Our lead relay engineer @alexhaydock has increased our stateless #Tor exit relay deployment to 96! (+1 because of the new #RISCV bare-metal node, +1 other we redeployed due to a silly spelling error). We're stress testing our three AMD Epyc 7402P servers that use #Proxmox.

Each one of the 96 Tor exit nodes is a diskless Unified Kernel Image, 56MB in total size, built using @alpinelinux's alpine-make-rootfs with an absolutely bare minimum number of packages. We'll be publishing more about our new architecture and configuration soon.

#AlpineLinux #privacy #anonymity #AntiCensorship #AccessToInformation #TorOps #TorOperators

This question was not addressed on the AMA, in the end.

I'd still like to know the operators' answer, if they'd like to respond on here. #TorOps

Thanks to everyone who joined our Tor Operator AMA on Reddit and Mastodon! Your questions helped highlight the challenges and rewards of running Tor relays, but also highlighted the importance of Tor relays for online privacy.

The Tor network thrives on its community of operators. If you're thinking of running a relay, join the operators channel on Matrix/IRC, mailing list, or forums. We're there to help you get started!

#Tor #TorOps #TorRelays #Anonymity #Privacy #Censorship #AskMeAnything

Can you say more about any steps you take to secure your colocated hardware, including prevention, detection, and remediation? Do you use cameras, special server chassis, etc.? (No details of course: learning what you think is necessary, based on your experience as operators, is useful).

Relatedly, how much do you worry about supply chain attacks and related issues? Would you use Supermicro servers? Juniper switches? Do you worry about disabling ME, etc.?

#TorOps

@tok33 @tor_ama

About data center level surveillance:

Yes very much! We assume most big cloud providers and networks log and share their netflow data. Also it's trivial for a VPS or container provider to listen in on or manipulate the traffic, memory, processes, encryption keys and pretty much anything else.

So we tend to be pretty selective as to which datacenters we use. And we only use our own hardware.

#TorOps

@tok33 @tor_ama

About KAX17:

We think it's okay to ban adversaries from the Tor network, if there is enough evidence to support such a claim. In this case (with some great documentation by @nusenu !) it was established that KAX17 was a malicious operator on the network.

But to be honest, I wasn't impressed by KAX17's OPSEC. They made many mistakes leading to them being caught. Imo anyone properly educated/motivated/funded could get away with similar practices, while being undetected.

#TorOps

@tok33 @tor_ama

About fan mail:

What is often? We get fan mail from government agencies and judicial authorities about once per week on average. And sometimes we get called or invited for a videoconference by a government agency. But the latter is rare.

Generally most government agencies are fairly understanding, both in the technical and non-technical sense.

Judicial authorities often don't understand anything about anything and can be a pain in the ass.

#TorOps

@mynacol @tor_ama

Bonus question:

I once screwed up the compilation of a critical part of our pretty extensive DNS infrastructure, effectively resulting in 22% of the Tor network's circuits not being able to resolve any domain on the clearnet/internet. I only found out the following morning.

Yeah, I'm not proud of that moment...

My takeaway:

Never make significant changes to your infrastructure closely before going to bed and always test thoroughly!

#TorOps

@mynacol @tor_ama

Great question indeed :).

We actually receive emails thanking us fairly regularly, and those are very much appreciated.

But in the end we don't need thanks to do what we do. We know that what we're doing helps a lot of people in situations where certain freedoms are not a given. And that is motivation enough to keep going :).

#TorOps