
Re: [tor-talk] EFF Tor Challenge

Thus spake CACook@xxxxxxxxxxxxxxx (CACook@xxxxxxxxxxxxxxx):

> On Friday 3 June, 2011 07:16:03 Eugen Leitl wrote:
> > I've personally seen the Linux vserver patch prevent privilege
> > escalation and prevent hosts becoming compromised from
> > within its guests. There's, of course, GRSEC and other 
> > patches available to lock down the machine further.
> > 
> > Are you sure you're in IT business? You sound a bit clueless.
> Yes, gratuitous insult your way too Eugen.
> No, I am not in the IT business.  As I've said before I am in real
> estate, but I'm breaking ground that apparently no one else here has
> thought of.  Thankless work though so I'll withdraw now.  Life's too
> short.

I commend your efforts to jump into something new. Diversity in our
community and especially our relay pool is extremely important. Please
don't be discouraged.

That said, I think you're over-engineering this. Exploits are a numbers
game.  If you are concerned about being popped by random, untargeted
malware, your odds are honestly much higher through the web browser
(actually its plugins) than through the Tor relay component, as others
have alluded to earlier in this thread. There are too few Tor relays to
make them attractive targets for someone's botnet or for harvesting bank
account passwords.

However, targeted attacks are much more of a concern. In these cases,
the adversary is either targeting the Tor network to deanonymize users,
or targeting you personally.

If they are targeting Tor, the thing you need to be worried about is
attempts to extract your relay keys from your hard disk or otherwise
analyze tor traffic underneath the relay-to-relay crypto. For this
reason, best practices are using an encrypted loopback volume that
only gets mounted while Tor is running, and/or rekeying your relays
after mysterious unexplained/unexpected downtimes. It probably also
means running on bare hardware (as opposed to a VPS) because of the
threat from an unknown host OS and possibly even malicious guests.

Isolating and hardening the system against the Tor daemon doesn't make a
whole lot of sense from a cost/benefit risk-analysis point of view. The
adversary who is after Tor only wants 'tor' and not much else. Isolation
doesn't change their capabilities in this regard.

If you believe the target is you personally, then the recommendation is
to rent bare hardware in a colo, have it imaged with something standard
("Ubuntu LTS" and CentOS are decent choices for keeping modern yet
remaining supported and providing decent hardening mechanisms for
everything else), use it only for tor, keep it far away from your
personal equipment, and run it out of a distinct legal
entity/corporation (to dissuade legal attacks against your person).

Good luck!

P.S. If you have any more specific questions about relay operation,
join us on tor-relays:

Mike Perry
Mad Computer Scientist
fscked.org evil labs
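The "encrypted volume that only gets mounted while Tor is running" practice from the reply above, as an added shell wrapper that is not part of the original thread. It assumes a LUKS-formatted loop image at /srv/tor-data.img, the dm-crypt mapper name "tordata", and /var/lib/tor as the DataDirectory (all constructed names); the DRY_RUN switch only prints the commands so the sequence can be checked without root.

```shell
#!/bin/sh
# Wrapper that keeps the relay's DataDirectory (which holds the identity
# keys) on a LUKS-encrypted loop image that is unlocked only while tor runs.
# Assumed names (not from the thread): image /srv/tor-data.img, mapper
# "tordata", DataDirectory /var/lib/tor. Needs root, cryptsetup and tor;
# the passphrase is typed at start-up, so it never sits on the disk.

IMAGE="${IMAGE:-/srv/tor-data.img}"
MOUNTPOINT="${MOUNTPOINT:-/var/lib/tor}"
MAPPER="${MAPPER:-tordata}"
TORRC="${TORRC:-/etc/tor/torrc}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# open_keys: unlock the image and mount it. Fail loudly if either step
# fails, so tor is never started on an empty DataDirectory (it would
# quietly generate fresh keys and the relay would lose its identity).
open_keys() {
    run cryptsetup open "$IMAGE" "$MAPPER" || return 1
    run mount -o nodev,nosuid,noexec "/dev/mapper/$MAPPER" "$MOUNTPOINT" || return 1
}

# close_keys: unmount and lock again; afterwards only ciphertext remains.
close_keys() {
    run umount "$MOUNTPOINT"
    run cryptsetup close "$MAPPER"
}

# run_relay: open, run tor in the foreground, close once tor has exited
# (SIGINT/SIGTERM make tor shut down and return here).
run_relay() {
    open_keys || return 1
    run tor -f "$TORRC"
    status=$?
    close_keys
    return $status
}

# Only act when invoked as "sh tor-wrapper.sh start". The EXIT trap closes
# the volume if the wrapper itself is killed before run_relay gets there.
if [ "${1-}" = start ]; then
    trap 'mountpoint -q "$MOUNTPOINT" && close_keys' EXIT
    run_relay
fi
```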


tor-talk mailing list