Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of zikula.org
	designates 74.125.82.46 as permitted sender)
	client-ip=74.125.82.46; envelope-from=drak@zikula.org;
	helo=mail-wg0-f46.google.com; 
MIME-Version: 1.0
In-Reply-To: <CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>
References: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com>
	<20140728024030.GA17724@savin>
	<CAAS2fgR+r6VoUse_ropq=p3WTy_qWq68fpCQim1FhcbkCXYtsQ@mail.gmail.com>
	<E0F82AAE-1B71-4B8B-A5D5-0301BBECC317@osfda.org>
	<53D5BB5F.2060200@bitwatch.co>
	<CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>
Date: Mon, 28 Jul 2014 08:41:28 +0100
Message-ID: <CANAnSg3Wcw9SVamyzkRPwHjr6bAyU4h1KV+_o7pFMZqXcVjWqg@mail.gmail.com>
From: Drak <drak@zikula.org>
To: Greg Maxwell <gmaxwell@gmail.com>
Content-Type: multipart/alternative; boundary=f46d041826f60d361d04ff3c0dbc
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only
 Bitcoin traffic
Precedence: list

--f46d041826f60d361d04ff3c0dbc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Related to Russia's Tor bounty?
http://www.theguardian.com/world/2014/jul/25/russia-research-identify-users=
-tor
On 28 Jul 2014 04:45, "Gregory Maxwell" <gmaxwell@gmail.com> wrote:

> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch.co <mbde@bitwatch.co>
> wrote:
> > These website list Tor nodes by bandwidth:
> >
> > http://torstatus.blutmagie.de/index.php
> > https://torstatus.rueckgr.at/index.php?SR=3DBandwidth&SO=3DDesc
> >
> > And the details reveal it's a port 8333 only exit node:
> >
> http://torstatus.blutmagie.de/router_detail.php?FP=3D0d6d2caafbb32ba85ee5=
162395f610ae42930124
>
> As I pointed out above, =E2=80=94 it isn't really.  Without the exit flag=
, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>
>
> > blockchain.info has some records about the related IP going back to the
> > end of this May:
> >
> > https://blockchain.info/ip-address/5.9.93.101?offset=3D300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
> it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
> doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting to
> everyone it can on IPv4 in order to try to deanonymize people, and
> also running a tor exit (and locally intercepting 8333 there),  but I
> suspect the tor exit part is not actually working=E2=80=94 though they're
> trying to get it working by accepting huge amounts of relay bandwidth.
>
> I'm trying to manually exit through it so I can see if its
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts its connecting out to proves that its
> lying about what software its running (I'm hesitant to just say how I
> can be sure of that, since doing so just tells someone how to do a
> more faithful emulation; so that that for whatever its worth).
>
>
> -------------------------------------------------------------------------=
-----
> Infragistics Professional
> Build stunning WinForms apps today!
> Reboot your WinForms applications with our WinForms controls.
> Build a bridge from your legacy apps to the future.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=3D153845071&iu=3D/4140/ostg=
.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>

--f46d041826f60d361d04ff3c0dbc
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">Related to Russia&#39;s Tor bounty? <a href=3D"http://www.th=
eguardian.com/world/2014/jul/25/russia-research-identify-users-tor">http://=
www.theguardian.com/world/2014/jul/25/russia-research-identify-users-tor</a=
></p>

<div class=3D"gmail_quote">On 28 Jul 2014 04:45, &quot;Gregory Maxwell&quot=
; &lt;<a href=3D"mailto:gmaxwell@gmail.com">gmaxwell@gmail.com</a>&gt; wrot=
e:<br type=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"margi=
n:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Sun, Jul 27, 2014 at 7:54 PM, <a href=3D"mailto:mbde@bitwatch.co">mbde@b=
itwatch.co</a> &lt;<a href=3D"mailto:mbde@bitwatch.co">mbde@bitwatch.co</a>=
&gt; wrote:<br>
&gt; These website list Tor nodes by bandwidth:<br>
&gt;<br>
&gt; <a href=3D"http://torstatus.blutmagie.de/index.php" target=3D"_blank">=
http://torstatus.blutmagie.de/index.php</a><br>
&gt; <a href=3D"https://torstatus.rueckgr.at/index.php?SR=3DBandwidth&amp;S=
O=3DDesc" target=3D"_blank">https://torstatus.rueckgr.at/index.php?SR=3DBan=
dwidth&amp;SO=3DDesc</a><br>
&gt;<br>
&gt; And the details reveal it&#39;s a port 8333 only exit node:<br>
&gt; <a href=3D"http://torstatus.blutmagie.de/router_detail.php?FP=3D0d6d2c=
aafbb32ba85ee5162395f610ae42930124" target=3D"_blank">http://torstatus.blut=
magie.de/router_detail.php?FP=3D0d6d2caafbb32ba85ee5162395f610ae42930124</a=
><br>

<br>
As I pointed out above, =E2=80=94 it isn&#39;t really. =C2=A0Without the ex=
it flag, I<br>
believe no tor node will select it to exit 8333 unless manually<br>
configured. (someone following tor more closely than I could correct<br>
if I&#39;m wrong here)<br>
<br>
<br>
&gt; <a href=3D"http://blockchain.info" target=3D"_blank">blockchain.info</=
a> has some records about the related IP going back to the<br>
&gt; end of this May:<br>
&gt;<br>
&gt; <a href=3D"https://blockchain.info/ip-address/5.9.93.101?offset=3D300"=
 target=3D"_blank">https://blockchain.info/ip-address/5.9.93.101?offset=3D3=
00</a><br>
<br>
dsnrk and mr_burdell on freenode show that the bitnodes crawler showed<br>
it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it<br>
doesn&#39;t now.<br>
<br>
Fits a pattern of someone running a bitcoin node widely connecting to<br>
everyone it can on IPv4 in order to try to deanonymize people, and<br>
also running a tor exit (and locally intercepting 8333 there), =C2=A0but I<=
br>
suspect the tor exit part is not actually working=E2=80=94 though they&#39;=
re<br>
trying to get it working by accepting huge amounts of relay bandwidth.<br>
<br>
I&#39;m trying to manually exit through it so I can see if its<br>
intercepting the connections, but I seem to not be able.<br>
<br>
Some other data from the hosts its connecting out to proves that its<br>
lying about what software its running (I&#39;m hesitant to just say how I<b=
r>
can be sure of that, since doing so just tells someone how to do a<br>
more faithful emulation; so that that for whatever its worth).<br>
<br>
---------------------------------------------------------------------------=
---<br>
Infragistics Professional<br>
Build stunning WinForms apps today!<br>
Reboot your WinForms applications with our WinForms controls.<br>
Build a bridge from your legacy apps to the future.<br>
<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D153845071&amp;iu=
=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
pad/clk?id=3D153845071&amp;iu=3D/4140/ostg.clktrk</a><br>
_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
</blockquote></div>

--f46d041826f60d361d04ff3c0dbc--