Re: Anonymity through decentralization (was Re: Ultimate solution)

[Arrakis <arrakistor@xxxxxxxxx>]

Roger,

We have produced a commercial that should help explain the service we
are offering. I have no intention of holding it out as onion routing
unless we switch to onion routing, and I will elaborate on our website
as to how the network works.

Would you be interested in a video that depicts how onion routing
works? I've been toying with the idea of putting one together.

Regards,
Arrakis

> On Sun, Mar 25, 2007 at 09:57:20AM -0600, Arrakis wrote:
>> 2) Torpark is not commercial, it is totally free and open source. We
>> simply offer an upgrade to get higher speeds than the tor network can
>> provide.
>> 
>> 3)  The  fact  that  trust  isn't  distributed  is  a  positive, not a
>> negative,  because you don't have to trust everyone with your outgoing
>> plaintext traffic. We have independent security auditors make sure our
>> admins  are  not tracking anyone or doing anything malicious.

> I'm leaving the licensing discussion alone for now, but I wanted to
> respond to this technical point. Tor's security [1] comes from two
> components. The first is its large and diverse user base -- as the user
> base expands, the mere use of Tor doesn't narrow you down to a specific
> user community or specific few people who are known to have fetched the
> program [2]. The second is the diversity of the relays -- as the Tor
> network expands, fewer adversaries are able to be in enough places on
> the network to succeed at linking senders to recipients.

> Now, it's still an open research question what metrics we should use
> for these components (that is, how exactly we measure the security we
> get from them), but my intuition is that after a certain point the first
> component doesn't contribute much more to security -- meaning in Tor's
> current state, its security grows primarily as the network grows.

> And remember that by "being in enough places", I mean being in a position
> to watch (or otherwise measure [3]) the traffic; the best attacks we know
> right now only look at characteristics of the traffic flow [4], because
> any sort of coordinated compromise of many relays is probably harder.

> I'm not saying Tor's design is perfect. We are still grappling with
> Sybil attack questions, and as you say we need to encourage our users to
> employ end-to-end encryption and authentication when appropriate. And
> we're still not happy that a widely dispersed attacker can probably do
> very well against Tor.

> But a central organization that administers all the relays, even if it
> puts them in different places geographically, and even if it promises to
> do perfect audits and employ only perfect people, aims for a fundamentally
> different sort of security than Tor aims to provide. The traffic analysis
> attacks above are still just as much of a concern, but insider attacks and
> other attacks on/by the organization are now a significant question too.

> You can launch a new single-hop proxy service, commercial or not,
> proprietary or not. You can also launch a multi-hop service where you
> control every hop. And the license of the Tor software lets you use it
> if you find it useful for your purposes. But please don't deceive your
> users by changing the security context and then encouraging them to think
> that just because the Tor software is present somewhere in the picture,
> they are benefitting from the type of security that Tor aims to provide.

> --Roger

> [1] By "security", I'm talking primarily about unlinkability here;
> but that's a different thread.
> [2] http://freehaven.net/anonbib/#usability:weis2006
> [3] http://freehaven.net/anonbib/#torta05
> [4] http://freehaven.net/anonbib/#danezis:pet2004