[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Tor bug?: AllowInvalidNodes

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Tor bug?: AllowInvalidNodes
From: crackedactor@xxxxxxxxxxx
Date: Thu Aug 17 17:27:27 2006
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Thu, 17 Aug 2006 12:27:40 -0400
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

----- Original Message ----- 

> On Wed, Aug 16, 2006 at 08:59:12PM +0000, crackedactor@xxxxxxxxxxx wrote:
> >
> > On Wed, Aug 16, 2006  Nick Mathewson wrote:
>  [...]
> > >It works. It just doesn't mean what you thought.
> >
> > You obviously didnt read Arrakistor 16 August 2006 00:44 Tor bug?:
> AllowInvalidNodes
> >
> > who wrote
> >
> > "Roger, Nick, et al,
> >
> > Tor *.23
> >
> > AllowInvalidNodes  seems  to  having a problem.  We've  tried a few
> versions,
> > including the deprecated AllowUnverifiedNodes to no avail. However the
> > exit node of the circuit is still often invalid according to
> > http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1
> 
> See Roger's message, which you quote below:
> 
>    > The exit.pl script that Geoff wrote and runs on Serifos uses the
>    > phrase "not a valid Tor server" to mean "not a Tor server as far
>    > as I know".
> 
> This is the serifos script that Roger is talking about.  It lists IP
> addresses as "invalid" if they are not the IP of a tor server it
> knows.  Some "valid" (according to the directory authorities) Tor
> servers exit on IPs that are not the same as the IP they listen on.
> This means that the IP they exit on will not appear on serifos's list
> of valid nodes.
>

Ok thats clear, thankyou.

> 
>  [...]
> > >> Now I find out that it was never intended to work and that it was
> > >> never an  "AllowUnverifiedNodes" replacement.
> > >
> > >Sure it was.  "Unverified" and "Invalid" are the same concept:
> > >'attested to as likely to be okay by the directory server.'  The only
> > >that has changed is the name.
> > >
> >
> > Did you read Roger Dingledine 16 Aug 2006 13:42:17 -0400   Re: Tor bug?:
> AllowInvalidNodes
> >
> > who wrote (short version):
> >
> > "The fundamental confusion here is that the word 'invalid' means many
> > things to many people, but it means pretty much nothing to Tor. The
> > exit.pl script that Geoff wrote and runs on Serifos uses the phrase "not
> > a valid Tor server" to mean "not a Tor server as far as I know". The
> > word "valid" with respect to the AllowInvalidNodes config option is
> > simply defined as "not manually designed by the directory authorities
> > as invalid".
> >
> > "
> >
> > Are you argueing with this definition of INVALID as opposed to the
> > original "Unverified" definition? Or are you now informing us that
> > for some whole now the term "unverified" has always mbeen
> > meaningless? if so for how long has this been so?)
> 
> Hm?  No, they both meant "attested to as likely to be ok".  In the old
> days, directory authorities attested to servers as ok when they admins
> told them to, and the admins told them to as they got mail claiming to
> be from server admins.  We thought that this was a bad idea and
> created a false sense of security.  Now, directory authorities attest
> to servers as ok when the servers seem to be running, and the admins
> have not told them to consider the servers suspicious.
> 

OK currently what Mr Dingledine is saying is that INVALID "means pretty much nothing to Tor".

The problem is when I started as a Tor op (2 or 3 years back) I remember (possibly the eff Tor site) seeing blurb about the "verified" operators. Even today for the new term invalid the eff site reads as follows:

"AllowInvalidNodes entry|exit|middle|introduction|rendezvous|... 
Allow routers that the dirserver operators consider invalid (not trustworthy or otherwise not working right) in only these positions in your circuits. The default is "middle,rendezvous", and other choices are not advised." 
I think most of us would read the word TRUSTWORTHY as implying some sort of security/verification.

I wonder how many like me assumed that this at least meant registering our server's nic. 

And surely, if you did change the meaning of verified/valid then there was a duty upon those who made this change to ensure that  tor users and operators were informed with something approaching "A VERY IMPORTANT ANNOUNCEMENT",  prominantly displayed, if neccessary, on the eff site.

>
> The version 2 directory specification came into use during the Tor
> 0.1.1.x series, says:
> 
>     "Valid" -- a router is 'Valid' if it seems to have been running
>     well for a while, and is running a version of Tor not known to be
>     broken, and the directory authority has not blacklisted it as
>     suspicious.
> 

Well the "verified" version statement was still in my torcc file, so I suppose you could say updates fail to update the torrcc file and so fail to alert the user of the change. What you seem to be saying is that when we upgrade we all have to be terribly aware of "unannouncedchanges"  and have to read the tor specification for each update. Thats a huge amount of work.

