Re: [tor-talk] Fwd: ANONdroid

[Roger Dingledine <arma@xxxxxxx>]

On Thu, Jan 26, 2012 at 10:35:20AM +0200, Maxim Kammerer wrote:
> I see, so is that an optional feature that can be turned on by a MIX
> router operator once served by a surveillance order? It seems to me
> that it's an advantage over Tor, where relay operators can be served
> with an order and some Tor patches that they wouldn't be able to turn
> down to to the absence of a similar feature in Tor.

On Thu, Jan 26, 2012 at 06:07:39PM +0100, Moritz Bartl wrote:
> I would very much fight against authorities trying to force me into
> logging anything. There is no basis in German law for them to do so, and
> I don't see what properties they could specify to me other than "retain
> all connection data".

There is no such thing as "an order and some Tor patches that they
wouldn't be able to turn down". You always have the option of stopping
your relay. If you fail to fight the request, you should shut down
your relay, and then tell the world. Backdoored Tor relays will hurt
the network -- and hurt the general fight to legitimize anonymous
communication around the world -- more than they help it.

This was the trap that the JAP and Anon folks fell into -- and at the
time their network was small enough that they basically had the choice of
shutting down the network or deploying the backdoor. They reasoned that
it was better to have a service that provided anonymity to some people
than to have no service at all. The exact details made the decision even
messier (for example, it involved the police basically threatening a
university official at his house on a weekend; and the lawyers who had
signed up to fight such requests were not thrilled that the backdoor was
deployed without giving the lawyers enough time or warning to fight it).

Unfortunately, while "never install a backdoor; turn it off instead" is
an easy heuristic to follow, it's not enough by itself to ensure Tor's
anonymity. Remember that the best way to beat Tor is to observe both the
traffic flow going into the Tor network and also the traffic flow leaving
the Tor network, and then use statistics to realize they're correlated. So
people with bad orders can just go a hop upstream from your relay, where
your ISP generally cares more about its business than its users. And if
you somehow have a better ISP than that, just go to *its* upstream.

The traffic confirmation attack is the best way to beat the mix cascade
topology too -- and in that case there are fewer places to watch, and you
know exactly which exit point to watch for a given entry point. Bad news.

But don't lose sight of the really big picture: the differences in
philosophy and threat model between Tor and JonDoNym are much smaller
than the differences between distributed-trust anonymity designs and a
single-hop centralized proxy like hidemyass.com.

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk