[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and Financial Transparency

On Mon, Sep 16, 2013 at 07:55:08PM -0300, Juan Garofalo wrote:

> >> 
> >>         There's an interesting ambiguity here, it seems. First it's
> >>         stated that onion routing doesn't protect against 'big' (in
> >>         network terms) adversaries. But then no hard data is given
> >>         about how 'big' the adversaries really are.
> >
> >Ermm. I pointed you at our paper, the first paper attempting to
> >quantify that in a meaningful way using the best available data.
> >And, as I recall you thanked me for it.
>         Yes. I took a quick look at it first and asked how those
>         results affected hidden services, but I didn't get an
>         answer.

People have not yet done that work for hidden services.  Not because
they are uninterested but because there is so much to do and only so
much time to do it in. Actually the existence of guard nodes, whose
configuration plays such a large role in those results, itself came
about because of research the Lasse Overlier and I did on finding
hidden services, (published 2006 I think). But the solution of using
guards is itself a version of something described in earlier work by
Wright et al. in c. 2002, when they introduced "helper nodes" as
something to address the more general issue for lots of different
anonymity designs, not just Tor, which did not even have a published
design yet. For recent advances in attacks on hidden services cf.
"Trawling for Tor Hidden Services: Detection, Measurement,
Deanonymization" by Biryukov et al. Many of the issues have since been
address or are the subject of design changes that are being discussed
for Tor now. See the relevant trac tickets and Tor proposals.

>         I've now read it thoroughly. The use of an internet map and
>         circuit simulator is interesting. So, after something like
>         ten years, there's an analysis that tries to get a complete
>         and quantified picture of the system. Better late than
>         never, I guess.

I hope the above paragraph shows you that these things take a lot
of time. If you wanted those things all done before Tor was deployed,
Tor would never have been deployed. Lots of the research depends on
analyzing deployment and usage patterns on the real network. I think
Tor and its analysis actually stands out as a huge success story
for how much has been accomplished by how many people with how much
funding. People involved with inventing, engineering and, deploying
other significant systems are often astonished that it is not a much
bigger operation with orders of magnitude more funding. The paper
we've been talking about could not have been done in 2002, not just
because there was no widely used and deployed Tor network to get
data about, but because techniques and data for network measurement
(general Internet not just Tor-network) were not as advanced or

>         Maybe in 2002 the assumption that the internet was too big
>         and complex for it to be succesful monitored was correct,
>         but that assumption doesn't look too valid now?

What is technically possible and with what resources changes all the
time. And as I have said, there's lots of work that needs to be done
to say things that are meaningful, not just aphoristic about this.
That's why knowledgeable people will always reject except as deceptive
shorthand simple statements about whether _anything_ is safe, secure,
anonymous, unable to be monitored, etc.  They will attempt to turn these
into questions about a particular class of adversary (amount of
resources, dynamics of resource deployment, nature and target of
attack) attacking a particular class of users engaging in a particular
class of behavior, on a particular class and configuration of network.
With perhaps minor tweaking, this is as true of someone examining
the security of a class of crypto algorithms as of someone examining
intrusion resilience of an enterprise network.

> >> 
> >>         How well is Tor preserving the anonimity of its users? Well,
> >>         there are "hard problems" to answer that question...
> >> 
> >
> >And yes, this is a hard problem. Science and technology are lousy with
> >hard problems, and this is one of them. 
>         I'm not denying it's a hard problem. And it's a hard problem
>         that doesn't help Tor's reputation since it makes it hard to
>         know how well Tor is performing. But you knew that.

This points at a different kind of hard problem. People working on Tor
have tried to be clear all along about what it does and what it does
not do, and be clear about how much is unknown subject to long
scientific analysis. Tor has long been a model of openness that others
point to for how to do it. But how and where to be clear is tricky.

For example, for many years, the software used to say when firing up
something like "This is experimental software. Do not rely on it for
strong anonymity." At the same time however, other systems purported
to offer similar protections would be marketed as offering rock solid
protection or some such. People who, e.g., have lives that don't allow
them to spend time reading and learning to understand research papers
about the all the different technologies that they need to use every
day, would understandably think that something called "rock solid" is
better than something that is labeled by its own producer "for
experimental use only", even if the latter is actually way more secure
for their needs than the former. So in this context, it is deceptive
and can put people at risk to call Tor experimental in the terse blurb
that is all many users will see. So what's the most honest thing to do
here? What you see is the current best attempt to cope with that. 
But like everything else, this is recognized as not settled once and
for all and needs revisiting as time, resources, and which thing is
most urgent permits.


> >Those are merely hard problems rather than intractible ones, but feel
> >free to look at whatever you like. I hope I'm not being too presumptuous
> >in saying that you already have as much of an answer as those who
> >work on Tor can give you about that.
>         Yes, I see that. I must admit I mostly got a fair hearing from you.
> >Well no not exactly. I was being a bit terse with "set up for",
> > but I've already been overlong in so many respects. As Roger has already
> >explained somewhere (I forget sorry) quite well: It's not enough to
> >have open design.  You need to have good documentation of the code and
> >of the design
>         And that makes it easier for people to audit the system and
>         so the audit is more likely to happen, I see that.
>         Anyways, thanks for the discussion. 


tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to