
Re: Is "gatereloaded" a Bad Exit?

Hello Gregory,

On Fri, 11 Feb 2011, Gregory Maxwell wrote:

As far as I can tell this is a completely spurious strawman argument.

Where is this person with a legitimate reason why they can allow :80
and not :443? What is their reason?

I am trying to suggest two things here:

1) We cannot know the answer to this (what is their reason, what is their scenario, what is their threat model)

2) There are uses of ToR, and roles that ToR plays, that are very, very different than the official, accepted use model.

So let me back up one step here and state some things that I am sorry are not obvious:

- you have no idea what kind of things run over ports like 21, 23, 80, and 110. I know what _I_ use them for, and you know what _you_ use them for, and we know what's in /etc/services, but you are forgetting that anything can run over a TCP port.

- you have no idea what particular network activity, or services provided, is considered suspicious in a particular setting. _I_ can run services on arbitrary ports and so can you, and so can most anybody, but you are forgetting that there are threat models wherein this is not the case.

- you have no idea what type of overall architecture someone has fit their ToR use into. _I_ use ToR in the typical, accepted fashion, and so does most everyone else, but perhaps ToR is used as simply one component, and maybe not even the most important component, of a larger network architecture.

- you have no idea what the overall goal of sending and receiving traffic on the ToR network is for a person or group. _I_ use it like you do, to perform normal Internet functions anonymously - but others may have very different needs, ranging from simple traffic generation to plausible deniability.

What frustrates me so much about this whole conversation is that the above items (and we could all come up with many more) are true in general, but are never more true than they are related to ToR. Further, since we're all technical people here, it should be second nature to us that the POWER of an open system is the arbitrary combinations that arise from a simple, unrestrictive ruleset. There are a small number of easily identifiable "cons" to letting an exit run like this, and there are an unlimited number of unknown "pros" to letting an exit run like this. You should know this.

If anyone was showing up expressing this as a serious constraint with
a legitimate cause, then it might be reasonable to reconsider.
Certainly if there were many of them.

I am suggesting fringe, and possibly temporary use cases that imply actors that probably aren't going to pop in to talk shop. I'll say it again:

There are a small number of easily identifiable "cons" to letting an exit run like this, and there are an unlimited number of unknown "pros" to letting an exit run like this. You should know this.

Tor already has a great many tweaks and heuristics. Why are you not
complaining about the exit load-balancing heuristic that denies the
exit flag to nodes which don't exit to at least a /8 of several
important ports?  It impacts a great many more nodes.  Or why not
complain about the countermeasures against one hop usage that make
nodes seizure targets and takes an unfair share of the bandwidth?

Forgive me, but this is a near-perfect example of a straw man logical fallacy. My not protesting these other items (which I may or may not support) does not suggest that my above argument is faulty.

Will this contingent next be advocating not blacklisting exits known
to insert malware or advertisements in the traffic because without
this activity the exit operator can not afford to keep their exit

If running an exit is somehow so imposing on someone that they feel
the need to impose bizarre (even inexplicable) restrictions on its
behaviour then they really should be helping the tor network in some
other way - by running a bridge or a regular middle node. Or finding
something else to do with their scarce resources.  Tor needs people's
help, sure, but it doesn't demand their blood. Why not let the "rich
white people in the north" that you seem to have so much disdain for
take a larger part of the exit burden?

Again, you are limiting your view to "free people who are donating resources for the world". Yes, that is how I am involved in ToR, and how you are involved in ToR, but you completely discount the people running ToR nodes on the other side of the sword, so to speak. They're not in it for you and me, and they're not in it for the EFF - they have an immediate communications need that has both purpose and constraints that you and I cannot imagine.

I personally run a node with an oddball exit policy (well, it's down
at the moment due to a hardware failure). I wouldn't have any issue
explaining the exit policy to someone who asked. (basically I have a
node that exits to a collection of hand selected 'read only'
websites, plus tcp dns to some dns servers, and a number of other
assorted things that I know should will be free of complaint
generating outcomes)

Ok - how about if we were all speaking Hebrew here, and you had only temporary access to trusted computing hardware, and the node in question was something you risked your life to dead-drop into your local CO?

You'd have no problem doing a quick chat with us about your exit policy?

I'm sorry - I really mean to be constructive and cordial here, but you're stuck in a worldview that not only views /etc/services as a set of hard, physical laws, but further cannot abstract farther out than your own, very lucky and very limited use of ToR.

Disclosure: My bet is that gatereloaded is a "bad" exit and is doing something nasty. I just don't think this small set of known dangers is worth throwing out an UNLIMITED set of unknown benefits for.