
Re: Tor bug?: AllowInvalidNodes



Guys, I've set up another mailing list where future tor complaints from unhelpful/ungrateful users should go. All messages full of indignation and presumption aimed at the people who have volunteered long hours for the tor project should be sent to kickme@xxxxxxxxxxxxxxxxxx. The server (alias: MAILER-DAEMON) will respond with a message subject "Undelivered Mail Returned to Sender", which will confirm receipt and transmission of your message. This will ensure that your conceit will be most efficiently disseminated to the widest possible audience interested in reading your demands of the tor devs.

-Wes







crackedactor@xxxxxxxxxxx wrote:
----- Original Message -----

On Wed, Aug 16, 2006 at 08:59:12PM +0000, crackedactor@xxxxxxxxxxx wrote:
On Wed, Aug 16, 2006 Nick Mathewson wrote:
[...]
It works. It just doesn't mean what you thought.
You obviously didn't read Arrakistor 16 August 2006 00:44 Tor bug?:
AllowInvalidNodes
who wrote

"Roger, Nick, et al,

Tor *.23

AllowInvalidNodes seems to be having a problem. We've tried a few
versions,
including the deprecated AllowUnverifiedNodes to no avail. However the
exit node of the circuit is still often invalid according to
http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1
See Roger's message, which you quote below:

   > The exit.pl script that Geoff wrote and runs on Serifos uses the
   > phrase "not a valid Tor server" to mean "not a Tor server as far
   > as I know".

This is the serifos script that Roger is talking about.  It lists IP
addresses as "invalid" if they are not the IP of a tor server it
knows.  Some "valid" (according to the directory authorities) Tor
servers exit on IPs that are not the same as the IP they listen on.
This means that the IP they exit on will not appear on serifos's list
of valid nodes.


OK, that's clear, thank you.

[...]
Now I find out that it was never intended to work and that it was
never an "AllowUnverifiedNodes" replacement.
Sure it was.  "Unverified" and "Invalid" are the same concept:
'attested to as likely to be okay by the directory server.'  The only
thing that has changed is the name.

Did you read Roger Dingledine 16 Aug 2006 13:42:17 -0400 Re: Tor bug?:
AllowInvalidNodes
who wrote (short version):

"The fundamental confusion here is that the word 'invalid' means many
things to many people, but it means pretty much nothing to Tor. The
exit.pl script that Geoff wrote and runs on Serifos uses the phrase "not
a valid Tor server" to mean "not a Tor server as far as I know". The
word "valid" with respect to the AllowInvalidNodes config option is
simply defined as "not manually designed by the directory authorities
as invalid".

"

Are you arguing with this definition of INVALID as opposed to the
original "Unverified" definition? Or are you now informing us that
for some while now the term "unverified" has always been
meaningless? If so, for how long has this been so?
Hm?  No, they both meant "attested to as likely to be ok".  In the old
days, directory authorities attested to servers as ok when their admins
told them to, and the admins told them to as they got mail claiming to
be from server admins.  We thought that this was a bad idea and
created a false sense of security.  Now, directory authorities attest
to servers as ok when the servers seem to be running, and the admins
have not told them to consider the servers suspicious.


OK currently what Mr Dingledine is saying is that INVALID "means pretty much nothing to Tor".

The problem is when I started as a Tor op (2 or 3 years back) I remember (possibly the eff Tor site) seeing blurb about the "verified" operators. Even today for the new term invalid the eff site reads as follows:

"AllowInvalidNodes entry|exit|middle|introduction|rendezvous|... Allow routers that the dirserver operators consider invalid (not trustworthy or otherwise not working right) in only these positions in your circuits. The default is "middle,rendezvous", and other choices are not advised." I think most of us would read the word TRUSTWORTHY as implying some sort of security/verification.

I wonder how many like me assumed that this at least meant registering our server's nic.

And surely, if you did change the meaning of verified/valid then there was a duty upon those who made this change to ensure that tor users and operators were informed with something approaching "A VERY IMPORTANT ANNOUNCEMENT", prominently displayed, if necessary, on the eff site.

The version 2 directory specification, which came into use during the Tor
0.1.1.x series, says:

    "Valid" -- a router is 'Valid' if it seems to have been running
    well for a while, and is running a version of Tor not known to be
    broken, and the directory authority has not blacklisted it as
    suspicious.


Well the "verified" version statement was still in my torrc file, so I suppose you could say updates fail to update the torrc file and so fail to alert the user of the change. What you seem to be saying is that when we upgrade we all have to be terribly aware of "unannounced changes" and have to read the tor specification for each update. That's a huge amount of work.

Hardly what you would call a user informative, safe and user friendly approach to software distribution.

Once again this smacks of trying to hide (sweep under the carpet) an issue that users should have been informed about.

[...]
Because "Verified" was a stupid name.  It implied that we had a good
way to go out and tell whether a node's operator was honest, upright,
and competent, and whether the node was physically secure and
non-eavesdropped.

It implied you at least knew who they said they were (not that you
knew they were what they said).
Though that's what it meant in practice, that's not the interpretation
of "verified" that I'd have made.  Moreover, it's not IMO a useful
property to have.  Knowing who the adversary claims to be is only
effective against an adversary who can't or won't lie about who they
are.


But it was better than NOTHING.

Today you have absolutely NO safeguards whatsoever. ANY country can flood their tor entry/exit server lists with high bandwidth snoops which will guarantee tor is pretty much useless. But the users will never be alerted to that fact and believe they are protected. No attempt is now being made to disadvantage these snoops, even by a simple registration process.

And it would appear you don't care either, which is odd (??) considering you are making claims of having:

"
Tor: An anonymous Internet communication system
"


[...]
If you know a way to do this, please let us know. We're all ears.
Please keep in mind that we haven't got much cash to do this with, and
what cash we do have, we'd rather spend on rent and food and
developing Tor.
You poor penniless, overworked person. Why don't you ask all the
VERIFIED TOR operators to VERIFY the new TOR operators, within say
50-100 miles (100-200km) of them (or closest one).

I'll do 100 mile radius (UK) of Portsmouth UK - but only if you "verify"
me.

It's not a bad idea.  Time permitting, a web-of-trust kind of system
might be neat to do.  Of course, we'd need to think about what effect
this will have on route-based partitioning, and on possibly
discouraging operators from running servers if they need to meet other
operators face-to-face to do so.  And how hard is it really to foil a
face-to-face meeting?  These are neat questions.


Well of course there's an old truism - "Where there's a WILL there's a WAY".

Now if you want someone to draft a document for such a system then you need to ask people - but you don't ask that one do you?

Instead you tell them to branch the software. Why do that?


(Please forgive us if someday we eventually start doing this, and pick
trust seeds in the UK from among people we already know and trust.
I'm sure you would do the same.)


Oh.. a schoolboy snub.. grow up will you darling.

"I'm not playing with you" / "You can't join my gang" games are inappropriate in software development/engineering. Do you do this for a living?

Please forgive me (us ?? - no ! - I've only one personality) for saying that.

[...]
If some "unverifiednode" exit server adversary has set themselves up
in business of monitoring TOR users then isnt it because
"AllowUnverifiedNodes" was removed (effectively).
Right, you're confirming that we were right to change "Verified" to
"Valid".  Apparently, you *did* think that "verified" was a magical
stamp of good intentions.

Well darling that is what it said... no?
Sorry, I don't think it ever said it was a magical stamp of good
intentions.  If we said that, that was a stupid thing for us to say,
and I'm glad we changed it.

OK I've already made it clear above.

[...]
Personally, I think it's irrelevant today, that at one time persons
had to be known personally to run a verified server. Quaint but
irrelevant. But hey, I don't mind having someone round to my place
from the UK to verify me. Why not have 3 levels of security - level
2 - Registered - just what we have now. Level 1 - Verified - visit
their setup. Level 3 - unregistered & unverified. And give us a
config statement to use these levels or not.
Dude, we're not going to impose a worldwide server auditing system.
We're not going to visit server operators' houses.   Even if it did,
what would it prove?  Any organization could set up servers in a bunch
of its members' houses.  Are we supposed to do background checks?

Chikita, you really must put your thinking cap on and stop ignoring
the obvious. I said..
ITYM "chiquita", but I am not a little girl.


Upset..? Well don't use personal epithets in future then. I meant what I wrote darling, don't be so presumptuous. Why not look at Peter Palfrader's list of ops, or did you do that already?


Level 2 - registered - eg those that register their server name,
provide their real name and address. Do a web credit check - simple
and cheap. Get them to donate a COUPLE OF DOLLARS FOR THAT. Just
send them a registration code in the post to their credit card
address - the one they donated with and the address they gave for
it. Of course they can still forge this - but would they? With lots
of servers?

Level 1 - verified - eg a visit from a VERIFIED operator after
provision (copies) of household bills, local tax statement, or
identification of company or org if an org, isp verification. Once
again, of course they can still forge this darling - but would they?
With lots of servers?

You could even sub-level the Levels with a safety value.
Wow.  In my opinion, this would be tons of effort, would not pay for
itself, would turn operators away, would create a risk of information
leakage leading to identity theft, and would still be easy for
governments and nefarious organizations to subvert.  (Your security
model above seems based on the idea that the attacker can do things,
but wouldn't think it was worth the resources.  I worry that the
resource cost on server operators would also discourage them from
running good nodes.)

I realize that I could be wrong here; I'm just pointing out that this
is not a trivial idea, and it's not an obviously unalloyed win.


Well of course you are wrong and it doesn't take a mathematician to tell you that if you can't afford a condom (sheath/rubber) then a bit of cling film is better than nothing.

On a related issue, I have attempted to the "ExcludeNodes" config
and it doesn't seem to work. I am sure that of the dozens of nodes
I've tried to exclude (and failed to exclude - test only) ALL of
them cannot be my "guard" nodes. Ok this might only be winOS,
perhaps everyone should check it out for themselves. Just to be
sure. I've noticed others have seen similar. Re-check.
ExcludeNodes *is* supposed to work. If it doesn't, submit a bug
report. Warning! You will need to describe *exactly* what you did,
and *exactly* what Tor did in response. Logs will help. This is too
hard for many people.
Well hey thank you for the advice. Without Vidalia working on Win2k
I'm stuffed, but then you knew that didn't you.
No, I'm afraid I didn't know that; I genuinely would like this feature
to work.  If vidalia isn't working for you, you could possibly try
editing your torrc?  No pressure; I don't mean for this to be any kind
of accusation or anything.  Just... if you want us to fix something
that seems to work for us, we need information on how it's broken.


Amazing isn't it... one moment you're an expert, the next you're a dummy.. all very convenient.

I tell you I tested this out (implying, obviously even to the intellectually challenged, that I edited my torrc file - without vidalia!) and you just get it all wrong. Did you say this on purpose, out of spite, just to humiliate me (are you freemor?)? or are you serious?

If you are serious then I'm afraid for the future of the whole Tor concept.

Here's how it looks from the user's point of view... here's a man (I take it you are male - from your name) who has loads to write on reasons for doing nothing or explaining why some protection was taken out. To the point of being darn right rude.

And yet he can't follow or come up with any ideas himself to combat or make it more tortuous for an adversary to perform a blatant flood snooping attack on the Tor network.

And when someone suggests any strategy he just is full of ideas for why that won't work.



Are you beginning to get a handle on the problem ?.. because, IMO, it's not a million miles away from where you are sitting.



Now everyone out here knows just how good this Tor network could be.. it just needs a few tweaks to make it so. But for some reason there's enormous inertia to make this happen. Indeed, at the moment, it looks like it might be getting less safe.

I'm giving it to you straight. I'm not one of your sycophant types who'll rustle you up a sick note even when you're dead wrong.

frustratedly yrs,
I believe you. It's always frustrating when people start asking
questions about subjects you would really like swept under the
carpet and forgotten.

Just remember to answer them with politeness and integrity. And you
won't go far wrong. If not you might be mistaken for a dictatorial
pleb with an axe to grind.
My apologies for my unprovoked rudeness.  I like to think of free
software as a darwinian meritocracy rather than a dictatorship, and
would certainly hope that if Roger and I do a bad job as developers,
the community will realize this, try to talk us into doing something
sensible, fork Tor if we don't, and stop us from harming the world any
further.


Well that's a marginally better approach, even if it is laced with poison.

And please refrain from advising us that you want to hear our opinions when it's plain to see you'd prefer us to shut up unless we've got something nice to say about you or what you say. Images of a dictator surrounded by sycophants.

"Sorry", would have been enough, long winded expressions of "good" intention when not backed by action don't cut any ice with most people.

And really stop telling people to fork the code if they want - it's really tiresome to see devs brandishing this like a gun. Of course you don't want the code forked, you just want to shut people up.

But seriously, we're trying to do our best here.


Is that what you call your best ? .. to do what exactly? No.. dont answer that, I am sure you have your reasons.

If you are serious just try to keep out of the "denial" zone in future, mind your manners and don't play smart-ass games (because from the way I see it you are not bright enough to realise how dangerous such games can be - so take my advice - don't play with fire - sorry if this offends you but I'm sure you'll understand you had it coming after all you got up to).


Essentially, stop trying to win your argument and then you won't have to keep on trying to put other authors down.

Don't:

Take what they've said out of context.
Pick on a trivial matter on the fringe of the subject and add this to the argument just to win a point.
Make facetious/belittling/trivial remarks or play such games.
Address someone, you don't know personally, with personal epithets.
Attempt to move the argument to safer ground away from the subject currently under discussion.
Discard items which you concede on before you have formally conceded the point (or at least ended the discussion of the point with an agree to differ).
Make use of personal information on someone on an open forum that you might be in a position of trust and privy to.
Preach standards/ideals you obviously don't keep - it's insulting to your audience


Do:

Keep to the point and respect the other author.
Attempt to find common ground as a basis for further discussion - don't just stonewall people
Apologise/accept your mistakes or the correctness of others.
Make helpful suggestions
Take the subject to another forum for further discussion if need be.



--------------
This is what I can remember from your posts to or-talk, to be honest I stopped reading most of your posts just a couple of months after I joined or-talk because of the manner of some of your replies to some people. -------------



That's my last on this - I won't reply anymore - if you want to, then open up a personal dialog for the personal stuff.

If you want to go forward with suggestions to put some "registration" and/or "verification" back into Tor then please do so, on or-talk or otherwise, otherwise I'll chalk it down to another waste of effort, a lost cause.

I might just do that fork after all. Is there anyone out there who is up for a fork? Any devs? Any servers?

Proposals for the fork...


Bring back -


Level 1. Verification. - Personal visit to server with verification of isp/org

Add -

Level 2. Registration - Web page based registration, Nic, contact email, server id, proposed services desc, actual name and address verified by web page credit/debit card transaction. It'll cost you a dollar or two but that's it.

Retain -

Level 3. Validation - as is - anyone who can muster a server

Retain -

Level 4. - the rest


Would also be looking at adding:

1. User (client) configured and random varying path length - suck it and see basis - adding one node path freedom at a time.

2. By country exit entry middle node exclude/include specification switch.

3. User friendly urls for Tor internal websites.

4. Free external (slowest) gateway nodes (no client required) into Torland. (hw.xxxxxxxx.tor)

5. Multi-level performance for tor servers.

Other possibles: include packet random size padding node to node, random packet transit delay/position node to node, random packet multiplexing (between big pipe nodes only).

Long term might look at adding ENTROPY (the network) feature/plugin of fully distributed websites and services to Torland.



OK I EXPECT FLACK - fire away.. do your worst.. but keep this separate from comments to my original reply (above) please, thanks. This post is far too long already.

yrs,
--
Nick Mathewson
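
Added example, not part of the original thread and not code from Tor or from the serifos script: it contrasts the two meanings of "valid" discussed above, the directory authorities' Valid flag and an IP lookup that only knows relays' listening addresses. The status lines follow the v2 network-status "r"/"s" entry layout; all nicknames, digests, addresses and the observed exit addresses are constructed, and `ip_lookup_known` is a hypothetical stand-in for such a lookup page.

```python
"""Two unrelated meanings of "valid": directory Valid flag vs. an IP lookup."""

# Constructed sample laid out like v2 network-status router entries:
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
#   s <flags...>
# Nicknames, digests and addresses are made up (documentation IP ranges).
SAMPLE_STATUS = """\
r relayA IDENTITYPLACEHOLDERA DIGESTPLACEHOLDERA 2006-08-16 12:00:00 192.0.2.10 9001 9030
s Exit Fast Running Valid
r relayB IDENTITYPLACEHOLDERB DIGESTPLACEHOLDERB 2006-08-16 12:05:00 198.51.100.7 9001 0
s Exit Running Valid
r relayC IDENTITYPLACEHOLDERC DIGESTPLACEHOLDERC 2006-08-16 12:10:00 203.0.113.5 443 80
s Exit Running
"""

# Constructed observations: the source address a destination saw for traffic
# leaving each relay. relayB exits on a different address than it listens on.
OBSERVED_EXITS = {
    "relayA": "192.0.2.10",
    "relayB": "198.51.100.99",
    "relayC": "203.0.113.5",
}


def parse_status(text):
    """Return {nickname: {"ip": listening address, "flags": set of flags}}."""
    routers, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r" and len(fields) >= 9:
            current = fields[1]
            routers[current] = {"ip": fields[6], "flags": set()}
        elif fields[0] == "s" and current is not None:
            routers[current]["flags"] = set(fields[1:])
    return routers


def directory_valid(routers, nickname):
    """Meaning 1: the directory authority lists the relay with the Valid flag."""
    return "Valid" in routers[nickname]["flags"]


def ip_lookup_known(routers, address):
    """Meaning 2: the address matches some relay's listening IP."""
    return address in {r["ip"] for r in routers.values()}


def compare(routers, observed):
    """Return {nickname: (directory_valid, ip_lookup_known)} per observed exit."""
    return {
        nick: (directory_valid(routers, nick), ip_lookup_known(routers, addr))
        for nick, addr in sorted(observed.items())
    }


if __name__ == "__main__":
    for nick, (valid, known) in compare(parse_status(SAMPLE_STATUS), OBSERVED_EXITS).items():
        print(f"{nick}: directory Valid={valid}, IP lookup knows exit address={known}")
```

relayB is Valid to the directory yet unknown to the IP lookup, and relayC is the reverse, so neither check can stand in for the other.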