@nusenu
Created September 23, 2017 22:57
my comment to blog post "A little honey goes a long way" on hackerfactor.com
This was meant as a comment for
https://www.hackerfactor.com/blog/index.php?/archives/776-A-little-honey-goes-a-long-way.html
but Tor users cannot comment there.
Hi Neal,
you are linking to the page "https://nusenu.github.io/OrNetStats/" with the link
named "undocumented families". This might lead readers to think that all groups
(there are multiple) on that page are "undocumented" (bad) families - which is not the case.
A better URL would be:
https://hackernoon.com/some-tor-relays-you-might-want-to-avoid-5901597ad821
or
https://nusenu.github.io/OrNetStats/endtoend-correlation-groups
Would be great if you could update the URL to clarify that and to avoid potential misinterpretations.
> Because the IP address changed, I cannot help but wonder if this is some
> kind of man-in-the-middle relay at the exit node.
The ORPort IP address - the one found in tor's consensus that the tor client uses - does not need
to match the outbound exiting IP address that the final destination sees as the source IP.
torrc option: https://www.torproject.org/docs/tor-manual.html.en#OutboundBindAddressExit
There are even scanners to detect them, and if detected these IPs are included in onionoo.torproject.org data.
Currently there are about 38 relays using that feature or that are behind some other NAT.
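As an added example (not part of nusenu's comment), the following Python script shows how a reader could check the ORPort-vs-exit-address point against Onionoo data. It parses a "details" document in the Onionoo format, using the real fields or_addresses (ORPort "ip:port" entries) and exit_addresses (IPs observed by the exit scanner), and lists relays whose observed exit IP is not one of their ORPort IPs. The relay records below are constructed sample data, not real relays.

```python
"""List relays whose scanner-observed exit IPs differ from their ORPort IPs.

Input is a document in the Onionoo "details" format (see
https://onionoo.torproject.org/ for the live service). A mismatch is not
by itself suspicious: OutboundBindAddressExit and NAT both legitimately
produce it, as the comment above explains.
"""
import ipaddress
import json

# Constructed sample in the shape of an Onionoo details response.
# These nicknames, fingerprints and addresses are made up for this example.
SAMPLE_DETAILS = json.dumps({
    "relays": [
        {"nickname": "ExampleExitA", "fingerprint": "A" * 40,
         "or_addresses": ["198.51.100.10:9001"],
         "exit_addresses": ["198.51.100.10"]},           # exit IP == ORPort IP
        {"nickname": "ExampleExitB", "fingerprint": "B" * 40,
         "or_addresses": ["203.0.113.5:443", "[2001:db8::5]:443"],
         "exit_addresses": ["203.0.113.77"]},           # exits via another IP
        {"nickname": "ExampleMiddle", "fingerprint": "C" * 40,
         "or_addresses": ["192.0.2.9:9001"]},           # no exit observation
    ]
})


def or_ips(relay):
    """Return the set of IP addresses from a relay's or_addresses list.

    Entries look like "198.51.100.10:9001" or "[2001:db8::5]:443".
    """
    ips = set()
    for entry in relay.get("or_addresses", []):
        host, _, _port = entry.rpartition(":")
        ips.add(ipaddress.ip_address(host.strip("[]")))
    return ips


def mismatched_exits(details_json):
    """Return (nickname, fingerprint, or_ips, exit_ips) for every relay whose
    observed exit_addresses are not all among its ORPort IPs.

    IP lists in the result are sorted strings so the output is stable.
    """
    doc = json.loads(details_json)
    result = []
    for relay in doc.get("relays", []):
        exits = {ipaddress.ip_address(a) for a in relay.get("exit_addresses", [])}
        if not exits:
            continue  # not an exit, or the scanner has not recorded one
        ors = or_ips(relay)
        if not exits <= ors:
            result.append((relay["nickname"], relay["fingerprint"],
                           sorted(str(a) for a in ors),
                           sorted(str(a) for a in exits)))
    return result


if __name__ == "__main__":
    for nick, fp, ors, exits in mismatched_exits(SAMPLE_DETAILS):
        print(f"{nick} ({fp[:8]}): ORPort on {ors} but exits seen from {exits}")
```

To run it against live data, fetch https://onionoo.torproject.org/details?type=relay and pass the response body to mismatched_exits instead of SAMPLE_DETAILS. The check is deliberately a list, not a verdict: the relays it prints are the ~38 "that feature or NAT" cases the comment mentions, and deciding whether any of them is hostile needs the fingerprint-level reasoning nusenu asks for further down.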
> However, in addition to hosting a Tor node, they also run a web server that serves up the web page.
According to their server header one is running Apache, but to your readers:
You can run a relay and serve an HTML page on it without running an additional webserver;
tor can do it for you:
torrc option: https://www.torproject.org/docs/tor-manual.html.en#DirPortFrontPage
(Btw, you can suggest better wording for that HTML via a
ticket on trac.torproject.org; the content comes from:
https://gitweb.torproject.org/tor.git/tree/contrib/operator-tools/tor-exit-notice.html
)
Are you suggesting that there is anything wrong with the "tor-relays.net" relays?
(besides not running a recommended tor version)
If so you might want to get in touch with the operator - teor - he is a tor developer.
https://www.torproject.org/about/corepeople.html.en#teor
Does your HS deanonymization attack also apply to next-generation onion services?
> As far as I can tell, a significant number of Tor nodes are being provided by hostile actors
Providing a list of relay fingerprints plus a reason for why you consider them hostile would be more useful
than a vague "a significant number of Tor nodes".
Would you mind providing that list of hostile relays with a short description of what makes them hostile?
> I can't speak for the NSA or GCHQ. And I can't tell you whether their opinion has changed in
> the nearly 3 years since Spiegel acquired that PDF document through a FOIA request.
FOIA request? I doubt that, the slides even say:
"This information is exempt from disclosure under the Freedom of Information Act 2000 [...]"
This was from the Snowden documents:
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
> Spiegel got it in December 2014, and the EFF distributed it in January 2015. However, there's no date telling
> when it was originally authored.
http://www.spiegel.de/media/media-35540.pdf
with similar statements on pages 27, 46 and 49 is dated 2011 (and yes, that is old in that context).
regards,
nusenu