Re: [tor-relays] UbuntuCore relays
Chad MILLER:
> I have assumed that 95% of users don't have public addresses or have port
> forwarding. It's a connectivity problem, I think.

Yes, understood. And >5k deployments without anyone(?) asking about why it does not work
is the crucial part that makes it odd (makes it look like bots).

> are these actual 6000 unique deployments? how are they counted?
>> are endpoints submitting a unique ID to the update endpoint for the
>> counter to work?
>> (or are these counters just based on counting unique source IPs hitting
>> the update endpoint? [within a day?])
>> do you have AS or country break downs for that number?
>>
>
> I think it's a count of update checks within a normal update-check window.

do you have the possibility to find out? (via authoritative documentation?)
It would be great to have some affirmative data.

any comment about this?

> maybe you could add a simple check for the existence of a file where the
> operator needs to add the ContactInfo
> and if it is not there the snap exits + adding that new requirement
> prominently
> to the snap documentation.
>
> Then we can observe how many
> - disappear?
> - get a ContactInfo?
> - get the same ContactInfo?
> - get a random ContactInfo?
> - get an actual working ContactInfo?

> I DO have country information. Attached. (I removed the countries with
> fewer than 3 in case that could be used to identify them.)

thanks for providing this data, interesting to see that
there are even instances in China trying to come online.

Do you have any other additional stats like hw architecture?
or even hw arch per country?

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] UbuntuCore relays
On Sat, Nov 24, 2018 at 5:10 PM nusenu wrote:

> Chad MILLER:
> > Downloads are anonymous, but the dashboard I have says it should be about
> > 6000 nodes wishing to join
>
> these are scary high numbers and the fact that no operator appears to be
> asking why any of
> these >5600 failing installations do not come online is making this even
> more odd-looking to me.
>

I have assumed that 95% of users don't have public addresses or have port
forwarding. It's a connectivity problem, I think.

are these actual 6000 unique deployments? how are they counted?
> are endpoints submitting a unique ID to the update endpoint for the
> counter to work?
> (or are these counters just based on counting unique source IPs hitting
> the update endpoint? [within a day?])
> do you have AS or country break downs for that number?
>

I think it's a count of update checks within a normal update-check window.

I DO have country information. Attached. (I removed the countries with
fewer than 3 in case that could be used to identify them.)

Countries greater than 100 are

613 Germany
539 France
530 United States
455 Russian Federation
373 Brazil
332 Italy
315 India
288 Spain
217 Iran, Islamic Republic of
172 United Kingdom
140 Mexico
131 Ukraine
125 Poland
119 Canada

Re: [tor-relays] UbuntuCore relays
Chad MILLER:
> If someone is spoofing them, then I reckon they are doing a good job
> updating them to match the (ever-increasing) revision number, now at
> 249-252.

I don't think anyone is "spoofing" the nickname behavior of your snap.
I think these are actual running snap installations.

> Downloads are anonymous, but the dashboard I have says it should be about
> 6000 nodes wishing to join

these are scary high numbers and the fact that no operator appears to be asking why any of
these >5600 failing installations do not come online is making this even more odd-looking to me.

are these actual 6000 unique deployments? how are they counted?
are endpoints submitting a unique ID to the update endpoint for the counter to work?
(or are these counters just based on counting unique source IPs hitting the update endpoint? [within a day?])
do you have AS or country break downs for that number?

> (though failed connectivity might remove some)
> and metrics.torproject.org says "at least 2000".

There are currently[1] 359 running relays with a nickname starting with "UbuntuCore"
(that is more than 0.5% of the tor network's consensus weight fraction).
That would be the 10th biggest tor relay operator if it were a single operator.

> If someone has an idea for a veracity experiment, contact me.

What would you like to verify with an experiment?

We were in contact about this before, but
maybe you could add a simple check for the existence of a file where the operator needs to add the ContactInfo
and if it is not there the snap exits + adding that new requirement prominently
to the snap documentation.

Then we can observe how many
- disappear?
- get a ContactInfo?
- get the same ContactInfo?
- get a random ContactInfo?
- get an actual working ContactInfo?

[1] onionoo data from 2018-11-24 23:00 UTC
[2] https://medium.com/@nusenu/is-this-a-ubuntu-based-botnet-deploying-tor-relays-and-bridges-b4ce1a612039

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

Re: [tor-relays] UbuntuCore relays
If someone is spoofing them, then I reckon they are doing a good job updating them to match the (ever-increasing) revision number, now at 249-252.

Downloads are anonymous, but the dashboard I have says it should be about 6000 nodes wishing to join (though failed connectivity might remove some) and metrics.torproject.org says "at least 2000".

If someone has an idea for a veracity experiment, contact me.

On Sat, Nov 24, 2018 at 3:32 PM nusenu wrote:

> Roger Dingledine wrote:
> > Btw, all of these UbuntuCore relays are from snap packages run by Tor
> > enthusiasts
>
> Do you indeed mean "all"? Since there have also been other hypotheses about
> at least some of these "UbuntuCore" relays in the past (see bad-relays ML
> archive from 2017-11-13),
> it would be great if you could elaborate on how you came to that
> conclusion.
>
> thanks,
> nusenu
>
>
> --
> https://twitter.com/nusenu_
> https://mastodon.social/@nusenu
>

--
Chad Miller  chad.org  gpg:a806deac30420066

Re: [tor-relays] UbuntuCore relays
On Sat, Nov 24, 2018 at 11:32:00PM +, nusenu wrote:
> Roger Dingledine wrote:
> > Btw, all of these UbuntuCore relays are from snap packages run by Tor
> > enthusiasts
>
> Do you indeed mean "all"? Since there have also been other hypotheses about
> at least some of these "UbuntuCore" relays in the past (see bad-relays ML
> archive from 2017-11-13),
> it would be great if you could elaborate on how you came to that conclusion.

All I've got is Chad's original mail:
https://lists.torproject.org/pipermail/tor-relays/2016-August/010046.html
where he describes his snap.

--Roger

[tor-relays] UbuntuCore relays
Roger Dingledine wrote:
> Btw, all of these UbuntuCore relays are from snap packages run by Tor
> enthusiasts

Do you indeed mean "all"? Since there have also been other hypotheses about
at least some of these "UbuntuCore" relays in the past (see bad-relays ML archive from 2017-11-13),
it would be great if you could elaborate on how you came to that conclusion.

thanks,
nusenu

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

Re: [tor-relays] UbuntuCore stats update
teor:
>> Chad MILLER:
>>> Torix, that's still true. Snaps restrict syscalls so tightly that switching
>>> users is not possible.
>>
>> Is it possible to start tor with a non-root user directly (without using
>> tor's user parameter to drop privileges)?
>
> Yes, but you must pre-configure tor's directories with the correct user
> and permissions. Tor has strict requirements for private key security.

Generally speaking tor supports it (FreeBSD does it) but my question
was more towards Chad's tor snap package.
Was your answer also for the snap?

thanks,
nusenu

--
https://mastodon.social/@nusenu
twitter: @nusenu_

Re: [tor-relays] UbuntuCore stats update
> On 11 Dec 2017, at 09:50, nusenu wrote:
>
> Chad MILLER:
>> Torix, that's still true. Snaps restrict syscalls so tightly that switching
>> users is not possible.
>
> Is it possible to start tor with a non-root user directly (without using
> tor's user parameter to drop privileges)?

Yes, but you must pre-configure tor's directories with the correct user
and permissions. Tor has strict requirements for private key security.

If this doesn't work, let us know: there have been bugs in this code in
the past.

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n

Re: [tor-relays] UbuntuCore stats update
Chad MILLER:
> Torix, that's still true. Snaps restrict syscalls so tightly that switching
> users is not possible.

Is it possible to start tor with a non-root user directly (without using
tor's user parameter to drop privileges)?

--
https://mastodon.social/@nusenu
twitter: @nusenu_

Re: [tor-relays] UbuntuCore stats update
Torix, that's still true. Snaps restrict syscalls so tightly that switching users is not possible.

- chad

On Tue, Dec 5, 2017 at 8:35 AM, Torix wrote:

> Dear Chad,
> The last I read from nusenu a few months ago was that you have tor
> running as root, which sort of wiped it off my radar. Is that still true?
> I do like your idea of democratizing tor relays so normal people can run
> them.
>
> TIA,
>
> --torix
>
>
> Sent with ProtonMail <https://protonmail.com> Secure Email.
>
> ---- Original Message
> Subject: [tor-relays] UbuntuCore stats update
> Local Time: December 4, 2017 10:18 PM
> UTC Time: December 5, 2017 3:18 AM
> From: c...@cornsilk.net
> To: tor-relays@lists.torproject.org
>
> Hi all. I generate* the packages that make up those UbuntuCore relays and
> bridges you hear about some time in here.
> I intended it to be a low-friction way normal joes can help Tor. There
> have been a good number of volunteers.
>
> The automatic-update system of Snap means the security update of a few
> days ago gives some population info through download stats.
>
> About 2200+ machines updated to last week's release. Almost all are amd64,
> though a few percent are i386 or armhf. I don't know of any arm64 yet.
> They're mostly desktops and servers. I see several new downloads every day.
>
> Judging from the new Atlas, about 800 have checked in to try to join
> the consensus, and a little more than 100 are active at any time.
>
> Some working details: The package has a kill-switch so that it no longer
> starts after a few months of staleness (if I'm ever hit by a bus). At first
> launch, Tor creates a key and the last two bits of the key determine the
> role of the instance, with a 1/4 chance of becoming an obfs4 bridge. The
> default bandwidth limit is a modest 4 megabits per second. Also by default,
> it tries to punch holes in NAT to make itself available for incoming
> connections, but I don't have a lot of confidence that is often successful.
>
> I remain on this list and am always happy to answer questions or
> suggestions.
>
> * http://bazaar.launchpad.net/~privacy-squad/+junk/tor-middle-relay-snap/files
>
> --
> Chad Miller  chad.org  gpg:a806deac30420066
>

--
Chad Miller  chad.org  gpg:a806deac30420066

Re: [tor-relays] UbuntuCore stats update
Dear Chad,

The last I read from nusenu a few months ago was that you have tor running as root, which sort of wiped it off my radar. Is that still true? I do like your idea of democratizing tor relays so normal people can run them.

TIA,

--torix

Sent with [ProtonMail](https://protonmail.com) Secure Email.

> Original Message
> Subject: [tor-relays] UbuntuCore stats update
> Local Time: December 4, 2017 10:18 PM
> UTC Time: December 5, 2017 3:18 AM
> From: c...@cornsilk.net
> To: tor-relays@lists.torproject.org
>
> Hi all. I generate* the packages that make up those UbuntuCore relays and
> bridges you hear about some time in here.
> I intended it to be a low-friction way normal joes can help Tor. There have
> been a good number of volunteers.
>
> The automatic-update system of Snap means the security update of a few days
> ago gives some population info through download stats.
>
> About 2200+ machines updated to last week's release. Almost all are amd64,
> though a few percent are i386 or armhf. I don't know of any arm64 yet.
> They're mostly desktops and servers. I see several new downloads every day.
>
> Judging from the new Atlas, about 800 have checked in to try to join the
> consensus, and a little more than 100 are active at any time.
>
> Some working details: The package has a kill-switch so that it no longer
> starts after a few months of staleness (if I'm ever hit by a bus). At first
> launch, Tor creates a key and the last two bits of the key determine the
> role of the instance, with a 1/4 chance of becoming an obfs4 bridge. The
> default bandwidth limit is a modest 4 megabits per second. Also by default,
> it tries to punch holes in NAT to make itself available for incoming
> connections, but I don't have a lot of confidence that is often successful.
>
> I remain on this list and am always happy to answer questions or suggestions.
>
> * http://bazaar.launchpad.net/~privacy-squad/+junk/tor-middle-relay-snap/files
>
> --
> Chad Miller  chad.org  gpg:a806deac30420066

[tor-relays] UbuntuCore stats update
Hi all. I generate* the packages that make up those UbuntuCore relays and bridges you hear about some time in here.
I intended it to be a low-friction way normal joes can help Tor. There have been a good number of volunteers.

The automatic-update system of Snap means the security update of a few days ago gives some population info through download stats.

About 2200+ machines updated to last week's release. Almost all are amd64, though a few percent are i386 or armhf. I don't know of any arm64 yet. They're mostly desktops and servers. I see several new downloads every day.

Judging from the new Atlas, about 800 have checked in to try to join the consensus, and a little more than 100 are active at any time.

Some working details: The package has a kill-switch so that it no longer starts after a few months of staleness (if I'm ever hit by a bus). At first launch, Tor creates a key and the last two bits of the key determine the role of the instance, with a 1/4 chance of becoming an obfs4 bridge. The default bandwidth limit is a modest 4 megabits per second. Also by default, it tries to punch holes in NAT to make itself available for incoming connections, but I don't have a lot of confidence that is often successful.

I remain on this list and am always happy to answer questions or suggestions.

* http://bazaar.launchpad.net/~privacy-squad/+junk/tor-middle-relay-snap/files

--
Chad Miller  chad.org  gpg:a806deac30420066

Re: [tor-relays] UbuntuCore (botnet?)
I am probably responsible for the existence of these UbuntuCore relays. I package something with this name, but I do not have a lot of insight into its users, who are anonymous.

I do have package download statistics, so I can tell you that on a new release, there are about 1700 downloads of those packages, with about 50 downloads each day normally. (They should start automatically and be updated automatically.)

I'll push out v 0.3.1.8-1 today or tomorrow, so you should see the nickname increment a bit (+4 or so).

-chad

On Mon, Oct 30, 2017 at 1:09 AM, nusenu wrote:

>
>
> Paul Templeton:
> > These nodes are popping up everywhere - is this some sort of malware
> being deployed on systems around the globe?
>
> I wrote about them in April 2017:
> https://medium.com/@nusenu/is-this-a-ubuntu-based-botnet-deploying-tor-relays-and-bridges-b4ce1a612039
>
> I assume they are not set up by humans.
>
> Since back then the overall CW fraction of these relays increased about
> x4 (currently 92 concurrently running relays).
>
> That is about position #69 on the list of biggest operators by CW fraction
> https://nusenu.github.io/OrNetStats/maincwfamilies
>
> --
> https://mastodon.social/@nusenu
> twitter: @nusenu_
>

--
Chad Miller  chad.org  gpg:a806deac30420066

Re: [tor-relays] UbuntuCore (botnet?)
Paul Templeton:
> These nodes are popping up everywhere - is this some sort of malware being
> deployed on systems around the globe?

I wrote about them in April 2017:
https://medium.com/@nusenu/is-this-a-ubuntu-based-botnet-deploying-tor-relays-and-bridges-b4ce1a612039

I assume they are not set up by humans.

Since back then the overall CW fraction of these relays increased about x4 (currently 92 concurrently running relays).

That is about position #69 on the list of biggest operators by CW fraction
https://nusenu.github.io/OrNetStats/maincwfamilies

--
https://mastodon.social/@nusenu
twitter: @nusenu_

Re: [tor-relays] UbuntuCore
On Mon, Oct 30, 2017 at 03:23:07AM +, Paul Templeton wrote:
> These nodes are popping up everywhere - is this some sort of malware being
> deployed on systems around the globe?

It is an Ubuntu snap package. See this thread:
https://lists.torproject.org/pipermail/tor-relays/2016-August/010046.html

--Roger

Re: [tor-relays] UbuntuCore
> These nodes are popping up everywhere - is this some sort of malware being
> deployed on systems around the globe?

Interesting. It does look like malware to me.

- all running Tor 0.3.1.7 on Linux
- diverse AS / IP allocation, mostly looks like ISP end-subscriber
- same exit policy (reject *:*)

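Added example, not part of any message in this thread: the traits listed in the reply above (one Tor version, one exit policy, many networks), together with the nickname-prefix count, consensus weight share and ContactInfo observations raised elsewhere in the thread, computed over relay records. The records are constructed sample data using field names from Onionoo details documents; the function names and thresholds are assumptions made for illustration.

```python
from collections import Counter

def _relay(nick, asn, cwf, contact=None, running=True,
           platform="Tor 0.3.1.7 on Linux", policy=("reject *:*",)):
    """Build one constructed record using Onionoo details field names."""
    return {"nickname": nick, "running": running, "as": asn,
            "platform": platform, "exit_policy": list(policy),
            "consensus_weight_fraction": cwf, "contact": contact}

# Constructed sample data, not real relays: AS numbers come from the
# documentation range and the contact addresses are placeholders.
SAMPLE_RELAYS = [
    _relay("UbuntuCore249", "AS64500", 0.0002),
    _relay("UbuntuCore250", "AS64501", 0.0003),
    _relay("UbuntuCore251", "AS64502", 0.0001, contact="ops@example.org"),
    _relay("UbuntuCore252", "AS64503", 0.0004, contact="ops@example.org"),
    _relay("UbuntuCore252", "AS64504", 0.0005, running=False),
    _relay("ExampleExit", "AS64505", 0.01, contact="noc@example.net",
           platform="Tor 0.3.1.8 on FreeBSD",
           policy=("accept *:443", "reject *:*")),
]

def tor_version(platform):
    """'Tor 0.3.1.7 on Linux' -> '0.3.1.7'; empty string if unparsable."""
    parts = (platform or "").split()
    return parts[1] if len(parts) >= 2 and parts[0] == "Tor" else ""

def profile(relays, prefix="UbuntuCore"):
    """Summarise the running relays whose nickname starts with `prefix`."""
    group = [r for r in relays
             if r.get("running") and (r.get("nickname") or "").startswith(prefix)]
    contacts = Counter((r.get("contact") or "").strip() for r in group)
    missing = contacts.pop("", 0)  # relays that publish no ContactInfo
    return {
        "count": len(group),
        "cw_fraction": sum(r.get("consensus_weight_fraction") or 0.0 for r in group),
        "versions": Counter(tor_version(r.get("platform")) for r in group),
        "exit_policies": Counter(tuple(r.get("exit_policy") or ()) for r in group),
        "distinct_as": len({r["as"] for r in group if r.get("as")}),
        "contact_missing": missing,
        "contact_shared": {c: n for c, n in contacts.items() if n > 1},
        "contact_unique": sum(1 for n in contacts.values() if n == 1),
    }

def looks_templated(p, min_relays=3, min_as_ratio=0.8):
    """True when the group shows the traits listed above: one Tor version,
    one exit policy, spread over many networks. Thresholds are assumptions."""
    return (p["count"] >= min_relays
            and len(p["versions"]) == 1
            and len(p["exit_policies"]) == 1
            and p["distinct_as"] >= min_as_ratio * p["count"])

if __name__ == "__main__":
    for key, value in profile(SAMPLE_RELAYS).items():
        print(f"{key}: {value}")
```

A uniform profile is equally what a popular auto-updating package produces, so the result says "same template", not "same operator"; the ContactInfo buckets are what would change if the package started requiring that field.
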
[tor-relays] UbuntuCore
These nodes are popping up everywhere - is this some sort of malware being deployed on systems around the globe?

Paul