Date: Mon, 28 Jul 2014 08:41:28 +0100
From: Drak <drak@zikula.org>
To: Greg Maxwell <gmaxwell@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only
 Bitcoin traffic

Related to Russia's Tor bounty?
http://www.theguardian.com/world/2014/jul/25/russia-research-identify-users-tor
On 28 Jul 2014 04:45, "Gregory Maxwell" <gmaxwell@gmail.com> wrote:

> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch.co <mbde@bitwatch.co>
> wrote:
> > These websites list Tor nodes by bandwidth:
> >
> > http://torstatus.blutmagie.de/index.php
> > https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
> >
> > And the details reveal it's a port 8333 only exit node:
> >
> > http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> As I pointed out above, — it isn't really.  Without the exit flag, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>
>
> > blockchain.info has some records about the related IP going back to the
> > end of this May:
> >
> > https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
> it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
> doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting to
> everyone it can on IPv4 in order to try to deanonymize people, and
> also running a tor exit (and locally intercepting 8333 there),  but I
> suspect the tor exit part is not actually working— though they're
> trying to get it working by accepting huge amounts of relay bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that it's
> lying about what software it's running (I'm hesitant to just say how I
> can be sure of that, since doing so just tells someone how to do a
> more faithful emulation; so take that for whatever it's worth).