Hardly what you would call user informative, safe and user friendly approach to software distribution.

Once again this smacks of trying to hide (sweep under the carpet) an issue that users should have been informed about. 

>  [...]
> > >Because "Verified" was a stupid name.  It implied that we had a good
> > >way to go out and tell whether a node's operator was honest, upright,
> > >and competent, and whether the node was physically secure and
> > >non-eavesdropped.
> > >
> > It implied you at least knew who they said they were (not that you
> > knew they were what they said).
> 
> Though that's what it meant in practice, that's not the interpretation
> of "verified" that I'd have made.  Moreover, it's not IMO a useful
> property to have.  Knowing who the adversary claims to be is only
> effective against an adversary who can't or won't lie about who they
> are.
> 

But it was better than NOTHING.

Today you have absolutely NO safeguards whatsoever. ANY country can flood their tor entry/exit server lists with high bandwidth snoops which will guarantee tor is pretty much useless. But the users will never be alerted to that fact and believe they are protected. No attempt is now being made to disadvantage these snoops, even by a simple registration process.  

And it would appear you dont care either, which is odd (??) considering you are making claims of having:

"
Tor: An anonymous Internet communication system
" 

  [...]
> > >If you know a way to do this, please let us know.  We're all ears.
> > >Please keep in mind that we haven't got much cash to do this with, and
> > >what cash we do have, we'd rather spend on rent and food and)
> > >developing Tor.
> >
> > You poor penniless, overworked person. Why dont you ask all the
> > VERIFIED TOR operators to VERIFY the new TOR operators, within say
> > 50-100miles (100-200km) of them (or closest one).
> >
> > I'll do 100mile radius (UK) of Portsmouth UK - but only if you "veryify"
> me.
> 
> It's not a bad idea.  Time permitting, a web-of-trust kind of system
> might be neat to do.  Of course, we'd need think about what effect
> this will have on route-based partitioning, and on possibly
> discouraging operators from running servers if they need to meet other
> operators face-to-face to do so.  And how hard is it really to foil a
> face-to-face meeting?  These are neat questions.
>

Well of course there's an old trueism - "Where there's a WILL there's a WAY".

Now if you want someone to draft a document for such a system then you need to ask people - but you dont ask that one do you?

Instead you tell then to branch the software. Why do that?


> 
> (Please forgive us if someday we eventually start doing this, and pick
> trust seeds in the UK from among people we already know and trust.
> I'm sure you would do the same.)
>

Oh.. a schoolboy snub.. grow up will you darling.

 "I'm not playing with you" / "You cant join my gang" games are inappropriate in software development/engineering. Do you do this for a living?

Please foregive me (us ?? - no ! - I've only one personality) for saying that.

> 
> > >[...]
> > >> If some "unverifiednode" exit server adversary has set themselves up
> > >> in business of monitoring TOR users then isnt it because
> > >> "AllowUnverifiedNodes" was removed (effectively).
> > >
> > >Right, you're confirming that we were right to change "Verified" to
> > >"Valid".  Apparently, you *did* think that "verified" was a magicial
> > >stamp of good intentions.
> > >
> > Well darling that is what it said... no?
> 
> Sorry, I don't think it ever said it was a magical stamp of good
> intentions.  If we said that, that was a stupid thing for us to say,
> and I'm glad we changed it.
> 
OK I've already made it clear above.

> > >[...]
> > >> Personally, I think its irrelevant today, that at one time persons
> > >> had to be known personally to run a verified server. Quaint but
> > >> irrelevant. But hey, I dont mind having someone round to my place
> > >> from the UK to verify me. Why not have 3 levels of security - level
> > >> 2 - Registered - just what we have now. Level 1 - Verified - visit
> > >> their setup. Level 3 - unregistered & unverified. And give us a
> > >> config statement to use these levels or not.
> > >
> > >Dude, we're not going to impose a worldwide server auditing system.
> > >We're not going to visit server operators' houses.   Even if it did,
> > >what would it prove?  Any organization could set up servers in a bunch
> > >of its members' houses.  Are we supposed to do background checks?
> > >
> > Chikita, you really must put your thinking cap on and stop ignoring
> > the obvious. I said..
> 
> ITYM "chiquita", but I am not a little girl.
> 

Upset..? Well dont use personal epithets in future then. I meant what I wrote darling dont be so presumptious. Why not look at Peter Palfraders list of ops, or did you do that already? 

>
> > Level 2 - registered - eg those that register their server name,
> > provide their real name and address. Do a web credit check - simple
> > and cheap. Get them to donate a COUPLE OF DOLLARS FOR THAT. Just
> > send them a registration code in the post to their credit card
> > address - the one they donated with and the address they gave for
> > it. Of course they can still forge this - but would they? With lots
> > of servers?
> >
> > Level 1 - verified - eg a visit from a VERIFIED operator after
> > provision (copies) of household bills, local tax statement, or
> > identification of company or org if an org, isp verification. Once
> > again, of course they can still forge this darling - but would they?
> > With lots of servers?
> >
> > You could even sub-level the Levels with a safety value.
> 
> Wow.  In my opinion, this would be tons of effort, would not pay for
> itself, would turn operators away, would create a risk of information
> leakage leading to identity theft, and would still be easy for
> governments and nefarious organizations to subvert.  (Your security
> model above seems based on the idea that the attacker can do things,
> but wouldn't think it was worth the resources.  I worry that the
> resource cost on server operators would also discourage them from
> running good nodes.)
> 
> I realize that I could be wrong here; I'm just pointing out that this
> is not a trivial idea, and it's not an obviously unalloyed win.
>

Well of course you are wrong and it doesnt take a mathmatician to tell you that if you cant afford a condom (sheath/rubber) then a bit of cling film is better than nothing.

> 
> > >> On a related issue, I have attempted to the "ExcludeNodes" config
> > >> and it doesnt seem to work. I am sure that of the dozens of nodes
> > >> I've tried to exclude (and failed to exclude - test only) ALL of
> > >> them cannot be my "guard" nodes. Ok this might only be winOS,
> > >> perhaps everyone should check it out for themselves. Just to be
> > >> sure. I've noticed others have seen similar. Re-check.
> > >
> > >ExcludeNodes *is* supposed to work.  If it doesn't, submit a bug
> > >report.  Warning! You will need to describe *exactly* what you did,
> > >and *exactly* what Tor did in response.  Logs will help. This is too
> > >hard for many people.
> >
> > Well hey thankyou for the advice. Without Vidalia working on Win2k
> > i'm stuffed, buit then you knew that didnt you.
> 
> No, I'm afraid I didn't know that; I genuinely would like this feature
> to work.  If vidalia isn't working for you, you could possibly try
> editing your torrc?  No pressure; I don't mean for this to be any kind
> of accusation or anything.  Just... if you want us to fix something
> that seems to work for us, we need information on how it's broken.
> 

Amazing isnt it... one moment you' re an expert, the next your a dummy..all very convenient.

I tell you I tested this out (implying, obviously even to the intellectualy challenged, that I edited my torcc file - without vidalia!) and you just get it all wrong. Did you say this on purpose, out of spite, just to humiliate me (are you freemor?)? or are you serious?

If you are serious then I'm afraid for the future of the whole Tor concept.

Here's how it looks from the users point of view... here's a man (I take it you are male - from your name) who has loads to write on reasons for doing nothing or explaining why some protection was taken out. To the point of being darn right rude.

And yet he cant follow or come up with any ideas himself to combat or make it more tortuous for an adversary to perform a blantant flood snooping attack on the Tor network.

And when someone suggests any strategy he just is full of ideas for why that wont work.



Are you beginning to get a handle on the problem ?.. because, IMO, its not a million miles away from where you are sitting.



Now everyone out here knows just how good this Tor network could be.. it just needs a few tweaks to make it so. But for some reason there's enormous enertia to make this happen. Indeed, at the moment, it looks like it might be getting less safe.

I'm giving it to you straight. I'm not one of your sycophant types who'll rustle you up a sick note even when you dead wrong.

>
> > >frustratedly yrs,
> >
> > I believe you. Its always frustrating when people start asking
> > questions about subjects you would really like swept under the
> > carpet and forgotten.
> >
> > Just remember to answer them with politeness and integrity. And you
> > wont go far wrong. If not you might be mistaken for a dictatorial
> > pleb with an axe to grind.
> 
> My apologies for my unprovoked rudeness.  I like to think of free
> software as a darwinian meritocracy rather than a dictatorship, and
> would certainly hope that if Roger and I do a bad job as developers,
> the community will realize this, try to talk us info doing something
> sensible, fork Tor if we don't, and stop us from harming the world any
> further.
>

Well thats a marginally better approach, even if it is laced with poison.

And please refrain from advising us that you want to hear our opinions when its plain to see you'd prefer us to shut up unless we've got something nice to say about you or what you say. Images of a dictator surrounded by sycophants.

"Sorry", would have been enough, long winded expressions of "good" intention when not backed by action dont cut any ice with most people.

And really stop telling people to fork the code if they want - its really tiresome to see devs brandishing this like a gun. Of course you dont want the code forked, you just want to shut people up.

> 
> But seriously, we're trying to do our best here.
> 

Is that what you call your best ? .. to do what exactly?  No.. dont answer that, I am sure you have your reasons.

If you are serious just try keep out of the "denial" zone in future, mind your manners and dont play smart-ass games (because from the way I see it you are not bright enough to realise how dangerous such games can be - so take my advice - dont play with fire - sorry if this offends you but I'm sure you'll understand you had it coming after all you got up to).


Essentially, stop trying to win your arguement and then you wont have to keep on trying to put other authors down.

Dont:

Take what they've said out of context.
Pick on a trivial matter on the fringe of the subject and add this to the argument just win a point.
Make facetious/be-littleing/trivial remarks or play such games.
Address someone, you dont know personally, with personal epithets.
Attempt to move the arguement to safer ground away from the subject currently under discussion.
Discard items which you concede on before you have formally conceded the point (or at least ended the discussion of the point with an agree to differ).
Make use of personal information on someone on an open forum that you might be in a position of trust and privy to.
Preach standards/ideals you obviously dont keep - its insulting to your audience


Do:

Keep to the point and respect the other author.
Attempt to find common ground as a basis for further discussion - dont just stonewall people
Appologise/accept your mistakes or the correctness of others.
Make helpful suggestions
Take the subject to another forum for further discussion if need be. 


--------------
This is what I can remember from your posts to or-talk, to be honest I stopped reading most of your posts just a couple of months after I joined or-talk because of the manner of some of your replies to some people. 
 -------------


That my last on this - I wont reply anymore - if you want to, then open up a personal dialog for the personal stuff.

If you want to go forward with suggestions to put some "registration" and/or "verification" back into Tor then please do so, on or-talk or otherwise, otherwise I'll chalk it down to another wasted of effort, a lost cause.

I might just do that fork after all. Is there anyone out there who is up for a fork? Any devs? Any servers?.

Proposals for the fork...


Bring back - 

Level 1. Verification. - Personal visit to server with verification of isp/org

Add -

Level 2. Registration - Web page based registration, Nic, contact email, server id, proposed services desc, actual name and address verified by web page credit/debit card transaction. It'll cost you a dollar or two but that its.

Retain -

Level 3. Validation - as is - anyone who can muster a server

Retain - 

Level 4. - the rest


Would also be looking at adding:

1. User (client) configured and random varying path length - suck it and see basis - adding one node path freedom at a time. 

2. By country exit entry middle node exclude/include specification switch.

3. User friendly urls for Tor internal websites.

4. Free external (slowest) gateway nodes (no client required) into Torland. (hw.xxxxxxxx.tor)

5. Multi-level performance for tor servers. 

Other possibles: include packet random size padding node to node, random packet transit delay/position node to node, random packet multiplexing (between big pipe nodes only).

Long term might look at adding ENTROPY (the network) feature/plugin of fully distributed websites and services to Torland. 



 OK I EXPECT FLACK - fire away.. do your worst.. but keep this separate from comments to my original reply (above) please, thanks. This post is far too long already. 

 
>
> yrs,
> -- 
> Nick Mathewson
> 

-- 
Message sent with Supanet E-mail

Signup to supanet at https://signup.supanet.com/cgi-bin/signup?_origin=sigwebmail
Follow-Ups:
- Re: Tor bug?: AllowInvalidNodes
  - From: eric.jung
- Re: Tor bug?: AllowInvalidNodes
  - From: Fabian Keil
- Re: Tor bug?: AllowInvalidNodes
  - From: Roger Dingledine
- Re: Tor bug?: AllowInvalidNodes
  - From: Wesley Pegden
Prev by Author: Tor bug?: AllowInvalidNodes
Next by Author: Cavalry to the rescue
Previous by thread: Re: Tor bug?: AllowInvalidNodes
Next by thread: Re: Tor bug?: AllowInvalidNodes
Index(es):
- Author
- Thread