LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-02-2011, 11:48 AM   #16
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58

Quote:
Originally Posted by Quantumstate
- VPN to router, most routers do not have VPN functionality, only the business-class like ProSafe.
I guess that is sort of true. All of the routers have the capability, it just isn't in the provided firmware. I've always updated my router's firmware to openwrt or dd-wrt, which both always have support for vpn, so I've never really had that issue.
 
Old 06-02-2011, 12:49 PM   #17
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Where to "safely" discuss how to operate a Tor node "safely": hints

Quote:
Originally Posted by Noway2
Peufelon, if you have any question regarding whether or not the content you would like to post is objectionable under rule 13, you could run it by a moderator and ask for suggestions on how to sufficiently sanitize it.
Would if I could, but I can't. Either LQ has no PM facility or it has not been enabled for my account.

A bit of clarification might be necessary: in the context of webforums, IMO, a PM is not an email sent to some mail server external to the forum server, but an internal "private message" visible, in theory, only to forum admins and/or moderators, sender, and recipient. And in practice, to anyone who snags unencrypted packets in transit to/from the browser of sender/recipient and the forum server. There are also some specific problems related to using Tor to participate in bulletin board discussions, leading to serious risks which some choose to accept as the lesser of several evils. Clarification of these points is apparently not possible at LQ, but IMO it is important to keep them in mind when participating in web forums like LQ.

In what follows, IMO, I am only elaborating on some hints Unspawn himself threw out, so I hope he and other moderators will not over-react.

Quote:
Originally Posted by Quantumstate
The overarching question is how to run a relay (in fact any daemon) securely.
IMO these should be separate discussions, because, to say the least, Tor is not just any daemon.

As Unspawn hinted in #14, one of the ways in which Tor is different is that some of the issues which arise are not technological, and these apparently cannot be discussed at LQ.

If you want to run a Tor relay, IMO that is laudable, but I urge you to read documentation/advice specific to running Tor nodes which is available at the Tor Project and the EFF. The Tor documentation/advice available at these two sites is extensive. (The Tor Project has close ties to the EFF.) I would offer links, but it seems that this might not be possible at LQ. However you should be able to find them yourself.

If you have concerns about specific potential technical vulnerabilities in Tor, these apparently cannot be discussed at LQ, but you can post a question to the Seul mailing list. These resources are not exhaustive but they should cover the basics.

Quote:
Originally Posted by Noway2
The site forums.debian.net has no such rule.
I hope you will suffer no ill consequences for saying that out loud!

Different forums have different forum rules, presumably because they have historically experienced different kinds of suspected or actual abuses.

Quote:
Originally Posted by Quantumstate
I should think that with the much larger audience here there would be depth of knowledge in this question, but so far no.
I think LQ can be a good venue for novice sysadmins seeking help on computer forensics after a suspected intrusion, but LQ is probably a poor venue for speculative discussions along the lines of "how can this scheme be broken?".

I hope I will suffer no ill consequences for saying that out loud.

Quote:
Originally Posted by Noway2
I believe what he is trying to say is the topic gets into territory that is prohibited by the 13th LQ bulletized rule:
And I hope I will suffer no ill consequences for hinting that LQ is not an appropriate forum for discussions of operating Tor nodes. Particularly since I recognize that LQ may have had past experiences I know nothing about which led to rules which appear to some to be incompatible with broad-ranging security-related discussions.

Quote:
Originally Posted by Quantumstate
I am surprised and disappointed at how frightened everyone here is of the rules without understanding what this is all about.
Unspawn himself hinted that you should seek out and study the excellent Tor documentation/advice offered at the Tor Project and EFF websites, and I agree with that advice. I think you will better understand why some of us are a bit surprised that you are surprised to learn that Tor is a particularly inflammatory subject in some circles. I don't think you can ask why at LQ, but you can... read a newspaper.

Quote:
Originally Posted by Unspawn
Since the OP doesn't contain questions about circumventing (network) access restrictions, penetration testing, cracking or warez peddling so far there is no LQ Rule violation, period.
Unfortunately, this list does not exhaust the kinds of information which have drawn very strong negative reaction from LQ moderators in the past. Historically, links to websites like EFF which offer (good) information on extra-technological considerations related to running Tor nodes, and discussions of specific vulnerabilities in operating Tor nodes and how to avoid them, have proven inflammatory at LQ.

I would have put that in a PM to Unspawn, but it seems that I can't, so I beg the indulgence of the moderators. Again, I am not criticizing the LQ rules (I don't come here often enough to feel that I can appreciate why they read the way they do), I am just trying to get a stubborn user to understand that LQ is probably not a suitable forum for discussing the operation of a Tor node. It could be a suitable forum for discussing how to operate less inflammatory daemons safely, however.

Quote:
Originally Posted by Quantumstate
Really. So the suggestion is either
Neither. I think we will need to carry on an encrypted discussion in some other venue if you wish to understand better what safety concerns I have regarding your projected scheme for running a Tor relay. This is a very complex subject with many aspects which newbies are unlikely to have considered.

Quote:
Originally Posted by nomb
I haven't heard of anyone seeing any unwanted activity from running a TOR relay that wasn't an end node.
IMO, this comment could be misleading because it overlooks some not entirely technological points which are important for anyone planning to run a Tor relay from his place of business. I don't think I can be more specific at LQ, but a perceptive reader of the Tor related pages at EFF who is aware of the many tor node listings should be able to figure out what I have in mind.

Again, Tor is not just any daemon, and discussions of certain considerations (both technological and non-technological) which are crucial to running a Tor node "safely" have historically not been permitted at LQ, so I hope the moderators will not fire any Hellfire missiles at the suspected geolocation of LQ users who suggest that discussions of Tor are best carried on in other forums. There are several other forums which permit discussions of issues related to running a Tor node "safely". It seems to me that it is legitimate to suggest in LQ that for his own safety an LQ user should seek advice in forums better suited for obtaining good information about a topic which apparently cannot be discussed at LQ.

@moderators:

I am trying to prevent an LQ user from self-harm, and also trying to stay well within the LQ rules, so please show mercy. If you don't like this post, just delete it, OK? (Again, I'd put that in a PM, but I can't.)

Last edited by Peufelon; 06-02-2011 at 01:19 PM.
 
Old 06-02-2011, 01:18 PM   #18
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Quote:
Originally Posted by Peufelon
IMO, this comment could be misleading
It is easy to take anyone's comments and make them look misleading when you neglect to post the full comment. There are plenty of opportunities even in your comments to do so. The full comment was:

Quote:
I haven't heard of anyone seeing any unwanted activity from running a TOR relay that wasn't an end node. That doesn't mean it can't happen but just that it hasn't surfaced yet.
This comment does two things: 1) it reflects on my personal experiences and the experiences of those around me who are very security oriented, who watch their boxes very closely and who use tor on a regular basis, and simply states that we have not seen any unwanted activity from running a tor relay that wasn't an end node; and 2) it cautions that, like all other aspects of security, just because it hasn't happened yet doesn't mean it can't.
 
Old 06-02-2011, 01:26 PM   #19
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
@nomb:

No offense was intended. You are putting me in a difficult position here. My objection was not to what you actually wrote, but that your comment doesn't take into account certain considerations which are not purely technological. It seems that I can't be more specific at LQ.

@moderators:

I don't want to be accused of hijacking the thread. If I could offer a suggestion, it might help to segregate the question "how do I operate a Tor relay safely?", which appears to be problematic at LQ, from the question "is this scheme suitable for running generic daemons safely in a virtualized environment?".

Please don't over-react. I feel caught between trying to correct well-intentioned but arguably dangerous advice being offered to an LQ user, and staying well within the LQ rules. No offense intended to anyone.

Last edited by Peufelon; 06-02-2011 at 01:32 PM.
 
Old 06-02-2011, 03:47 PM   #20
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Peufelon, while I can't speak for unSpawn and Win32sux, I believe that I can offer some guidance. I think it is apparent that the intent behind the rule is to prevent LQ from getting the reputation of being a site where one can learn techniques that can be used to harm someone else's system. In practice, navigating this can be a little bit tricky, but it comes down to intent and purpose as well as content. In other words, how you say something matters as much as what you are saying. To point out and discuss specifics of a vulnerability, a past experience, or even better, how to defend against it, is far different than saying this is how you exploit something. The fact is, the knowledge of how to exploit is out there and pretending that it isn't by not discussing important subjects is not going to change that. As long as you keep your post factual and along the lines of "this is the perceived vulnerability - and this is how to combat it, or I would like to know if it is real and what can be done about it", I think that you will avoid incurring the wrath of the moderators.

I will also re-iterate that Tor, like most applications and tools, has legitimate uses as well as illegitimate ones. As I alluded to in my previous post, due to the needs of a business, my internet traffic is directly identifiable to me, by name, at my physical house address. While this doesn't bother me 99% of the time, there are times I would like to turn this feature off. Just because I desired privacy on an issue does not mean it is for illegal purposes. The "if you have nothing to hide" argument doesn't hold water. For example, if I were to search for information on a medical condition, I don't want to worry that I will start receiving advertisements in the mail for treatment for said condition. Let me give you another example: a friend asked me to make an anonymous post on a funeral guest list on his behalf. I don't care or know why, but Tor allowed me to make such a post in a manner that the recipient cannot tell from whom it originated, nor could they guess by looking at their Apache logs.

If you have specific thoughts, concerns, objections, worries, or whatever regarding Tor, please state them in as objective a manner as you can. If they are problematic, the moderators will moderate them and I expect that they will explain why and in rational terms. This discussion in vague and veiled nuances, though, is giving me a headache.
 
Old 06-03-2011, 12:01 PM   #21
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Agree, this discussion in vague and veiled nuances is giving me a headache too. Let's get this back on track.

After exploration of my original question (how to run a relay securely) in several venues and after much research, I propose a 'best practice' for running a Tor exit relay.
- Set up a virtual machine in VirtualBox and install Debian SELinux as guest OS.
- Set up and configure Shorewall on guest and host for iptables firewalling.
- Rather than bridging to the LAN (which would allow layer 2 attacks), set up a Host-Only interface for the guest and masquerade/NAT that to the outside using Shorewall. Also using Shorewall aim that NAT only at the router's IP so no other participants in the LAN can be probed.

This should be secure enough for all but State attacks, I say. Observations/improvements welcomed.
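The scheme in the three bullets above, written out in Shorewall 4 file syntax as an added illustration (this is not Quantumstate's configuration). One point worth making explicit: the guest's packets are addressed to remote Internet hosts and merely routed via the router, so what keeps the other LAN participants unprobed is a DROP rule for the LAN subnet placed ahead of the ACCEPT to the Internet, not the masquerade target. Assumed placeholders: host uplink eth0 on LAN 192.168.1.0/24 with the router at 192.168.1.1, VirtualBox host-only interface vboxnet0 on 192.168.56.0/24 with the guest at 192.168.56.10, and Tor's default ORPort 9001.

```text
# /etc/shorewall/shorewall.conf  (only the setting that matters here)
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
vbox    ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
vbox    vboxnet0    detect      tcpflags,routefilter,nosmurfs

# /etc/shorewall/policy  (log level "info": dropped packets show up in dmesg/syslog)
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
vbox    net     DROP    info
vbox    fw      DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (guest traffic leaves eth0 carrying the host's address)
#INTERFACE  SOURCE
eth0        192.168.56.0/24

# /etc/shorewall/rules  (evaluated top to bottom; the policy applies only to what no rule matched)
#ACTION     SOURCE  DEST                    PROTO   DEST PORT(S)
# Assumed: the router is the guest's DNS resolver; it is the only LAN address the guest may reach.
ACCEPT      vbox    net:192.168.1.1         udp     53
ACCEPT      vbox    net:192.168.1.1         tcp     53
# Everything else on the LAN is unreachable from the guest (and logged), so nothing there can be probed.
DROP:info   vbox    net:192.168.1.0/24
# Destinations beyond the LAN, i.e. the Internet routed via 192.168.1.1, are allowed out.
ACCEPT      vbox    net
# Relay connections the router forwards to the host are passed on to the guest's ORPort (assumed 9001).
DNAT        net     vbox:192.168.56.10      tcp     9001
```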
 
Old 06-03-2011, 02:32 PM   #22
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Just to add to the list of things to consider when running a TOR exit node: the EFF had a list of recommendations that anyone considering running an exit node should consider. The fact is that if you run an exit node, at some point someone will use it for illegal purposes, and there is a good chance that at some point you will receive a complaint about such activity. One of the top suggestions on that list was to not run the exit node from your home network. Instead you should run it from a hosted provider only. The reason being that if law enforcement does take action on the complaint they may try to seize the hardware in question, and it would be better that this not be at your residence. The other suggestions included things like: use this node only for TOR activity, don't use it for your personal work. Inform the ISP that you are running this as a TOR node, have the DNS records show you, rather than the ISP, as the responsible party so that any complaints are sent to your attention, not the ISP, and put a disclaimer on the system's web site saying that this is a dedicated TOR node.
 
Old 06-03-2011, 03:25 PM   #23
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Strategy before tactics

@Noway2:

Thanks for your offer of moral support, but I've been down this path before and have no desire to repeat the experience by attempting to provide links or to discuss specific issues in detail.

@Quantumstate:

Glad to see my delphic warnings have not deterred you from operating a Tor relay, and even happier to see from your other thread that you are reading what the EFF has to say!

The only thing I would add to what I said earlier is this (I'll leave it to you to fill in the blanks):

Don't underestimate either the prospect of encountering the most sophisticated state-sponsored stealth attacks or your ability to defeat even the most inimical state actors.

I don't feel that "ordinary malware" is the main issue when it comes to operating a Tor node. Whether or not you are inclined to view using privacy-enhancing software such as Tor or personal cryptography as engaging in a global military struggle, the world's leading powers have recently thrown out some strong hints that they are inclined to view it that way. This certainly puts a new twist upon the old concept of "strategic bombing" explicitly targeting civilians wherever they may be found. Repressive governments whose strategic national interests are otherwise widely divergent have expressed a common interest in crushing Tor, but they also suffer from a common inherent strategic weakness. Bearing this in mind, I suggest that you define your strategy before you plan your tactics.

It will be known that you are operating a Tor relay, and from my reading of the tea leaves, I believe there is good reason to expect that aggressive action against the Tor network by state sponsored actors operating on behalf of a number of repressive governments is imminent. So I recommend a more wary approach to designing, building, and operating both a dedicated and maximally hardened Tor relay and also, if possible, a dedicated robust IDS capable of detecting stealth attacks. Both under your physical control, but if possible on a separate LAN.

The prospective attackers are sophisticated and mighty, but they also confront a crippling strategic dilemma which you can leverage to deter them from using their latest weapons against your relay, which forces them to confront a second strategic dilemma. As I would put it: in the global struggle between repressive governments and private citizens, might is on their side, but right is on ours, and by maneuvering them into dropping the mask of benevolence and revealing their true nature to the watching world, we can perhaps defeat their ambition of global repression of any viewpoint which diverges from the party line.

Last edited by Peufelon; 06-03-2011 at 03:46 PM.
 
Old 06-03-2011, 03:43 PM   #24
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Peufelon, I've seen some fear about operating an exit relay. In fact recently an exit node was confiscated by the police in Austria, as apparently someone downloaded some kind of porn. (you know the kind) But numerous people came to this person's defense (including the EFF), and it turns out that rather than providing every website he visited and every email he sent, all he had to do is provide a sworn statement that he was running a Tor exit node from {date} to {date} with {IP} registered with the Tor network as {node}. The more data you provide, the more screwed you are, as prosecutors love data. There have been several instances over the past couple of years where police have arrived to ask questions or take equipment, and none has resulted in any legal action when a Tor node is in question.

I doubt that any state authority is plotting to kill Tor nodes, as they know that would cause an explosion of new ones. Distributed is beautiful. And I have it from several long-time exit node operators that they have never been subject to a cracking attack, even though they take few precautions. On the Tor list I discovered that my explorations of security had never occurred to any who responded. This to me is reassuring.

Noway, setting up a co-lo specifically for Tor is a non-starter for most. I'm just happy that there are as many relays as there are. I believe that I have determined a good and secure solution, although this has nothing to do with the setup I intend to implement, as my situation is unusual. I have a NanoBridge reaching across the lake to a friend's router, so I'll be setting up Tor on the NanoBridge and port-forwarding it securely through his router. (with permission)
 
Old 06-03-2011, 03:47 PM   #25
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
You allude to what I think is one of the absolute marvels of modern, "public key" type encryption. By putting the encryption magic in the hands of the end users and not in the application or in the algorithm, there is no magic back door. By making the applications open source, public domain, there is no corporation or group of individuals to leverage. The same can't even be said about web page SSL, which uses third party verification.

edit:
Quote:
Noway setting up a co-lo specifically for Tor is a non-starter for most
I agree. It would be a major expense. Perhaps if I won the lottery I might feel generous enough to do so, but otherwise forget it. It was, however, one of the top suggestions by the EFF to avoid equipment confiscation.

Last edited by Noway2; 06-03-2011 at 03:50 PM. Reason: follow up
 
Old 06-03-2011, 04:13 PM   #26
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
My strategic analysis suggests that the greater the variety of technical approaches which private citizens use in building "secure" Tor nodes, the better. This potential variety is another strategic advantage enjoyed by the common man (or at least, the technogeek subspecies).

Quote:
Originally Posted by Noway2
suggestions by the EFF to avoid equipment confiscation
The credible fear that repressive governments will seize the equipment of persons residing in territory under their control would appear to be a weakness. Which suggests devising a strategy which turns apparent weaknesses into strengths. Even repressive governments often have laws on the books which in principle can restrain their powers of mass arrest. If they can be shown to violate their own laws, they look bad.

Quote:
Originally Posted by Quantumstate
And I have it from several long-time exit node operators that they have never been subject to a cracking attack, even though they take few precautions.
Few precautions? The really important question is: how capable is their IDS of detecting the most sophisticated stealth attacks?

Or are you referring to unsophisticated and easily detected attacks?

Quote:
Originally Posted by Quantumstate
On the Tor list I discovered that my explorations of security had never occurred to any who responded. This to me is reassuring.
Until you remember the concept of a self-selected subpopulation!

Quote:
Originally Posted by Noway2
The same can't even be said about web page SSL, which uses third party verification.
Agreed, the bad guys enjoy an advantage here. Which does not contradict my support for an important EFF initiative which I hope LQ will heed, say no more, say no more.
Code:
https://www.httpsnow.org/
Quote:
Originally Posted by Noway2
modern, "public key" type encryption
Use it or lose it. (See a current and still murky proposal by the US DOJ which would apparently force American ISPs to implement and insert backdoors into personal cryptography. Urge your ISP, local journalists, local government to offer public keys for secure communication with customers/sources/constituencies. The more people use strong personal cryptography, the harder it will be for the security services to claim that there will be no significant negative consequences of banning it.)

Last edited by Peufelon; 06-03-2011 at 04:45 PM.
 
Old 06-04-2011, 06:12 AM   #27
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
This thread is starting to go off the original topic, but is still in the realm of computer security. It would be better, however, to turn it back towards technical aspects and things that we, as individuals can do, to operate our systems safely and securely.

Peufelon, if you haven't read it yet, you might find this quite interesting: http://www.schneier.com/blog/archive..._report_t.html. Specifically, look at the May 9th entry titled Status Report: The Dishonest Minority. This blog is relevant to the discussion in multiple ways. Quoting a small portion from the blog:
Quote:
As a result, the species simultaneously evolves two things: 1) security systems to protect itself from this dishonest minority, and 2) deception systems to successfully be parasitic. ... snip ... two of these systems evolved in prehistory: morals and reputation. Two others evolved as our social groups became larger and more formal: laws and technical security systems.
The above blog is theoretical, but directly affects our needs and desires in terms of computer security. In essence, we are using technical systems such as encryption, and IDS programs, to defend against the "parasitic minority" as well as the corrupt majority. The function of programs like TOR is to allow us to throw off the trace of our online activity. In essence, it allows us all to put on a Guy Fawkes mask. I do think this is important and there will come a day when it is necessary. In my opinion it is a modern equivalent to the 2nd amendment of the US constitution, which I am certain was an attempt to build a reset switch into the system. Undoubtedly, when (not if) the next reset happens, it will start digitally and spread across the Internet. Whether this trace was built into current networking by design or not is a question. Regardless, organizations of all sorts have decided that they can and are willing to make use of this information, and as a consequence it is up to us to determine if we are willing to allow this to happen and to weigh the risks of alternatives. This is a much bigger concern to me than the government: simple greed on the part of businesses that also lack morality and will use any and all information in the pursuit of money.

I for one, am not terribly concerned about reprisal from repressive governments. Nor am I particularly concerned that my actions are going to cause the authorities to show up on my doorstep. I would be more concerned about this if I were to run something like a TOR exit node. Unfortunately, the legal system in most countries, including the USA, has failed miserably at keeping up with technology. This is not surprising since these systems were designed to be slow and inefficient in essence to limit the power of an absolute monarch. I do believe in taking reasonable precautions, so I do run an IDS on my computer systems. I am aware of the "general hum" of the system and if there is a change in the patterns and characteristics, where something "feels" wrong, these systems give me an early, but often accurate warning. Again, I do not equate such situations with "attack" by a repressive organization. There is usually a much more mundane cause, though I do investigate them.

I also don't believe that the answer is to run encryption, or https, on everything, or to use services like TOR for all of my traffic. I do think it is a good idea for everyone to use them at least periodically. To use a less than original example that I read: if everyone sent the mail on post cards and you put yours in an envelope, yours stands out. Also, I have been around the Internet long enough to remember the days of export restriction on "high grade" encryption. I think the reason for these restrictions is obvious, but about as futile as gun control laws. In the end, organizations outside of the USA developed "high grade" encryption and made it available to the entire world. We are becoming a global society, which is both a good thing and inevitable and we are seeing some parts of the world starting to catch up.

As I said, one of the real advantages in public key encryption is that there is no built in back door. However, not all that long ago, I worked with a guy who told me the following: he has a friend who works for a certain agency that I will not name. This friend claimed that he could decrypt a secure connection and asked my former co-worker to log into his bank account, which he did. After the co-worker logged out, his friend showed him a screen of his banking information: he had in fact intercepted the traffic and decoded it. The effort was pulled off with a simple laptop PC, not a super computer running cracking algorithms to break a 4096 bit RSA key. He wouldn't say how, but I suspect a form of mitm using a "back door" / counterfeit certificate. In my mind, https is only secure against the "common" criminal and the already honest and, as I said, the 3rd party verification is a weakness, as is an agency like a bank. I have more confidence, though not 100%, in public key encryption where you generate the keys; or should I say I have more faith in the cryptographers and mathematicians whose analysis says that with today's processing capability it would on average take X computing years to decipher encrypted code.

As far as use it or lose it goes: I think even if PKI were to be "banned" it would still be used and I for one would still use it.

Last edited by Noway2; 06-04-2011 at 06:13 AM. Reason: addendum:
 
Old 06-04-2011, 07:09 AM   #28
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Well said Noway. The only thing I disagree with is:
Quote:
Originally Posted by Noway2
I also don't believe that the answer is to run encryption, or https, on everything,
I think that encryption should be run on everything. It's none of anybody's business except the parties involved. If I stand out by blocking ports 25/110 and only ever using 465/995 and occasionally gpg, so be it. Everyone should. BTW if you use secure mail, do not use TLS, as it leaks certain header information in the clear. Use SSL for mail.

Quote:
Originally Posted by Noway2
I suspect a form of mitm using a "back door" / counterfeit .
Agree that it was a man-in-the-middle.

Which IDS do you use? I've tried to set these up before, and they were never mature enough to actually work without a lot of troubleshooting stupid things. Right now I run only Snort.
 
Old 06-04-2011, 07:33 AM   #29
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
As far as using SSL goes, I think there are some things where it isn't necessary. This forum, for example, where what you say and what you read are already freely available. Granted, it is nobody else's business where I go, but if I frequently post to this forum, it is pretty obvious. For most personal stuff, and regular email correspondence, yes. In fact I wish it would become more popular, but I think the installation curve and inconvenience factors curb this. For example, I get my email on my Blackberry, which encryption is a bit of a problem on. PGP offers it for big business but it is cost prohibitive for the individual. I have been considering trying Atomichelix ($50 USD / year), but I haven't been inconvenienced enough to do so. Instead, I just pop the USB key in a PC, mount the encrypted volume with my private keys with Truecrypt, and decode the message. I think Hushmail offers something, but I haven't looked at it seriously.

When you say TLS leaks certain header information, is this perchance related to the SNI - server name indication? Actually, I do use TLS for my primary mail (Postfix + Dovecot), which supports TLS over standard ports. I am not sure whether or not it supports SSL, do you know?

If the scenario I outlined was in fact a man-in-the-middle, this means that at least the big US banks have either been compromised or complicit (more likely) in giving Uncle Sam the keys to your account information. No surprise there, but the difference being that they can access information without due legal process. And to think the "Patriot" Act was just renewed with great fanfare and support. Kind of makes you wonder why every so often you get weird certificate warnings with them, eh? This is the same bank that keeps nagging me to give them my email address to send me "alerts". Never mind the fact that recently they had to eat a lot of crow because this system had been hijacked for phishing (reference). I refused to give them an email unless they guaranteed that all communication would be via PGP/GPG email. They simply acknowledged my position and re-iterated, please give us your email address. The answer is no.

As far as IDS goes, I use snort. I use a Cisco Catalyst switch set up with a span port to mirror all my traffic. I then monitor it with a ghost NIC (not configured) on one of the machines. Snort is a little resource hungry, but I have been able to run a fairly high number of rules on it without dropping packets. I also use OSSEC to monitor the status of the servers. I really like the fact that it alerts me, usually within seconds, of any changes as well as of unusual activity like a high number of warnings in the log files.
 
Old 06-04-2011, 07:59 AM   #30
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
If you're using TLS rather than SSL, even though the majority of your connection is encrypted, the welcome banner and your initial HELO are transmitted in the clear. Most mailservers support SSL on the two ports I enumerated, and I always block the standard ports as rootkits like to send their mail through standard ports. I block every port in and out that I don't absolutely need with the wonderful Shorewall. If you set all failure levels to INFO, block actions show up in dmesg.

Yahoo is about to kick me because in a couple weeks they will no longer allow my browser of choice. (Konqueror) So I did a good bit of research and chose FastMail.fm for my throwaway email, as it's what Julian Assange uses.

Quote:
Originally Posted by Noway2 View Post
The answer is no.
{hehe} I do them even worse; I give them a fake one like billg@aol.com, and of course always, always a fake phone number. It's their own fault for selling to telemarketeers. Of course when there's an account problem they have to write me a letter, but it's worth it to me. Done this for years.

As far as IDS I tried to use LIDS and some other academic one that starts with a 'T', but when they are pretty busted at the beginning it portends nothing but headaches. Besides, I'm under layers of routers and bridges; I'd really need to put an IDS on my NanoBridge to get the real picture. OSSEC looks interesting. For Snort you just have to disable COMMUNITY SIP TCP/IP (/etc/snort/rules/community-sip.rules); useless.

Last edited by Quantumstate; 06-04-2011 at 08:06 AM.
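Two points in the posts above lend themselves to a worked example: Quantumstate's note that Shorewall block actions show up in dmesg when the log level is set to INFO, and Noway2's remark that what he values in OSSEC is an alert when a log file suddenly fills with warnings. The script below is an added example, not code from either poster, from Shorewall or from OSSEC. It parses kernel netfilter log lines carrying Shorewall's default "Shorewall:chain:action:" prefix, summarises them, and raises a simple threshold alert when one local source repeatedly tries to reach a blocked outbound mail port, which is the symptom Quantumstate's port blocking is meant to expose (a rootkit or spam bot trying to send through the standard ports). The sample lines are constructed for the example; the watched ports (25 and 587) and the threshold of three attempts are assumptions to tune for your own policy.

```python
import re
from collections import Counter

# Constructed sample dmesg output. Format follows the kernel's netfilter LOG
# target with Shorewall's default LOGFORMAT ("Shorewall:<chain>:<action>:").
# Addresses are from documentation ranges; nothing here is real traffic.
SAMPLE_DMESG = """\
[ 1021.441201] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41224 DF PROTO=TCP SPT=51322 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1021.902117] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41225 DF PROTO=TCP SPT=51323 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1022.118330] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41226 DF PROTO=TCP SPT=51324 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1030.005512] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:ab:cd:ef:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44011 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[ 1031.771004] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41300 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
"""

# Shorewall prefix: chain name, then the action (DROP/REJECT/ACCEPT...), then
# the space-separated KEY=VALUE fields written by the kernel LOG target.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>.*)")
# Bare flags such as DF or SYN carry no '=', so they are simply not captured.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumed policy for the example: these are the outbound mail ports the
# firewall blocks, so any hit on them from a local host is worth a look.
WATCHED_MAIL_PORTS = (25, 587)


def parse_line(line):
    """Turn one dmesg line into a dict, or None if it is not a Shorewall log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        # An empty OUT= means the packet was inbound to this host.
        "out": fields.get("OUT") or None,
    }


def summarize(lines):
    """Count blocked events by (chain, action, proto, dpt) for a quick overview."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in ("DROP", "REJECT"):
            continue
        counts[(ev["chain"], ev["action"], ev["proto"], ev["dpt"])] += 1
    return counts


def outbound_mail_alerts(lines, threshold=3, ports=WATCHED_MAIL_PORTS):
    """Return {src: attempts} for local hosts that hit a blocked mail port
    at least `threshold` times. Repeated outbound SMTP attempts from a host
    that has no business sending mail is the signal worth alerting on."""
    attempts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in ("DROP", "REJECT"):
            continue
        if ev["out"] and ev["proto"] == "TCP" and ev["dpt"] in ports:
            attempts[ev["src"]] += 1
    return {src: n for src, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_DMESG.splitlines()
    for key, n in sorted(summarize(lines).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  chain={key[0]} action={key[1]} proto={key[2]} dpt={key[3]}")
    for src, n in outbound_mail_alerts(lines).items():
        print(f"ALERT: {src} made {n} blocked outbound mail attempts")
```

On a live system you would feed it `dmesg` or `journalctl -k` output instead of the constructed sample; the parser only depends on the Shorewall prefix and the kernel's KEY=VALUE fields, so lines from other logging chains are counted in the summary as well. The threshold alert deliberately ignores inbound drops (empty OUT=), since unsolicited inbound noise is expected and is not what the outbound port block is there to catch.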
 
  

