Tor Project Pilots Exit Nodes In Libraries

An anonymous reader writes: The Tor Project has announced a new initiative to open exit relays in public libraries. "This is an idea whose time has come; libraries are our most democratic public spaces, protecting our intellectual freedom, privacy, and unfettered access to information, and Tor Project creates software that allows all people to have these rights on the internet." They point out that this is both an excellent way to educate people on the value of private internet browsing while also being a practical way to expand the Tor network. A test for this initiative is underway at the Kilton Library in Lebanon, New Hampshire, which already has a computing environment full of GNU/Linux machines.

Library Filters

[EmperorArthur]

Here in the US any library that deals with children must have mandatory filtering software installed. Given the typical puritanical attitude, quite a few public libraries also have filters.

https://en.wikipedia.org/wiki/...

Re:Library Filters

[roninmagus]

Wow, that's news to me. When I worked IT for a local government which managed the public libraries, we were barred from filtering anything. We had to install polarizing screen covers and put computers in weird places for all the pervs. Granted, this was 13 years ago.

Re:Library Filters

That only applies if you take certain federal funds AND only on the computer that children use AND only during the time they use it.

Re:Library Filters

[Bing+Tsher+E]

I found I couldn't download a component of the Android SDK in our local public library on their wifi. Not on a library machine, it was my laptop. The URL linked from within Eclipse raised a flag with something in the filter at the library. It was rather shocking.

Re:Library Filters

I work in IT for a large library system in the US. We routinely turn down federal funding in order to avoid the CIPA filtering requirements. It varies from state to state, but many other libraries do the same.

Re:Library Filters

No longer true... some states (Kansas) have mandated filtering all machines all the time to keep kids safe. :(

http://kslib.info/427/Kansas-Childrens-Internet-Protection-Act

Newsflash: Libraries get blacklisted

Most admins block TOR exit nodes at the router and many other places because they are the source of many attacks. All this means is that libraries wind up on IP blacklists.

most libraries are run by local government

[ozduo]

how many are willing to risk their benefactor's wrath (federal government) by supplying an anti government spying device?

Re:most libraries are run by local government

They'll probably follow the policy of it's easier to ask forgiveness than permission. And rip out all the Tor stuff the instant someone higher up starts making some noise about it.

Librarians

[manu0601]

It is astonishing how mindset about computing can vary among librarians. On one hand we have the one that set up TOR exit nodes to save our privacy, and on the other hand we have the one that purchase strongly vendor-locked and opaque proprietary library softwares.

Re:Librarians

Free/libre software != privacy. There are very different forces driving these two movements: there just happens to be a lot of overlap since most intelligent and educated people support both, and a lot of the privacy tools are opensource (they kinda need to be).

Re:Librarians

Free/libre software != privacy. There are very different forces driving these two movements

Well, just look at the ideological difference between GPL advocates and BSD.
Asking one of them to use the other license is retarded, it just goes against everything they stand for.
Grouping them together under the same name seems futile.

Why would libraries allow it?

Why would public libraries allow the use of their bandwidth to be exit nodes? Why would the government pay for something beyond the policy behind libraries? Libraries are places for people to read and get information, which they can do with a web browser. An exit node just makes the library a feeder tube to other places.

Re:Why would libraries allow it?

[sjames]

Because primarily, libraries and librarians are about free access to information for the public.

Besides, it's not hard to set it up so the exit node only gets to use otherwise unused bandwidth.

I2p?

Why not i2p nodes https://geti2p.net/en/comparison/tor

CBQ and traffic shaping?

Firewalls can prioritize traffic already. As long as the bandwidth is a flat fee and not per bit, seems pretty harmless. A waste would be to let an underutilized network sit idle.

No-oooo!

[Demonoid-Penguin]

Don't be giving the government yet another reason to cut funding to public libraries.

Re:Newsflash: Libraries get blacklisted

I think that is why the requirements seem to imply that the exit node needs to have its own IP address.

