
Re: [tor-dev] resistance to rubberhose and UDP questions



On Thu, Oct 04, 2012 at 01:50:47PM -0400, Robert Ransom wrote:

> The v3 network consensus document must be signed by a majority of the
> (currently nine) directory authorities' signing keys.  None of the

Nice.

> directory authorities are operated by Tor Project, Inc..

Is there a documented process by which these authorities are chosen,
and ways for third parties to audit that it's not a tentacle operation?
 
> > 18:07 <@cjd> run their own botnet with fake tor nodes so your circuit is
> > always owned
> 
> TPI does not have the expertise needed to run a botnet for this purpose.

TPI being...?
 
> > 18:07 <+eleitl> I don't really know for sure, but there's intrinsic trust to
> > Tor developers, yes.
> > 18:08 <+eleitl> You can run your own Tor network, though.
> > 18:08 <+eleitl> Some botnets do that.
> 
> Interesting.  Do you have a reference describing one of these botnets?

Sorry, that was typed in haste. The only botnet using Tor
I'm aware of is 

http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

which uses the regular Tor network. Not aware of a botnet
running a private Tor network, though such a thing can be
not far behind.
 
> > 18:08 <@cjd> I trust them to make the software right, esp. since I could
> > check if they did.
> > 18:09 <@cjd> But a little arm twisting can change someone's motives pretty
> > fast.
> > 18:09 <+eleitl> Maintaining signing secrets is a problem.
> > 18:09 <+eleitl> They should have used a P2P design.
> 
> Do you have a "P2P design" for Tor which doesn't rely on trusted
> parties "maintaining signing secrets" and which isn't broken?

No need to be snarky, I mean well. There are obviously ways in which
network quorum can eliminate authorities as a single point of failure
(see Bitcoin, Tahoe LAFS, etc).

> (Hint: No, you don't.)
> 
> Do you have any "P2P design" for Tor at all which isn't broken?

What very few people know: I'm actually a dog. W00f. I don't have the money or 
the skills to do anything which would survive more than a friendly sandbox.
Don't ask me for patches, I'll drag you in a wet skunk which has been dead for
a while.
 
> > 18:10 <@cjd> If someone (with government hat?) tells you they can make your
> > life hell...   I wouldn't fault them
> >              for doing what the man says.
> > 18:10 <@cjd> *wouldn't fault you
> > 18:10 <+eleitl> I'll try bugging some Tor developers about that scenario,
> > and see how they squirm.
> > 18:11 <+eleitl> Also, the UDP connection thing.
> > 18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
> > 18:11 <@cjd> stack -> all headers in the same packet
> > 18:12 <@cjd> cjdns does the same thing
> 
> If this refers to including the circuit-extension packet which caused
> a relay to open an OR connection in the first UDP packet that it sends
> in order to open that connection, I agree that that would be a good
> thing to do, although mostly for reasons that cjd isn't mentioning.
> 
> If this refers to setting up a complete three-node Tor circuit with
> only one outgoing packet sent by the client, that can be implemented
> without a UDP-based transport (and early versions of Tor did implement
> it).

Thanks, I'll pass that on when I'm cjdnsland again.

By the way, I would be very interested in Tor developers' opinions about
the design of cjdns (of course, that's still pretty much in flux, and
parts of infrastructure missing, particularly P2P DNS).