verla via Tor Project Forum:

A concerning statement in this write-up is:

The C-Tor codebase is in maintenance mode and not accepting any new
features anymore (with a very narrow set of exceptions). We therefore
plan to have this change included solely in the upcoming Arti relay
work.

This appears to be false, as you just rolled out conflux and onion proof of work in the C-Tor codebase.What are the exceptions for new features into c-tor? Where are the exception criteria documented (speaking of transparency)? Will this proposal become an exception?

I think the answer to your last question is already in the text block
you quoted, no? The exceptions are determined by the network-team and
are on a case-by-case basis. The general rule is “no new features”.

Proposal Questions

• What does this proposal mean for those running C-Tor?

It should not affect them.

• Are you proposing a “flag day” for the entire network to switch to rust-tor?

We are not sure yet, but likely C-Tor relays will just be phased out via
the usual EOL mechanism: at some point there won’t be any security
updates and thus any supported C-Tor version for relays left and they
will therefore get blocked at the Directory Authority level.

• What happens to C-tor relays that refuse to put in valid email addresses if/when this proposal is accepted?

Nothing which is not happening already.

• Does this just bifurcate the network into c-tor and rust-tor versions?

No. We’ll have a period where both C-Tor and Arti relays will be in the
network but that is unrelated to the proposal at hand and is rather a
result of the overall transitioning to Arti relays.

• How do you plan to handle the duplicate email addresses on relays not in a “family”?

Not sure what you mean here, is that related to the next question?

• What’s to stop someone from just copying a known email from the public contactinfo?

You mean someone trying to impersonate an operator? We think we can
prevent that/make it detectable with the way our planned email
validation is constructed: it’s bound to the family keys/fingerprints of
relays. The details are still ironed out and will be in a technical
specification but we believe we’ll improve the situation here as well
compared to the status quo.

General Thoughts

Please show some transparency and document your setups where using valid email addresses in ContactInfo does not result in tens of thousands of spam/phishing emails per year.

Thanks @boldsuck for following up on that part.

On the general topic, it seems tor is losing its way here. If the clients do not trust the network, then why do we need more trusted relays? Are you implicitly admitting the tor network is not safe and/or the entire design is fundamentally flawed? Already, tor cannot protect against global passive adversaries. Such GPA’s already include the obvious intelligence and law enforcement agencies, but also google, facebook, apple, akamai, shein, bytedance, visa/mastercard and other with global reach on the internet. Such a proposal merely lets the GPA collect more information about relay operators.

I think the motivation section in the proposal as to why we need this is
mentioning the bad-relays case. There are some interesting ideas
mentioned as well that we could build on top of this proposal which
could help with trustworthiness. The network being safe or not is not a
yes/no topic. It’s more complicated, but we can help making it safer
with the current proposal as a building step. And that’s definitely in
the interest of Tor users.

Should this proposal be rammed onto relay operators, someone should start an anonymous email service which requires zero identifying information to accommodate those opting out of the surveillance economy.

Seems this got already addressed, too, nice.

atari via Tor Project Forum:

atari

Dramatization: Tor becoming Russia?

https://v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion/t/russia-introducing-full-regulation-of-hoster-services/8862

Nope, Tor is not becoming Russia.

The development of Tor into a direction of knowing more and more about their network donators is kind of invading.

I think we should keep things in perspective here. We are not interested
in a copy of your passport nor are we interested where you are living,
where you are born, how old you are, which gender you have, which
language you are speaking etc. Just some random email address you use
for relay related purposes.

When I started to provide nodes somewhere in the 00s, it was an act of support for a network that felt anarchic and private - for users and supporters. I was very shocked once ioerror doxxed my real-name in a commit message, making it eternal. Since then I got much more cautions with revealing information about myself. Making an email mandatory basically means everyone who doesn’t do extra steps will also be easier known by the three or more letter agencies.

Example: ramping up a bigger amount of bridges somewhere where they are needed will be connected to this and that persona. Three or more letter agencies will have absolutely no problems in complying with this demand - they operate hidden and have identities for this.

http://pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/tor-social-contract/

And no - it is not a “one-time cost” to have an email, that is regularly checked and only accessed indirectly. I’m not even starting with the case, you might have to reply (stylometry) some emails with questions regarding your relay and giving out motivational reasons, because “unknown
operators” are a threat now…

This proposal would not only give the project more information - it also does give chunks to 3 letter agencies, law-enforcement and other interconnected parties. Maybe Tor could be more transparent - how often is the project approached by officials and being asked for hints? A hidden service operator is very much likely a node operator too… Warrant canary or something similar would also be nice.

