
Re: [security-discuss] gnuradio project DoS attacks GNU wget users


From: ng0
Subject: Re: [security-discuss] gnuradio project DoS attacks GNU wget users
Date: Thu, 2 Mar 2017 20:08:39 +0000

On 17-03-02 11:50:09, Richard Stallman wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> 
>   > As far as I perceive it, ftp.gnu.org and the alpha ftp do not provide
>   > any access to be used from tor exit nodes.
> 
> This sounds like a real problem.  Can someone present a specific test case
> that fails?

That's as easy as running tor with a configuration where you exclude
at least exit-nodes located in the USA. Then you will try to download
any file on one of the download locations of gnu, with a graphical
web browser - it does not have to be torbrowser - you pass it the
arguments to use the socks5 proxy of tor as described in the torproject
website documentation, and just trying to establish a connection to
ftp.gnu.org will fail with "Error: Bad IP connecting".

I have not checked my config in a while, but this shows that there's at
least a problem if you connect not from within the USA. I can't recall
if I ever had a good exit-node connecting to ftp.gnu.org, but I doubt it.

>   > I find this annoying every time I have to check releases, update
>   > software for Guix, etc. If mirroring would be an option I would run an
>   > .onion mirror.
> 
> Last I heard we had lots of mirrors.  Making another kind of mirror
> would be useful too.
> 
> -- 
> Dr Richard Stallman
> President, Free Software Foundation (gnu.org, fsf.org)
> Internet Hall-of-Famer (internethalloffame.org)
> Skype: No way! See stallman.org/skype.html.
> 

Below I use "mirrors" when I refer to the root download architecture at
gnu.org, the exception is the provided mirror which should be clear from
context.

If this (whereby I mean providing .onion access at the root level
of software distribution, the gnu.org servers) is not or not right now
possible to be provided by the FSF/GNU[0], I am strongly considering
providing an .onion mirror with the intention to add .gnu gnunet later on.
However there are problems:

* I'm not really looking forward to administrating server(s) again, even
  if the underlying system makes administration easier.
* I'm limited in resources both financially and time to invest.
* My non-commercial ISP of choice is prepared for lots of traffic, they
  even have some tor exit- and non-exit relays/nodes in their network,
  but if this mirror would be used it would be a centralization of
  service which would be an easy target to take down, in addition to
  testing out how much traffic is okay for their infrastructure. Last
  time I ran a tor non-exit relay in there it was still okay with
  several TB of data per month.

I know I can just mirror some (and not all) mirrors of gnu.org, reducing
the size which is needed. At the current size of all gnu.org mirrors
this results in ~125GiB. Taking into consideration the operating system to
add and that at IN-Berlin eV (the ISP) you can only buy disk space in 25
sizes (n times 25) I get less than 20 Euro / month.
Now the consideration of the choice of datacenter vs "other places" and
therefore the choice of machine in use is how much electricity is
wasted in the process.
I have to think about compromises of use vs costs as the ideal solution
would be to also provide a service for binary substitutes similar to
what's offered from https://hydra.gnu.org at the moment.

0: I'm not sure who's responsible for the server maintenance, I know
both parties are involved depending on the level of maintenance.


