On 10/16/2013 4:50 PM, Roger Dingledine wrote:
I read the paper - good job. Some of it will be over the heads of some, but that's unavoidable unless make it 10+ pages, in newbie language, then few would read it all, so... I'm not bashing Tor here, so leave your pitchforks in the barn. Just asking questions, making observations that may / may not have an answer or even be useful.On Sun, Sep 01, 2013 at 10:10:56PM -0400, Roger Dingledine wrote:Yep. They're part of the Tor research community. I have plans for writing a blog post about the paper, to explain what it means, what it doesn't mean, what we should do about it, and what research questions remain open.Here it is: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters --Roger
One thing jumps out, Tor doesn't know for sure who's running Guard or exit nodes - & can't unless they start doing (regular, repeated) extensive personal interviews, background checks, giving polygraph tests, injecting sodium pentathol to those wanting to run nodes. I guess more so for Guards.
Since apparently now LEAs from (some) countries are teaming up, sharing info, etc., seems possible the problem of LEAs (or any adversaries) running a higher % of nodes could get worse, not better. If adversary nodes as a % of all nodes doesn't increase (new good guy nodes keeps up w/ increase of adversarial ones), then overall risk hasn't changed. But how can Tor (or any group) determine the risk if they have no reasonably reliable way to determine the REAL intention / identity of node operators (spies infiltrating Tor Network)?
Governments, crooks have proven themselves VERY resourceful over decades, or 100's of yrs. The U.S., let alone other industrialized nations partnering together, has a lot more manpower, resources & money than Tor Project. I don't think we can out spend "them," for setting up nodes. How many full / part time programmers or "idea people" does Tor have (as good as they are) VS. one agency of one industrialized nation?
Is there any way - in the future, that Tor could run a much larger % of nodes or at least, instead of constantly trying to figure how to "beat / drastically improve the odds" that an adversary won't accidentally control the entry / exit nodes on circuits? Perhaps a noble, but losing game, if gov'ts band together & decide Tor, or the entire internet, IS worth serious monitoring. Perhaps reasonable anonymity on a world wide party line is too ambitious? (Those that don't know what a "telephone party line" was, can "Startpage it." [stop saying "Google it"] :)
What about somehow getting a better handle on who actually runs the nodes? With its current policies & design, Tor is in a very tough position to "ensure quality" (anonymity). Tor isn't supposed to see any real data on the network - for one, so they can't be forced to give anything up (again, noble), but that prevents some (a lot of?) capability for quality control. No company would / could handle its own security that way. It's a Catch 22 situation for Tor, because of legal threats that many gov'ts impose, that many corporations don't face. And if they had some REALLY secret stuff to send abroad, they'd fly it in their own jet.
What about a COMPLETELY different approach, rather than trying to develop methods to "beat the odds," *ad infinitum,* against what COULD become an ever increasingly larger PERCENTAGE of gov't / adversary run nodes? Surely, it'd be worthwhile to look way down the road & see where Gov'ts / LEAs may be going w/ this & whether they can be "bested," by following the same course that Tor is on (even with improvements along the way)? I have no idea - I'm just saying, sometimes the only way businesses, technologies, gov'ts survive & thrive is to completely change course. For all of history, gov'ts have gone to GREAT lengths to spy on citizens & adversaries & have often done pretty well at it.
Well liked corporations can often be as secretive as they want - they're "protecting corporate data & assets." Tor is looked at in part (*by gov'ts & LEAs*), as a tool for terrorists, criminals - of all sorts. They couldn't care less if honest people, whistle blowers swim near schools of criminals & terrorists, whether some will get caught in the same net. Maybe, like Corporations that get away w/ figurative murder, Tor Project should start contributing heavily to key political figures, to ensure they'll "be left alone?" :D
You laugh, but that's exactly why big business, who by current STATUTES, break JUST AS MANY OR MORE laws, as Gov'ts / LEAs *ASSUME* that Tor users do? Big Business is left alone & entities like Tor are on the hit list.
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk