
Re: Tor exit nodes



Russell Coker <[email protected]> writes:

> On Thu, 13 Apr 2017 07:20:00 PM Jonathan Dowland wrote:
>> On Tue, Apr 11, 2017 at 08:44:42PM +1000, Russell Coker wrote:
>> > I think it would be best if DDs don't run Tor exit nodes from the same
>> > location as the machine holding their GPG keys etc.  If anything goes
>> > wrong we don't want systems that can compromise Debian security being
>> > collected by the police.  As this has apparently happened more than once
>> > it seems that it's something we need to discuss here.
>> > 
>> > While the police could subvert Debian without a lot of effort if they
>> > intended to I think it's still good to avoid them accidentally
>> > collecting keys to Debian resources and handing them over to whoever
>> > investigates IT security issues.
>> 
>> The police in this case (and seemingly routine in most countries)
>> confiscated *all* his computers. Even air-gapping the Tor exit node from a
>> Debian development machine would not help.
>
> Yes.  They even go to the home of someone who paid a DC bill and take all 
> computers there.  They also generally don't care who owns the systems in 
> question (otherwise every suspect would say "but I don't own any PCs, they are 
> all owned by someone else").  If you share a house with someone who runs a Tor 
> exit node in the same country then your PCs are at risk.

I know someone running a Tor exit node in Kentucky, on his home DSL
connection. He occasionally has his internet shut off, but he just
reminds them that it is a Tor exit, and they turn it back on.

I don't say that to try and counter the argument, just to balance it a
little. I would not recommend running an exit at home; it's potentially
dangerous and disruptive.

However, characterizing it the way you have is a bit over the top. I've
been running Tor exit nodes in data centers for years, and know several
people who do that. None of them have had the police do what you have
described.

There are ways you can increase the safety, and there are quite a few
resources out there that help you navigate these risks in a clear
way. Rather than speculating on debian-private about these things, I
think it's better for people who want to discuss these details to do some
research on the subject, and discuss it on the relevant Tor lists. This
isn't -private material.

When it comes to Dmitry, I'm hoping we can all come together and support
him in whatever way makes the most sense. Dmitry is a fellow Debian
developer, maybe he was planning on attending a BSP this weekend to help
stretch release, but cannot. Every day he sits in jail, the project
suffers without him being free. Whatever form it takes, whatever
strategy makes the most sense considering the surrounding issues, if it
is individually, or as a project, it seems like we all agree that we
must support Dmitry and show some solidarity with his situation. Let's
focus on how we can do that, and leave the technical discussions about
Tor to the public lists.

micah