From: Drak <drak@zikula.org>
To: Greg Maxwell
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Date: Mon, 28 Jul 2014 08:41:28 +0100
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
References: <20140728024030.GA17724@savin> <53D5BB5F.2060200@bitwatch.co>

Related to Russia's Tor bounty?
http://www.theguardian.com/world/2014/jul/25/russia-research-identify-users-tor

On 28 Jul 2014 04:45, "Gregory Maxwell" <gmaxwell@gmail.com> wrote:
> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch.co <mbde@bitwatch.co> wrote:
> > These websites list Tor nodes by bandwidth:
> >
> > http://torstatus.blutmagie.de/index.php
> > https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
> >
> > And the details reveal it's a port 8333 only exit node:
> > http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> As I pointed out above — it isn't really. Without the exit flag, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>
> > blockchain.info has some records about the related IP going back to the
> > end of this May:
> >
> > https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
> it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
> doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting to
> everyone it can on IPv4 in order to try to deanonymize people, and
> also running a tor exit (and locally intercepting 8333 there), but I
> suspect the tor exit part is not actually working — though they're
> trying to get it working by accepting huge amounts of relay bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that it's
> lying about what software it's running (I'm hesitant to just say how I
> can be sure of that, since doing so just tells someone how to do a
> more faithful emulation; so take that for whatever it's worth).
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
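The claim in the quoted reply is that a relay without the Exit flag will not be picked to exit to port 8333 even if its exit policy accepts that port. The check a practitioner would actually run is against the consensus data Tor clients use, not against a third-party status site. The following is an added example, not code from the thread or from the Tor project: it parses the router-status entries of a network-status consensus (the `r`, `s` and `p` lines as laid out in Tor's dir-spec), evaluates the exit-policy summary for a destination port, and applies the condition stated in the thread (Exit flag and an accepting policy) while also excluding relays flagged BadExit. The consensus text embedded below is constructed; the nicknames, addresses and identity keys are invented and have nothing to do with the relay discussed on the list. Bandwidth weighting is out of scope here; as I understand Tor's path selection, a relay lacking the Exit flag is weighted in the exit position by the consensus `Wme` parameter, which is typically 0, which is what makes the flag decisive in practice, but that is background, not something the thread establishes.

```python
"""Decide which consensus relays could be chosen to exit to a given port.

Added example (not from the mailing-list thread). Reads 'r', 's' and 'p'
lines of a Tor network-status consensus and reports, per relay, whether it
carries the Exit flag and whether its exit-policy summary accepts the port.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field


def _ident(name: bytes) -> str:
    """Constructed 20-byte identity, base64 without padding as in the 'r' line."""
    return base64.b64encode(name.ljust(20, b"\0")).decode().rstrip("=")


# Constructed sample consensus fragment: four relays, three flag/policy shapes.
# Addresses are RFC 5737 documentation addresses; identities are made up.
SAMPLE_CONSENSUS = f"""\
r exitA {_ident(b'exitA')} {_ident(b'digestA')} 2014-07-28 00:00:00 198.51.100.10 9001 9030
s Exit Fast Running Stable Valid
w Bandwidth=20000
p accept 80,443,8333
r relayB {_ident(b'relayB')} {_ident(b'digestB')} 2014-07-28 00:00:00 198.51.100.20 9001 0
s Fast Running Stable Valid
w Bandwidth=900000
p accept 8333
r exitC {_ident(b'exitC')} {_ident(b'digestC')} 2014-07-28 00:00:00 198.51.100.30 443 80
s Exit Fast Guard Running Stable Valid
w Bandwidth=15000
p reject 25,119,135-139,445,563,1214,4661-4666,6346-6429,6699,6881-6999
r badD {_ident(b'badD')} {_ident(b'digestD')} 2014-07-28 00:00:00 198.51.100.40 9001 0
s BadExit Exit Fast Running Valid
w Bandwidth=5000
p accept 8333
"""


@dataclass
class Relay:
    nickname: str
    fingerprint: str                 # 40 hex chars, the form torstatus-style sites show
    address: str
    or_port: int
    flags: set = field(default_factory=set)
    # No 'p' line means "reject everything": an empty accept-list models that.
    policy_kind: str = "accept"
    policy_ports: set = field(default_factory=set)

    def policy_accepts(self, port: int) -> bool:
        """Evaluate the consensus exit-policy summary for one destination port."""
        listed = port in self.policy_ports
        return listed if self.policy_kind == "accept" else not listed

    def usable_exit_for(self, port: int) -> bool:
        """Condition from the thread (Exit flag + accepting policy), minus BadExit relays."""
        return ("Exit" in self.flags and "BadExit" not in self.flags
                and self.policy_accepts(port))


def parse_port_list(text: str) -> set[int]:
    """Expand a PortList such as '80,443,6881-6999' into a set of ports."""
    ports: set[int] = set()
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def parse_router_entries(consensus: str) -> list[Relay]:
    """Collect Relay records from the router-status entries of a consensus."""
    relays: list[Relay] = []
    cur: Relay | None = None
    for line in consensus.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            # r nickname identity digest date time IP ORPort DirPort
            if len(parts) < 9:
                raise ValueError(f"malformed r line: {line!r}")
            fp = base64.b64decode(parts[2] + "=").hex().upper()
            cur = Relay(parts[1], fp, parts[6], int(parts[7]))
            relays.append(cur)
        elif cur is None:
            continue                      # consensus header lines before the first entry
        elif parts[0] == "s":
            cur.flags = set(parts[1:])
        elif parts[0] == "p":
            if len(parts) != 3 or parts[1] not in ("accept", "reject"):
                raise ValueError(f"malformed p line: {line!r}")
            cur.policy_kind = parts[1]
            cur.policy_ports = parse_port_list(parts[2])
    return relays


def find_by_fingerprint(relays: list[Relay], fingerprint: str) -> Relay | None:
    """Look a relay up by the hex fingerprint a status site shows (any case)."""
    want = fingerprint.upper()
    return next((r for r in relays if r.fingerprint == want), None)


def exit_candidates(consensus: str, port: int) -> list[Relay]:
    """Relays that satisfy the thread's condition for exiting to `port`."""
    return [r for r in parse_router_entries(consensus) if r.usable_exit_for(port)]


if __name__ == "__main__":
    for r in parse_router_entries(SAMPLE_CONSENSUS):
        print(f"{r.nickname:8} Exit={'Exit' in r.flags!s:5} "
              f"accepts 8333={r.policy_accepts(8333)!s:5} usable={r.usable_exit_for(8333)}")
```

Against a real consensus (for example one fetched from a directory cache into a file) the same functions apply unchanged; `relayB` above is the shape the thread describes, a policy that accepts only 8333 on a relay that never earned the Exit flag, and it is exactly the entry this check filters out.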