El Reg reports
A dozen libraries across the US have asked for details on how to host Tor exit nodes following a decision by the small town of Lebanon, New Hampshire, to [forgo] police warnings.
Following a decision by the library's board of trustees earlier this week to put the exit node back online, the founder of the Library Freedom Project, Alison Macrina, said that she had heard from a number of other libraries interested in hosting Tor nodes.
"Between libraries and community leaders around the country, we've heard from probably about a dozen who are interested in joining this", she told Motherboard.
One of those people was present at the board meeting, having driven two hours to attend. As a library trustee at nearby Reading, she revealed that it was going to have its own meeting on the issue next month.
[...] Macrina now says that the DHS' efforts have put her project on the map. "This has catalyzed additional libraries and community members", she told Motherboard. "Folks have emailed me saying 'We don't care if it gets shut down, we want to push back against [the DHS]'."
Previous: Library Running Tor Exit Node Gets Visit from Cops; Takes it Down
Despite Homeland Security Opposition, Tor is back at New Hampshire Library
(Score: 3, Insightful) by frojack on Sunday September 20 2015, @07:12PM
I worry about having these exit nodes compromised.
They generally are not managed by the most technically astute staff, and they sit there day in and day out with just about zero supervision.
Who applies updates to the software?
Who makes sure security holes are patched?
Who makes sure no TLA gains access to its immediate upstream connection?
Who even checks the logs for signs of penetration attempts?
There is a group that helps set up these nodes: https://libraryfreedomproject.org/torexitpilotphase1/#main
But they don't manage them; the nodes are running on dissimilar OS platforms.
Compromising an exit node's upstream connection is one of the best ways to de-anonymize the traffic.
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by ledow on Sunday September 20 2015, @08:39PM
What makes you think the Library - or indeed any entity at all - has the ability to ensure someone isn't sniffing their upstream connection?
That's the thing - Tor is secure between Tor nodes, but exit nodes are specialised. They are just open points on the Internet. Anyone can set one up and sniff that traffic anyway. They are NOT secure. A library also has no more power than any other business to instruct their ISP not to sniff their traffic. Even that ISP cannot say that to their transit suppliers. Especially not against any form of law enforcement.
And - library computers? You should always consider them insecure anyway just by the sheer amount of use they get by random strangers. Physical access beats all, remember. You can no more guarantee a library computer is safe to use than you can a cybercafe computer on some remote island.
This is the problem - not that there aren't enough Tor exit nodes, but that ALL Tor exit nodes suffer exactly the same problems. You literally have to treat the entire Tor network as untrusted, whether casual user or serious researcher. Tor exit nodes are untrusted and untrustable. And thus you need to layer everything with encryption anyway. You're always going to be vulnerable to correlation attacks etc. too, because there is no protocol that avoids that. Tor doesn't magically make things secure.
As such, a library running a Tor exit node is no more or less secure than any other node. A library computer connected to Tor is no more or less secure than any other random public computer.
If you don't understand this, you do not understand Tor.