Balance TOR's costs against the benefits.

[dweller_below]

When we set up TOR infrastructure at USU, we looked at the costs and benefits.

There are definite costs to running TOR infrastructure. You have to be aware of them. Some of the costs can be mitigated, but some can't. At the end, you have to be able to show that the benefits outweigh the costs.

First we examined the benefit. We made a clear statement of the benefit. It is:

USU has many researchers and students who deal in sensitive subjects such as Climate Change, Reproductive Issues, Political Systems, Animal Research, etc.. These students and researchers frequently need privacy and security to advance the goals of USU.

Then we discussed the various costs and methods of mitigating the costs. Afterwards, we decided that the costs could be made acceptable, if we were careful.

• Our cost mitigation strategy had several parts:
• 1) We arranged for the TOR infrastructure to have an academic sponsor. The USU CS department agreed to sponsor the TOR project. This gave us an existing structure for providing IT support. And, frankly, TOR is easier to support than some of the other academic projects.
• 2) Most of the direct costs of creating and administering the TOR infrastructure are born by the USU CS department. It really helps that their admin is a diligent and responsible admin. It has been a joy to work with him.
• 3) We have tried to put all the TOR infrastructure on a small CIDR. If people need to block TOR, we try to make it easy for them to block it without effecting other things. That said, if I had to do it again, I think I would continue to have the TOR entry nodes and intermediate relays on a small USU CIDR. I think I would ask USU's ISP (UEN) for a small /28 and hook it up external to USU's normal security perimeter. Then I would put the TOR exit nodes on that external CIDR. This makes it easier to set routing and firewall policy. It also enables entering the TOR switching network internal to USU.
• 4) We examined the TOR traffic and tried to minimize the abusive bits. In our case, we found that most of the TOR web browsing looked non-abusive. However, the majority of the SSH and RDP traffic looked abusive. So, we asked the TOR admin to limit those protocols.
• 5) We clearly documented our TOR setup and use. The TOR nodes have meaningful hostnames. The systems have are well defined roles and responsibilities. We have strongly discouraged the TOR admin from using those systems for anything else.
• 6) We created processes for dealing with the abuse reports.

Here is our standard response to an abuse report against USU's TOR infrastructure:

=BEGIN ABUSE RESPONSE=
The activity that you have reported is being emitted by a TOR exit node:

------------
$ host 129.123.7.6 6.7.123.129.in-addr.arpa domain name pointer tor-exit-node.cs.usu.edu.

$ host 129.123.7.7
7.7.123.129.in-addr.arpa domain name pointer tor-exit-node-2.cs.usu.edu.
------------

This TOR node is a project of USU's CS department. USU has many researchers and students who deal in sensitive subjects such as Climate Change, Reproductive Issues, Political Systems, Animal Research, etc.. These students and researchers frequently need privacy and security to advance the goals of USU.

Almost all TOR traffic is generated by innocent people who are attempting to escape the shadow of a totalitarian government. But, unfortunately, sometimes criminals attempt to use TOR to attack others.

We are in discussion with our TOR admins to try to find ways to limit the attack activity. Of course, this rapidly becomes a sticky issue. If we start inspecting and censoring some of the TOR activity, then we have less of a defense when we get pressure to inspect and block the rest. And, even starting down this path may make us legally liable for ALL the TOR traffic. Our best action may be to keep our hands off and observe strict network neutrality.

We are still pondering our options.

Please accept our apologies in the mean time.

USU IT Security
=END ABUSE RESPONSE=

Re:Balance TOR's costs against the benefits.

[circletimessquare]

this is an interesting, informative, and comprehensive post

mod +6

Re:Balance TOR's costs against the benefits.

[westlake]

Our cost mitigation strategy had several parts

I would replace the work "cost" with "risk."

As in exposure to a hostile legal, political and social environment.

I don't see many public libraries having the resources to implement your plan.

=BEGIN ABUSE RESPONSE=
We are still pondering our options.
Please accept our apologies in the mean time.
=END ABUSE RESPONSE=

When the shit hits the fan, "thinking it over" and "hoping for the best" is no longer an option. In the end, you have to make a decision or one will be made for you.

Re:Balance TOR's costs against the benefits.

Did you consult with a lawyer? That does not seem like a good abuse response and could make you liable. The EFF has a better one you could use at eff.org .

Re:Balance TOR's costs against the benefits.

[DamonHD]

4) We examined the TOR traffic and tried to minimize the abusive bits. In our case, we found that most of the TOR web browsing looked non-abusive. However, the majority of the SSH and RDP traffic looked abusive. So, we asked the TOR admin to limit those protocols.

I am interested to understand what level of inspection you could and did perform to decide "abusiveness". Especially for the secure traffic.

Rgds

Damon

Re:Balance TOR's costs against the benefits.

[dweller_below]

Thanks Westlake,

I would replace the work "cost" with "risk."

As in exposure to a hostile legal, political and social environment.

We had risk in there earlier. But we later changed it to cost. USU is weird. I suspect all universities are weird. USU is a top tier research university. USU is not run by accountants and MBAs. It is run by researchers and teachers. We are shielded from most legal issues. We are constrained by funding. If we can fund it, we can invest in long term experiments. This is one of them.

I don't see many public libraries having the resources to implement your plan.

This is an extremely significant point. In order to understand the TOR issues and implement TOR properly, an institution has to have a significant investment in IT. Not a problem for universities, and large metropolitan libraries. But, most smaller libraries will not have the expertise to even understand the issues and how to mitigate them.

When the shit hits the fan, "thinking it over" and "hoping for the best" is no longer an option. In the end, you have to make a decision or one will be made for you.

True. We may need to clarify that abuse response message to make the following points more clear:

• We have made our decision.
• Here is our rationale.
• When things change, we may change.

I expect we will change our decision to implement TOR sometime in the next 5 years for one of the following reasons:

• TOR is replaced by something better. (Quite likely.)
• TOR is infiltrated by the NSA and discredited. (Somewhat likely.)
• The majority (greater than 80%) of TOR browsing traffic becomes abusive. (Somewhat likely.)
• USU decides to get serious about privacy and implements an interior solution that uses NAT and non-logging proxies to obscure to external inspection, who is doing what. (Somewhat likely.)

Re:Balance TOR's costs against the benefits.

[dweller_below]

Thanks DamonHD,

I am interested to understand what level of inspection you could and did perform to decide "abusiveness". Especially for the secure traffic.

Rgds

Damon

We did traffic analysis using net flow information of a few days of traffic on a preliminary TOR exit node. In this situation, traffic analysis is very powerful. We did not try to determine who was talking. But, we have spent years deciphering the nature of connections using flow analysis. We are very successful in determining the nature of the various connections. Encryption does not change the underlying size, flow and pace of the connection. The TOR structure does little to obscure the ultimate timing of request and response. It does nothing to conceal the size of the requests and responses leaving the exit node. We can easily distinguish:

• * Password guessing.
• * Port scanning.
• * Automated vulnerability assessment tools.
• * Automated attack tools.
• * Human driven web browsing.

When we tallied all the traffic for browsing, almost all of it was human driven. When we tallied all the traffic destined to a SSH or RDP port, over 90% of it was abusive.

Re:Balance TOR's costs against the benefits.

[DamonHD]

Thanks, very interesting. I imagined that it might be a little like that. Certainly I can see how scanning for vulnerabilities can stand out!

Rgds

Damon

Re:Balance TOR's costs against the benefits.

Inaction is itself an action.

Why would they want to deal with that?

TOR exit nodes are nothing but trouble.

