date MyFamily entries unique to each relay.
One list is much easier.

Robert


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[nusenu]

>> Always watching my ass to be a good old Tor operator, I got my
>> nodes on the list. Always fun to see how one time not updating all
>> your MyFamily's gets you marked for life xD
>> 
>> Time for some conf-updating.
> 
> To possibly simplify this a bit, consider that:
> 
> *) It doesn't hurt anything if a node has itself listed in its own
> MyFamily. You can just use the same MyFamily string in all your
> configs.
> 
> *) Give up on listing fingerprints, instead simply list nicknames.
> Any harm this can possibly cause, is largely hypothetical. So if that
> simplifies management for you, just go for it.

I would recommend to use fingerprints:

https://www.torproject.org/docs/tor-manual.html.en
> When listing a node, it’s better to list it by fingerprint than by
> nickname: fingerprints are more reliable.







signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Roman Mamedov]

On Tue, 27 Sep 2016 21:24:59 +0200
Tim Semeijn  wrote:

> Always watching my ass to be a good old Tor operator, I got my nodes on
> the list. Always fun to see how one time not updating all your
> MyFamily's gets you marked for life xD
> 
> Time for some conf-updating.

To possibly simplify this a bit, consider that:

*) It doesn't hurt anything if a node has itself listed in its own MyFamily.
You can just use the same MyFamily string in all your configs.

*) Give up on listing fingerprints, instead simply list nicknames. Any harm
this can possibly cause, is largely hypothetical. So if that simplifies
management for you, just go for it.

*) Over-listing is better than under-listing, so you can add ALL node nicknames
you currently use or plan to use soon, and don't worry about listing some which
are down at the moment, or not set up just yet.

-- 
With respect,
Roman


pgpondiy46qOK.pgp
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Tristan]

Sounds like CloudFlare's threat policy.

On Sep 27, 2016 2:36 PM, "Tim Semeijn"  wrote:

> Always watching my ass to be a good old Tor operator, I got my nodes on
> the list. Always fun to see how one time not updating all your
> MyFamily's gets you marked for life xD
>
> Time for some conf-updating.
>
> On 27/09/16 19:37, nusenu wrote:
> > pa...@web.de wrote:
> >> there is that list of "potentially_dangerous_relaygroups" you
> published.
> >> Could yo please emphasize a bit more on what brings a relay on that
> list, apart from incorrect given MyFamily which doesnt seem to be always
> the case.
> >> I mean I see quite a few well respected names on that list ?
> >
> >
> > to quote from https://github.com/ornetstats/stats
> > (1) "dangerous" in the sense that a tor client might has a chance to
> > use more than one of these relays in a single circuit
> > (2) these relays are aggregated based on contact information
> > (3) if their groupsize is bigger than their effective family size
> > and they are operated in more than one /16 network block they are listed
> > (4) this list might contain false-positives (contact information is
> > not authenticated)
> >
> > Does that answer your question?
> >
> > I probably should also filter entries where two out of guard_prob,
> > middle_prob and exit_prob are 0 since that means that (1) is never the
> > case - iff onionoo is right about these probabilities.
> >
> >
> >
> > ___
> > tor-relays mailing list
> > tor-relays@lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> >
>
> --
> Tim Semeijn
> Babylon Network
>
> PGP: 0x2A540FA5 / 3DF3 13FA 4B60 E48A E755 9663 B187 0310 2A54 0FA5
>
>
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[nusenu]

> Always watching my ass to be a good old Tor operator, I got my nodes on
> the list. Always fun to see how one time not updating all your
> MyFamily's gets you marked for life xD
> 
> Time for some conf-updating.

I wouldn't bother doing that manually.

I guess a good lazy operator automates all the things(tm).



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] "Potentially dangerous relay groups"

[Tim Semeijn]

Always watching my ass to be a good old Tor operator, I got my nodes on
the list. Always fun to see how one time not updating all your
MyFamily's gets you marked for life xD

Time for some conf-updating.

On 27/09/16 19:37, nusenu wrote:
> pa...@web.de wrote:
>> there is that list of "potentially_dangerous_relaygroups" you published.
>> Could yo please emphasize a bit more on what brings a relay on that list, 
>> apart from incorrect given MyFamily which doesnt seem to be always the case.
>> I mean I see quite a few well respected names on that list ?
> 
> 
> to quote from https://github.com/ornetstats/stats
> (1) "dangerous" in the sense that a tor client might has a chance to
> use more than one of these relays in a single circuit
> (2) these relays are aggregated based on contact information
> (3) if their groupsize is bigger than their effective family size
> and they are operated in more than one /16 network block they are listed
> (4) this list might contain false-positives (contact information is
> not authenticated)
> 
> Does that answer your question?
> 
> I probably should also filter entries where two out of guard_prob,
> middle_prob and exit_prob are 0 since that means that (1) is never the
> case - iff onionoo is right about these probabilities.
> 
> 
> 
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 

-- 
Tim Semeijn
Babylon Network

PGP: 0x2A540FA5 / 3DF3 13FA 4B60 E48A E755 9663 B187 0310 2A54 0FA5



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

[tor-relays] "Potentially dangerous relay groups"

[nusenu]

pa...@web.de wrote:
> there is that list of "potentially_dangerous_relaygroups" you published.
> Could yo please emphasize a bit more on what brings a relay on that list, 
> apart from incorrect given MyFamily which doesnt seem to be always the case.
> I mean I see quite a few well respected names on that list ?


to quote from https://github.com/ornetstats/stats
(1) "dangerous" in the sense that a tor client might has a chance to
use more than one of these relays in a single circuit
(2) these relays are aggregated based on contact information
(3) if their groupsize is bigger than their effective family size
and they are operated in more than one /16 network block they are listed
(4) this list might contain false-positives (contact information is
not authenticated)

Does that answer your question?

I probably should also filter entries where two out of guard_prob,
middle_prob and exit_prob are 0 since that means that (1) is never the
case - iff onionoo is right about these probabilities.



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays