Thinking of Setting Up a Tor Node At Home? Don’t.

August 26th, 2014

Thinking of setting up a Tor node at home? Don’t.

I’ve been a privacy advocate for a long time; back in the mid-90s I’d wear my PGP ‘munition’ T-shirt while walking around the Boston Common, both to support Phil Zimmermann’s defense fund and to enact my own small protest against government restrictions on free speech.

I’m also a big fan of Cory Doctorow’s writing, and a few months ago read both Little Brother and Homeland, his vision of a not-too-distant-future dystopian United States in which Homeland Security mounts an all-out offensive against freedom in the name of safety. The books are frightening in that it’s easy to see a path between where we are right now and the world he depicts. I stocked up on tin foil after finishing the books.

I resolved to do my part to help secure the basic human right of freedom of speech, even if in just a small way, by setting up a Tor relay on one of my servers. I run a small business and have ample bandwidth and compute cycles, and I felt that helping the Tor network grow was a great way to participate in the free-speech movement.

The Tor network builds each connection as a three-hop circuit. The client connects first to an entry (guard) relay, the second hop is a middle relay, and the third is an exit relay, which makes the final connection to the service the user wants to reach. Guards, middle relays and exits are set up the same way (the relay’s configuration decides which roles it will accept) and all of them are listed in the public network consensus. A bridge is a relay that is deliberately kept out of that public list; it takes the place of the guard hop for users in regimes where connections to the listed relays are blocked or heavily scrutinized. You can read full details of the architecture at the Tor Project home page.

Exit nodes carry potential legal issues and so I decided to run a non-exit relay. It takes only a few minutes to set this up on a Linux distribution…a download and a few configuration file tweaks and you are up and running. I gave the node 1 MB/s of bandwidth so that it would have a good chance of being promoted to a published entry (guard) node.

I set the node up on a Monday. The first sign of trouble was on Wednesday, when my wife asked why she couldn’t watch a show on Hulu. I took a look and saw an ominous message: “Based on your IP-address, we noticed that you are trying to access Hulu through an anonymous proxy tool…” The streaming ABC site displayed a similar message. The new Tor relay was an obvious source of the message, but I’d also recently been using a VPN to watch World Cup games that were blocked in the USA, and that could’ve been a trigger, too.

The next day I logged on to one of my banking sites. I was blocked. A second banking site had also blocked me. I needed to renew a domain at Network Solutions. Denied: “There’s something wrong with your credit card…”

What had happened?

A fundamental property of Tor is that a client has to be able to find the relays, so every relay’s IP address, exit or not, is published in the hourly network consensus, which anyone can download from the directory authorities or their mirrors. Tor makes an exception only for the entry hop: bridges are kept out of the consensus and handed out a few at a time, by email or from the BridgeDB web page, for users in places such as China where connections to the listed relays are blocked. Every other relay is public, and many companies scrape the consensus (or commercial lists built from it) and blacklist every address on it, without distinguishing a non-exit relay, which never originates connections to their servers, from an exit. The Tor Project publishes a separate list of exit addresses precisely so that sites can block exits alone, but a list built from the whole consensus catches both. I’d been blacklisted for supporting free speech.
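To make the scraping concrete, here is an added example (not code from the original post) that parses a small consensus snippet in the line format Tor’s directory specification uses (r / s / w / p entries) and shows the difference between the crude list a blocklist vendor builds from every ‘r’ line and the narrower exit-only list a site actually needs. The snippet is constructed: the nicknames, fingerprints and addresses are invented, and a real consensus, fetched from a directory authority or mirror, lists thousands of relays.

```python
"""Which addresses does a Tor consensus expose?  Added example, not from the
original post.  SAMPLE_CONSENSUS is CONSTRUCTED in the line format of Tor's
dir-spec (r / s / w / p entries); nicknames, fingerprints and addresses are
invented, and a real consensus lists thousands of relays."""
from dataclasses import dataclass, field

SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
valid-after 2014-08-26 12:00:00
r HomeRelay Ab3d9k2LmQpRs7TuVwXyZ012345 Qw8eR9tYuIoP1aSdFgHjKlZxCvB 2014-08-26 09:12:31 198.51.100.7 9001 9030
s Fast Guard Running Stable V2Dir Valid
w Bandwidth=1000
p reject 1-65535
r SomeExit Mn0pQrStUvWxYz1234567890abc Zx9cV8bN7mA6sD5fG4hJ3kL2pO1 2014-08-26 10:45:02 203.0.113.40 443 80
s Exit Fast Running Stable Valid
w Bandwidth=8000
p accept 80,443
r DownRelay Lk9jH8gF7dS6aP5oI4uY3tR2eW1 Bv5cX4zA3sD2fG1hJ0kL9mN8bV7 2014-08-25 23:01:00 192.0.2.99 9001 0
s Fast Valid
w Bandwidth=20
p reject 1-65535
directory-footer
"""


@dataclass
class Relay:
    nickname: str
    identity: str            # base64 of the relay's identity fingerprint
    address: str
    or_port: int
    dir_port: int
    flags: set = field(default_factory=set)
    exit_policy: str = ""    # port summary from the 'p' line, e.g. 'accept 80,443'


def parse_consensus(text):
    """Collect the relays in a consensus.  Each entry starts with an 'r' line
    (r nick identity digest date time IP ORPort DirPort); the 's' (flags) and
    'p' (exit-policy summary) lines that follow belong to that entry."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = Relay(parts[1], parts[2], parts[6], int(parts[7]), int(parts[8]))
            relays.append(current)
        elif current is None:
            continue                      # preamble before the first relay
        elif parts[0] == "s":
            current.flags = set(parts[1:])
        elif parts[0] == "p":
            current.exit_policy = " ".join(parts[1:])
    return relays


def is_exit(relay):
    """Only a Running relay that allows exiting can originate traffic to a site."""
    return "Running" in relay.flags and (
        "Exit" in relay.flags or relay.exit_policy.startswith("accept"))


def lookup(relays, ip):
    return next((r for r in relays if r.address == ip), None)


def classify(relay):
    """What a blocklist builder can legitimately conclude about an address."""
    if relay is None:
        return "not in consensus"
    if "Running" not in relay.flags:
        return "listed but not Running"
    return "exit relay" if is_exit(relay) else "non-exit relay"


def scraped_relay_ips(relays):
    """The crude approach: every Running 'r' line, so a non-exit relay at home
    lands on the blocklist alongside the exits."""
    return sorted(r.address for r in relays if "Running" in r.flags)


def exit_only_ips(relays):
    """The narrower list a site needs if its concern is traffic arriving from Tor."""
    return sorted(r.address for r in relays if is_exit(r))


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for ip in ("198.51.100.7", "203.0.113.40", "192.0.2.99", "10.0.0.1"):
        print(f"{ip:>14}: {classify(lookup(relays, ip))}")
    print("crude blocklist:", scraped_relay_ips(relays))
    print("exit-only list :", exit_only_ips(relays))
```

Run against a real consensus, `scraped_relay_ips` is the list the author’s home address joined on Wednesday; `exit_only_ips` is the list Hulu and the banks would have needed, and his relay would never have appeared on it.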

Some of the blocks were easy to fix. I called Hulu and the support technician manually removed my IP from their blacklist. Others (my banks, for example) cleared themselves automatically a few days after I disabled my Tor relay.

Some were not so easy to fix. Network Solutions is still blocking me, and just yesterday I tried to do an online transaction on my state government’s web site: “There is something wrong with your credit card…”

My solution to this nagging problem is the same one that I used to watch the blocked World Cup games…a VPN to a server somewhere else in the world. Since my IP is blacklisted, I just come in with a different IP.

My advice to anyone who wants to support free speech by running a Tor relay on their home or small business network is simple.

Don’t do it.

The Tor Project downplays or ignores the risk of running a Tor relay, focusing instead on exit nodes. Their goal is to grow the network, so I can’t fault them. However, it’s clear that many organizations are throwing a wide net around Tor traffic and putting all of it in the ‘evil-doer’ basket. Even if you are just trying to do your part as a citizen of the world to promote free speech, you will be slapped down. My IP presumably is now on watch lists that I don’t know about, both private and governmental. Is my traffic being collected? What tripwires did this trigger? What other ramifications are there? These are questions that I don’t know the answer to right now.

I still support Tor and what it stands for. The Tor Project is making a big push right now to encourage individuals to create Tor nodes in the Amazon cloud, and I’m all for that as long as you keep in mind that Amazon is a third party and subject to subpoena and to national security orders. It might well be that the AWS Tor nodes are currently under heavy scrutiny…we just don’t know. If you don’t physically own the entry node, there’s no guarantee that your traffic is not being de-anonymized. The Tor Browser Bundle can be useful in providing a layer of anonymity to your web browsing, but you should approach it with a dose of skepticism.

If your goal is anonymous network access, one approach would be to set up a private Tor entry point, one that you physically control, and obfuscate the traffic coming out of it. This would prevent your IP from being scraped off the list of public relays, and presumably would help prevent traffic analysis at your ISP from identifying your IP as being part of the Tor network. This approach doesn’t help the Tor project, really, but it will help anonymize your traffic. The Tor Project maintains a list of hidden entry nodes, but it’s trivial to build a list of them (they are distributed by email) and so you should assume that they have been compromised and just use your private bridge.

I still want to promote free speech. My focus is shifted away from Tor and I’m instead promoting the ‘encrypt everything’ movement. The idea is that if more people use encryption for everyday communication such as email and IM messages, the encrypted traffic becomes the norm rather than sticking out like a big flag. Unfortunately, 20 years after Zimmermann posted his PGP code, it’s still not easy for the average user to implement strong encryption. That’s where I’ll spend my effort…in making things simpler.

Perry Donham is president of KidPub Press, one of the world’s oldest websites (launched in 1995).

perryd security

Infrastructure changes at KidPub

March 8th, 2013

KidPub just celebrated its 18th birthday…very few web sites can claim to have been around for as long as KidPub has.

We’ve made some significant changes at KidPub in the past few months that, while not really obvious to most, are setting us up for what should be significant growth in 2013.

The first is a change to the servers that run KidPub. We’ve moved from relatively old hardware to some very fast Intel Core-i7 rack-based servers. The old hardware was struggling a bit and some pages on kidpub.com were taking several seconds to load. With the new hardware the most heavily used pages load in just under 1/5th of a second (200ms). For our members and guests it means that pages are very fast…and the new servers should hold us for the next few years. KidPub is in the top 50,000 web sites (measured by Quantcast) and traffic is growing at about 30% per year.

The second big change is a migration from our old book royalty tracking software, Dashbook, to a new Filemaker system that was built in-house. The new system is much more efficient and automates a lot of the process that goes into publishing our books. We spent most of January building the software. Now everything about each book is in one spot, and tasks such as setting up a new book on Amazon, which used to take 20 to 30 minutes, can be accomplished at the click of a button. As we launch new advertising for KidPub Press and also our new Watergrass Hill imprint for adult authors this automation will let us focus on the books rather than the process.

The new Filemaker system and the retirement of Dashbook means that we are now 100% Mac in all the software used…Dashbook was the last Windows program in the mix. And yes, we’re still building Hackintoshes to run everything, though the web servers are running CentOS Linux.

2013 is going to be a big year for KidPub. We should see traffic grow to 3,000 visitors a day, and the new KidPub Press For Adults business is going to occupy a lot of our time. I still can’t believe that I’ve been doing this for 18 years now…time to start planning that 20-year celebration, eh?

perryd Uncategorized

So, Happy 18th Birthday KidPub

February 28th, 2013

[Note: This was originally posted on kidpub.com in February 2013]

Thanks to everyone for the birthday greetings! It’s been an amazing eighteen years…KidPub has grown from a small Linux computer in my living room with a few web pages on it to this incredible worldwide community of amazing young writers; from just a few visitors a week to over 3,000 visitors a day! I get email now from parents who were members back in the ’90s and have kids who have grown up with KidPub. How crazy is that?

For readers who don’t know the story of KidPub, here is the short version. Back in the mid 1990s I was working at a large computer company, Digital Equipment Corporation. One of my jobs was to do research on a brand new thing, something called the World Wide Web. I decided that the best way to figure out how it worked was to create my own web site. I had a friend whose daughter loved to write, and I made a little page to post her stories. Back then there were only 10,000 or so web sites in existence…now there are more than 200 million. I started receiving email from other kids who liked to write, asking if I would post -their- story, too. Pretty soon there were dozens, then hundreds, then THOUSANDS of stories posted from kids all over the world.

And it’s just kept growing.

Like Dr. Who, there have been several versions of KidPub. The original pages looked pretty comical…I hand-drew the logo, and I didn’t really know how to format a web page, so everything had a grey background. Stories were sent in by email, and I tried to format them as best I could before posting them. Around 2000 or so the entire site was rebuilt, and then again around 2008. There was a ‘notebook’ theme that we used for a couple of years, and finally what you see now was created.

KidMUD, by the way, appeared for the first time in 1996. The first version was destroyed by an evil player, and it was rebuilt several times. The current version was created in 2005.

For many years, KidPub was just a hobby. In 2008 I decided to devote my efforts full-time to it and the new KidPub Press book publishing company. Now we have a small staff, and the little computer in my living room has been replaced by a rack of servers in a datacenter in Los Angeles. We’ve become the largest publisher of books by kids with over 300 titles in print, and KidPub was featured last April in a front-page New York Times story on kids and publishing. By the end of this year we’re projecting growth to 5,000 visitors each day at kidpub.com and 450 book titles in print.

It’s been an incredible ride for the past 18 years and I can’t wait to write the post for our 20th anniversary. And our 25th. And our 40th.

Through all those years, the one thing that has been constant is you, our members and visitors. I simply love reading all your stories, comments, arguments, posts, and everything else. I am incredibly proud of our members. Frankly, you just amaze me with your writing and the way you create KidPub in your own image. My philosophy is that kids are good people, and what I do is give you the tools to express yourself and then just step back to see what happens. It’s a big, ever-changing family and every morning I wake up excited to see what you’ve come up with.

Thank you so much for making KidPub something special. All of you.

Perry

perryd Uncategorized

Thank you, NASA

March 7th, 2011

About an hour and a half ago my wife and I sat on our back porch and watched a spectacular overhead pass by the International Space Station (ISS), chased by the Space Shuttle Discovery. This is Discovery’s last flight, near the end of NASA’s shuttle program, and it was the last opportunity for us and all of humanity to see those two bright stars chase each other across the sky.

The night was perfect: Chilly and windy but ‘severe clear’. The kind of night where you can count all of the Pleiades and a few extras for good measure. A thin crescent moon was just setting, and the pair of spacecraft lit up on the northwest horizon right on time: 6:58pm EST. This was a nearly overhead pass, 83 degrees, and the two were as bright as I had ever seen them, as if they knew that this was their finale. Just as they passed overhead at their zenith a third satellite crossed their path perpendicularly, icing on the cake.

I remember watching the very first shuttle launch, unable to leave the television set for hours. And now I’ve seen the last pass. It’s been a good run. A lot of incredible science has been accomplished, but there was always time for the astronauts to just sit back and enjoy the ride.

Godspeed, Discovery. I’m sorry the ride is over.

perryd Uncategorized

Enter the Hackintosh

February 15th, 2011

Why did it take me so long to drink the Mac Kool-Aid? KidPub Press has recently started to produce ebooks for Kindle and Nook, and I wanted to also offer them on iBooks. Well, guess what? The only road to iBooks publishing is through an iTunes plugin, and it has to be running on Mac OS X.

Fine. We had a Lenovo T60p sitting unused in a corner, and it turns out that building an OS X system on the laptop is relatively painless. A day of reading and loading and -voila- we now have the equivalent of a MacBook Pro. I’m writing on it right now.

For some reason I never fully grasped that MacOS is basically UNIX and a windowing system. Now, I’ve been a Linux fan since 1994 and have had countless Linux boxes. There are two or three in the house right now, and the KidPub servers all run Red Hat Linux. It took about a minute of playing with the new HackBook before I realized that I was right at home. I suppose at some level I knew that MacOS had roots in BeOS and NeXTSTEP, both UNIX variants, but to be honest the entry price of a retail Mac had been a barrier to my even powering a Mac up.

Now that Apple has moved away from the PowerPC and embraced the Intel platform it’s much simpler to get OS X running on a variety of PC-purposed hardware. The T60p is really quite a nice platform…fast, crisp graphics, lightweight…I think it runs better under Snow Leopard than it does Windows.

I’m pretty heavily invested in the Windows platform for business software but I keep reaching for the T60p HackBook Pro. I have a lighter laptop for traveling but I have the feeling that this is the machine that I’ll be using for research, browsing, email, and the like. And when it comes time for a technology upgrade at KidPub Press…

perryd Uncategorized

SOS Backup - Thank You

February 15th, 2011

A quick thank you to the folks at SOS backup for not hassling me when I asked for a refund.

You might have noticed a trend in my posts…I seem to be obsessed with backup software. The latest saga started with the purchase of a pair of Buffalo LinkStation NAS boxes. I love these things…they run Linux, have click-and-configure RAID 1 mirroring, and are fast enough that I can use them for my daily work instead of a local drive. The configuration in each is a pair of 500 GB drives in a RAID 1 array. To feed my backup paranoia there’s a job that runs nightly to back up each box to the other.

What I REALLY wanted, though, was cloud backup of the LinkStations. Guess what? Nobody is doing that right now. It might LOOK as though folks like Norton and SOS are doing it, but when the bits hit the wire it just isn’t happening. SOS Backup said they could, and I believed them enough to pony up $80 for a license. After a week of trying everything in my bag of tricks, I just couldn’t get the software to work. Best I can tell there are issues with NAS drives and Windows 7 64-bit.

To their credit, there was no hesitation in issuing a refund. I explained the problem, asked for a refund, and the next day it had been processed. Thank you!

Their exit interview / poll asked why I was leaving. I explained, as I’ve done to other companies, that there must be not even a glimmer of doubt in backup software. It needs to work the first time, the second time…every time, the same way, with no errors or tricks to get it working. Bottom line is that I just didn’t trust the software.

The cloud backup company I trust the most these days is Mozy, but even they aren’t offering backups for NAS drives.

So, what’s the solution? Fortunately it’s trivial to ‘jailbreak’ the Buffalo LinkStation to get a root shell, and I’ve simply set up a nightly cron job that uses rsync to back up my work files to a remote Linux server. Knock wood, with two sets of mirrored files and a remote backup I can sleep at night. At some point Mozy will offer NAS backups, and all will be well again.
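The nightly rsync job is the one piece of this post a reader is likely to copy, so here is an added example (not the author’s script) of the shape I would give it. It goes a step beyond a plain mirror: each night becomes a dated snapshot hard-linked to the previous one with --link-dest, so unchanged files cost no extra space, yet a file deleted or overwritten on the NAS is still intact in yesterday’s tree, which a mirror run with --delete would not give you. It assumes rsync and ssh on the LinkStation and a dedicated remote account with its own key; the paths, host name and key file are placeholders.

```python
"""Nightly rsync push from a NAS to a remote Linux box, with hard-linked
daily snapshots.  Added example, not the author's script.  Assumes rsync
and ssh on the NAS and a remote account that can only write below
BACKUP_ROOT; paths, host name and key file are placeholders."""
import subprocess
from datetime import date

SOURCE = "/mnt/array1/work/"            # trailing slash: copy the contents, not the dir
REMOTE = "backup@backup.example.org"    # placeholder account@host
BACKUP_ROOT = "/srv/backups/linkstation"
SSH_KEY = "/root/.ssh/backup_key"       # placeholder; key used only by this job
KEEP_SNAPSHOTS = 14


def build_rsync_command(src, remote, root, snapshot, previous):
    """argv for one snapshot named `snapshot` (an ISO date).  --link-dest
    hard-links unchanged files to the previous snapshot, so each day costs
    only the changed bytes yet every snapshot is a complete tree.
    Deliberately no --delete: a deletion (or a ransomware rewrite) on the
    NAS never reaches into earlier snapshots."""
    cmd = ["rsync", "-a", "--numeric-ids", "--partial",
           "-e", f"ssh -o BatchMode=yes -i {SSH_KEY}"]
    if previous:
        cmd.append(f"--link-dest=../{previous}")   # relative to the destination dir
    cmd += [src, f"{remote}:{root}/{snapshot}/"]
    return cmd


def is_snapshot_name(name):
    """Only names that are valid ISO dates count; 'lost+found' etc. are ignored."""
    try:
        date.fromisoformat(name)
        return True
    except ValueError:
        return False


def latest_snapshot(existing):
    dated = sorted(n for n in existing if is_snapshot_name(n))
    return dated[-1] if dated else None


def snapshots_to_prune(existing, keep):
    """Oldest snapshot names beyond `keep`; ISO dates sort chronologically."""
    dated = sorted(n for n in existing if is_snapshot_name(n))
    return dated[:-keep] if len(dated) > keep else []


def run_nightly():
    """Cron entry point on the NAS: find the newest earlier snapshot, then push."""
    ssh = ["ssh", "-o", "BatchMode=yes", "-i", SSH_KEY, REMOTE]
    listing = subprocess.run(ssh + ["ls", BACKUP_ROOT], capture_output=True,
                             text=True, check=True).stdout.split()
    today = date.today().isoformat()
    previous = latest_snapshot(n for n in listing if n != today)   # rerun-safe
    subprocess.run(build_rsync_command(SOURCE, REMOTE, BACKUP_ROOT, today, previous),
                   check=True)


if __name__ == "__main__":
    run_nightly()
```

`snapshots_to_prune()` is intended for a cron job on the remote side (feed it `os.listdir(BACKUP_ROOT)` there), not on the NAS: if the NAS key can only create new snapshot directories and never delete, a compromised or failing NAS cannot take the remote history down with it.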

perryd Uncategorized

Acronis Fails Again With True Image Home 2011

October 14th, 2010

Last year around this time I was searching for a robust backup solution for KidPub Press. You might recall that I’d narrowed my evaluation down to Acronis True Image Home 2010, which I purchased and installed, then uninstalled after it failed to meet even basic backup requirements.

Fast-forward a year. I’ve just set up a RAID array for backups here in the office and am revisiting the backup strategy. Despite the earlier problems with Acronis 2010, I read through the data sheet for True Image Home 2011 and it sounded like they had produced a solid product this time around.

Wrong!

I bought the upgrade and installed. The installation had a few glitches, which should have been a red flag…there should be absolutely no surprises when installing software that is designed to give you peace of mind. The initial file-based backup went well and took less time than I thought it would, and subsequent incremental backups appeared to run just fine, too.

Not so much for email. I set up a scheduled email backup for every two hours. The first one failed. The second one failed. The third one failed. I did a quick search on the Acronis site for the issue. Guess what? They know about the problem…basically, you can’t back up your email files when Outlook is running. The solution? Close Outlook before running the scheduled backup job.

Excuse me? I thought you just said that I should stop what I’m doing every two hours, close Outlook, and wait for Acronis to back up the PST files.

What a sorry piece of junk. But it gets better…a search on the Acronis knowledge base shows that Acronis True Image Home 2010, last year’s version, had the same problem.

How can a software team, producing a product that should be rock-solid, introduce the same critical bug two versions in a row and not catch it in testing before releasing the product? It’s just mind-bogglingly pathetic.

So, that’s all for Acronis. I’ve uninstalled the thing and will never think about them again.

I wonder what Acronis employees use to back up their machines? Mozy?

perryd Uncategorized

TSA: Can We All Please Acknowledge That It’s Ineffective and Move On?

February 15th, 2010

I was out in several of our nation’s major airports again this past week, and was once again struck by just how pathetic TSA’s so-called security procedures are. I really think that it’s time for Americans to acknowledge the massive failure that is the TSA and demand that we stop wasting taxpayer dollars on such an ineffective bureaucracy. Bruce Schneier is spot-on: The TSA and its procedures are strictly security theater, put in place to lull the traveling public into believing that their security is being somehow improved.

Consider that long line you stood in at the TSA checkpoint, waiting to show a TSA agent your photo ID and boarding pass. It seems very official, with badges and magnifying glasses and ultraviolet lights. We can take comfort that any of the million-plus individuals on the government’s No Fly list would be stopped dead in their tracks by such scrutiny.

In reality, it is trivial to board a plane if you are on the No Fly list. Think about it. The agent at the checkpoint is relying on an ID and a document that you yourself hand to them. Also, what is being checked? Is your name being entered into a terminal to see if it matches a name on the list of known or suspected terrorists? Is there a paper copy? Has the agent memorized the million names on the list?

No, what’s being so diligently checked is whether the name on the ID matches the name on a piece of paper that you have produced. Same number of letters? Spelled the same, or at least close? You’re good to go. That TSA agent, front line defender of our flying safety, is little more than a uniformed elementary teacher checking spelling.

There’s nothing complicated about boarding a plane if you are on the No Fly list. Simply pick up a prepaid debit card at your local convenience store (while you are there you might as well pay cash for a prepaid cell phone in case you need to make an untraceable phone call). Go home, open up a browser, and purchase a ticket using your debit card. Use a name that you know isn’t on the list. When the day comes to fly, check in online and print the boarding pass with the false name on it. While you’re there, save the page…it’s a PDF file. Open the PDF file with Acrobat and edit the name on the boarding pass to match the one on your real ID. Print the second pass and head for the airport.

At the airport, hand your real ID and the matching boarding pass to the TSA agent. As long as you didn’t typo your own name, you’ll walk right through.

At the gate, hand the gate agent the boarding pass with the false name on it. They check the name against ticketed passengers. It matches, so you are free to get on the plane.

Incidentally, if you aren’t flying but just want to meet someone at the gate, or maybe shop at the duty free store, you can print your own boarding pass for any flight that you wish and just walk through the TSA security with it using the same technique.

This ridiculous system is costing taxpayers billions of dollars every year. Although it has its critics, the system in place in Israel seems to be much more effective and much less intrusive. It’s real security, not security theater. Tell your congressional representative that you are tired of wasting money and ask for a thorough review of the TSA and its ineffective policies and procedures. If you don’t know who your representatives are, visit congress.org to find out.

perryd Uncategorized

Cobian Backup Steps Up When Acronis Fails

November 11th, 2009

Ever think about how much you trust your software? For most of the things we do on a PC, there’s really very little trust involved. We expect Word to display text as we type it, or our calculator to return accurate numbers, but for the most part we accept the little idiosyncrasies and shortcomings of our applications and work around them, if we even notice them.

When it comes to backup software, though, the story is a little different. There’s no room for mistakes. In an earlier post I wrote about selecting a backup solution for our Linux servers, and part of that process included whether or not I got a good feeling when running the application. Any little glitch, unexpected response, or slow refresh meant that I’d cross that package off of the list.

I did the same thing when choosing a Windows backup solution for my daily work desktop. Ghost was ok, but a bit slow, and I’d read that there were issues running it under then-beta Windows 7. I did some research and found that Acronis had a popular solution in their True Image Home product. It includes an innovative ‘continuous’ backup feature that does an incremental backup every five minutes which I found attractive. It retails for about $50, a bargain for some peace of mind.

Acronis worked reasonably well under Windows 7 RC. It was a bit of a resource hog and would slow the machine to a crawl on power-up as it rechecked every file on the system, but I got used to it. I lost and recovered a file or two over the month that I used it and was happy with the result.

Then came the installation of the production version of Windows 7. I’ll cut to the chase: Acronis completely failed. It wouldn’t run a backup, instead displaying a blank alert box: Ok? I don’t think so. Worse, I was not able to open ANY of the backed up files from the prior installation. Instead of simply refreshing directories on my base Windows 7 install, I had to dig up backup DVDs of those files and rebuild the machine manually.

Acronis’ answer to the high-severity bug ticket I filed? We know it’s a problem and we’ll get back to you. That was several weeks ago, and from the chatter on the Acronis user forum it’s clear that it wasn’t just me seeing this problem.

This kind of failure in a backup product is simply inexcusable. Fortunately I had backups of my Acronis backups, and I feel truly sorry for those who didn’t. Granted, rolling back to Windows 7 RC is a temporary fix, but Acronis has lost the single most important feature of their product: Trust. They have lost me as a customer for life, and probably anyone who asks me what I use for backup.

I replaced Acronis with Cobian, an open source solution that works extremely well. Unlike Acronis, which saves files in a proprietary format, Cobian stores files in a standard format, so even if Cobian won’t start I can still get to my files. It does everything you’d expect it to, and does it efficiently. It offers features that Windows 7 Backup doesn’t, and best of all it’s free.

perryd Uncategorized

When Speaking of the Devil, Whisper…

September 1st, 2009

Just a few weeks after my post evaluating backup and recovery solutions for Linux, we had a hard failure on one of the machines that we use for daily editing work. It holds most of the master files for active books. It was one of those failures that ends up being cheaper to replace the machine rather than repair it.

On the plus side, it was an excuse to pick up one of the quad-core Intel machines that Gateway and others are deep-discounting right now. And it was a perfect lesson in the value of regular backups. Since we Ghost the machine daily (sometimes more often, using Ghost’s triggers), we were able to recover our data with just a few hours of lost work. It takes about ten minutes to set up automated backup tasks in Ghost and other backup software, and then you just forget about it until you need it (and you WILL need it!).

On the minus side, I’m now starting to be obsessed with data protection…a rack of RAID is just what we need right now…

perryd Uncategorized, tools