
Re: Anonymity easily thwarted by flooding network with relays?



> Does anyone have any comments on this paper? Any reassurance? Frankly,
> this is scary.

Yes, it's absolutely scary, and should be obvious. There's only maybe
3200 fingerprints out there. Heck, even the local computer club in a
major city could raise enough funds to deploy a handful of early guards,
then drop enough cloud nodes [1] on the net to make the odds of
compromise quite worthwhile... certainly enough for a DefCon/CCC style
executed proof of concept / vulnerability paper.

[1] Rent for a day or so

> I nominate this paper as a founding reason why Tor should permit users
> to increase the number of relay nodes used in each circuit above the
> current value of 3...

I'd love to have it be arbitrarily selectable from say 0-25 via the control
port and config, with a default of 3. People already do that with patches,
might as well ship it. And, as in my post about torrent and non-bandwidth
resources, a small subset of 'power users' using more than 3 hops wouldn't
seem to cause much transactional load to the TorNet. Rather, their choice
would likely only hurt their own bandwidth and latency.

I'd also nominate the issue, and others, as further reason Tor should ship
by default as a non-exit relay... and yes, with a nice info screen and a disable
button. There is absolutely no reason not to think the opponent has not
already clandestinely and sufficiently flooded the net with the
current nodebase.
The only workable defense is to deploy the users as countermeasure and
hope that however many users there are... 10k, 100k, 250k? etc, as time
goes by... will make flooding cost prohibitive.

Think of it this way... millions of users willingly and knowingly turn their
PCs into BitTorrent piece servers every day. Want proof, check out the
stats on thepiratebay.org. They happily risk extensive and conclusive
monetary civil suit against them. That's nuts, but they do it anyways.

There are currently very few laws [as opposed to contracts [2]] in the
world that would prohibit running a non-exit [or even an exit] relay. And
any other inquiries would outright fail due to common carrier. Or at most
be relegated to contributory or neglect... a much nicer outcome than the
suit above.

Given the risk is less, it would seem to be well rationalized, justified and
proper to therefore ship as a non-exit relay by default. And reap the
benefits.

I'm NOT advocating use of anon networks for any less than legitimate
purposes. Rather, that anon networks aren't just some robust grail
for only the people that 'need it'. But that that exact same robust
grail should be integrated by users into the whole variety of their daily
online activities as desired, and offer back what they use according to
their benefit.

With other P2P applications, you're either required to be a provider
or the protocol works against you if you're not. Which means to play,
you have to pay. At least with Tor shipping as NErelay by default,
they'd get a nice "we're helping by default and here's why" screen
and a button to opt out.

I'd announce it as a live enhancement trial to be brought out
in the next few releases and see what happens in regards to
user acceptance and net capacity. Provided scalability issues
are addressed in preparation first.

[2] Which are already ignored and broken by provider and subscriber
respectively.
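
A rough way to put numbers on the dilution argument in this message, as an added example that is not part of the original post. It assumes relays are picked uniformly at random (Tor actually weights selection by bandwidth and flags) and that a circuit counts as compromised when the same operator holds both its entry and exit; the function names and the fixed count of 400 hostile relays are constructed for illustration.

```python
import math

# Honest relay base sizes taken from the message: ~3200 today, then 10k/100k/250k.
HONEST_BASES = [3200, 10_000, 100_000, 250_000]


def compromise_rate(honest: int, hostile: int) -> float:
    """Fraction of circuits whose entry AND exit are both hostile relays.

    Assumption: two distinct relays drawn uniformly from honest + hostile.
    """
    total = honest + hostile
    if hostile < 2 or total < 2:
        return 0.0
    return (hostile / total) * ((hostile - 1) / (total - 1))


def hostile_needed(honest: int, target: float) -> int:
    """Smallest hostile relay count whose compromise rate reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    # Closed-form estimate from (c / (n + c))^2 = target, then exact adjustment.
    root = math.sqrt(target)
    c = max(2, int(honest * root / (1.0 - root)))
    while compromise_rate(honest, c) < target:
        c += 1
    while c > 2 and compromise_rate(honest, c - 1) >= target:
        c -= 1
    return c


def dilution_table(hostile: int = 400, target: float = 0.01):
    """Per honest base: (base, rate with a fixed flood, relays needed for target)."""
    return [
        (n, compromise_rate(n, hostile), hostile_needed(n, target))
        for n in HONEST_BASES
    ]


if __name__ == "__main__":
    print(f"{'honest':>8} {'rate@400':>10} {'needed for 1%':>14}")
    for base, rate, needed in dilution_table():
        print(f"{base:>8} {rate:>10.5%} {needed:>14}")
```

Under these assumptions the number of relays needed for a fixed compromise rate grows linearly with the honest base, which is the cost effect the message is relying on.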