I knew someone who maintained one from 2003 to 2008. It was neat at first, but watching him get worn down by the relentless pestering from his ISP and the police (later the FBI as well) was not cool. Then they raided his house one night (which I'll never forget, mostly because everyone landed up crashing at my place for two days) and took nearly every single piece of technology that plugged into a wall, ripping apart mostly everything else in the process while presumably looking for hidden data storage devices.

He had another exit node working within a week, much to the dismay of nearly everybody who knew him. That was when the feds showed up. I'm told they were extremely polite about the whole thing and only stayed for a couple of hours, but beyond that I have no idea what they said to him. A day later he dragged the exit node out into his backyard and took a sledgehammer to it. That same year he took his family on a once in a lifetime vacation over Christmas, and hasn't spoken about TOR since. The few times I've tried to jostle a few details out of him have only been met with "You know I can't talk about that".

There were rumours that the company he founded was looking to eject him after the raid, and I think at one point someone else was trying to threaten him with criminal charges (though I can't imagine they would have stuck). I can only assume that it got to the point where that idiot exit node was literally threatening his livelihood, and his wife finally convinced him that enough was enough and that was it.

In any case, I have upmost respect for the exit node operators who can deal with that kind of abuse, but damn. It really says something about both the society we live in (and how privacy is slowly being eroded away), but also the general state of the TOR network. I suppose you can't have anonymity without the usual whack jobs running around, but it just seems like the amount of illegal shit flying around TOR severely outweighs any legitimate use the network offers.

So for that reason, I'm not sure why you'd want to run an exit node these days, unless you're looking for trouble and the challenge of dealing with that.

Re:Why would they want to deal with that?

[dweller_below]

TOR exit nodes are nothing but trouble.

I think this is an issue where some are more equal than others.

If an individual runs a TOR exit node, they can be easily intimidated and hassled. There is very little cost to law enforcement for engaging in the intimidation.

At the other end of the spectrum, a large public institution is not susceptible to this kind of intimidation. And, there is a very large cost if law enforcement attempts the intimidation. For example, at the institution I support, if the local cops or low level FBI attempted this kind of intimidation, they would be met by the institution's police force, the institution's lawyers and the institution's journalists. Everything would be recorded in multiple ways. Heck, we even have a state assistant DA permanently assigned to USU. He participated in the process that created the policy and procedures approving the TOR infrastructure.

At this point, if a major university's CS group is not investigating TOR, they should probably give back the funding and become a trade tech. The issues surrounding TOR are critical to our society. A university should not turn it's back to these issues.

Given all that, a law enforcement attempt at intimidation would be ineffective. And, it would likely result in the kind of bad publicity that can cause law enforcement to lose budget.

However you have a good point, libraries are widely distributed in the gap between your unfortunate friend and USU. The smaller ones would be easily intimidated. The larger ones, not so much.

Re:Newsflash: Libraries get blacklisted

[ron_ivi]

Most admins

That's not true.

A few Admins, perhaps.

Not most.

Re:Newsflash: Libraries get blacklisted

Akamai optionally (optional to the Akamai customer) blocks Tor exit nodes AND relay nodes that have no exits whatsoever. I made it through several levels of support (up to executive support) to nothing but deaf ears.

I'm not even sure how they figure out relays without port-scanning clients (like open HTTP proxy scans from IRC servers of yore) but it essentially shut down my high-bandwidth Tor relay. I'd run an IPv6-only Tor relay because, well, if you have IPv6 you have plenty of addresses to burn, but Tor doesn't support that yet.

Re:Newsflash: Libraries get blacklisted

I'm not even sure how they figure out relays without port-scanning clients

A full list of relays is available from any directory authority (except bridges -- which are not the same as non-exit nodes*)

From torrc:

Bridge relays (or "bridges") are Tor relays that aren't listed in the
main directory. Since there is no complete public list of them, even an
ISP that filters connections to all the known Tor relays probably
won't be able to block all the bridges. Also, websites won't treat you
differently because they won't know you're running Tor. If you can
be a real relay, please do; but if not, be a bridge!