

Tor calls for help as its supply of bridges falters - obtino
http://arstechnica.com/information-technology/2013/04/tor-calls-for-help-as-its-supply-of-bridges-falters/

======
kalleboo
> For those who want to donate bridges to the Tor network, the easiest route
> is to use Tor Cloud, an Amazon Web Service Elastic Compute Cloud image
> created by the Tor Project that allows people to leverage Amazon's free
> usage tier to deploy a bridge.

What are the risks involved in doing this? Both in regards to legal
responsibility for traffic, and Amazon ToS.

~~~
krenoten
As long as you don't operate an exit node, there are no risks that I am aware
of (as a citizen of the USA or EU, YMMV otherwise). I've been running several
entry nodes with directory caching enabled on Amazon for a year or so with no
problems - nor do I expect any.

If you run an exit node on Amazon, you can expect to receive a C&D at some
point. I'm not sure if Amazon will intervene. There are some services
elsewhere that allow you to pay for the operation of exit nodes in bitcoin.

Tor is essentially just 2 proxies chained together such that the first proxy
(the entry node) doesn't know the final destination, the second one (the exit
node) doesn't know the source, and the final destination only knows the exit
node. If a malicious entity is operating either entry or exit nodes, it still
protects your identity as long as you did not expect the exit node to send
information that leaks information about yourself. If the same malicious
entity or cooperating ones get lucky and operate all of your nodes, then you
are unmasked. If you are afraid of this possibility, then you can configure
your client to make a circuit of more than 2 nodes.

In order to find out about all of the available public nodes that you can
connect to, the client queries a list of hardwired directory servers. Here,
you can get this yourself:
<http://86.59.21.38/tor/status-vote/current/consensus>

If you run a public server, your information will be distributed in this list.
You can also run a private bridge, which is not shared publicly. You will not
be used as an exit node unless you configure your server to allow exit
traffic. You can specify this by port ranges, so as to only allow certain
traffic. You can see this in the above consensus document in lines that start
with "p". "p reject 1-65535" means it is not an exit node.

If you want to help in other ways, you can also run a directory cache that
serves consensus information (as in the above link).
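
An added example, not part of the thread or the Tor Project's code: Python that reads the `r`, `s` and `p` lines of a consensus excerpt and reports which relays accept exit traffic, using the "p" line rule described in the comment above. The relay entries are constructed placeholders and the function names are this example's own.

```python
# Constructed excerpt in the consensus layout; every relay below is made up.
SAMPLE_CONSENSUS = """\
network-status-version 3
r ExampleGuard AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2013-04-17 10:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
p reject 1-65535
r ExampleWebExit CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2013-04-17 10:05:00 192.0.2.20 443 80
s Exit Fast Running Valid
p accept 80,443,8000-8100
r ExampleOpenExit EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2013-04-17 10:10:00 192.0.2.30 9001 0
s Exit Fast Running Stable Valid
p reject 25,119,135-139,445
"""

def parse_ports(spec):
    """Turn '80,443,8000-8100' into inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def parse_consensus(text):
    """Collect nickname, address, flags and 'p' summary for each 'r' entry."""
    relays, current = [], None
    for line in text.splitlines():
        keyword, _, rest = line.partition(" ")
        if keyword == "r":
            f = rest.split()  # nickname, identity, digest, date, time, IP, ORPort, DirPort
            current = {"nickname": f[0], "address": f[5], "flags": [], "policy": None}
            relays.append(current)
        elif current is None:
            continue  # header lines before the first relay entry
        elif keyword == "s":
            current["flags"] = rest.split()
        elif keyword == "p":
            action, _, ports = rest.partition(" ")
            if action not in ("accept", "reject"):
                raise ValueError("unexpected policy summary: " + line)
            current["policy"] = (action, parse_ports(ports))
    return relays

def allows_exit_to(relay, port):
    """True if the relay's policy summary permits exiting to this port."""
    if relay["policy"] is None:
        return False  # no summary line: treat as non-exit
    action, ranges = relay["policy"]
    listed = any(low <= port <= high for low, high in ranges)
    return listed if action == "accept" else not listed

def is_exit(relay):
    """'p reject 1-65535' leaves no permitted port, so the relay is not an exit."""
    return any(allows_exit_to(relay, port) for port in range(1, 65536))
```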

~~~
quasque
It's not just two proxies chained together - there is always at least one
middle node between entry and exit.

~~~
krenoten
The common implementation of tor does use 3, but as you can see on page 5 the
basic concept functions with 2:

<https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf>

It helps to simplify when explaining to others.

------
chrislomax
I know this is a little off topic but what in general are the risks of going
onto the Tor network?

Like I say, I know it is off topic but I can't find anything conclusive to how
risky it is?

I want to see what is on there but at the same time I hear of hackers at every
corner and child porn. I don't want to encounter either ever.

Is there a safe way of browsing it whilst taking a casual look around?

~~~
rst
In addition to what others have already noted, one other thing to keep in mind:

The Tor exit node that happens to handle any particular request gets to read
the relevant traffic (since it is handling the request to the actual end
server on your behalf). So, for instance, if you're logging into some bulletin
board via unencrypted http, the Tor exit node handling the login request gets
to see your username and password on that bulletin board in cleartext (as can
all the other net infrastructure between that exit node and the bboard
itself).

In one sense, this doesn't change your risk profile; if you're logging in over
unencrypted http directly, you're also at risk of sniffing. However, the risk
may be enhanced with Tor; there are persistent rumors of law enforcement and
intelligence agencies (and others with darker-colored hats) running exit nodes
which deliberately sniff the traffic they're proxying to see if something
interesting comes up. It also might be possible for such a hostile exit node
to mess with the content of unencrypted traffic, though I've personally heard
no rumors of that.

Note that if you're using Tor to proxy _encrypted_ traffic (https), the exit
node sees only the encrypted data stream, which is as secure as the encryption
you're using --- and the official Tor browser bundle includes the "HTTPS
everywhere" Firefox plugin to try to get you to use HTTPS where available.

Additionally, if you're using Tor, anyone monitoring the net segments between
you and the entry nodes you hit may be able to tell that you're using it
(though they won't be able to tell what you're using it for). If the local
secret (or other) police frown on that sort of thing in principle, it could be
trouble.

~~~
shubb
What worries me is that if you want to do government work (even quite
innocuous stuff), your job depends on getting security clearance.

Certainly in the UK, Europe in general and probably in the US, your ISP retains a
list of all the IP addresses you connect to, and they supply this to the
government if they have national security grounds.

At least in the UK, security clearance is grounds to pull your internet
records, they say so on public government websites.

I think that in future, if your household connects to known TOR bridge nodes,
that might well impact if you can do government work, from IT at your local
tax office to army work.

Probably paranoia, but I'm staying away from TOR for this reason. Which is a
shame because what some ad networks do is really, really creepy.

------
ColinWright
See also: <https://news.ycombinator.com/item?id=5564358>

------
dmix
You can also donate to <http://www.torservers.net/about.html>

And sponsor a node. They are based in SF and accept BTC.

They list their exit node servers here: <http://www.torservers.net/exits.html>

------
andrewcooke
also <http://crypto.stanford.edu/flashproxy/> (which seems to work - i have
seen the colour of the image change on my pages; in fact one is in use right
now).

------
nkurz
In case others are also having trouble finding them, the instructions on how
to participate are in the email linked from the article:
<https://lists.torproject.org/pipermail/tor-relays/2013-April/002089.html>

I'm interested, but still trying to learn more. In particular, are there ways
to limit the traffic or prioritize other packets?

------
derrida
Quickest road to deploy on AWS <https://cloud.torproject.org/#get_started>

(Select Obfs3)

~~~
slacka
This literally took me less than 5 minutes to set up. The defaults are perfect
for those with a free AWS setup. Below are the default settings from the
included torrc file.

    # Start Tor as a bridge.

    # Run obfsproxy

    # Never send or receive more than 10GB of data per week.

    # Running a bridge relay just passes data to and from the Tor network, so it
    # shouldn't expose the operator to abuse complaints.

------
machrider
This seems like a fatal flaw for one of Tor's stated use cases: helping
political dissidents living with highly repressive governments. How do you
publicize a service and at the same time not allow the relevant authorities to
discover it? What they're doing seems to make it _harder_, but in principle
it will always be detectable. This would make me think twice if my life
depended on my connection not being detected.

------
icelancer
I tried helping out Tor. I installed their software that was supposed to make
it one-click to set up a relay. Didn't work. Then I fumbled around a bit and
Googled the error messages I was getting. No luck. Reboot a few times and try
again. Nope.

Sorry. They need to make it way easier to get involved.

~~~
andrewcooke
Worked fine for me, but I built from source (I guess that sounds harder; it
was actually trivial if you're used to this kind of thing - just the usual
./configure; make; sudo make install) (note that this is for use only as a
bridge - if you want to use it yourself, you should use a bundle with
browser).

Instructions on setting up a service on OpenSuse at
<http://www.acooke.org/cute/StartingTO0.html> (anyone know how to make systemd
switch to a different user?)

~~~
icelancer
That response is like someone on HN who said it was easy to install
third-party stuff on the Windows tablets. All you have to do is simply side-load the
stuff like this...

If TOR wants widespread support, they need to create a simple tutorial with a
FAQ that covers all the basic problems when you do a one-click install on
Windows. If malware can be written to be easily installed and configured, then
it shouldn't throw errors when you do a basic install using their Windows
package that you need to Google and diagnose. If a software developer gets
pissed off at their installers, what will average users think?

~~~
andrewcooke
sorry, wasn't meant as criticism, although i do think tor try quite hard to
package things - it's certainly improved over the years. perhaps posting a bug
report with your issue is the best way to get them to improve?
<https://trac.torproject.org/projects/tor>

~~~
icelancer
Didn't take it personally. I support TOR. I just don't like them complaining
about network congestion/overloading when they don't do enough (IMO) to make
it easy to expand the network.

------
aray
Has Tor tried to do anything to reduce potentially unnecessary use of their
bridges? Maybe I'm being naive, but I think some teenager using Tor to pirate
stacks of Blu-ray movies should have to wait in line behind a Chinese civil
rights blogger.

~~~
dublinben
Tor is unbearably slow for large downloads, so almost anyone is discouraged
from doing so. There's also no reason whatsoever for a teenage pirate to need
a bridge server, since their access to the standard servers is unimpeded.

------
vxNsr
I'm signing up as we speak.. it's taking Amazon a while to confirm my
subscription

------
gesman
Well, the problem is that if a bridge is discovered by child pornographers and
used by them, police will come knocking at the bridge owner's door.

No one needs that, hence the supply is low.

~~~
dbbolton
IIRC there was a man in (I believe) Austria who recently got arrested for this
exact reason and he was trying to scrounge up enough in donations to pay for
his legal fees.

Edit:
<http://arstechnica.com/tech-policy/2012/11/tor-operator-charged-for-child-porn-transmitted-over-his-servers/>

~~~
pyre
You're missing the architecture:

    
    
      +-----+
      | You |
      +-----+
             \ <= encrypted           _
         +----------------+            | T
         | Tor Entry Node |            | O
         +----------------+            | R
                \ <= encrypted         |
           +------------------------+  | N
           | Tor Bridge/Relay Nodes |  | E
           +------------------------+  | T
                    \  <= encrypted    | W
                +---------------+      | O
                | Tor Exit Node |      | R
                +---------------+     _| K
        unencrypted => \
                     +----------+
                     | Internet |
                     +----------+
    

The exit node is the only one that the wider Internet sees. All other traffic
within the network is encrypted.

~~~
pc86
It's that first step I don't get. How is the traffic between you and the entry
node encrypted? Can't someone monitoring traffic know that you're on Tor (even
if they can't know what you're doing on it)?

~~~
286c8cb04bda
The box labeled "You" is not just a web browser. It should include a local (as
in local to the machine running the browser) Tor proxy like Vidalia. See
<https://www.torproject.org/projects/torbrowser.html.en> for an example.

