MIME-Version: 1.0
In-Reply-To: <CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>
References: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com>
	<20140728024030.GA17724@savin>
	<CAAS2fgR+r6VoUse_ropq=p3WTy_qWq68fpCQim1FhcbkCXYtsQ@mail.gmail.com>
	<E0F82AAE-1B71-4B8B-A5D5-0301BBECC317@osfda.org>
	<53D5BB5F.2060200@bitwatch.co>
	<CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>
Date: Mon, 28 Jul 2014 08:41:28 +0100
Message-ID: <CANAnSg3Wcw9SVamyzkRPwHjr6bAyU4h1KV+_o7pFMZqXcVjWqg@mail.gmail.com>
From: Drak <drak@zikula.org>
To: Greg Maxwell <gmaxwell@gmail.com>
Content-Type: multipart/alternative; boundary=f46d041826f60d361d04ff3c0dbc
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only
 Bitcoin traffic

--f46d041826f60d361d04ff3c0dbc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Related to Russia's Tor bounty?
http://www.theguardian.com/world/2014/jul/25/russia-research-identify-users-tor
On 28 Jul 2014 04:45, "Gregory Maxwell" <gmaxwell@gmail.com> wrote:

> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch.co <mbde@bitwatch.co>
> wrote:
> > These websites list Tor nodes by bandwidth:
> >
> > http://torstatus.blutmagie.de/index.php
> > https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
> >
> > And the details reveal it's a port 8333 only exit node:
> >
> > http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> As I pointed out above, — it isn't really.  Without the exit flag, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>
>
> > blockchain.info has some records about the related IP going back to the
> > end of this May:
> >
> > https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
> it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
> doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting to
> everyone it can on IPv4 in order to try to deanonymize people, and
> also running a tor exit (and locally intercepting 8333 there),  but I
> suspect the tor exit part is not actually working— though they're
> trying to get it working by accepting huge amounts of relay bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that it's
> lying about what software it's running (I'm hesitant to just say how I
> can be sure of that, since doing so just tells someone how to do a
> more faithful emulation; so that that for whatever it's worth).

--f46d041826f60d361d04ff3c0dbc--