
Re: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes




nusenu wrote:
>> On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
>>>> Almost all of them were younger than one month and they seem
>>>> to have joined the network in small batches.  I uploaded
>>>> Onionoo's JSON-formatted relay descriptors, so everybody can
>>>> have a look:
>>>> <http://www.nymity.ch/badexit/bad_descriptors_2015-04-23.zip>
>>>
>>> I compared your list (71 FPs) with my list (55 FPs) from
>>> 2015-04-05 [1], we have an overlap of (only) 30 relays. An
>>> overlap of around ~50 would be better.
> 
>> Yes, I remember your list.  Thanks a lot for sharing it, it's 
>> really helpful!
> 
>> The relays that are in your, but not in my list indeed look
>> quite similar to the rest.  They don't have a BadExit flag
>> because nobody has caught them doing something nasty yet.
> 
> So you do not think that they are controlled by the same 
> (malicious) entity? (even though some declare their MyFamily 
> accordingly*)

This makes for an interesting counter-example: if the MyFamily
declaration were used as a reason for setting BadExit on related exits, a
malicious adversary could set their MyFamily to the same as a good
exit cluster, and then intentionally behave badly, in order to get the
good cluster flagged as BadExit.

My point is, the MyFamily declaration is completely unauthenticated,
and cannot be relied upon for anything more than providing contact
information. There is a newer iteration being discussed that would
prevent relays from joining families without permission, but then a
malicious exit provider would have even less motivation to set it up.

str4d

> 
> Or is the requirement to flag them as badexit to catch them red 
> handed?
> 
> The case that one took over legit relays is unlikely since many are
> rather 'fresh' ones.
> 
> Or: Are they still on the network so we can see what they are 
> after? ;) (rather hard given the amount of potential targets)
> 
> Did you (or anyone else?) try to reach out to them via their 
> ISP(s)?
> 
> 
> *) Why would a malicious entity start to declare a MyFamily at all?
> I guess due to my email from
> https://lists.torproject.org/pipermail/tor-talk/2015-April/037384.html
> and it does not actually hurt their malicious activities because
> the little groups are in the same /16 anyway. (They do not put all
> their relays in a family)
> 
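An added example (mine, not code from this thread or from Tor itself) of the check a defender wants before letting a MyFamily line influence anything: Tor only honours a family link when both relays list each other, so the one-sided claim in str4d's counter-example never attaches the malicious exit to the honest cluster. The relay records, fingerprints and helper names below are constructed for illustration.

```python
# Added example: models the mutual-declaration rule for MyFamily.  A claim
# A->B only takes effect when B also lists A; a one-sided claim is kept as
# "alleged" so operators can inspect it, but it never groups the two relays.
# All fingerprints and relays here are constructed placeholders.
from dataclasses import dataclass


@dataclass
class Relay:
    fingerprint: str
    my_family: frozenset  # fingerprints this relay lists in its MyFamily line


def split_family_claims(relays):
    """Return (effective, alleged): effective[fp] holds mutually confirmed
    family members, alleged[fp] holds unreciprocated claims (not trusted)."""
    by_fp = {r.fingerprint: r for r in relays}
    effective, alleged = {}, {}
    for r in relays:
        eff, alg = set(), set()
        for other_fp in r.my_family:
            other = by_fp.get(other_fp)
            if other is not None and r.fingerprint in other.my_family:
                eff.add(other_fp)
            else:
                alg.add(other_fp)  # unreciprocated, or relay not in the set
        effective[r.fingerprint], alleged[r.fingerprint] = eff, alg
    return effective, alleged


def badexit_blast_radius(bad_fp, family_map):
    """Relays a 'flag the whole family' policy would also hit, following
    only the links in family_map (transitive closure, bad_fp excluded)."""
    seen, todo = set(), [bad_fp]
    while todo:
        fp = todo.pop()
        if fp in seen:
            continue
        seen.add(fp)
        todo.extend(family_map.get(fp, ()))
    return seen - {bad_fp}


# Constructed scenario from the counter-example above: two honest exits
# declare each other; a malicious exit claims both, neither claims it back.
GOOD_A, GOOD_B, EVIL = "GOODA" * 8, "GOODB" * 8, "EVIL0" * 8
SAMPLE = [
    Relay(GOOD_A, frozenset({GOOD_B})),
    Relay(GOOD_B, frozenset({GOOD_A})),
    Relay(EVIL, frozenset({GOOD_A, GOOD_B})),
]
EFFECTIVE, ALLEGED = split_family_claims(SAMPLE)
```

Passing the raw declared lists to `badexit_blast_radius` instead of `EFFECTIVE` shows the difference: the naive map lets the malicious relay drag both honest exits into the flag, the mutual map hits nobody.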
-- 
tor-talk mailing list - tor-talk@lists.torproject.org