[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Some legal trouble with TOR in France +

Hash: RIPEMD160

> 2.
> Well most people using Tor, aint running a server at ALL. They are just
the users, running Tor in Client only mode.
> And the "middlemen" are gonna be needed, if you want to have more hops!
maybe i am misinformed, but i was under the impression that middleman
mode only stops the circuit from ending at the node, all other 'exit'
nodes also carry middleman traffic
> Not everyone can run an EXIT server, but there are lots who can run a
middleman server, not everyone can find, nor afford an ISP willing to
allow them to run an EXIt server.
> But most ISP's "dont grieve about what the eye dont see" so running a
"middleman" is no problem.
yes but you completely missed my point, more exit nodes means less
chance that any one node is picked on by the law.
> My advice would be take advantage of their bandwidth, its free.
what am i paying my isp for if it's not bandwidth? i don't see your point
> And get EXIT servers to only run limited "middleman" capability and
stop trying to make them "Do-It-All".
> If "EXIT servers" gave, at maximum, 20% of currently "spare" bandwidth
to "middleman" traffic, and get in as many middlemen as possible, then
that might speed the whole Tor system up.
segregating exit and middlemen nodes more distinctly - how is this
going to help... do you want to stand at the top of the tower with
only 100 other people or would you prefer there was 300 with you? I
think you could look to a simple natural phenomenon to give an example
of why we, the small people, need to see this as a 'all for one, one
for all' - herds of grazing animals. Sure, there may be some at the
edges who will get eaten by the lions more, but the size of the
group... what happens if a lion foolishly gets himself into a pocket
at the edge and then finds himself surrounded by a sea of horns?
> 3.
> The only "Free-Riders" would appear to be ordinary Tor users who dont
run in server mode, but thats why we have Tor!
> Yes, Tor is a FREE SERVICE!
it is not a 'free service' at all, it is a group of people all
agreeing to do something for each other. your idea about segregating
makes it more dangerous for the end points than my idea of making all
nodes endpoints. the worse the ratio between exit nodes and client
only users gets, the more chance there is of exit nodes coming under fire.
> What about a system of service classes - different classes of service
for different classes of Tor user/service provider!
> More on that later...
> 4.
> No... they'll just run Tor in client mode only!
what if the software does not permit this? i think perhaps you are not
aware of how common it is for people to just install things and not
think about going into the source and modifying it. the sort of people
who would do this are the sort of people we DON'T want using tor, and
this should be something that should be incorporated into the default
configuration. Making it so all nodes are carrying traffic via the
verification mechanisms i described would help eliminate both free
riders and those wishing to exploit. Just like my metaphor of the herd
making pockets and luring the lions in, they can't win if they are
surrounded on all sides by the less powerful but organised and hostile
adversary. Lets face it, if you think tor is a good idea you are
hostile to something. And you are not powerful. It is only through
solidarity that tor even has a hope of surviving, let alone providing
a decent service to its members.
> Child porn is a different matter, it threatens the Tor network!
> It is best handled easier by a url/site/ip block list on the EXIT
nodes. to protect itself Torland should put a site uo tp create this
block list and Tor EXIt servers use it if they wish.
> Eg <16+,<18+,<21+ lists, then EXIT servers put on the lists approprate
tio theuir region.
> Also the client side of Tor could be have a user configuration to NOT
"obtain" pages/images/etc from URL/IP on these list according ot the
confugration they set. This protects them from that.
> Police could even add to this list and child protection/free speech
groups could double check to stop speech "censorship". 
well, the problem here is that what you are suggesting is essentially
saying that you should permit some level of censorship. you are
talking about a slippery slope here. There is nothing stopping any tor
user from running software such as peerguardian with a custom
blocklist. This should not be encouraged, however it should not be
prohibited. what you are talking about doing is adding a blacklisting
system to tor. Do you want to put the freedom to choose at risk? Who
can you trust to implement such a blacklist? Surely it would make more
sense, to, for example in the case of our french friend who has been
frisked by the police, for THEM to implement a blacklist, in
co-operation with those police, not only to show that we are on their
side, but to make it clear that the server operator is not interested
in being complicit. This would be a good thing to encourage server
operators to do. The better we can make our group's relations to law
enforcement, the more likely a) that they won't help push for laws
outlawing the use of tor and the operating of servers, and b) that
they could be educated in the benefits of tor for law enforcement
> As for terrorists, potentially we are ALL terrorists, and one mans
terrorist is another mans freedom fighter.
> Is "free speech" terrorism ? Currently, under UK regulations it is!
Supporting (sympathising/empathising) by the written or spoken word the
actions of "terrorists" is enough!
> How long will it be before any form of "anti-establishment" speech will
be classified as supportive of terrorist activities. not long, I'll bet.
> Orwell's "Big Brother" is here in 2006 and Orwell's "1984" is a reality
of today. The TV show "Big Brother" is a sign of the "confidence" they
feel in their ability, there they flaunt and "dry run" it right before
your very eyes. 
I think perhaps you are suffering from selective attention. In
parallel to this rise in totalitarianism there is also a rise in
libertarian and related 'isms'. Check out boingboing and slashdot

And you should also remember that a p2p anonymity system like tor
permits detectives to infiltrate hives of hate groups, pornographers,
and other groups for which there is a real need to be able to do this.
Tor may enable the bad guys to get away with stuff for a little while,
but any bad guy lazy enough to use tor for this purpose is not going
to be hard to pin down by other people also using tor.
> 5.
> Ok, I've said enough on the subject of the Tor FREE SERVICE.
> Glad you liked the idea of random hops and hope you understand we need
middlemen servers for that.
> As a suggestion, and in way of appreciation to Tor EXIT/Server nodes,
what about a 2 or 3 tier quality of service provision?
This subject has already been covered and there is no practical way to
ensure that this system is not exploited by unscrupulous persons,
except perhaps via a system such as hashcash. The big ISP's are
talking up the idea of creating premiums for quality of service,
meaning they can be bought to give selective preference to websites
they like and grind other sites to a halt that they don't agree with.
If there is issues with congestion, then perhaps what is needed is not
to price the small people out, but to enable the small people to
contribute their small contributions. I don't think that tor should
become a 'for the rich only' for those who have got the resources to
run a big server. Tor should be a system of to each according to their
ability. I hate to sound all marxist here but if you didn't absorb the
import of the actions of such great historical figures as ghandi, who
proved that a large group of people with little power, in concert with
each other, can win against small groups with a lot of power. Besides
this, it is going against the intrinsic architecture of the internet
to exclude low bandwidth users from access at the level to which their
connection permits.If this were the default policy then what's the
value in a tiered system of access giving greater preference to server
operators - all users would be server operators. Ideally tor could, at
the user's request, upon installation query the user for how much
bandwidth they have available, and simply give preference *in the
server* to their own outgoing and returning traffic (and incoming in
the case of hidden services).
> EXIT servers (according to their tested EXIT bandwidth) get First
Class, ENTRY & Middleman servers get Second Class and Non-server Clients
ONLY get Third class.
> Its an incentive!
> Would that help you glymr?
what would help me is if i could run a server that only uses 3kb/s. I
am on a 256/64 connection which frequently ends up shaped to 64k
symmetric for half the month. I'd love to be able to put in what I
have, but it's not a trivial thing to set up selective bandwidth
limiting under linux, which has much greater responsiveness in its
tcp/ip stack than windows, for which shaping software is trivial to
set up. I'd rather to be able to specify 3kb/s on the server
configuration. This is a trivial change and I'm sure I'm not alone in
being a user who has only a limited bandwidth to offer, who needs to
be able to get usable latency while using tor and serving at the same
time. I'd be willing to bet at least 10% of clients are not running
servers simply because the architecture has an arbitrary bandwidth
limit which makes one's own use of the server impractical.

Also I should point out that even if you do shaping on your tor server
to bring its bandwidth usage down, the problem is then if you want to
use the same tor server to run your own traffic you are locked into
that shaping. Either way the pipe is clogged up and unusable for the
smaller bandwidth user.

Sure, I'd love to have 20kb/s symmetric to offer, but unfortunately on
standard ADSL version one, that would usually mean 2/3 of one's
outgoing is congested with tor server traffic which depletes overall
latency for the user themselves to such a degree it is unusable. If
you are lucky enough to have cable or adsl2+ or whatever, lucky you.
Don't go assuming that everyone else has. I think that tor would
benefit a lot from having a swarm of smaller bandwidth servers. It
would somewhat increase directory server traffic but if directory
mirroring were also turned on by default then that load would be shared.
> 6.
> No, random delays are not inserted by the extra hops (though some
timing differences are inserted - mainly predictable/repetitive tho')
but it does increase the complexity of an attack solution and so the
certainty of its successful computation.
Well, this is why I put forward the idea of having a number of
circuits running at the same time that alternately (or even randomly)
are selected for each new connection initiated. If one was browsing a
web page, and there is say 20 objects, and they are randomly
distributed through 5 different length circuits, the delays *are*
diffused stochastically to a degree without sacrificing latency to any
significant degree.
> What really gives the whole stategy the EDGE, is the random delays, in
individual packets.
> Just think of your http page request reply from the EXIT node as a train.
> Back it comes from the EXIT node with its carriages (packets) right
behind it. You can time them arriving and leaving each station (hode or
Roger has already talked about the question of random packet delays,
and the problem is that it affects latency much more than any
measurable benefit gained.
> Sure each station might have delays (latency), but this is often
non-transient and so predictable. Thats the whole point of a "timing"
> And by allowing the individual setting Client side setting you can
always opt out (or reduce you delays to only a little) of this "random
delay" if you want!    
> But "random" packet delay screws up the GLOBAL timing attack completely
and with the random circuit lengths (no. of hops) I doubt anyone, even a
GLOBAL adversary, would stand a cat in hells chance of a successful attack.
> Unless, the nodes have little or no traffic on them. Which as I said in
1. happens now!
> Hopefully, more hops means more traffic.
> If not, then there is only one other item needed to complete the
perfect defence against the "Global Adversary".
> That is "Random Cover Traffic". Just for where traffic is low.
> Sent all the way along (on a request and respond basis) the circuits.
> The only other thing that I can think of is random cutting up of
packets and reforming, particulary if separate (request) streams can be
mixed into the same packets. Then the Tor system would look more like a
"gunge" liquid flow from TOR node to TOR node, instead of "separated
stream packets". Just an idea! Sure the same principle of "onion"
encryption could be used but on top of this a node to node stream mixing
and a futher layer encryption to encapsulate the "flow".
You really should read the tor faq, it explains why all of these
things are not implemented.
> 7.
> ummm...
> With "Random Packet Delay" and "Random Cover Traffic" then the attacker
has to move to a probablistic solution!
> At that point the "Random Hop Length Circuit" really begins to bite.
> Only a FULL search of the solution space will return the best solution
because sometimes they dont know for certain (as any global adversary
can today) where the packets went from one node to the next.
> And you ALL know how "probability" dont crry much weight in courts
today. They want proof! 
> This is a n**h problem solution! (where n = total number of [middleman]
nodes and h = the maximum no. of hops!
> For Tor where n = 500 and h = 6 then the solution is nearly 2*10**16 in
size. A significant solution only solvable on supercomputers.
> Addition of even MORE "middlemen" would greatly improve the situation
for us, so come ion lets have MORE middlemen.
More middlemen only improves overall network capacity *in the middle*
the exit nodes carry just as much traffic as middlemen nodes. What you
are suggesting would increase congestion at the exit nodes. I think
possibly my own experience of excessive latency (oh and by the way,
when i first started using tor, latency was fine, and then, if I
installed fasterfox or similar pipelining tweaks, the network was
almost as low latency as without tor, this is definitely not the case
anymore) may be related to a lack of adequate growth in bandwidth
capacity of exit nodes. You can't make a pipe carry more by swelling
it in the centre, you will just end up with more turbulence in the
system. The pipe has to be of reasonably uniform width from one end to
the other.

Which is why I am saying, we need to have all installations of tor run
~2kb/s exit node servers by default, and have this as a hard coded
minimum setting, so that no person in the tor network is not
contributing to making the end of the pipe as fat as possible. And
this statistically decreases the chance of any single node coming
under attack from a legal entity. United we stand, divided we fall.
You are promoting more division, this is the road to hell.
> For Tor where n = 10000 and h = 6 then the solution is 10**24 in size.
This would be impossible to solve, even with teraflop/s supercomputers,
in as reasonable amount of time (years).
> But today the solution is trivial, just follow the returning train one
station at a time to the next station on the return journey right back
to the CLIENT 3 hops back from the "EXIT" station!
> Today there is no huge space search! Today given only the EXIT node and
the ENTRY node data we can solve on a PII in under 5 minutes (& probably
under 5 seconds).
Assuming they have access to both ends. And if you'd read the tor FAQ
you'd know that tor DOES NOT defend against the well equipped global
adversary. It is not intended to. Hence this line of thought is
irrelevant. If you want an anonymising network which does defend
against this, there is a number of them. However, most of them are
impractical for web browsing.

I think a possible element of the problem may be in the RNG used by
tor to randomise circuit path selection. More entropy in circuit
generation would result in a more even distribution of circuits across
the network. The RNG will give the tor traffic a particular signature
which will decrease the natural entropy of the system and increase the
chances of correlating traffic in and out.

In lieu of a stronger randomness in the server's patterns, perhaps a
change in circuit selection could be made - when servers are not in
use, they flag this to the directories and the circuits will then
select these nodes in order to eliminate their 'empty' flag. This
would reduce the need for wasteful cover traffic, because the network
would agorically disperse traffic more widely. And one should also
note that sometimes this must be happening because of timezones and
the localisation of circuit exit points to the traffic. This sort of
load balancing system would naturally alter latency patterns and
reduce deadspots in server traffic patterns. All by itself doing this
would reduce the overall effectiveness of timing attacks because nodes
would be more evenly sending traffic, the network would breathe as one
rather than have hotspots and deadspots, both of which result in a
reduction of anonymity and an increase in latency.
> They dont even have to consider the possiblity that there might be more
than 3 hops from the EXIt node back to the Client.
> What we rely on today, is one of the nodes being in a country which
will not divulge their network logs. But as I've already shown this is
really irrelevant against an adversary with the logs of the IN and OUT
> Maybe that is why the someone recently reckoned the German authorities
have a "matter of fact" attitude about TOR EXIT nodes.
> Coz once they know that if its a Tor EXIT node they just call up the
"Global Timing Solution" program and presto... we have the culprit!
Exactly. And is that a bad thing? The point being that the global
adversary is not in the tor design. The global adversary can do
exactly what you say. However, there is many more adversaries with
much smaller capabilities who are worth defending against. The global
adversary is only confounded by the low latency mix/onion systems such
as what you mention below. Do you have any idea how many 'little cops'
would call on such a 'global timing solution'? It's not going to
happen. The global adversary does not want to be known. The global
adversary does not include tinpot dictator's gestapo gangs, it does
not include marketing organisations, it does not include small
country's intelligence services, and knowing how partisan those people
tend to be, one would be inclined to think that the 'global adversary'
probably does not even exist anyway. Or that there is at least 2 of
them and they don't like each other and thus rule themselves out of
the global adversary category by their intrinsic nature.
> If you really wanna know what a slow "P2P" anonymous network client is
like, have a go at I2P. Have you heard of the phrase "paint drying"?
and what you are suggesting will exactly cause tor to become that.
> Dave Page asked,
> "I could definitely offer 10k, perhaps 15k. I think it'd be useful if Tor
> would be happy with 5k, since that will make running Tor servers on the
> increasingly popular (in the UK) 128kbit upstreams feasible."
> Most of the traffic I see consumes about 5-10KB/sec thats less than
half the stated minimum.
> I reckon your contribution would be useful, if not least to TOR's
anonymity as a whole.
> What is needed in Tor is (and Im not sure how much is already done) is
some sort throughput estimation (perhaps this could be done with the
"Random Cover Traffic" - each node only has to attach its timings into
the packets to get a good picture of the current latencies of each node
in the circuit) by the client of the nodes and then choice of approriate
nodes in its circuit.
> Thats free.
> [Hey Cat, break the cycle - eat chicken!]

Version: GnuPG v1.4.3 (MingW32)