[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Bridge Communities?



On 04/12/2013 10:37 PM, adrelanos wrote:
Hi Alex,

these are interesting thoughts. I wrote something related a while ago.

Tor: lobbies vs lobbies - Who will prevail?:
https://lists.torproject.org/pipermail/tor-talk/2012-August/025109.html

Alex M (Coyo):
Is Tor ever going to include support for isolated, independent bridge
relay communities that can host their own bridge directory authorities
without relying on the centralized tor directory hosted by Peter
Palfrader, Jacob Appelbaum and associates?
Good idea in general. (Although I don't share your reasons for it.)

What reasons would you have, then?

 From lurking here on the mailing lists and other places, Jacob and other
core Tor staff and advocates generally seem to have a worryingly
optimistic attitude toward the possibility of coordinated Tor
censorship, crackdowns, network manipulation and attack, coordinated
government raids upon Tor directory servers,
I am interested, where did they say so?

I am too tired and physically ill with an upper-respiratory infection to dig through mailing list archives at the moment.

If it is important that I shoulder the burden of proof, remind me later when I'm not coughing up blood.

or even assassinations
against Jacob Appelbaum and other core staff and volunteers involved in
the Tor project.
Why assassinations? I've heard the some mafia style groups have a better
method than violence. They catch a child after school, make up some
"Your parents told me to catch you today, I am your Uncle Sam." story,
aren't violent or threatening at all and go into some Disney land copy,
bring back the child afterwards. Not sure if that happens in reality,
but I am sure that works better than violence.

I do not understand how "taking a child to a theme park" relates in any way to Jacob Appelbaum being tagged and bagged.

May I ask for a clarification here?


Other than that, it seems obvious to me that killing people isn't
effective as turning them around. Why wouldn't they rather use violence
to force them to put a backdoor into next Tor version?

That isn't quite as trivial as you make it sound, and really, it's unnecessary.

It is a general consensus that the united states federal government has full access to the directory authorities and majority of guard nodes and exit nodes within the united states.

It is a general consensus that the Tor network provides only illusory anonymity to any user hostile to united states military supremacy.

The Tor network is a historical toy created by the united states military, and is just as possessed and controlled by the united states military as it has been from day one.


As far I know no Tor developer has been harassed for Tor yet. (Please
tell me if I am wrong.) Jacob has been harassed like in a totalitarian
state because of his connections to wikileaks. I also wonder how Jacob
could stay so calm after all what happened to him, not being already a
broken man. I admire the Tor developers for doing their work in such a
dangerous country (US), knowing about waterbording and that stuff.

Is it really so difficult to conceive of situations that involve violent
raids against the datacenters hosting Tor directory servers and their
mirrors, attacks, possibly physically violent, involving full military
force against Jacob Appelbaum and other critical developers, staff,
volunteers and advocates?
If that happens, that would be the worst case. I think without Tor
servers in the US and without the Tor developers, there is more Tor
network, since most Tor servers are in the US. Most other Tor servers
are in countries which the US can pressure as well. When the US decides
to take down Tor, it's pretty much over anyway.

My point exactly.

You really think the governments of the industralized "first world"
countries won't stoop that low?
Maybe they don't have to. When I understood Jacob in his speeches right,
he doesn't believe that Tor does defeat the NSA. Why should they break
Tor if it's an open book already to them already anyway?

Tor is not designed (in its current form) to even attempt to contest NSA control and manipulation.

One day, they will accuse Jacob and the other core developers of being
domestic terrorists or whatever as an excuse to fire upon native
citizens on domestic soil.

They will do it, one day.
Only in case they can't easily break Tor already anyway.

Tor is already broken.

Services like The Hidden Wiki, Silk Road, and other high-profile hidden services are obviously honeypots and sting operations, since those hidden services would have been raided immediately abd their admins arrested without a court hearing or judicial oversight of any kind. Do no pass Go, do not collect 200 worthless united states dollars, go directly to Guantanamo Bay (or whatever the current replacement is).

This is why providing relatively trivial means to deploy one's own
bridge communities with many pluggable transports in order to prepare
for that inevitability.
I don't see how that helps after hosting Tor servers has been made
illegal in US and most other countries.

Since when does the law matter?

The Bitcoin core developers and advocates will also be assassinated or
eliminated militarily as well. It is inevitable.
You really think our governments won't stoop that low? They are little
more than pan-handling bums attempting to justify their jobs at the
taxpayer's expense, and feel entitled to our money.
Not only that, but they have the sheer unabashed chutzpa to presume they
are legitimate in their entitlement, and have full authority to use our
own taxpayer money against us, to enforce unjust laws, to inflict
injustice against their own citizenry.

If they have absolutely no compunction about shoving CISPA or SOPA down
our throats, feel no remorse for warrantless wiretapping and unlawful
deep packet inspection, or forcing internet service providers into
spying on their own paying customers,
Agreed.

what makes you think they won't
slay Jacob Appelbaum where he stands?
Answered above already.

In other words, Jacob Appelbaum is a united states military shill and collaborator?

They will. They will, mark my words.

And when that happens, we must be ready. Jacob's legacy needs to live
on. Christian Fromme, Roger Dingledine, Nick Mathewson, Andrea Shepard,
Dr. Paul Syverson..., their legacy must live on, regardless of whether
the government shoves them against a cinderblock wall and shoots them
dead where they stand.
As far I understand, Dr. Paul Syverson works for Naval Research
Laboratory and can be told to stop working on Tor and work for something
else instead.

The others, already covered that above.

Why does this not surprise me?

We must prepare for this inevitability. We need more pluggable
transports, we need to break up the Tor relay network into distinct
domains, we must make the tor relay network far more resilient to
coordinated attacks, we need to decentralize the directory authorities
and mitigate the horrifying damage in the event of directory authority
compromise, and the subjugation and subversion of directory authorities,
hidden services, user privacy and the physical safety of relay operators.
I value pluggable transports in general, but I don't see how they help
against the attack you are describing. Pluggable transports help
obfuscating connections from Tor users to Tor bridges. Bridges alone
won't create a Tor network. Who hosts relays and exit relays once Tor
developers are in prison, Tor servers get raided and/or illegal?

Just because the Tor network is worthless and merely an interesting toy in its current form does not mean it cannot lead to the development of networks that actually promote Internet liberty and privacy rather than being a united states military plaything and elaborate honeypot.

What exists now does not determine what exists in the future.

We need far more stringent entry and exit guard node policies, more
flexible and informative relay server statistics and circuit routing
control.
A nice to have, but I don't think it defeats your threat model.

No, only a complete redesign of Tor and a new security and network model will make Tor relevant to Internet privacy.

We need bridge relay communities with independent bridge directory
authorities that can be run by semi-isolated communities, including
bridge communities within other overlay networks such as private
OpenVPN, CJDNS or AnoNet networks. As it is, if the Tor client cannot
connect to the centralized high-value targets controlled by the Tor
project team, Tor is absolutely worthless and useless.

This must change. Tor should be usable by independent relay communities,
specifically bridge relay communities with 100% use of obfuscation
protocols or even clandestine communications methods.

For those who forgot, 'clandestine' means no one can even determine any
communication is occurring, while 'covert' means that enemies can
determine that communications are occurring, but not the content, and
not necessarily the specifics as to who is communicating with whom.

Some people term it 'covert communication' where heavy use of
steganography and obfuscation is used to hide traffic from detection and
interception, but goes further than that, and makes traffic itself
plausibly deniable, not just the content of or parties to a particular
instance of communication.

Tor needs to evolve very rapidly and become impossible to detect,
manipulate, intercept or interfere with, or it is going to very rapidly
become irrelevant and useless.
How do you propose to obfuscate connections between relays and (exit)
relays? The list of them is public, that's the basic Tor design.
Therefore a state can take them easily down as soon as they made them
illegal.

The solution is to not publicize relay servers.

You break up the entire tor relay network into relatively isolated relay domains, and manually peer domain router relays.

Domain router relays onion route tor circuits from within relays within the relay domain. All tor relay traffic is obfuscated, not just tor bridge relays. In other words, ALL tor relays behave as bridge relays and heavily obfuscate traffic to thwart interception and detection.


I don't think Tor can ever defeat your threat model. Tor is build around
the idea, that there are free countries where Tor is legal. If there are
no countries left where Tor is legal, Tor will surely cease to exists.

One important step to detect if developers have been threatened are
Deterministic builds. (Which would allow third parties to check if
downloads The Tor Projects is providing actually match the source code
the Tor Project claims to have used for compilation, or if they where
forced to include a backdoor while keeping the extra source secret or if
the build machine has been compromised.)
https://trac.torproject.org/projects/tor/ticket/3688

The solution to that is to maintain mirrored repositories and provide nightly snapshot builds yourself using jenkins or something on your own privately-hosted gitorious instance and host the binaries repositories for your bridge community (or in my model, your relay domain)

Don't say I didn't warn you.
In conclusion, the threat model you are making up isn't unrealistic.
However, Tor can't defeat it by design. Friend to Friend networks such
as RetroShare could defeat it, in theory, all that's missing in
RetroShare are pluggable transports to obfuscate traffic to friends.

The problem with RetroShare is that every time your IP changes, you are forced to manually renegotiate manual peering.

You think normal average users are going to have time for that?

Aint nobody got time fo dat.

Now, if RetroShare had a sophisticated DHT + PEX method for automated repeering with identities you have already permitted without compromising your RetroShare IP:port to malicious observers, that would make it a lot more practical and usable.

If RetroShare could be used over another overlay network such as GnuNET, CJDNS or Tor (once completely redesigned to eject NSA and Navy control from the network consensus and directory authorities), you would not really need to provide an elaborate automated repeering mechanism, but the RetroShare core developers are extremely hostile to the concept of tunneling RetroShare TLS links over an overlay.

General consensus is that RetroShare is nice, until one single friend-of-a-friend is careless and permits a law enforcement or military raid to reveal the existence of the F2F network, and from there, it's "like shooting fish in a barrel."
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk