Re: eliminating bogus port 43 exits

To: or-talk@xxxxxxxxxxxxx

Subject: Re: eliminating bogus port 43 exits

From: Kyle Williams <kyle.kwilliams@xxxxxxxxx>

Date: Fri, 12 Jun 2009 15:51:25 -0700

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Fri, 12 Jun 2009 18:51:27 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type; bh=htbdCsg4tWr4PhYSwBuiBR3Ea/LAu77sYWV7uL34whc=; b=WtOKfoBovs1KvvKBQffYSQU/YH/FpU2V3btxohkDalJrOscQTPaMkPdxxvlb5XBozm 01LqE+g0ROFVnXMtXRbx7WJkfKzoZUQSgM55jSGgmE3g6GmIUfPPKVmqBMr9TFk9qx8I gzFhEC+c1UeeOQ0IIRpPG5vvucyhFMiczTL2A=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=FeqcWqXZjYK989t+W2G9hvEKr1gkCfwOUabcrkgqI6eIIoghMxotmBuTQMKATyV96a 9oEIzW4ymvHHm75cFZd81isUDLKHf3QBz6fpgjtEDTfm9eGcR8sdHZRvtUIduUXYsdhs OdntP6M0qitRyhznuGuHQzPIeO2sX5hTSChQk=

In-reply-to: <4A32D67F.1040707@xxxxxxxxxxxxxx>

References: <200906120729.n5C7Tg1c026281@xxxxxxxxxxxxx> <4A32420F.1050509@xxxxxxxxxxx> <d2e731a10906121224p17f8f52dtdf8032443b36ebb@xxxxxxxxxxxxxx> <4A32D67F.1040707@xxxxxxxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

On Fri, Jun 12, 2009 at 3:28 PM, Andrew Lewman <andrew@xxxxxxxxxxxxxx> wrote:

grarpamp wrote:
> 3 - Further, there needs to be an understanding of what the traffic
> ACTUALLY IS. Operators should be using tools such as wireshark,
> tcpdump, bro, etc to determine the content. And if it turns out to
> be encrypted to destinations and services unknown, NO such determination
> can be made. The only thing left to go on is impact as in #2 above.

I wasn't going to comment on this thread in general because I have
nothing new to add to the conversation.

However, I feel compelled to mention this #3 is possibly very bad advice
for those in the USA. Our Legal FAQ clearly states this is probably
illegal; https://www.torproject.org/eff/tor-legal-faq.html.en#ExitSnooping.

Until such a case determines it legal or not, some very savvy lawyers
recommend against doing exactly what you suggest. If your lawyer
suggests otherwise, we're happy to talk to them.

"Should I snoop on the plaintext that exits through my Tor relay?

No. You may be technically capable of modifying the Tor source code or
installing additional software to monitor or log plaintext that exits
your node. However, Tor relay operators in the U.S. can create legal and
possibly even criminal liability for themselves under state or federal
wiretap laws if they affirmatively monitor, log, or disclose Tor users'
communications, while non-U.S. operators may be subject to similar laws.
Do not examine the contents of anyone's communications without first
talking to a lawyer."

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject

I think "snooping" and "statistical information" should be treated differently. Take Scott's case here. He is making a claim that by using the exit policy outlined above, it would reduce the amount of traffic on tor by 70% or whatever. What I would like to see proof of is that the IP addresses that are now being blocked are NOT running a WHOIS services. How do we know for sure that they are not in fact a valid WHOIS service?

So, Andrew, would running 'iptraf' on a exit node to see the amount of bandwidth that is being used or what IP/ports are being connected be considered "wire tapping"?

I'm not trying to start an argument, I'm just trying to figure out how a researcher can do his/her work, get real answers, without crossing the line of "wire tapping". That's all.

Best regards,

Kyle