Jul 252013


During a conference some while ago, Jacob Appelbaum gave a talk on the usefulness of the Tor project, allowing you to browse anonymously, liberating speech online, enabling web access in censored countries, etc.

Jacob described how the anonymizing Tor network consists of many machines world wide that use encryption and run the Tor software, which are routing internet traffic and on the way anonymize it, and then traffic leaves the network at some random host so the original sender cannot be traced back. These hosts are called “exit nodes”.

At the end of his talk, he prompted the audience:
Why don’t you run an exit node yet?
I had been using Tor in the past on and off, and while I couldn’t agree more with the privacy goals and anti-censorship measures outlined, I never setup an exit node to help the network. And I do admin quite a number of hosted machines that have idle bandwidth available…

It took me a while to get round to it, but some months after that I started to set up the first exit node on a hosted virtual server. It took a while to get it all going, I made sure I read up the legal implications of running it in Germany, setup disclaimers on the host for people checking it’s port 80, etc. After half a day or so, I had it going, watched in the logs how it connected to the network and… let it run.

Traffic came in slowly at first, but after 1 or 2 days, the node’s presence had propagated through the net and it started to max out CPU and bandwidth limits as configured. So far so good, I was happy helping people all over the world browsing the net anonymously and especially helping folks in countries with internet censorship to access all the net. Great!

Or so I thought at least. It only took some 5 or so days for me to get an official notice to cease network activity on this host immediately. Complaints about Copyright infringement were cited as the reason. Turned out that the majority of the “liberating” traffic I was relaying were torrenting copyrighted material. I had checked out the Tor guidelines in advance, which are correctly outlining that in Germany the TMG (law on telecommunication media) paragraphs §8 and §15 are actually protecting me as a traffic router from liability for the actual traffic contents, so initially I assumed I’d be fine in case of claims.

It turned out the notice had a twist to it. It was actually my virtual server provider who sent that notice on behalf of a complaining party and argued that I was in violation of their general terms and conditions for purchasing hosting services. Checking those, the conditions read:
Use of the server to provide anonymity services is excluded.
Regardless of the TMG, I was in violation of the hosting provider’s terms and conditions which allowed premature termination of the hosting contract. At that point I had no choice but stopping the Tor services on this hosting instance.

All in all a dissatisfying experience, but at least I could answer Jacob’s question now:
I’m not running an exit node because it’s not uncommon for German providers to exclude the use of anonymity services on the merits.
I actually got back to Jacob in Email and suggested that a note be added to the TorExitGuidelines wiki page so future contributors know to check out the terms and conditions of their hosting services. It seems my request has been ignored up to this day, for one reason or another.

I’d still like to support the Tor network however, so for all savvy readers out there, I’m asking:

  • Do you have any provider recommendations where running Tor exit nodes is not an issue? (In Germany perhaps?)
  • Is it at all feasible to be running Tor exit nodes in Germany without having to set a legal budget aside to defend yourself against claims?

Jun 212006

Traveling with a laptop to a foreign country, waiting at airports, driving in cabs, etc. puts your data at certain risks, considering the number of laptop losses at public places. Now, most of the documents and code on my system is free software or not particularly private anyway, but unfortunately not all. Some work related documents and emails i’m carrying around are not allowed to be disclosed, and so i had to decide whether to identify each one of them and either encrypt or delete them individually (very unattractive to maintain for emails and an automatically sync-ed homedir), or encrypt the laptop harddisk as a whole.
I went for the latter, luckily newer Linux kernels (>= 2.6.4) are meant to provide the necessary mechanisms out of the box. And except for one nasty devfs issue, migrating my Debian sarge system to fully encrypted partitions went surprisingly well. It still took some time to figure the necessary bits involved, especially since initrd-tools requires devfs support which got removed from newer Linux kernels. So i’ve kept notes on the steps performed and put them up here: Debian Rootfs Encryption Notes, mkinitrd 1.201 nodevfs hack.

On other topics, make sure to not miss the EFF video The Corruptibles! provided as The Corruptibles! (Ogg/Theora) and in other formats.