Re: Is "gatereloaded" a Bad Exit?

[John Case <case@xxxxxxxxxxxxxxxx>]

Hello Gregory,

On Fri, 11 Feb 2011, Gregory Maxwell wrote:

> As far as I can tell this is a completely spurious strawman argument.
>
> Where is this person with a legitimate reason why they can allow :80
> and not :443? What is their reason?


I am trying to suggest two things here:

1) We cannot know the answer to this (what is their reason, what is their 
scenario, what is their threat model)

2) There are uses of ToR, and roles that ToR plays, that are very, very 
different than the official, accepted use model.

So let me back up one step here and state some things that I am sorry are 
not obvious:

- you have no idea what kind of things run over ports like 21, 23, 80, and 
110.  I know what _I_ use them for, and you know what _you_ use them for, 
and we know what's in /etc/services, but you are forgetting that anything 
can run over a TCP port.

- you have no idea what particular network activity, or services provided, 
is considered suspicious in a particular setting.  _I_ can run services on 
arbitrary ports and so can you, and so can most anybody, but you are 
forgetting that there are threat models wherein this is not the case.

- you have no idea what type of overall architecture someone has fit their 
ToR use into.  _I_ use ToR in the typical, accepted fashion, and so does 
most everyone else, but perhaps ToR is used as simply one component, and 
maybe not even the most important component, of a larger network 
architecture.

- you have no idea what the overall goal of sending and receiving traffic 
on the ToR network is for a person or group.  _I_ use it like you do, to 
perform normal Internet functions anonymously - but others may have very 
different needs, ranging from simple traffic generation to plausible 
deniability.

What frustrates me so much about this whole conversation is that the above 
items (and we could all come up with many more) are true in general, but 
are never more true than they are related to ToR.  Further, since we're 
all technical people here, it should be second nature to us that the POWER 
of an open system are the arbitrary combinations that arise from a simple, 
unrestrictive ruleset.  There are a small number of easily identifiable 
"cons" to letting an exit run like this, and there are an unlimited number 
of unknown "pros" to letting an exit run like this.  You should know this.


> If anyone was showing up expressing this as a serious constraint with
> a legitimate cause, then it might be reasonable to reconsider.
> Certainly if there were many of them.


I am suggesting fringe, and possibly temporary use cases that imply actors 
that probably aren't going to pop in to talk shop.  I'll say it again:

There are a small number of easily identifiable "cons" to letting an exit 
run like this, and there are an unlimited number of unknown "pros" to 
letting an exit run like this.  You should know this.


> Tor already has a great many tweaks and heuristics. Why are you not
> complaining about the exit load-balancing heuristic that denies the
> exit flag to nodes which don't exit to at least a /8 of several
> important ports?  It impacts a great many more nodes.  Or why not
> complain about the countermeasures against one hop usage that make
> nodes seizure targets and takes an unfair share of the bandwidth?


Forgive me, but this is a near-perfect example of a straw man logical 
fallacy.  My not protesting these other items (which I may or may not 
support) does not suggest that my above argument is faulty.


> Will this contingent next be advocating not blacklisting exits known
> to insert malware or advertisements in the traffic because without
> this activity the exit operator can not afford to keep their exit
> going?
>
> If running an exit is somehow so imposing on someone that they feel
> the need to impose bizarre (even inexplicable) restrictions on its
> behaviour then they really should be helping the tor network in some
> other way â by running a bridge or a regular middle node. Or finding
> something else to do with their scarce resources.  Tor needs people's
> help, sure, but it doesn't demand their blood. Why not let the "rich
> white people in the north" that you seem to have so much disdain for
> take a larger part of the exit burden?


Again, you are limiting your view to "free people who are donating 
resources for the world".  Yes, that is how I am involved in ToR, and how 
you are involved in ToR, but you completely discount the people running 
ToR nodes on the other side of the sword, so to speak.  They're not in it 
for you and me, and they're not in it for the EFF - they have an immediate 
communications need that has both purpose and constraints that you and I 
cannot imagine.



> I personally run a node with an oddball exit policy (well, it's down
> at the moment due to a hardware failure). I wouldn't have any issue
> explaining the exit policy to someone who asked. (basically I have a
> node that exists to a collection of hand selected 'read only'
> websites, plus tcp dns to some dns servers, and a number of other
> assorted things that I know should will be free of complaint
> generating outcomes)


Ok - how about if we were all speaking Hebrew here, and you had only 
temporary access to trusted computing hardware, and the node in question 
was something you risked your life to dead-drop into your local CO ?

You'd have no problem doing a quick chat with us about your exit policy ?

I'm sorry - I really mean to be constructive and cordial here, but you're 
stuck in a worldview that not only views /etc/services as a set of hard, 
physical laws, but further cannot abstract farther out than your own, very 
lucky and very limited use of ToR.



Disclosure:  My bet is that gatereloaded is a "bad" exit and is doing 
something nasty.  I just don't think this small set of known dangers is 
worth throwing out an UNLIMITED set of unknown benefits for.