IRC Archive / OFTC / #tor / 2010 / June / 28 / 1
ilter
Quick question: What is AP which is written in source codes? Is it application?
arma
yeah. "application proxy" was the original name for it.
ilter
Thank you arma.
katmagic
What's happened to nsa?
mikeperry
atagar: I believe there is no event parsing for STATUS_SERVER
atagar: see TorCtl.EventSink and classes that inherit from it
specifically, TorCtl.EventHandler._decode1, _handle1, and _map1
atagar
mikeperry: Spiffy, thanks! Also, any hint on the other question (which is the fingerprint: idhash or orhash?)
mikeperry
the fingerprint is idhash, which torctl calls idhex (because we use the hex representation, not the base64 one)
orhash will change every 1mo or so, I believe (because the or key is rotated automatically)
atagar
katmagic: it got banished to the realm of #tor-bot
oops, #tor-bots
katmagic
324 relays came online between Friday and Saturday. Why?
http://metrics.torproject.org/graphs/networksize/networksize-30d.png
^ strangeness
wilma
i have noob problems
i was running a relay for a week and everything worked perfectly
Sebastian_
katmagic: it got moved to #tor-bots
sahal
katmagic: looks like the same thing happened last year around the same time http://metrics.torproject.org/consensus-graphs.html#networksize-2009
katmagic
That's really weird.
dr|z3d
Sounds like a targeted infosniff </speculation>
katmagic
So, is this an attack?
dr|z3d
katmagic: It definitely prima facie has all the makings of an attack. Can we know for sure? Hmm..
katmagic
There's a thread about this on OnionForum, but it's not very elucidating. http://l6nvqsqivhrunqvs.onion/?do=topic&id=11392
mikeperry
someone added a ton of nodes that claim to be from planetlab
no contact info
katmagic
Yeah. Are they all properly familied?
mikeperry
accepting irc ports on one of them
handful of ips do appear to be owned by universities
dr|z3d
Botnet?
mikeperry
probably actually what they claim to be
my guess is some researcher is testing some aspect of the tor network using planetlab
dr|z3d
It does seem odd that the same hike in numbers should occur at the same time of year, though.
katmagic
Very odd.
mikeperry
might be repeating an experiment
dr|z3d
Sure, could be.. doing a yearly analysis or somesuch.
katmagic
Do they have their family set, though?
mikeperry
they do not
depending on what they are testing, it may be not helpful for them to do so.. it is suspicious that they allow irc but nothing else
dr|z3d
I was going to mention.. there was a sustained attack this weekend on #debian, much of it using Tor.
katmagic
Well, even if they are researchers, if they're not setting MyFamily, they're in a position to carry out an attack on Tor.
mikeperry
yep
katmagic
Does NodeFamily propagate out from directory servers?
dr|z3d
So you have a whole bunch of brand new nodes, only exiting on IRC.. and not being up for very long.. that's starting to smell to me like some sort of anti-Tor circumvention attempt.
I wonder if freenode saw a spike in attacks.
katmagic
Why would there be a spike in attacks *from* Tor?
Anyway, the directories should put all the nodes that came online since Friday in one family.
dr|z3d
Well, if the nodes aren't up long enough to get into the network consensus, they'd be very useful in circumventing blocks on Tor, no?
katmagic
They've been up for a couple of days.
dr|z3d
Ok. And they're still up now?
katmagic
Yep.
dr|z3d
The plot thickens. ;)
katmagic
This is disturbing.
:-\
mikeperry
none of them allow anything but irc, all allow only irc
that would be a weird thing for an academic to do, unless they were surveilling irc exit traffic for botnets or something...
katmagic
Can they be blacklisted?
Who operates the directory authorities?
wanoskarnet
Need to press a "panic button".
mikeperry
there are 560 of them, btw
dr|z3d
So that's, what, a 20% boost in node numbers?
katmagic
Yeah, more joined since the last graph number was made.
Sebastian_
we went from ~1500 to ~2200
mikeperry
they were all added within about 5min of each other
according to the consensus I have, their uptimes are all 130550-130800
Sebastian_
http://planetflow.planet-lab.org/#bquery not cool
katmagic
So, can these be kicked out of the consensus?
mikeperry
yes
sahal
i'm not getting any matches on tor ips (https://torstat.xenobite.eu/ip_list_all.php/Tor_ip_list_ALL.csv) and planetlab ips (http://comon.cs.princeton.edu/status/tabulator.cgi?limit=1000)
mikeperry
we can also just mark them as badexit
I've emailed all the dirauths and tor-assistants with a list
we'll see what happens
Sebastian_
I think just badexiting them isn't enough
in this case
but yeah, I'm not a dirauth op ;)
katmagic
Does NodeFamily propogate?
*propagate*
Sebastian_
propagate?
(No, it doesn't. How would it?)
katmagic
Yeah. If you set it on a directory authority, do all the clients fetching from the authority know that they're of the same family?
Sebastian_
nope
arma
they're still up, then?
Sebastian_
yes
arma
if we badexit them, people can still use them for first and second hop
if we invalid them, they won't get the Running flag, so they'll stick around but nobody will use them
in the past, not having the Valid flag meant you were still usable for the middle hop. that sounds great, but we have a bug where not-Valid means you lose the Running flag.
Sebastian_
I think in this case that means "too bad, so we are back at the relay number we had two days ago"
(In general, 500+ nodes controlled by the same entity? That's woah)
arma
yep. do they all have the same exit policy, then?
mikeperry
appears so
all allow 6660-6667 and nothing else, as far as I can tell
Sebastian_
I have 591 nodes with that policy
arma
128.112.139.18 planetlab01=E33BC84FBBFA76CF8D3793A780BABAED8D68FBE2 up: 130602
bandwidth 51200 51200 57077
interesting
so they're all crappy nodes, in addition to being irc exits
dr|z3d
Anyone doing "legit" research on this scale would surely forewarn someone? It beggars belief!
Sebastian_
yes
arma
dr|z3d: yep. my guess is that somebody tried to set up a private internal tor network, and screwed up
but then, i'm always an optimist. could be a real attacker.
mikeperry:
!invalid DAAF 7995 1150 32B8 5D3A 3263 B8CF 0F62 7E87 8750
that's the format we want to use
dr|z3d
arma: Yes, but why would anyone want to set up a private network simply to facilitate IRC? Doesn't quite ring true.
sahal
planetlab has used private tor networks before
according to the tor blog
dr|z3d
And if it's all "crappy nodes", that does smell suspiciously like a botnet type invasion.
mikeperry
arma: do I have to split it every quad?
arma
checking that
sahal
how do you get a list of tor nodes?
dr|z3d
Vidalia, online consensus..
torstatus,blutmagie.de et al.
Sebastian_
sahal: via the cached-consensus file in your Tor client's data directory
arma
mikeperry: i think the spaces between the quads are optional.
sahal
Sebastian_: thanks
dr|z3d: i tried torstats but i think the list is stale
arma
mikeperry: confirmed
fingerprint = tor_strdup(fp);
tor_strstrip(fingerprint, " ");
katmagic
http://www.cse.ohio-state.edu/~tengj/project_description.html
mikeperry
arma: where does !invalid go?
katmagic
^ planet-lab.com lists that as the page associated with their Tor experiment
mikeperry
I have a bunch of !reject lines in approved-routers
from the debian thing
arma
mikeperry: in your approved-routers file
yep. just snuggle them in with the !reject lines
katmagic
Jim Teng ... Phone: (614)-247-5420(O)
mikeperry
katmagic: how do we know it's the same experiment?
lots of people have used planetlab with tor
arma
planet-lab.com doesn't resolve for me. url?
katmagic
Err, .org
https://www.planet-lab.org/db/pub/slices.php
Oh, you're right.
There *are* multiple Tor projects.
mikeperry
"Malware monitoring system"
arma
"We will set up a closed Tor environment on PlanetLab."
sahal
arma
katmagic
Yep.
Maybe someone duped Planet Lab?
arma
this xinwen fu guy does all sorts of sketchy stuff actually
mikeperry: the end of your invalid list has a bogus line in it. fyi :)
mikeperry
yes
I just realized
err I mean, just trying to keep everyone on their toes ;)
arma
ok, i'm responding to the thread with better directions for people
katmagic
http://www.cs.uml.edu/~xinwenfu/PubList.html
arma
let us also hope mike isn't the adversary, sneaking a few hundred extra fingerprints in there to get blacklisted ;)
katmagic
I think Dr. Xinwen Fu wants to get in something more publicized than IEEE journals.
arma
he did a black hat dc talk last year that was total bunk
well, not total bunk. well-known stuff. claiming it as novel was bunk.
dr|z3d
Any evidence to support the theory he might be a govt stooge?
</conspiracy>
carnivore
Fill me in on what this Dr. Fow is doing specifically
mikeperry
arma: we need at least 4 dirauths to include this file now right?
badexit would only need what, the two of us?
arma
badexit would need a majority of the people who vote on badexit
those people are moria1, tor26, ides
so yes, the two of us
dr|z3d: no. but then, why do you think the government is your worst adversary?
carnivore: https://blog.torproject.org/blog/one-cell-enough
dr|z3d
arma: I don't, necessarily. I was idly speculating that Mr Fu might have a (Chinese) govt. mandate to "do stuff". Idly being the operative word. :)
sahal
i think in chinese the last name goes first
so it's mr xinwen
dr|z3d
Ah, ok. Thanks for the insight.
katmagic
So, shouldn't someone call Dr. Xinwen Fu?
Sebastian_
at 2am?
katmagic
Good point.
carnivore
So I take it that this research is "unethical" since he is using the public Tor network to do it?
arma
nobody even knows this is the guy
there are lots of people who use planetlab for stuff
i doubt they all register their plans beforehand
and no, just because you're using the public tor network doesn't make your research unethical. depends what exactly you're doing
carnivore: you might like "A Case Study on Measuring Statistical Data in the Tor Anonymity Network"
http://metrics.torproject.org/papers.html
sahal: as for reversing the names, the problem is that sometimes people pre-reverse the names so you don't have to reverse them. i believe this is prof fu.
dr|z3d
Ironic name, in any event. :)
carnivore
Prof Foobar has FUBAR'ed us all!
sahal
arma: i think you're right. two character last names are rare.
arma: plus the gif image on his site's header shows fu xinwen
arma
but that could be pre-reversed, just for you
sahal
he would reverse the chinese characters too?
vegard
hm, what's the story here?
sahal
http://www.cs.uml.edu/~xinwenfu/Default_files/namefu.GIF
i'm pretty sure that says fu xinwen
katmagic
Is or-assistants archived somewhere like or-talk?
Sebastian_
no; it is not a public list
clover
hi
anybody got a suggestion on a good method for me to share a mod to a control script?
... will be useful to some people
Sebastian_
clover: you mean to get it included in Tor's source?
clover
not really...
Sebastian_
just pastebin it for now?
clover
it's not that good... i just finished some tweaking of torctl so that it will work with openbsd in a chroot... was frustrating that it wouldn't work properly so i made it work well enough for me but it isn't polished
will the pastebin expire? never used it before
Sebastian_
some do, some don't
you could also put it up on the wiki
katmagic
You could send a patch to or-talk.
clover
i've tried to post on the wiki before but it apparently doesn't like tor users :-(