I know the world is getting more and more complicated and I often tend to get as much information as possible - but I would not force someone to give me information.

Fair enough. Now, if you feel it’s too much asked for you to provide an
email address for running relays that’s fine. There are plenty of other
ways helping and contributing to Tor, e.g. by being engaged in the forum
or in other venues (as you are already doing).

And I strongly disagree with the statement “Remember that running a relay is an act of transparency” - that is “Newspeak” for me…

Sure, as I said above there are many ways to contribute to Tor and we
are appreciating all of them. There is no way around, though, to
building are stronger and safer network by being able to reach out to
operators and connect them closer in a community. See the motivation
section in the proposal for different use-cases, not just in the
bad-relay area.

Which needs to be checked on a regular basis - and again here starts the issue. Checking means I have to connect to some kind of mail service, which leaves traces. Otherwise when I check a webmail, I could easily anonymously check a website with all news that are important for me, without any further affiliation…

Because email always was, still is and will always be the best tool to build communities!*

*)This statement might be sponsored by XKeyscore

Vort via Tor Project Forum:

I dislike plain emails in ContactInfo not because of spam.
But because I do not want to give attackers easy way to get email address knowing only IP address.
The more steps they need to connect different pieces of data, the better.

Fair enough, but as I said in my reply to @atari there are other ways to
help Tor and its users. Maybe running a snowflake proxy instead or
helping here in the forum and/or on the bug tracker (as you already do,
thanks for that!) or… There are different folks being comfortable with
different contributions and that’s fine.

Against their will.

In my opinion, community forms by itself.
Role of administrators is to create favorable conditions for it.
Desire for power and influence (even with good intents) creates opposite effect.
However, I’m not expert in this topic (fortunately), so I may be wrong.

upd. Total premoderation of messages here on forum is another anti-community-building tactic.

Vort via Tor Project Forum:

Against their will.

That’s not how it works. We provide the means and can give tips e.g. if
there are already operators close by or organizations we know where
folks could connect to. We don’t force any relay to connect to any other
operator. There is no need to send status reports to the Tor Project
either. Or, you know, folks just self-organize realizing that email
addresses could be pretty useful for that use-case:

At the risk of unintentional alienation from the main opinion, I too feel that the anonymity network is becoming much less anonymous for the people who contribute to its existence; I recall seeing a post on the Tor Reddit where a Polish based note operator had all of their nodes removed after refusing to take part in a face to face video call.

I understand wanting to know a bit more about who major network contributors are but wanting to fix a face to a network feels a step too far from my perspective. It also realistically provides no benefit of security as a bad actor could take part in a video call to ensure the continuation of their service, someone could even meet you in person. What about AI too? Someone could probably video call using someone who doesn’t even exist.

There have been several and they all either turn sketchy or vanish.

Sarcasm I assume?

Its not too much as in too much effort but rather too much risk and all while providing nodes at an expense to the operator. I can unfortunately foresee some operators exiting out and the whole Tor network becoming much smaller and much more observable.

Can Tor team confirm or disprove this story?
Refusal to do so I will treat as confirmation.

I do not agree with this proposal. Relay operators should have a choice to contribute to the Tor network with as few requirements as possible so that it remains broadly accessible. For those willing to be contacted, they can provide information if they wish to do so at their discretion.

If I write that I am alone you can believe me, or look in the RIPE db. Torservers.net or Zwiebelfreunde is now just LIR. Moritz gave the IP’s to various Relay operators. In the Ripe Whois database you can see that we share 185.220.101.0/24 for 4 relay operators. We did this split because one operator with a /24 subnet easily had 25% exit traffic and we wanted more diversity.

Even an e.V. did not protect Torservers.net = Zwiebelfreunde from a search. It doesn’t matter whether you have a lawyer. If the police drive up with a truck and clear out your server racks, your neighbors will see you as a criminal.
If the police in my city visit me again, I will transfer the IP’s to an LLC. LKA, BKA, NSA and co. know what we are doing (or know Tor) and leave us alone.

