[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Bridge Communities?

Alex M (Coyo):
> On 04/12/2013 10:37 PM, adrelanos wrote:
>> Hi Alex,
>> these are interesting thoughts. I wrote something related a while ago.
>> Tor: lobbies vs lobbies - Who will prevail?:
>> https://lists.torproject.org/pipermail/tor-talk/2012-August/025109.html
>> Alex M (Coyo):
>>> Is Tor ever going to include support for isolated, independent bridge
>>> relay communities that can host their own bridge directory authorities
>>> without relying on the centralized tor directory hosted by Peter
>>> Palfrader, Jacob Appelbaum and associates?
>> Good idea in general. (Although I don't share your reasons for it.)
> What reasons would you have, then?

Competition and more people involved always pushes projects forward faster.

>>>  From lurking here on the mailing lists and other places, Jacob and
>>> other
>>> core Tor staff and advocates generally seem to have a worryingly
>>> optimistic attitude toward the possibility of coordinated Tor
>>> censorship, crackdowns, network manipulation and attack, coordinated
>>> government raids upon Tor directory servers,
>> I am interested, where did they say so?
> I am too tired and physically ill with an upper-respiratory infection to
> dig through mailing list archives at the moment.
> If it is important that I shoulder the burden of proof, remind me later
> when I'm not coughing up blood.

Keep your time.

>>> or even assassinations
>>> against Jacob Appelbaum and other core staff and volunteers involved in
>>> the Tor project.
>> Why assassinations? I've heard the some mafia style groups have a better
>> method than violence. They catch a child after school, make up some
>> "Your parents told me to catch you today, I am your Uncle Sam." story,
>> aren't violent or threatening at all and go into some Disney land copy,
>> bring back the child afterwards. Not sure if that happens in reality,
>> but I am sure that works better than violence.
> May I ask for a clarification here?


> I do not understand how "taking a child to a theme park" relates in any
> way to Jacob Appelbaum being tagged and bagged.

I don't know if Jacob has children and it's none of my business. Instead
of mentally breaking a mastermind like Jacob, they rather threaten it's
loved ones to make him stop working what he is working on it or to make
him even working for them.

>> Other than that, it seems obvious to me that killing people isn't
>> effective as turning them around. Why wouldn't they rather use violence
>> to force them to put a backdoor into next Tor version?
> That isn't quite as trivial as you make it sound, and really, it's
> unnecessary.

Why it's not simple? It's well inside their budget.

> It is a general consensus that the united states federal government has
> full access to the directory authorities and majority of guard nodes and
> exit nodes within the united states.
> It is a general consensus that the Tor network provides only illusory
> anonymity to any user hostile to united states military supremacy.
> The Tor network is a historical toy created by the united states
> military, and is just as possessed and controlled by the united states
> military as it has been from day one.

Let's assume that's true -> no danger for Tor core people from the US.

What about other countries? Tor gives network access to many people in
countries who censor Tor. Couldn't they get totally mad if their
technical fight fails and switch over to a secret service violent operating?

>> As far I know no Tor developer has been harassed for Tor yet. (Please
>> tell me if I am wrong.) Jacob has been harassed like in a totalitarian
>> state because of his connections to wikileaks. I also wonder how Jacob
>> could stay so calm after all what happened to him, not being already a
>> broken man. I admire the Tor developers for doing their work in such a
>> dangerous country (US), knowing about waterbording and that stuff.
>>> Is it really so difficult to conceive of situations that involve violent
>>> raids against the datacenters hosting Tor directory servers and their
>>> mirrors, attacks, possibly physically violent, involving full military
>>> force against Jacob Appelbaum and other critical developers, staff,
>>> volunteers and advocates?
>> If that happens, that would be the worst case. I think without Tor
>> servers in the US and without the Tor developers, there is more Tor
>> network, since most Tor servers are in the US. Most other Tor servers
>> are in countries which the US can pressure as well. When the US decides
>> to take down Tor, it's pretty much over anyway.
> My point exactly.

>>> You really think the governments of the industralized "first world"
>>> countries won't stoop that low?
>> Maybe they don't have to. When I understood Jacob in his speeches right,
>> he doesn't believe that Tor does defeat the NSA. Why should they break
>> Tor if it's an open book already to them already anyway?
> Tor is not designed (in its current form) to even attempt to contest NSA
> control and manipulation.
>>> One day, they will accuse Jacob and the other core developers of being
>>> domestic terrorists or whatever as an excuse to fire upon native
>>> citizens on domestic soil.
>>> They will do it, one day.
>> Only in case they can't easily break Tor already anyway.
> Tor is already broken.

If that's your opinion, all you can do with Tor is learn from it, take
the source code and improve it. Someone should lobby for a competitive
anonymity network solving all issues. That someone could be you. I don't
think it's realistic to see any alternative, better anonymity network
showing up. Demanding things is one thing, but who does the actual work?

> Services like The Hidden Wiki, Silk Road, and other high-profile hidden
> services are obviously honeypots and sting operations, since those
> hidden services would have been raided immediately abd their admins
> arrested without a court hearing or judicial oversight of any kind. Do
> no pass Go, do not collect 200 worthless united states dollars, go
> directly to Guantanamo Bay (or whatever the current replacement is).

>>> This is why providing relatively trivial means to deploy one's own
>>> bridge communities with many pluggable transports in order to prepare
>>> for that inevitability.
>> I don't see how that helps after hosting Tor servers has been made
>> illegal in US and most other countries.
> Since when does the law matter?

I'll agree the law isn't necessary, it certainly makes things easier to
sell to other citizen. Making a law against Tor is easy going. A law
"hosting a Tor server = 1 month in prison" would already minimize the
amount of Tor servers.

>>> The Bitcoin core developers and advocates will also be assassinated or
>>> eliminated militarily as well. It is inevitable.
>>> You really think our governments won't stoop that low? They are little
>>> more than pan-handling bums attempting to justify their jobs at the
>>> taxpayer's expense, and feel entitled to our money.
>>> Not only that, but they have the sheer unabashed chutzpa to presume they
>>> are legitimate in their entitlement, and have full authority to use our
>>> own taxpayer money against us, to enforce unjust laws, to inflict
>>> injustice against their own citizenry.
>>> If they have absolutely no compunction about shoving CISPA or SOPA down
>>> our throats, feel no remorse for warrantless wiretapping and unlawful
>>> deep packet inspection, or forcing internet service providers into
>>> spying on their own paying customers,
>> Agreed.
>>> what makes you think they won't
>>> slay Jacob Appelbaum where he stands?
>> Answered above already.
> In other words, Jacob Appelbaum is a united states military shill and
> collaborator?

I don't think so and I don't know how you came to that conclusion from
my writings.

>>> They will. They will, mark my words.
>>> And when that happens, we must be ready. Jacob's legacy needs to live
>>> on. Christian Fromme, Roger Dingledine, Nick Mathewson, Andrea Shepard,
>>> Dr. Paul Syverson..., their legacy must live on, regardless of whether
>>> the government shoves them against a cinderblock wall and shoots them
>>> dead where they stand.
>> As far I understand, Dr. Paul Syverson works for Naval Research
>> Laboratory and can be told to stop working on Tor and work for something
>> else instead.
>> The others, already covered that above.
> Why does this not surprise me?

Not sure what you mean, but quite sure you got me wrong. :/

>>> We must prepare for this inevitability. We need more pluggable
>>> transports, we need to break up the Tor relay network into distinct
>>> domains, we must make the tor relay network far more resilient to
>>> coordinated attacks, we need to decentralize the directory authorities
>>> and mitigate the horrifying damage in the event of directory authority
>>> compromise, and the subjugation and subversion of directory authorities,
>>> hidden services, user privacy and the physical safety of relay
>>> operators.
>> I value pluggable transports in general, but I don't see how they help
>> against the attack you are describing. Pluggable transports help
>> obfuscating connections from Tor users to Tor bridges. Bridges alone
>> won't create a Tor network. Who hosts relays and exit relays once Tor
>> developers are in prison, Tor servers get raided and/or illegal?
> Just because the Tor network is worthless and merely an interesting toy
> in its current form does not mean it cannot lead to the development of
> networks that actually promote Internet liberty and privacy rather than
> being a united states military plaything and elaborate honeypot.
> What exists now does not determine what exists in the future.
>>> We need far more stringent entry and exit guard node policies, more
>>> flexible and informative relay server statistics and circuit routing
>>> control.
>> A nice to have, but I don't think it defeats your threat model.
> No, only a complete redesign of Tor and a new security and network model
> will make Tor relevant to Internet privacy.

I don't remember having seen such complete redesigns in any open source
project. People have too much habits and are too stubborn. It's much
more likely, that a new project will be created and handle your threat

>>> We need bridge relay communities with independent bridge directory
>>> authorities that can be run by semi-isolated communities, including
>>> bridge communities within other overlay networks such as private
>>> OpenVPN, CJDNS or AnoNet networks. As it is, if the Tor client cannot
>>> connect to the centralized high-value targets controlled by the Tor
>>> project team, Tor is absolutely worthless and useless.
>>> This must change. Tor should be usable by independent relay communities,
>>> specifically bridge relay communities with 100% use of obfuscation
>>> protocols or even clandestine communications methods.
>>> For those who forgot, 'clandestine' means no one can even determine any
>>> communication is occurring, while 'covert' means that enemies can
>>> determine that communications are occurring, but not the content, and
>>> not necessarily the specifics as to who is communicating with whom.
>>> Some people term it 'covert communication' where heavy use of
>>> steganography and obfuscation is used to hide traffic from detection and
>>> interception, but goes further than that, and makes traffic itself
>>> plausibly deniable, not just the content of or parties to a particular
>>> instance of communication.
>>> Tor needs to evolve very rapidly and become impossible to detect,
>>> manipulate, intercept or interfere with, or it is going to very rapidly
>>> become irrelevant and useless.
>> How do you propose to obfuscate connections between relays and (exit)
>> relays? The list of them is public, that's the basic Tor design.
>> Therefore a state can take them easily down as soon as they made them
>> illegal.
> The solution is to not publicize relay servers.

How should that work? The IS the very advantage of Tor. The Tor client
has the list of relays and decides itself which path it creates. If you
know only a very few relay servers, certain attacks get even easier.

> You break up the entire tor relay network into relatively isolated relay
> domains, and manually peer domain router relays.
> Domain router relays onion route tor circuits from within relays within
> the relay domain. All tor relay traffic is obfuscated, not just tor
> bridge relays. In other words, ALL tor relays behave as bridge relays
> and heavily obfuscate traffic to thwart interception and detection.

I don't find that convincing. Approaches like friend to friend networks
(RetroShare) with pluggable transports and creating a new internet using
wifi hardware seems more realistic to me.

>> I don't think Tor can ever defeat your threat model. Tor is build around
>> the idea, that there are free countries where Tor is legal. If there are
>> no countries left where Tor is legal, Tor will surely cease to exists.
>> One important step to detect if developers have been threatened are
>> Deterministic builds. (Which would allow third parties to check if
>> downloads The Tor Projects is providing actually match the source code
>> the Tor Project claims to have used for compilation, or if they where
>> forced to include a backdoor while keeping the extra source secret or if
>> the build machine has been compromised.)
>> https://trac.torproject.org/projects/tor/ticket/3688
> The solution to that is to maintain mirrored repositories and provide
> nightly snapshot builds yourself using jenkins or something on your own
> privately-hosted gitorious instance and host the binaries repositories
> for your bridge community (or in my model, your relay domain)

Very few users will do that.

>>> Don't say I didn't warn you.
>> In conclusion, the threat model you are making up isn't unrealistic.
>> However, Tor can't defeat it by design. Friend to Friend networks such
>> as RetroShare could defeat it, in theory, all that's missing in
>> RetroShare are pluggable transports to obfuscate traffic to friends.
> The problem with RetroShare is that every time your IP changes, you are
> forced to manually renegotiate manual peering.
> You think normal average users are going to have time for that?

First time I hear that. However, that doesn't sound like something which
couldn't be fixed with a patch.

> Aint nobody got time fo dat.
> Now, if RetroShare had a sophisticated DHT + PEX method for automated
> repeering with identities you have already permitted without
> compromising your RetroShare IP:port to malicious observers, that would
> make it a lot more practical and usable.

> If RetroShare could be used over another overlay network such as GnuNET,
> CJDNS or Tor (once completely redesigned to eject NSA and Navy control
> from the network consensus and directory authorities), you would not
> really need to provide an elaborate automated repeering mechanism, but
> the RetroShare core developers are extremely hostile to the concept of
> tunneling RetroShare TLS links over an overlay.

> General consensus is that RetroShare is nice, until one single
> friend-of-a-friend is careless and permits a law enforcement or military
> raid to reveal the existence of the F2F network, and from there, it's
> "like shooting fish in a barrel."

In conclusion, I don't believe any software can defeat a state who
imprisons and tortures every contributor of some anonymity or friend
network. Software is much too fragile against serious attempts to take
downs. Traffic obfuscation is weak. In your threat model the ISP is
certainly evil and logging big amounts of traffic. Once a bug or
weakness in the traffic obfuscation code has been found, every
participant of the network is known. Software can certainly play one
role in preserving freedom, not the only one.

tor-talk mailing list