
It's much more fun to run an exit node and inspect the traffic using tools like the dsniff suite and Suricata.

Back in the day, 90% of the traffic I would see was just people trying to brute force Hotmail accounts via POP3, but occasionally I'd sniff the credentials for an IRC-based C2 for a botnet, and I'd log in and wreck the thing.



Well, it's fun to do this and learn from that; however, in an exit node it's not something I'd want to do. People use Tor to surf the web anonymously (mostly) and have some privacy. There are certainly exit nodes that do this, and it has been proven by blog posts in the past; however, the more nodes that don't engage in such activities, the better for the network overall.


> however the more nodes that don't engage in such activities, the better for the network overall.

I'd argue that it is quite the opposite.

The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption. In particular, they will insist that more websites switch to HTTPS. Which is actually better for the network overall, and would render most of these attacks useless.

I wonder whether the Tor browser bundle should disable plain HTTP completely, only to be enabled through some obscure config setting for the seldom use cases where this is actually needed.

[1] Tor is by definition a system of man-in-the-middle through man-in-the-middle. Why would anybody want to use that without end-to-end encryption?


> The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption.

Yes, but how does your collecting logs impact overall awareness?

Even if it did (say, you make the logs available through some snazzy web interface and it gets mass media attention), how does that balance out with the users whose traffic you exposed?


I didn't mean that more exit nodes should collect and share their logs. That would indeed weaken the Tor network, by facilitating traffic correlation.

I meant inspecting/manipulating the traffic if it is unencrypted. As a political statement, this should of course never actually attack the client, but instead try to raise attention by e.g. injecting a message along the lines of:

    Hi, I'm a stranger and it was trivial for me to
    inject this message. Please use HTTPS to prevent
    me from doing this.

Thinking more about that, however, this may be a bad idea. People could perceive this to be a security hole in the Tor network itself, rather than in HTTP itself, which could damage the reputation of Tor.


Would it be possible for Tor to detect sniffing by seeding the traffic with poison pills that ratted out anyone doing this in bulk?



Makes you wonder why Tor doesn't replicate this and send the nodes ghost traffic, poison pills, block the IPs, etc.


Last I heard, there was basically one guy handling all reports of malicious exit nodes, and I couldn't even get him to do anything about the ones very obviously intercepting traffic to Bitcoin wallets and injecting code that stole people's money.


People are communicating with bitcoin wallets without end-to-end encryption?


Sounds strenuous on an already slow network.


There is automated tooling out there that is used to detect misbehaving exits, like ExitMap: https://gitweb.torproject.org/user/phw/exitmap.git/


This has been done in the past: researchers visited a uniquely generated URL from Tor and then recorded which exit nodes visited it again. You can find their work if you google it.


https://chloe.re/2015/06/20/a-month-with-badonions/

"Chloe" visited unique web pages for a month last year, and also used unique credentials to log into a custom honeypot. Of the over 137,000 exit nodes tested, 15 attempted to use the credentials, 650 visited the unique websites.

Less than half of a percent, but definitely happening regularly enough to be an issue.
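The uniquely generated URL method discussed in this thread, as an added example that is not part of the original posts, of badonions or of ExitMap: each exit gets its own bait path derived with an HMAC, and a correlator over constructed access-log lines flags any exit whose bait URL was fetched again after the scanner's own probe. SECRET, EXIT_A, EXIT_B and the log lines are constructed placeholders.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime

# Constructed secret: on a real honeypot this lives only on the server, so an
# observer who sees one bait URL cannot predict the URL issued to another exit.
SECRET = b"constructed-example-secret-change-me"

# Constructed placeholder relay fingerprints (real ones are 40 hex characters).
EXIT_A = "A" * 40
EXIT_B = "B" * 40


def token_for_exit(fingerprint: str) -> str:
    """Derive the unique, unguessable bait path issued to one exit relay."""
    return hmac.new(SECRET, fingerprint.encode(), hashlib.sha256).hexdigest()[:16]


# Prefix of an Apache/nginx combined log line: client IP, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /bait/(?P<token>[0-9a-f]{16}) HTTP/1\.[01]"'
)


def find_revisits(fingerprints, log_lines):
    """Return {fingerprint: [(ip, time), ...]} for every bait URL fetched more
    than once. The first request for a token is the scanner's own probe, which
    arrives via the exit; any later request means someone who saw the plaintext
    URL in transit came back to look at it."""
    tokens = {token_for_exit(fp): fp for fp in fingerprints}
    seen_probe = set()
    revisits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a bait request at all
        fp = tokens.get(m["token"])
        if fp is None:
            continue  # well-formed but unknown token: a guess, not an issued bait
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if fp not in seen_probe:
            seen_probe.add(fp)  # our own probe fetch, not evidence of sniffing
            continue
        revisits[fp].append((m["ip"], when))
    return dict(revisits)


# Constructed access-log lines: both probes, one later revisit of EXIT_A's bait
# from a different address, and one guessed path that matches no exit.
SAMPLE_LOG = [
    f'203.0.113.10 - - [20/Jun/2015:10:00:01 +0000] "GET /bait/{token_for_exit(EXIT_A)} HTTP/1.1" 200 12',
    f'203.0.113.11 - - [20/Jun/2015:10:00:02 +0000] "GET /bait/{token_for_exit(EXIT_B)} HTTP/1.1" 200 12',
    f'198.51.100.7 - - [20/Jun/2015:13:42:19 +0000] "GET /bait/{token_for_exit(EXIT_A)} HTTP/1.1" 200 12',
    '192.0.2.55 - - [20/Jun/2015:14:01:00 +0000] "GET /bait/ffffffffffffffff HTTP/1.1" 404 0',
]
```

Running `find_revisits([EXIT_A, EXIT_B], SAMPLE_LOG)` reports only EXIT_A, with the single later visit from 198.51.100.7; the unknown token and EXIT_B's probe alone produce nothing.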


Not really; you can always mirror the WAN/uplink port and do the capture on another box, so even some time-based / performance analysis won't show anything.


Port mirroring means you can only be a passive eavesdropper. Attacks like SSL MITM wouldn't work, because you actually have to intercept and modify the traffic.


SSL MITM still won't work unless you want it to be very noticeable or you have very substantial resources.

Port mirroring is enough to capture SSL traffic and to break weak SSL keys, or if you have compromised the key of the destination services (with some caveats, like no forward secrecy, etc.).

And it doesn't prevent you from executing MITM attacks from upstream, or just doing specific MITM attacks from within the Tor exit node later on.

But overall there is nothing you can do to ensure that your Tor exit node, your VPN gateway or even your ISP isn't reading your traffic, other than to use encrypted tunnels everywhere, and even then you are for the most part only moving the problem upstream.


You can't silently MITM SSL unless you are trusted by the client.


Monitoring Tor exit node traffic would be exceptionally unethical.


It's also probably something you should assume is happening on all the exit nodes.


Exactly. Ethics is just the wrong way to think about it.

It's like the people emptying weak brainwallets. Is it unethical to empty the brainwallet for "password123"? Is it unethical to pick up a quarter lying on the sidewalk? No and no.

Saying that strangers on the internet are bound by ethics is unrealistic.

Instead, we should build systems that are resilient.

For example:

* A brainwallet generator should estimate passphrase complexity and warn if it's too low

* Tor Browser should show a red lock icon for plain HTTP and warn users clearly that their traffic may be read

Blame the program, not the person. Calling the inevitable attacker "unethical" just isn't useful. Saying the user is dumb or Doing It Wrong isn't useful either.

Good crypto software should be resistant to both misuse (by Adam) and abuse (by Eve).


You seem to be completely misunderstanding ethics. Just because you 'can' do something does not mean it should be done or is ethical to do so. You 'can' break into your neighbor's house and steal <whatever>. Just because you have that capacity does not make it suddenly ethical to do so, even if they leave their doors unlocked.

GP didn't say that strangers on the internet are bound by ethics. Ethics are not a thing we are 'bound' by. They are a value judgment we make based on whatever social contract we think we have with those around us.

If passphrase complexity is "too low", that's also a judgment. There are no universal truths about what is adequate complexity. What you think is adequate today will not be adequate tomorrow. If someone's passphrase was inadequate and was cracked, was it ethical for the cracker to take advantage of it? If the passphrase passed a certain complexity, did it suddenly become unethical?


I think in the case of brainwallets, the actual contract with the network is that anyone who knows the password has authority to transfer the funds. When you send funds to a password-based address, that is literally what you are declaring. There are no additional "off-book" requirements for accessing the funds like: you must know the password and also be a specific person.

There are similar scenarios but they are also different in important ways. A properly generated private key would have to be first stolen. An improperly generated private key, or an improperly generated signature that reveals the key are technological faults which expose the funds.

But when it comes to so-called brain-wallets, if you know the password then I think you have the right to move the funds.


Without the law, the actual "contract" you have re ownership of anything is that you can prevent anyone else from owning those things. If someone else can manage to "steal" your thing, they own it now.

I think that's not a world anyone wants to live in aside from an-caps.


I'm not speaking of lawlessness, I mean the actual lawful contract of who owns or can transfer or take possession of the data. Bitcoin introduces all sorts of novel ways to store and assign ownership of the Satoshi. Flags like ANYONE_CAN_PAY and scripts which equate to ANYONE_CAN_SPEND, or in this case a script which equates to SPEND_WITH_PWD.

The vast majority of people have zero understanding of the underlying crypto contract they are entering when they use Bitcoin. But there are experts who can explain what these scripts actually mean and who in turn can access the funds and under what conditions. Like buying other commodities electronically, it is best to consult an expert if you don't know what you're doing. That doesn't change the terms of the underlying contract.


Back in the real world, contracts have a lot to do with intent. Generally, if you didn't intend to give money to whoever picks it up first, a court would rule that nobody but the intended recipient has the right to pick up the money.

Even if you leave a duffel bag full of money beside a motorway, it's not legally the property of whoever picks it up first. That would be a perfectly reasonable legal argument. In order to give it away to whoever picks it up first, you need to create clear intent - a posting in plain English, for example. Making it easy to pick up isn't intent to allow anyone to pick it up.

Code isn't contract, and behaviour isn't contract either.


> In order to give it away to whoever picks it up first, you need to create clear intent - a posting in plain English, for example.

So we have someone who takes that proverbial duffel bag full of money, lays it down on the information superhighway, and puts a sign on it which says, 'SPEND_WITH_PASSWORD'. So Mallory picks up the bag, opens it up with the password, and spends the money. They didn't "intend" for that to happen, but they signed a contract which says exactly that. The best example I've heard where this is not a valid defense is the life insurance policy written by Aviva France which allowed retroactive trading (a.k.a. printing money) and where the policy could now be worth billions of dollars. [1]

Can code ever be a contract? I think so. What if the code functions exactly as designed, and exactly as advertised, is it then a contract? A world where you don't have the freedom to follow clear and obvious labels does not function very well. If someone puts a water fountain on a public way, and then sues people for drinking from it claiming they stole the water, I would hope those claims would be thrown out and the claimant censured.

The right answer is, of course, no one should be laying their money down with a sign on it that says 'SPEND_WITH_PASSWORD' if that's not what they want to have happen -- because trying to recover that money after the fact when someone picks it up is going to be challenging, to say the least. But I do think it's an interesting argument to say that the person who did pick it up with the right password actually did nothing legally wrong, and even ethically or morally wrong.

Even more so, I find arguments that 'SPEND_WITH_PASSWORD' should actually mean 'SPEND_WITH_PASSWORD_AND_CONSENT' to be highly problematic for a decentralized blockchain which can trade smart assets. A crypto-currency should be expected to do what it says on the label, and users should be expected to read the label before using it. See, for example, the many cases of inadvertently large transaction fees, and even that's a more clear-cut example of programming error, or human error, than 'SPEND_WITH_PASSWORD', which does exactly what it says.

[1] - http://ftalphaville.ft.com/2015/02/27/2120422/meet-the-man-w...


A machine flag on a data record which doesn't even say SPEND_WITH_PASSWORD, but is instead a set of machine instructions, to be interpreted by a machine that nobody really fully understands, is not human-readable English, and can reasonably be set without intent to allow anyone to spend it - it's easy to mess up and make it less secure than you intended.

Therefore, it's not a contract, by definition, no matter what a subset of the population would like to think. Also - what if there's a crypto bug somewhere in Bitcoin, or a popular key/password generator? If it turned out all SPEND_WITH_PASSWORD transactions are far weaker than expected, does that mean it would be perfectly legal for anyone to steal money from all such transactions? I can't see a court saying "yes" to that, any more than they'd say that if your computer wasn't secure enough it'd be legal to access your bank account details and steal all your money from your bank. Or you could also bring up the argument that you'd get your money back if you'd sent money to the wrong person by PayPal/Faster Payments/whatever and had to take it to court, and the term "smart contract" doesn't actually change what's almost the same action.

This doesn't necessarily mean the blockchain needs to include some sort of "revoke transaction" functionality, but it is something that you can take to court if you find out who stole your money. New tech doesn't mean that courts suddenly break every rule that's been developed over hundreds of years. Courts are very used to dealing with "irrevocable" transactions.


To talk about ethics completely independent of ability is to divorce philosophy from reality.

If I can brute force a password with a TI-83, then that should be a different conversation than if I can do so with a few hundred million dollars, a backbone tap, and a government cluster.

To argue otherwise is navel-gazing about whether the red I see is the same red you see. Maybe? But more importantly, what does it matter?


So if you murder someone with an assault rifle, you're a monster, but if you did it with your bare hands, your methods should be applauded and studied?

I'm not even going for reductio ad absurdum here, this seems to literally be what you're saying.


Did I at any point make a value judgement, as you did?

I simply said, as did dcposch, that to talk about ethics independent of ability is useless from a functional perspective. And to go farther, that applying anything other than amorality to internet actors is without functional value.

A rebuttal, if you feel otherwise, would take the form of "No, I believe pure ethical evaluation is still useful because..."


I think it's more like it's ethical to murder little kids and weak people because it's easier to do than murdering a well-built man.


This is totally preposterous logic. It's very easy to commit many very serious crimes, like murder and rape. Ability to carry out an act has nothing to do with its morality.


I can see how you got to the conclusion you did, but I think you're making the wrong analogies, like the GP.

The penny you pick up on the street, despite any argument to the contrary, hasn't been put there for safekeeping. It's lost, and its value is so low that it's immaterial if you return it or not. Actually, the loss in productivity and the impossibility of the task are such that returning it, unless you saw the person who dropped it, is probably a negative thing.

Now if that was $65000 then you might keep it because you can and it benefits you, but the ethical thing to do is to attempt to return it to its owner.

Compare that to a weak password, though: as far as you know it isn't even lost. You're just assuming that it will be stolen, so it might as well be you. Do you feel the same way about the contents of other people's houses? Pretty much anyone who wants to has the ability to enter your home; we don't do that because of ethics.


You or I don't enter others' homes because of ethics, but I think lock companies bear out my point. There are a lot of technically questionable lock products out there, but people still buy them and companies produce them.

Because most people feel even a bad lock changes the ethical calculus. Because ease of transgression has a direct bearing on the actually realised ethical result.

The issue with the original "that's not ethical" comment was not "Yes it is" but rather "You're right, but how is that relevant to this discussion?"


Brainwallet?


An insecure type of bitcoin wallet based on a user-generated seed. They were shown to be easily brute-forced.


Isn't this technically wiretapping and illegal in some countries?


I don't think it's wiretapping if people just give you their requests.


Fortunately you're wrong. Otherwise, post would never have gotten off the ground.


I'm pretty sure you just confessed to several felonies.


Not sure why you're being downvoted; what he did is indeed a felony.


Tell that to all those ISPs doing DPI and injecting crap and ads in unencrypted HTTP. Or hotels running captive portals. Or your employer doing org-wide TLS MITM and logging.

Unethical? Most certainly! A crime? Could be depending on what was done and in what jurisdiction, but far from certain.


In all of those examples you cite, the user has agreed to allow the monitoring or injection.


Honestly, it is arguable that the user actually agreed to monitoring and in-flow data modification knowingly, and therefore it might constitute an Unconscionable Contract due to an Unfair Surprise (again, depending on jurisdiction).

That is assuming the user did actually agree to anything.

Now what if the exit operator put up a ToS themselves stating that users of their exit node will be monitored and/or data flowing through their services might even be modified en route? Because, after all, it is the Tor users using their services, not the other way round.

"You hereby grant Tor Exit Operator Ltd, A Nigerian Prince/Russian Business Network joint venture, the right to monitor, log, modify all data you transmit to our service and an irrevocable, unlimited license to use any data you transmit for any purpose".


Tor noob here: How are exit nodes actually assigned to end-users, though? So far my understanding was that the assignment happens automatically, without any conscious decision by the end-user. If that's true, construing an "agreement" would be pretty hard, if the user isn't even aware they're using your service.

Same reason shady companies still at least need to make it look like they asked for your agreement and can't just state "by looking in our general direction you transfer ownership of all your worldly possessions to us".


I don't know if anywhere on Earth agreements have advantage over law, but AFAIK any illegal action in any agreement is forbidden.


The whole point is that these things aren't illegal on your own network if you disclose it to the user. Network monitoring and traffic modification aren't illegal in and of themselves.

Consider this. If I just take your car from your driveway, that's stealing. But if you first sign a contract transferring ownership of your car to me, it's very obviously not stealing.


If by "to agree" you mean "clicking something away that nobody ever reads in order to be able to use something for which you've already paid" or "silently assuming that some hotel's house regulations that nobody ever reads does not contain a clause that allows them to tap into your private communications", then I guess you're technically right. Somewhat.


Yes, that's what it means to agree: if someone hands you a document and says "sign here" and you just sign without reading it, you have agreed.


Nice one :) I do the same to IRC botnets, but mainly phishers, I must admit. The botnets I see always seem to use that one Perl script, the "servidor" one, written in Portuguese.


Oh greyhats, never change
