[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Many more Tor users in the past week?



Thanks for sharing, Collin.  Those graphs are very interesting.  What the hell is going on???

-----Original Message-----
From: tor-talk [mailto:tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Collin Anderson
Sent: Friday, August 30, 2013 11:37 AM
To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Many more Tor users in the past week?

Hi Mike,

On Fri, Aug 30, 2013 at 3:14 AM, Mike Perry <mikeperry@xxxxxxxxxxxxxx>wrote:

> Dude I love math and whatnot. Maybe science too, but this isn't 
> exactly a controlled experiment. So whatnot it is, then! (Also plus 
> one to you Collin, for being awesome).
>
> Can someone with more free time than me try to investigate one or more 
> of the following ideas.. You know, in the interest of whatnot?
>
>
Embarrassingly, I went straight to the most romantic hypothesis and then worked my way back elsewhere, IRC and Twitter. A few of these prospects could be reasonably addressed through the trends of the top fifty countries, illustrated here: http://cda.io/r/tor_mystery_2013.png

From the outset, this seems to suggest that the catalyst occurred between August 19-20.

Few other points of conjecture that came up:

   - I would infer based on no increase occurring in Iran that the Tor
   version being run by the agent is pre-2.4; Iran continues to implement
   countrywide DPI against Tor's SSL handshake, which was fixed for the moment
   in ticket #8443. Whether it's circumvention or malware, I would trust it
   would hit Iran.
   - As Runa notes, attempting to correlate with censorship is not strong,
   I would propose however that based on relative growth, a better indicator
   is level of development (ehem, piracy) and geography. I might be passing
   over someone, but it isn't until you get to Japan (40th) that you run into
   what is traditionally called a highly-developed state (all apologies for
   the terrible phrasing of this).
   - Pirate Browser with Tor was released when, August 11th or 12th? I
   would expect we would see a more gradual and less synchronous incline if it
   were natural adoption patterns (short of an autoupdater).

  A) The change in user counts for each country should be proportional
>      to the installation base of some infectable software population
>      for that country. Can we start with the easy ones with lots of
>      public data on them, such as Windows, Flash, or Java?
>

I would also look for piracy and software update rates.


>   B) Weird that we saw no new countries. Why? Is this just a canary
>      test to see if we'd fall over? Can we check for correlations
>      between our change in userbase per-country and the current number
>      of Internet users per-country too, to see if that matches?
>

I culled the list at 1,000 users on either dates, there were a few countries that cropped up with new users, like Anguilla. Macedonia and Bosnia are also interesting toward this, regionally and going from a hundred to a thousand.


>   C) People on IRC have suggested there is correlation to work hours.
>      Does this actually apply to countries with atypical work weeks
>      and holidays? (Is some popular corporate/work-group software the
>      target here?)
>

Look for Muslim countries in the chart.

>
> 2. If this was Pirate Browser:
>

It's not.


>
> 3. If this is widespread local censorship/unrest:
>
>   A) No level of censorship/social unrest happens across 91 countries at
>      once. Justify your existence, meme.
>

Like, Hack the planet, bro.

So I think we are left with one unfortunate, not Israeli conclusion. Is there an example of such fine grain statistics of botnet growth tagged with date and country? Seems like a pretty solid research dataset for someone.

Cordially,
Collin



>
>
> P.S. To the bot-herders who are totally not Israeli: Our network can't 
> scale as well as anything you can infect this fast. It will fall over, 
> and when it does, the whole Internet will be looking for you. Maybe 
> you should chillax a bit and consider running your own mix network. 
> Good luck! ;)
>
> > > I downloaded the direct connecting users csv and created a 
> > > spreadsheet between the start of the month and the end. It seems 
> > > that
> it
> > > was the confluence of many states increasing their censorship of 
> > > the Internet, especially instances like Vietnam and Facebook. Here 
> > > is the
> raw
> > > data:
> > >
> > >
> > >
> https://docs.google.com/spreadsheet/ccc?key=0Amq69Ncu9Fp_dDlFYWhDZlNCT
> kdfWGhFWGlCOWFFNWc&usp=sharing
>
> --
> Mike Perry
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsusbscribe 
> or change other settings go to 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
>


--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk