IRC Archive / Oftc / #tor / 2015 / October / 12 / 1
torQUES
the bandwidth management policies are strange...
likely someone bought all the speak-easies to grab all boozers and then convinced them to abandon alcohol ;-)
that's what I'm talking about ;-) http://www.docdroid.net/Mx0Bc7U/0292.pdf.html
jaskl
hi, I was reading an article about the directory authorities. I took a look at https://atlas.torproject.org/#search/flag:authority and noticed urras is missing. What happened to urras?
cacahuatl
Technical issues, there are a few posts on the mailing list about it.
jaskl
cacahuatl, ok found it. Thanks
untz
Is it possible to set custom entrynodes @ my HS, for example HS > entrynodes > relay x4 > client ?
Chocolate_Chip
HS?
High School?
untz
hidden services
cacahuatl
I don't see why it wouldn't work but it doesn't seem like an especially good idea
ncl
untz: there's technically a way, but it wasn't intended, and is being phased out "soon"
untz
cacahuatl: ncl well the reason I want to use custom entryguard is to make it more difficult for an attacker to find out the true location
ryonaloli_
that won't make it more difficult
untz
explain ?
ncl
that would probably just make it easier to figure out the owner
untz
let me pm u
chie
do you want to host the entry by yourself?
untz
yeah
cacahuatl
It sounds like you're not really sure why you want to do it.
untz
ryonaloli_: ncl chie cacahuatl https://ghostbin.com/paste/363oh
cacahuatl
I would strongly recommend that you don't do it for that very reason.
And your paste is wrong
chie
I thought of that too but I don't know if it's a good idea
untz
wrong?
explain
cacahuatl
First of all "A guard node discovery attack"
Cite :)
Because I have a feeling you were in here the other day throwing a similarly weird term around extolling the virtues of some weird setup or another.
And you don't seem to have done much in the way of further research since then which makes me doubt how much was done in the first place.
untz
https://trac.torproject.org/projects/tor/ticket/9001
I'm here to discuss
cacahuatl
So the Sniper Attack?
Oh
You are the same person and you've still not done any further reading, just repeating the same thing.
I don't do PMs and especially not for support discussions on Tor, it's better that any advice or discussion is done in the open so that it is reviewable.
untz
cacahuatl: further reading about what?
I'm here to discuss possible countermeasures about deanonymizing HS
cacahuatl
For one, the example you've cited both times was not part of a guard discovery attack (the doxbin http logs)
In fact there's some evidence to support a totally different deanonymization method that was the basis for most of the Operation Onymous seizures.
So it's unrelated to the paper in the ticket you linked.
as I believe was explained last time too?
untz
cacahuatl
Why do you think that doing a manual guard selection would at all help?
untz
"We've been discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated."
because if pick entryguards that u trust instead of an attacker's one
they wont find out the location unless they control the entrynodes
I might be wrong, but yea do u have another idea to prevent this from happening?
cacahuatl:
cacahuatl
That doesn't help against the kind of attacks you're talking about?
If you're talking about using resource exhaustion to knock out guards and confirm that when a guard drops, so does a hidden service, then "trusting" the guard does nothing for you. Trust never stopped a DDOS.
ryonaloli_
you have to have faith
if you have faith in your guard, it can do anything!
once i had a site of mine hit with a nasty ddos. i had faith it would stop, and what do you know, 4 days lter it stopped!
*later
untz
cacahuatl: u dont get my point
my point is they wont find out the real location of the HS
all they can find out is which entryguard i was using
or im wrong?
cacahuatl: browser > relay x 6 > HS
if the last relay in the chain is custom picked entrynodes, please explain for me how they will find out the true location of the HS
ryonaloli_
well technically there tends to be 7 releys, not 6 releys, because of the rondevous reley
*rendevous
i can't spell for sh*t, so i'm gonna go eat something. afk
thorazine
untz: compromise the trusted relay maybe? just ddos entry guards until the hidden service drops out and you know which one to compromise
untz: then issue a warrant to the ISP and get root on the entry guard
untz
yea
but then I will get heads up
thorazine
probably not if they only ddos it for long enough to notice the HS responding slowly
and you've got like a minute or two to choose a new entry guard once they serve a warrant, because it doesn't take very long to compromise a server when you have physical access to it
cacahuatl
assuming the ISP doesn't log
thorazine
hell they don't even need to compromise the entry guard
once they know which one it is, just force the isp to log all incoming connections
then ddos the connection sources one by one until the HS lags again
if you're worried about entry guard security you might be better off just switching entry guards at random every 10 minutes
untz
well i can tell you there is some vpn relays out there
gl to force them to log
thorazine
vpn relay run in a country that does not have a mutual legal assistance treaty?
cacahuatl
Yeah, was it EarthVPN said they didn't log? And they didn't, but their upstream ISP did and someone went to jail.
thorazine
anyway using a single trusted entry guard sounds like it would make de-anonymization easier, not harder
untz
explain
thorazine
and vpn is only helpful if you trust that the vpn provider (and everyone upstream of them) doesn't log
cacahuatl
A better choice is to not widely publish your onion address and/or use authentication.
thorazine
untz: ddos relays one by one until the hidden service lags
eventually you'll find the entry guard that way
untz
I dont know about earthvpn and how they handle their servers
thorazine
once you know which entry guard to watch de-anonymization is just a matter of ddosing every tor client that uses it until the hs lags again
if you pick random entry guards, and switch entry guards frequently, the window for them to go from ddosing the guard to ddosing the clients is much shorter
generally it takes more than 10 minutes to issue and serve a warrant
and anyway, vpn only helps if (1) the vpn host's country does not have a mutual legal assistance treaty, and (2) nobody upstream of the vpn provider has one either
so maybe if your vpn was based in north korea or something you might get some benefit
cacahuatl
Yeah because traffic into and out of NK isn't a bottleneck that's occupied by intel agencies :P
thorazine
maybe a vpn in iran or something
who knows
untz
cacahuatl: thorazine https://pastie.se/c28bc278
thorazine
de-anonymization is a much harder problem than "tack on a few more layers"
untz: your ISP knows the address of the VPN's entry point
untz
dont make fun of me because the english
yes