Should we run a Tor exit node at Farset?


#1

@Tyndyll asked a great question on Slack yesterday, one that’s come up a few times, but not been properly documented:

Has there ever been a discussion about running a Tor exit node at Farset?

Many, many times. If it’s not immediately obvious to readers why this might be a bad idea, this wall of text is a good first account of what you might be getting yourself into.

But of course this is Farset, since when were we sensible?

The First FlackNite

FlackNite used to be our regular 24-hour hackathon nights when Farset first opened. The first one involved getting the space into a ready state, which included network setup. It didn’t take us long to realize:

  • Farset’s internet was completely uncensored
  • We were a bunch of experimenting, anarchistic students, who thought no harm would come to them in their new charity dungeon

It seemed like a pretty good idea, running a Tor exit node - it would help people worldwide keep their anonymity, and have freedom of access to information, something nice to blog about. Thankfully, reality kicked in.

  1. Our uncensored internet would soon, as an exit node, be blocked from pretty much half the internet, and we’d have a lot more issues down the line trying to put out the fire we’d so hastily built
  2. @bolster said “No. Just… no.” This was back when
    a. he was a lot more sensible, and
    b. pretty much the benevolent dictator he originally intended to be :trollface:
  3. In his defense, we’d just been given free internet by Tibus, and not pissing them off was probably best

Farset’s internet split

Sometime in 2013, when Farset started getting a lot more sensible and had already had its own bout of legal trouble, a few things were realized:

  • There was no difference between members and the charity when it came to the internet
  • Anyone can do bad things
  • Getting blamed for bad things you didn’t do isn’t fun, and sometimes expensive

To combat this, a new network setup was devised that would separate what the charity did on the internet, from what the members were doing. This was a logical split - we had 4 IP addresses, and it was about time we used them properly.

The network was sectioned off into two distinct areas:

It was hoped that this split would give the charity plausible deniability. Members were free to use their ‘side’ of the internet as they saw fit, as long as they stayed within Farset’s code of conduct, and the law. Farset wouldn’t keep any access logs, and would respect member privacy, hoping to ensure that members were protected in what they chose to do in a hackerspace, but also that Farset itself could be safe from anything other than the crime of providing public internet access.

Managed vs. unmanaged internet

A lot of our members like to experiment with networks (it’s how I ended up being in charge of the mess I created here). However, as much freedom as we like to offer everyone in the space, it wasn’t long before the core internet and network services were solely controlled by ‘trusted people’ and the Directors. This was an obvious requirement, but a restrictive one, that prevented new members from having the same level of fun as we did when Farset first opened. There was also the requirement of trust - we (Farset) managed the internet, and it was up to members to believe our word that we wouldn’t restrict or track what people were doing.

In an attempt to combat these problems, and give complete freedom back to the members, the last public IPv4 address we had left was designated deimos.unit1.farsetlabs.org.uk - a No man’s land where a raw internet port was left for any member to ‘Do What Thou Wilt’ (be it Active Directory, running MITM attacks, messing with mail servers, etc.) assuming they still abided by rule #0.

Um, Tor?

It was quickly pointed out that there was nothing stopping this port being used as a Tor exit node, and by design, nothing we could do to restrict it. This resulted in a debate in Farset between:

  1. tell Tibus that this IP is dirty, and to fend off complaints from DMCA and Government agencies
  2. drop the whole port thing, because we’re a charity, a business with legal requirements, limited funding, and enough stress from other legitimate activity (freedom isn’t free)

In conclusion

It would be nice to run a Tor exit node, few dispute that - however, the problems it comes with, both legal and administrative, are not worth our, or our ISP’s, time.

We do run a Tor relay, and custom on-site proxy & resolver to allow .onion address access from within the space (Try DuckDuckGo on http://3g2upl4pq6kufc4m.onion/)

We currently do not relay traffic for the Tor network, however I personally have no issue with this. It would be nice to add to our list of ‘nice things we do’, but it is still the legal responsibility of the directors to make that decision. I haven’t bothered them with the question, but it’d be up there with running a full Bitcoin node, and offering free hosting for other charities and good causes.