On 12/15/06, Eugen Leitl <eugen@leitl.org> wrote:
On Fri, Dec 15, 2006 at 06:43:55AM -0500, Tyler Durden wrote:
OK, more dumb questions about hiding a Tor node.
Not dumb at all, it's just the Tor designers went for a public approach. However, as persecution seems to have started tightening thumbscrews on Tor operators, a slide into illegality (and a redesign towards more resilience) might be soon required. Of course, that's the whole idea behind harassing Tor operators -- move them into a dark niche, where they will be insignificant as providers of anonymity for the masses.
see http://tor.eff.org/svn/trunk/doc/design-paper/blocking.pdf
I would be very surprised to learn that no TLAs are running nodes, or at least tap nodes (when you run a colo, you don't have a lot of control about physical security, so you have no idea whether there's a rootkit after it comes up after yet another "outage").
there are effective ways to manage this risk. i'm not keen on posting details here but perhaps off the record or at a later date. you do need to be willing to drop a suspect host, so mitigation is mainly centered on secure initialization and subsequent vigilant monitoring to decide when to cut out. there are probably a thousand more significant risks from host and application security angles, but physical security is indeed tricky/severely limited in a remote dedicated server scenario.
A much better idea is to make Tor a payload for a worm vector.
heheh, curious yellow raises its head again... this has always been a favorite for censorship resistance and plausible deniability.
Btw, there's a Tor package for OpenWRT -- I have not verified it's working as advertised however -- the hardware *is* a bit tight. It would be a perfect disposable node, meshable, and with no wires to trace.
it works ok; the processor struggles with the crypto (read: latency and constant max load) but otherwise tolerable. i've thought about making a "Tor spot" configuration for access points, where transparent http/tcp and dns proxy through Tor is provided for all associated clients. how useful would such a thing be? (perhaps personaltelco-free / personaltelco-anon dual service?)
You'd need a redesign where servers with only partial network knowledge can randomly redirect packets, while still unable to gnaw off all the onion layers. Topologically, routing in random high-N spaces is not difficult. However, the network better be of considerable size. Enter the worm.
the trade-offs and design constraints are more complicated and context dependent. read the draft blocking resistant Tor design paper, it covers all these topics and provides a mostly reasonable approach (the devil is in the details, as always...)