There are many mail providers with hidden services.

No, why sarcasm.
First of all, it is not forbidden to operate Tor relays in Germany. Many providers support the Tor network, why should I bother hiding it?

So that you can operate servers anonymously you need:

• In-depth network knowledge.
• Bought a workstation anonymously with cash. (No traceable MAC)
• Monero and the knowledge of how to buy it anonymously.
• And surprise. An anonymous email address.
• An anonymously ordered server. (Is usually expensive or has little bandwidth)
• Every connection to the customer interface, SSH and IPMI must be anonymous.
• Years of discipline to always use the anonymous workstation and access.

And all of this + encrypted HD doesn’t help you (if you have data on the server that leads to you) and the entire hoster is taken down by the LKA during operation. Just like it happened at the Bulletproof-hoster ‘CyberBunker 2.0’ near me.

People should just use Skiff e-mail if they want contact abilities with zero credentials. It is end to end encrypted, free, requires no card/mobile/email to create and you can have multiple aliases under one account. All you do is choose your address and set your password.

Can’t you just spoof the MAC like you can with TAILS

I also thought that Monero is private enough for anonymous purchase to not matter?

If all seven of those things have to be happening flawlessly all together then I see why so many people mess up, there are probably less than 100 people currenty sucessfully running such an operation.

You can, but better safe than sorry. See my 1st and last point above. Do you think about this every time the next years if you upgrade or do you check whether a bug might occur? Remember, wired eth has one MAC, wifi has another, and dogging station has one too.

You know the sentence: “tor can’t help you if you use it wrong”? Same aplies for other things. But that’s getting off topic here. Read the books “Mastering Monero” & DNM bible, watch “Breaking Monero”. Start here
One hint: If you buy Monero on Kraken or Binance and send it to your wallet, don’t transfer it to your hoster few minutes later. Wait a few blocks. I trade Monero on bisq (Tor hidden service).

Vort via Tor Project Forum:

Can Tor team confirm or disprove this story?
Refusal to do so I will treat as confirmation.

We had some comments around that back then in
Reddit - Dive into anything.

That said, no, we did not require a face to face video call. We wanted
to chat with the operator after a bunch of backs and forths via voice as
a bunch of things get resolved (faster/at all) that way than via lengthy
email threads. But they were not up to that.

Do you mean comments made by Tor team?

So in case when operator do not want to do voice and video calls, is it still possible to continue discussing relay operation via text messages?

Vort via Tor Project Forum:

Do you mean comments made by Tor team?

Actually, I meant our forum topic not the Reddit link, sorry:

So in case when operator do not want to do voice and video calls, is it still possible to continue discussing relay operation via text messages?

That depends on the circumstances. Sometimes it’s part of our bad-relay
work and therefore needed.

I have a few more points to add to this thread’s topic.

My main issue is that the proposal is a mandatory email address within the ContactInfo field, while refusing all other inputs, including a blank field; I am still firmly against this. However, I am fine with the idea of a blank field or a valid email address being the only possible entries in the ContactInfo field. This allows Tor relay operators to choose between being contacted via email address or not being contacted at all, which complements my prior post.

Secondly, another additional suggestion is for the Tor Project to operate as a webmail provider, either on a limited-extent for providing email alias to Tor relay operators (similar to the FSF), or as a full-on service. This way, Tor relay operators can compartmentalize their Tor work while protecting their “real” email address. Both approaches are scalable, but the latter will require an excellent legal team to deal with all of the subpeonas, gag orders, and other legal entanglements that come with the territory, plus a warrant canary with an appropriate frequency. I largely assume that such legal experience has already been acquired by the Tor Project.

If this second suggestion is well received, I highly recommend a separate domain name that reflects this explicit purpose.

I don’t agree with the proposal that the contact field to contain just an email address.
If I want to complete my contact datails as xxx@yyy.com powered by NASA or xxx@yyy.com and my blog or other variants i should be able to do it.

I still don’t like that are a lots of relays with no contact adress, maybe the start is to make them use an email address to contact them and also do something with the relays that don’t respect MyFamily settings but no with others that have different things completed to contact field