Re: Filtering traffic from your node - for exit points

["Kyle Williams" <kyle.kwilliams@xxxxxxxxx>]

On 9/10/07, phobos@xxxxxxxxxx <phobos@xxxxxxxxxx> wrote:

On Mon, Sep 10, 2007 at 04:43:17PM -0700, torified00@xxxxxxxxx wrote 16K bytes in 169 lines about:
: Up to now I thought it was impossible to filter out what tor users do from our tor exit nodes. A little experimentation later I've found a way how to limit what users can or cannot do. Please do check if filtering content is legal according to the laws of your country. Personally I have decided that I'd rather be investigated because of filtering illegal materials than to be investigated because I was helping a criminal. Do whatever you wish with the information provided. You may not like the filtering - but every exitpoint operator can decide for himself what he wants to do.

I am not a lawyer, but I believe by doing this you're actually opening
yourself up to more liability than you'll ever correct.
https://tor.eff.org/eff/tor-legal-faq.html.en#ExitSnooping is
effectively what you're doing.

This topic has been visited, re-visited, and most recently,
re-re-visited.  http://archives.seul.org/or/talk/Mar-2007/msg00082.html
is the latest round of visits.

--
Andrew

I spoke with several attorneys and a couple of FBI agents at DefCon this year about this.  I'll try and summerize what I was told.  Keep in mind, this is in the US.  It may vary in your country or state.

As a Tor node operator, you are providing a free "service".  As a "service" provider, you are entitled to monitor your traffic for suspicious activity, bandwidth usage, and/or attacks against you or your "customers" (Tor users).  Basically you get some of the rights, if not all, that an ISP does since you are providing a free internet "service".  Just because it's free to everyone else doesn't make it less of a internet service; in fact, if you are paying for your connection to your ISP (which everyone is) then upi have a "invested interest".  Most people want to, and have the right to know what is going on with their investments.

"Monitoring" traffic that comes in or out of your connection can consist of many things.  
If you are a "monitoring" bandwidth usage, packets are still being looked at, but only the size and total number of packets in a given period is what is being "monitored".  
There is Intrusion Detection Systems, or IDS, that does packet inspection to "monitor" if there is malicious content in the packet/s.  In this case, the entire packet is being looked over by a piece of software for anything it might consider malicious.

I put it this way to the FBI agents I spoke with (who were really cool btw).  I told them that I operated a Tor exit node and I used iptraf and driftnet to monitor what my connection was being used for.  (They just grinned when I said this.)  I asked them if this was wrong or illegal of me to do.  They said no, and that I have rights (mentioned above) as a "service" provider to protect my "invested" interest. 

Because there was so much porn, nasty porn at that, I decided to shutdown my exit node.  I for one welcome the idea of filtering out porn on my exit node.  I'm paying for my connection, not Tor users, so as far as I am concerned, I have the right to say what goes into and out of my node.  IF you disagree, then take a look at your torrc file, and if you are blocking ANY port and not allowing ALL traffic to leave your node, then you too are filtering traffic.

So really, what's the difference between blocking websites and blocking ports?  
Nothing, they both are considered filtering.