
FBI Special Agent visit Thursday August 8th - GuiA
https://www.noisebridge.net/pipermail/noisebridge-discuss/2013-August/038824.html
======
simoncion
BTW, this visit isn't a special or unique thing. The Feds periodically stop
by, asking about traffic that came through Noisetor. There's even a procedure
in place for handling the situation:

[https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI](https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI)

------
dictum
> I tensed up as he began to tell me that the Chinese have been utilizing the
> Noisebridge TOR exit node. He made it seem as if it was a very real threat

> “There are times when they slip back into Cold War thinking and Cold War
> mentality,” Obama said on air Tuesday evening. “What I continually say to them
> and to President Putin, that’s the past.”

[http://www.washingtonpost.com/blogs/post-politics/wp/2013/08...](http://www.washingtonpost.com/blogs/post-politics/wp/2013/08/06/obama-frustrated-by-russias-decision-to-grant-snowden-asylum/)

------
rdl
I wonder if you get more interesting government contacts for running a Tor
exit node vs. a mixmaster mail anonymizer now.

I certainly got a lot of interesting contacts when running a remailer. It was
awesome being able to talk to them as a relative peer (since I was doing
defense contracting), and explain calmly why remailers are good, what level of
monitoring is possible, what security assumptions the whole network operates
under, how you would defeat it, and why it wouldn't be worth the effort.

------
teawithcarl
Why do our taxes in part support this invasion of privacy by NSA/FBI on
American citizens?

~~~
pionar
How is walking into a public space and having a conversation with someone an
invasion of privacy?

~~~
lukejduncan
It's not public in the sense that applies to law enforcement. By that I mean,
Noisebridge is a private community that happens to be rather open in terms of
membership. "Public space" is more like the sidewalk or a government building.

Note: I'm not a lawyer, but that's my understanding

~~~
aroch
By similar logic then, you're saying that what Weev did should be punished
under CFAA. The AT&T site was "open" in terms of access but it was "private"
because AT&T said it was. Picking and choosing what you think is "public" or
"private" on an unsecured, open access server/network is a slippery
slope...See Weev's prosecution.

Running a Tor node means you're running a public service. Full stop.

~~~
Amadou
Didn't Weev have a legitimate AT&T account? Isn't that how he discovered the
vulnerability in the first place? Seems to me that would make him part of the
"AT&T community" to whom the site was open.

But ignoring all that, the definition of what is open to the general citizenry
and what is open to the people representing the government are two distinct
things.

This is a very recent example where the law is pretty explicit about what the
cops can do versus what the public at large can do:

[http://inthesetimes.com/working/entry/15419/exclusive_activi...](http://inthesetimes.com/working/entry/15419/exclusive_activists_identify_dc_cop_who_infiltrated_bangladesh_protesters/)

------
dmix
Non-broken PDF links:
[http://intelreport.mandiant.com/](http://intelreport.mandiant.com/)

For anyone not aware Noisebridge runs TOR exit nodes out of SF.
[https://www.noisebridge.net/](https://www.noisebridge.net/)

I'm curious if their FBI policy is to say "I don't know anyone who runs Tor
nodes".

~~~
simoncion
It's not.

See:
[https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI](https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI)

------
gcb0
Isn't the top reason people run TOR exit nodes to help people behind gov
firewalls?

So the "Chinese" using it would be one of the purposes, wouldn't it?

Why doesn't the FBI instead do its work, say which sites that exit node
should deny access to, and be done with it?

~~~
otakucode
Given my understanding of how Tor operates (please correct me if I'm wrong,
I've never actually used Tor, though the recent government hardon against it
has me tempted), it would not be possible to block specific people from using
your exit node. Or are you referring to, say, blocking all people coming from
that exit node from connecting to some site on the regular Internet? I suppose
that should be possible, though justifying it would be hard and the traffic
should just route through a different exit node, right?

I'd want to know what makes the FBI think they've identified someone coming
through the Tor network. And how.

------
jmh42
I may be completely wrong here, but I thought TOR doesn't work in China.
Something about them blocking the relays or their traffic only supporting TCP
and no UDP...

(Sorry for lack of support here.)

------
tzs
> I tensed up as he began to tell me that the Chinese have been utilizing the
> Noisebridge TOR exit node

I don't know if there is anything sneaky going on in China to justify FBI
interest, but I HAVE seen some pretty weird traffic from China. I wonder if
anyone else here has noticed anything similar. Here's what I've been seeing.

The products we sell where I work that are available for download are only
sold to US and European markets (we have nothing against the rest of the world
--we just don't have the resources to support more regions or to handle
payments from other regions). The product is not very useful if you do not
have a subscription to the accompanying service.

The product is also not very well known (I doubt we are even in the top 100 in
our market), and there aren't many links out there pointing to our download
page.

So, when I check the logs of downloads, what I expect to see is mostly US
addresses, and a few European addresses (most of our customers are in the US).

For downloads that complete in one HTTP request, what I see is 69% from the
US, 12% from China, 14% from the rest of the world, and 5% unknown. So already
China is higher than I would expect.

It gets even weirder when I look at partial downloads. First of all, 3 times
as many IP addresses hit our site in a given time period and do partial
downloads than do complete downloads.

Of the IP addresses doing partial downloads, 85% are from China, 7% from the
US, 6% from the rest of the world (and most of those are Asian countries), and
2% unknown. 92% of those Chinese IP addresses doing partial downloads do not
download enough total data from all the requests from that IP address to have
received the full download.

Overall, if I don't distinguish between partial and full downloads, and count
an IP address as having downloaded if it has received a total number of bytes
large enough to contain our file, what I have is this: 59% of the IP addresses
are Chinese addresses that do not download enough, 20% are US that do download
enough, 8% are Chinese that do download enough, 5% are from the rest of the
world and download enough.

None of these things identify themselves as bots. They all identify as a
normal looking mix of Windows and Mac browsers.

I've looked at a few of the Chinese addresses to see what is nearby, and many
seem to be in class C blocks that belong to hosting providers, not end user
ISPs, and when I've been able to find some host names mapping to those blocks,
they have tended to be things like allshemales.net or dirtyracialporn.com (not
sure I remembered the exact names--the general idea is right).

In contrast, when I do the same for a few randomly chosen US downloaders, I
get blocks that seem to clearly be consumer ISP ranges they use for their
customers.

Some of the access patterns are interesting. I saw one that would come, do two
concurrent requests, get 60 KB, and go away for exactly 3600 seconds. It did
this until it grabbed the whole download (or at least enough data for it to
have the whole download). I might guess some kind of download manager, but
I've never seen one that is so slow.

So, what the devil is going on? I can't even come up with a plausible sounding
theory that would explain this much Chinese activity on our site, let alone
explain why so much of it is just partial downloads, and why it seems to be
coming from sites at data centers (which I assume indicates some kind of
commercial source). Anyone else seeing this kind of thing?

I have no reason to suspect anything sinister is going on. I just can't figure
out any reason at ALL for this to be going on.
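As an added example (not code from the thread), the per-IP accounting tzs describes above, run over constructed log lines in Common Log Format: total bytes served per address, whether that total could hold the file, the country split, and the fixed request spacing of the "60 KB every 3600 seconds" client. The file size, the addresses and the GeoIP table are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

FILE_SIZE = 300_000  # constructed: byte size of the file offered for download
# Constructed Common Log Format lines: one complete US download, one host that
# takes 2 x 30 KB exactly 3600 s apart (the pattern described above), one partial.
LOG_LINES = """\
198.51.100.7 - - [08/Aug/2013:10:00:00 +0000] "GET /dl/app.zip HTTP/1.1" 200 300000
203.0.113.5 - - [08/Aug/2013:10:00:00 +0000] "GET /dl/app.zip HTTP/1.1" 206 30000
203.0.113.5 - - [08/Aug/2013:10:00:00 +0000] "GET /dl/app.zip HTTP/1.1" 206 30000
203.0.113.5 - - [08/Aug/2013:11:00:00 +0000] "GET /dl/app.zip HTTP/1.1" 206 30000
203.0.113.5 - - [08/Aug/2013:11:00:00 +0000] "GET /dl/app.zip HTTP/1.1" 206 30000
203.0.113.9 - - [08/Aug/2013:12:34:56 +0000] "GET /dl/app.zip HTTP/1.1" 206 20000
""".splitlines()
GEOIP = {"198.51.100.7": "US", "203.0.113.5": "CN", "203.0.113.9": "CN"}  # constructed stand-in for a GeoIP lookup
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (\d+|-)$')

def parse_line(line):
    """Return (ip, epoch_seconds, bytes_sent) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, sent = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, ts, (0 if sent == "-" else int(sent))

def summarize(lines, file_size=FILE_SIZE):
    """Per IP: country, total bytes served, whether that total could hold the whole
    file, and the spacing in seconds if every gap between request times is equal."""
    totals, stamps = defaultdict(int), defaultdict(set)
    for ip, ts, sent in filter(None, map(parse_line, lines)):
        totals[ip] += sent
        stamps[ip].add(ts)
    out = {}
    for ip, total in totals.items():
        times = sorted(stamps[ip])
        gaps = {b - a for a, b in zip(times, times[1:])}
        out[ip] = {"country": GEOIP.get(ip, "unknown"), "bytes": total,
                   "complete": total >= file_size,
                   "period": gaps.pop() if len(gaps) == 1 else None}
    return out

def breakdown(summary):
    """Count IPs per (country, complete) pair: the split reported above as percentages."""
    counts = defaultdict(int)
    for info in summary.values():
        counts[(info["country"], info["complete"])] += 1
    return dict(counts)
```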

~~~
Ecio78
I hope I am wrong, but could it be that one of your download hosts has been
compromised and is being used as some sort of command-and-control server for
a small botnet?

~~~
tzs
The downloads are hosted on Rackspace's CDN. I think if that were compromised,
it would have been noticed.

~~~
Ecio78
So maybe the Chinese bots are trying to download random URLs to check if they
find something interesting?

