[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor server "nami" taken by the German Police

On Wed, Sep 30, 2009 at 12:34 AM, John Case <case@xxxxxxxxxxxxxxxx> wrote:
> No, no - I understand what the behavior in meatspace is like - I wonder what
> the behavior looks like on the network.
> Take carding ... presumably that all takes place on 443, as carders use
> online merchants to either test or use the cards.  I'm guessing meta-carding
> (forums for trading, etc.) also take place on 443.
> Spam is on 25.  System intrusion could be anywhere, I guess.
> I assume that the child pornography is either in the same places as the
> piracy (bittorrent on well known ports and usenet ?) or also on 443 ...
> And round it out with DoS and other foolishness on 6666/6667 (irc).
> Are these fair generalizations, and thus I could start to guess about a
> "safer" exit node configuration ... perhaps 22 and 80 ?  I would think an
> SSH based BBS for trading pirated/illegal content must be very rare, if not
> non-existent, and nobody would be doing serious lawbreaking on plain old
> port 80 ?
> In reality, I run more open than just 22 and 80, but I'd like to know if
> this line of thought is going in the right direction at all ... can we even
> make generalizations about TCP traffic policy decisions that will minimize
> police contact ?

One way to achieve a "safer exit" is not so much to exit to particular
ports but to particular destinations.  For example, read only sites
and quasi read only site (i.e. news, search engines, archive.org,
wikipedia), places unlikely to generate complaint, sites that that are
aware of tor and would tell people demanding IPs "It's a tor exit—
don't bother".    Though if many people did this it would bloat the
directories and look suspicious. (An exit only good for some
destinations looks like a snooping attempt).

I was under the impression that at least some of this seizure activity
is triggered by access to childporn honeypots, if so a destination
limited exist list should be pretty effective at avoiding them while a
port based one wouldn't be.

I don't think you have anything to worry about SSH warez sites— though
I'm sure they exist they aren't likely to ever be found by anyone!
(and thus there is little reason to run them over tor, except perhaps
as a hidden service)... exiting to ssh might, unfortunately, bring you
some unwanted attention for cracking attempts but since there are so
many zombie systems doing that I doubt anyone would knock on your door
about it.

As I think I've said before:  Keeping your exit node out of your
residence is a good idea; when the powers that be discover that their
trouble IP is in a datacenter it will cause them to reconsider their
assumptions... they might learn about TOR and give up on that
approach. Even if they do not, you're more likely to hear from them in
a business like manner, rather than in the form of officers raiding
your home hoping to find something incriminating.
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/