[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: relay tidbits...





On Mon, Jun 2, 2008 at 11:23 AM, Kyle Williams <kyle.kwilliams@xxxxxxxxx> wrote:


On Sun, Jun 1, 2008 at 4:44 PM, <phobos@xxxxxxxxxxxxx> wrote:
On Sun, Jun 01, 2008 at 11:49:09PM +0100, luser456@xxxxxxxxxxxxxx wrote 1.2K bytes in 29 lines about:
> another reason is to provide a list of POP accounts (pop server IP and
> username, no password is captured) being accessed via tor, just in case
> any admins/users of these servers/accounts find it odd that they are
> being accessed over tor.

If in the United States,
https://www.torproject.org/eff/tor-legal-faq.html.en#ExitSnooping
pertains to you.

"Should I snoop on the plaintext that exits through my Tor relay?

No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your node. However, Tor relay operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications, while non-U.S. operators may be subject to similar laws. Do not examine the contents of anyone's communications without first talking to a lawyer.

"

I just read that again, and I feel I must say a few words about this.

First off, the facts.  Anyone who willing and knowingly sends their traffic to some random routers on the Internet (encrypted traffic or not) just waived their right to privacy. It is assumed that their traffic is protected by encryption, which brings back their privacy, but even that (Debian SSL bug) can come into question.  However, (s)he who uses Tor is still *INTENTIONALLY* sending what would be private to you and/or your ISP out to second and third parties.  To expect privacy when you are doing this is retarded, unless everything you do is using SSL (again, not Debian's derivative of SSL).  The best you are going to get is anonymity, but you gain anonymity by throwing away your privacy (in most cases, not all though). 

Second, I as a 'service provider', whether free to the public or not, do have the right to monitor what my service is being (ab)used for.  By sharing my bandwidth, which I pay for (NOT YOU), I have the right to say what is allowed and what is blocked.  As a Tor exit node, I get to choose which services (by port) I want to support.  As a service provider (in the USA), I have the right to watch *EVERYTHING* that goes through my service.  AT&T has done this, Comcast is hiring right now for people to do this, and the list goes on and on.  Where AT&T should be getting in trouble is they gave the information to second and third parties, but I'm not going into that here.  The point is, as a service provider, you have the right to monitor your services to make sure that they are not being abused or used for anything which might be illegal. 

As for monitoring and logging my traffic, I have that right.  Now if I distribute those logs to other parties, then I should be in trouble.
Here is a very real example that has happened in Germany. 
If someone used my node to make a bomb threat to local police, and the police come to my house to take my computers, a couple of things could happen.  But this is one possible take. 
If I told them "Wait a minute, I run this great anonymity software called Tor to help support people in oppressed countries, but I also logged everything just incase something like this happened.  Since I like you guys (the cops) so much, I'll give you guys full copies of my logs that I have been keeping record of since I started my node.  You do have a search warrent, right?"  I'm willing to bet that the (stupid) cops would be elated by your cooperation, not threatening to throw you in jail.  As it seems to be with all the data retention laws going into affect around the world, they would be very happy to have such a detailed level of co-operation. 

So to tell people that it "can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications" is a load of crap, in my opinion.  The disclosure part is the only place I see that would be crossing the line that would probably get you in trouble.

After last years PoC at DefCon and talking with the EFF and FBI about it, I have a much different take on this.  The EFF attorney's were thinking worst case scenario, but the FBI agents laughed and basically said "be careful".
I'm not in jail, nor was I ever arrested.  But at the same time, I didn't exposed people/groups/agencies/etc either.

However the following weekend my house was broken into and someone obviously was looking for something I no longer had, but that's another story for another time.  (If that person(s) ever reads this, thanks for not breaking all my stuff and leaving everything in more or less the way you found it, minus your obvious calling card, which was kinda creepy and cool at the same time.)

- Kyle

And just for the record, I choose not to run a Tor exit node because I have seen first hand what types of filth it was being used for, and I don't support that shit.
Seriously about %25 percent of my HTTP traffic was for porn...kiddy porn at that....so I said "fuck that" and shut down my node a long, long time ago.

- Kyle