Re: relay tidbits...
On Mon, 2 Jun 2008 11:23:24 -0700 "Kyle Williams"
>On Sun, Jun 1, 2008 at 4:44 PM, <phobos@xxxxxxxxxxxxx> wrote:
>> On Sun, Jun 01, 2008 at 11:49:09PM +0100, luser456@xxxxxxxxxxxxxx wrote
>> 1.2K bytes in 29 lines about:
>> > another reason is to provide a list of POP accounts (pop server IP and
>> > username, no password is captured) being accessed via tor, just in case
>> > any admins/users of these servers/accounts find it odd that they are
>> > being accessed over tor.
>> If in the United States,
>> pertains to you.
>"Should I snoop on the plaintext that exits through my Tor
>*No.* You may be technically capable of modifying the Tor source code or
>installing additional software to monitor or log plaintext that exits your
>node. However, Tor relay operators in the U.S. can create legal and possibly
>even criminal liability for themselves under state or federal wiretap laws
>if they affirmatively monitor, log, or disclose Tor users' communications,
>while non-U.S. operators may be subject to similar laws. Do not examine the
>contents of anyone's communications without first talking to a lawyer.
>I just read that again, and I feel I must say a few words about this.
>First off, the facts. Anyone who willingly and knowingly sends their traffic
>to some random routers on the Internet (encrypted traffic or not) just
>waived their right to privacy. It is assumed that their traffic is protected
>by encryption, which brings back their privacy, but even that (Debian SSL
>bug) can come into question. However, (s)he who uses Tor is still
>*INTENTIONALLY* sending what would be private to you and/or your ISP out to
>second and third parties. To expect privacy when you are doing this is
>retarded, unless everything you do is using SSL (again, not Debian's
>derivative of SSL). The best you are going to get is anonymity, but you
>gain anonymity by throwing away your privacy (in most cases, not all
>Second, I as a 'service provider', whether free to the public or not, do
>have the right to monitor what my service is being (ab)used for. By sharing
>my bandwidth, which I pay for (NOT YOU), I have the right to say what is
>allowed and what is blocked. As a Tor exit node, I get to choose which
That is true, as far as it goes in the U.S. The downside is that if you
examine and censor anything, then you become legally responsible for
*everything* that passes through your setup. That means you become
responsible not only for examining *all* of it, but also for any actions you
may take, such as censorship, w.r.t. each message/connection.
The generally accepted exception to the above is that a system
administrator is allowed in the case of error conditions to examine such
header information (e.g., SMTP message headers) and error messages to
determine the source of the problem and take corrective action. The system
administrator, however, is *not* permitted to examine the contents of the
message itself beyond those headers. In the case of SMTP mail, this is
essentially equivalent to U.S. postal regulations allowing the postmaster
or his/her deputies to examine the return and destination addresses on the
outside of the item (e.g., on an envelope or package), but not to open them
to view the contents. There are now (illegal, IMO) exceptions made in the
U.S. under the current, criminal regime, but prior to that regime's accession
to the throne, a warrant issued by a judge on affidavit or oath of probable
cause was the rule. There remains, too, the dim possibility that the old
rules will be restored once the current crime bosses are replaced.
>services (by port) I want to support. As a service provider (in the USA), I
>have the right to watch *EVERYTHING* that goes through my service. AT&T has
>done this, Comcast is hiring right now for people to do this, and the list
>goes on and on. Where AT&T should be getting in trouble is they gave the
>information to second and third parties, but I'm not going into that here.
Actually, they are in trouble, and the Bush crime department (a.k.a.
the DoJ and the courts) keeps having to take the heat off them by claiming
"national security" or "state secrets" to dismiss the lawsuits against the
illegal actions of those companies.
>The point is, as a service provider, you have the right to monitor your
>services to make sure that they are not being abused or used for anything
>which might be illegal.
Again, in the U.S. if you do that at all, you become responsible for
doing it to all traffic through those same services on your system.
>As for monitoring and logging my traffic, I have that right. Now if I
>distribute those logs to other parties, then I should be in trouble.
>Here is a very real example that has happened in Germany.
>If someone used my node to make a bomb threat to local police, and the
>police come to my house to take my computers, a couple of things could
>happen. But this is one possible take.
>If I told them "Wait a minute, I run this great anonymity software called
>Tor to help support people in oppressed countries, but I also logged
>everything just in case something like this happened. Since I like you guys
>(the cops) so much, I'll give you guys full copies of my logs that I have
>been keeping record of since I started my node. You do have a search
>warrant, right?" I'm willing to bet that the (stupid) cops would be elated
>by your cooperation, not threatening to throw you in jail. As it seems to
>be with all the data retention laws going into effect around the world, they
>would be very happy to have such a detailed level of co-operation.
Yes, Germany and France also have evil governments. So what?
>So to tell people that it "can create legal and possibly even criminal
>liability for themselves under state or federal wiretap laws if they
>affirmatively monitor, log, or disclose Tor users' communications" is a load
>of crap, in my opinion. The disclosure part is the only place I see that
>would be crossing the line that would probably get you in trouble.
Well, in the U.S. anyone thinking of taking your advice ought to read
the U.S. criminal code provisions resulting from the Electronic Computer
Privacy Act (or whatever it was called at the time).
>After last year's PoC at DefCon and talking with the EFF and FBI about it, I
>have a much different take on this. The EFF attorneys were thinking worst
>case scenario, but the FBI agents laughed and basically said "be careful".
In most cases, they will take no action on their own initiative, but if
they receive a criminal complaint, they are required to investigate and
determine whether there is evidence of a crime having been committed.
>I'm not in jail, nor was I ever arrested. But at the same time, I didn't
>expose people/groups/agencies/etc either.
That's an important distinction, but only in the context of assuming
the responsibility for all your traffic, as noted above.
>However the following weekend my house was broken into and someone obviously
>was looking for something I no longer had, but that's another story for
>another time. (If that person(s) ever reads this, thanks for not breaking
>all my stuff and leaving everything in more or less the way you found it,
>minus your obvious calling card, which was kinda creepy and cool at the same
Scott Bennett, Comm. ASMELG, CFIAG
* Internet: bennett at cs.niu.edu *
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *