Understanding, Growing, & Extending Online Anonymity with Tor
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
Title |
| |
Alternative Title |
| |
Title of Series | ||
Number of Parts | 97 | |
Author | ||
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
Identifiers | 10.5446/45764 (DOI) | |
Publisher | ||
Release Date | ||
Language |
Content Metadata
Subject Area | ||
Genre | ||
Abstract |
|
FOSDEM 201011 / 97
1
2
4
5
6
8
14
15
16
17
23
29
38
41
42
44
46
47
48
50
53
54
62
63
64
65
66
71
74
75
77
78
79
80
82
84
85
94
00:00
BuildingComputer animation
00:45
CryptographyContent (media)MereologyDisk read-and-write headQuicksortCryptographyContent (media)Meeting/InterviewComputer animation
01:28
SteganographyProof theoryStatisticsMathematical analysisLine (geometry)Open sourceTelecommunicationPhysical systemSimilarity (geometry)Random numberEncryptionCross-correlationoutputFunction (mathematics)System programmingJava appletProxy serverInteractive televisionTerm (mathematics)WordSign (mathematics)EmailDifferent (Kate Ryan album)MIDIInformation privacyTape driveIdentity managementIn-System-ProgrammierungDesign by contractTelecommunicationWeb browserSystem identificationSoftwareView (database)InternetworkingFerry CorstenThumbnailMultiplication signMessage passingPhysical systemPoint (geometry)Web 2.0Letterpress printingGroup actionSteganographyFamilyCASE <Informatik>Office suiteMedical imagingMathematical analysisWeb pageInformationDefault (computer science)BackupPhysical lawStatisticsRight angleProof theoryInterior (topology)PlastikkarteQuicksortRow (database)Branch (computer science)Standard deviationLoginServer (computing)WeightProxy serverComputer animationLecture/Conference
07:11
Mobile appMultiplicationBlogForceSystem programmingSoftwareComputer networkOpen sourceIntegrated development environmentFiber bundleWeb browserOrbitPortable communications deviceControl flowInformation privacySelf-organizationProjective planeService (economics)Router (computing)Server (computing)Ring (mathematics)Proxy serverCodeSoftwareFrame problemVirtual machineLevel (video gaming)HypothesisGoodness of fitSoftware developerBlogIntegrated development environmentArithmetic meanDemonMobile appMultiplication signCross-correlationPhysical systemMathematical analysisVideoconferencingClient (computing)RoutingNumberInformation securityStandard deviationScheduling (computing)Degree (graph theory)Charge carrierElectronic mailing listMereologyPoint (geometry)Configuration spaceMetropolitan area networkContent (media)Information privacyCommunications protocolGreen's functionAndroid (robot)Semiconductor memoryGame controllerInternetworkingGraphical user interfacePresentation of a groupComputer fileOpen sourceWeb browserSatelliteThread (computing)Product (business)Mixed realityMessage passingComputer animationLecture/Conference
12:54
RoutingInformation privacyInstant MessagingPhysical systemServer (computing)Directory serviceStatisticsCodeRange (statistics)TelecommunicationImage registrationPhysical lawMetric systemVideoconferencingRow (database)Translation (relic)Client (computing)Table (information)Hash functionData compressionComputer fileAuthorizationQuicksortFile archiverIdentifiabilityWebsiteWeb serviceReading (process)Default (computer science)Public domainDirectory serviceFigurate numberServer (computing)Physical systemPolygon meshEncryptionSoftwareDirection (geometry)InternetworkingWeb 2.0Login1 (number)Ferry CorstenIP addressDirect numerical simulationTheory of relativityInformationRootTouch typingDifferent (Kate Ryan album)MereologyMessage passingMultiplication signEmailOvalTwitterTelecommunicationCodeLine (geometry)Set (mathematics)Graph (mathematics)Information privacySelf-organizationPoint cloudCore dumpCategory of beingMathematical analysisRoutingFirewall (computing)LaptopHypermediaDifferenz <Mathematik>Computer hardwareRight angleComputer animation
19:04
Nominal numberService (economics)Information privacyLeakForm (programming)Web pageGraph (mathematics)Term (mathematics)Time domainMenu (computing)System programmingHypermediaInformationAssociative propertyGUI widget19 (number)Router (computing)InternetworkingClient (computing)LeakService (economics)Hacker (term)Ferry CorstenWebsiteDomain nameMultiplication signRouter (computing)MassCore dumpBlock (periodic table)SoftwareSound effectProxy serverTwitterRevision controlAddress spaceRight angleSelf-organizationServer (computing)Independence (probability theory)Electronic mailing listOnline chatNeuroinformatikFamilyQuicksortVirtual machineArithmetic meanIn-System-ProgrammierungFacebookWeightUniform resource locatorIntercept theoremRoutingIP addressExpressionData centerMessage passingScaling (geometry)Classical physicsCASE <Informatik>File archiverOraclePasswordCommunications protocolLevel (video gaming)Lattice (order)OvalFirewall (computing)AuthenticationTraffic reportingComputer animation
25:15
Router (computing)InternetworkingComputer programProgrammer (hardware)Fraction (mathematics)Ubiquitous computingInternetworkingCASE <Informatik>Multiplication signAnalogyDegree (graph theory)Equivalence relationDifferent (Kate Ryan album)Moving averageQuicksortNeuroinformatikFreewareInformationSelf-organizationRow (database)Physical lawRoboticsPlanningComputer animationLecture/Conference
27:12
Computer programInformationComputerData miningCore dumpContent (media)Data structureComputer networkMappingDot productDifferent (Kate Ryan album)EmailWebsiteElectronic mailing listComputer programmingCore dumpIntercept theoremMassSoftwareCellular automatonGraph (mathematics)Entire functionComputer animation
28:18
DiagramMereologyPresentation of a groupBasis <Mathematik>Hand fanWebsiteFerry CorstenMereologyNumberComputer virusPhysical lawDirection (geometry)QuicksortProcess (computing)Condition numberTDMAStreaming mediaMultiplication signCASE <Informatik>Arithmetic meanBitReal numberAutomatic differentiationResultantPoint (geometry)Normal (geometry)Information privacyInternetworkingFacebookPlanningExpected value1 (number)Cellular automatonSpywareFamilyChemical equationForcing (mathematics)Right anglePlastikkarteCommunications protocolNeuroinformatikTerm (mathematics)InformationWeb pageAxiom of choiceCartesian coordinate systemVirtuelles privates NetzwerkTrailIP addressComputer clusterBlock (periodic table)Moment (mathematics)In-System-ProgrammierungFilesharing-SystemPosition operatorComputer fileProfil (magazine)Level (video gaming)IdentifiabilityBand matrixEmailPhysical systemPerspective (visual)Projective planeContent (media)Figurate numberDigitizingRobotForm (programming)Sound effectComputer animationLecture/Conference
36:36
BitQuicksortLevel (video gaming)Band matrixMultiplication signPhysical lawFreewareArmPay televisionFerry CorstenData structureInternet service providerSound effectFile archiverStudent's t-testServer (computing)CASE <Informatik>Web 2.0Euler anglesInternetworkingNeuroinformatikType theoryService (economics)EmailSuite (music)Information privacyAutomatic differentiationCasting (performing arts)Different (Kate Ryan album)WebsiteView (database)Online helpProjective planeLink (knot theory)Point (geometry)Physical systemRange (statistics)Key (cryptography)CodePublic-key cryptographyRepository (publishing)Filesharing-SystemTouch typingTorusExploit (computer security)Denial-of-service attackMusical ensembleIdentity managementPseudonymizationCodeIn-System-ProgrammierungOpen setTelecommunicationFrequencyKernel (computing)EncryptionOperator (mathematics)Proof theoryMathematicsComputer animationLecture/Conference
44:46
XML
Transcript: English(auto-generated)
00:10
All right. Shall we start? Can everyone hear me okay now that you're listening to my throat, not necessarily my voice? I have the benefit and the curse of being a native English speaker.
00:24
So if I speak very fast and you don't understand me, please say something. How many people know about Tor? Raise your hands. How many people have Tor installed? How many people use Tor daily? Okay. You've all just de-anonymized yourself. Thank
00:43
you. So let's talk about anonymity. Anonymity in the Western world has this very shadowy, scary sort of impression. It could also be people at the Liberty Bell with a giant onion head,
01:00
and the woman to the left shocked. There's a guy with an onion head looking at her. Anonymity in other parts of the world isn't negative. They like being part of a crowd. They like being able to hide and being able to pop up as an individual when they need to. So what is anonymity not? Anonymity is not cryptography. Cryptography just protects the
01:20
contents, and someone can still watch who you are and what you're doing. Anonymity is not steganography. Even if you hide messages in transit, you can still tell who's talking to who and how often they talk, or at least one party is. You may not know the intended recipient.
01:46
Anonymity is not wishful thinking. There are lots of promises. There's privacy by policy, which is most of what these are, is that you can't tell it's me. I promise not to look at your data. I promise not to record your data, and I promise not to tell anyone else I recorded
02:00
your data. I promise I didn't sign my name to it, and isn't the internet already anonymous? Well, as we'll find out. You can't prove it was me. Proof is a very strong word. Statistical analysis, or the technical term, is a long-term intersection attack. Works very, very well, and the longer you watch someone's communications, the more likely you can determine
02:24
that this was actually you, regardless of what you insist it is not. Promise you won't look, tell, remember. These are all promises. You all sign contracts with your ISP who probably says, you know, we value your privacy. We will never break a law. We will never sell your data accidentally. I've had my identity stolen by my bank lost their backup
02:44
tapes. They promised to never give up my data whatsoever. Now some mafia person has all my personal information and my bank accounts and my financial information because they broke a promise. Did they encrypt those tapes? No, of course not.
03:02
I promise not to remember. Many places say we don't record any information, at least in America. There have been all sorts of data breaches where credit card information was copied off to a local system so they could do better marketing and customer analysis. They promised not to remember the data either, and if you lost your credit card, you then were very upset because you had to go get another one and all this stuff, and by default,
03:23
you're the criminal, not the people who lost your data. And I promise not to tell. If someone offers you 50,000 euros to accidentally give up your web server logs or give up your transactional history, that's a tough incentive to defeat. And this is also
03:40
why the U.S. is growing with these data breach notifications because lots of companies say, you know, we promise not to tell anybody. We promise not to lose your data. We promise to use industry standard practices. It may or may not work. I didn't write my name on it. That's not what we're talking about. That's more identity. And isn't the Internet already anonymous? No, no, it's not. Who needs their privacy?
04:06
The vast majority of people who use Tor that I run into talking around the world are just normal, everyday people. It makes lots of press when you talk about Iranian activists or Chinese activists trying to take down their government. Most of those people just want to see what the BBC said about them. They want to see what CNN. They want
04:22
to see what the latest Hollywood movie is. They want to see why Dilbert was blocked and what does Dilbert say today. Militaries and law enforcement, the U.S. Navy and other branches are big users of Tor because they realize you can't have the Navy anonymity network because then everyone realizes you're just the Navy. So they treat
04:43
you that way. Law enforcement, I spent most of the past year talking to law enforcement and I've been absolutely surprised at how many law enforcement officers use Tor because they feel they need to protect themselves online. They need to protect their cases. They need to protect their families. And the fact that if you come from like FBI.gov
05:02
or Interpol.int, criminals tend to pick up on that quickly. Journalists, human rights workers, businesses. Another surprising thing is businesses, lots of lawyers use Tor. They use Tor so that when they go out to do investigations, they're not coming from like lawfirm.com or something and they can be more anonymous and they can do, get
05:22
I guess different ethical concerns resolved. So anonymous communications. An enemy loves company. You can't be the only person using Tor in your entire country where you stand out because you're the only person using Tor. There are countries in the world where
05:41
we have between one and ten Tor users and we tell them to at least coordinate and get on at the same time because otherwise you stand out as a sore thumb as I'm the only guy who ever used Tor so they pretty much can figure out. They may not know where you're going but they know where you started off and they know you're using Tor. And they can just beat it out of you anyway. The basic idea is hiding in the crowd. So
06:06
I'm the only person in a fluorescent green t-shirt here. So I would stand out in the crowd except you in the green sweatshirt. You and I would stand out in the crowd or everybody else. The idea is to look like everybody else. There's a thing with Panopticlick
06:22
with EFS Panopticlick browser identification. The whole idea about that is that it shows you how unique your browser print is against everyone else on the web. All the Tor users should look the same. So we look unique but we all look the exact same to everybody else. Tor is not the first system. It won't be the last when Tor dies at some point
06:42
or becomes illegal or becomes so popular everyone uses it. There will be other systems that say, you know, let's do the anti-animity. Let's do more dark nets. Yeah. The difference between high latency and low latency. Low latency systems, most people don't want
07:02
to wait forever for an email. They don't want to wait forever for the web page. They don't want to wait for their chat. High latency systems are very resistant to traffic analysis. Low latency systems are subject to traffic analysis, traffic correlation. What is low latency versus high latency? The more interactive your app, that's low
07:23
latency. If you're doing an IM, like I'm chatting, you know, I chat with my daughter or something, she doesn't want to wait a day and a half for me to say okay. Well, maybe she does sometimes. Video streaming, people don't want to watch videos one frame at a time every day. You get a different frame. Some apps do work well. Email, there's
07:42
things like Mixmaster and Mixminion that people will wait for a day, two days, three days to get their email through because they need that level of protection. Some news groups, people will withstand that much of a delay to respond to threads. Blogging, a lot of bloggers actually do their work offline and then they post, so they don't
08:01
mind if it takes a day or more to get their message posted. If anybody loves company, the vast majority of users are in the interactive apps, so we aim for the low latency network to be more like interactive apps. So what is Tor? Tor is an acronym. It is also not an acronym. It can mean Tor's
08:22
onion routing. It can mean the onion router. It can mean, I recently heard South African police called it the onion ring. And it can also mean telescoping onion routing. You'll often see it written in the press as capital Tor, meaning the onion router, but it actually doesn't have an acronym. We are an online anonymity software and network.
08:45
We are three clause BSD licensed in GPLv2. Everything we do is open source, transparent. You can ask us anything about the Tor. We've written down the specs so you can build your own compatible Tor clients based on the Tor protocol if you don't trust any of our code.
09:02
Other people have done this. And we actively encourage the research community to attack us. We figure that which doesn't kill us makes us stronger. And most of the research community that does try to break Tor, they do successfully break Tor and then they come up with a fix or they won't get their thesis approved and
09:22
they won't get their degree and that makes them sad. There are plenty of other people out there who attack Tor and then they go talk at a security conference and say, I can attack Tor in three packets. And then they realize that, well, it's a 10-year-old attack, five other people have done this presentation, but security conferences seem to have a short memory. And they'll get a lot of press about this. And sometimes they'll also say, well,
09:45
I can emulate the man if I control all the Tor nodes in my virtual machine. Well, yes, you can, because if you can watch all the traffic in and out, then you win. If you can watch all the traffic in and out of the entire Internet, which there are many national security agencies rumored to be able to do this,
10:04
then you may also win. We have a growing list of stuff. We started off with Tor, which is the Tor, the actual routing daemon client. And now we have a vast number of projects that people show up and say,
10:21
hey, I did this for my Ph.D. thesis and I'm giving you all the code and good luck. We've also developed a lot of things to make Tor easier to use. There's this Vidalia controller, hence the onion thing. And Vidalia is a GUI point and click. Voice of America actually funded this, because going to the countries they were interested in, giving people a command line
10:44
tool that says, here's a config file, here's your command line, just completely freaked everybody out. So we made this a little pretty gooey app that you can point and click, and it has a red, yellow, and green onion, so you can tell how Tor is doing, if it's connected, if it's not. And then we have a bunch of other stuff. Orbot is actually the newest thing we have,
11:04
and it's Android-compatible Tor. The issue with that is, so great, you have Tor running your Android phone. Nothing uses a proxy on Android. So you can host a hidden service, because you can get service servers running on Android, and now you have this Orbot thing that can talk Tor,
11:24
and you can connect to hidden services. So we're working on a browser, we're working on figuring out the rest of the environment. So who actually runs Tor project? About three years ago, we started taking donations before that. I've been a volunteer for about five or six years, and we were just a bunch of guys, and apparently you can't fund just a bunch
11:44
of guys. You need to fund an actual entity. So we created the Tor Project, Inc. It is, in U.S. terminology, a 501C3 nonprofit, which means your donations are tax-deductible. This is not a sales pitch, I'm just telling you. We're founded through research and development for online anonymity and privacy. And part of the reason we went nonprofit rather
12:06
than for-profit, my background is venture capital, and there are lots of VCs who wanted to fund us to do, you know, make Tor the biggest standard in America, whatever. But we believe we wanted to save the world, so we wanted to do everything transparent.
12:20
Everything we publish is transparent. Our internal schedules are transparent. Who works for us is transparent. How much they get paid, when they get paid is transparent. And it also helps that many people don't want to volunteer for a for-profit company, to a degree. And we need the volunteers to run the Tor network. We don't actually want to run the Tor network for liability reasons, in that Tor is considered
12:44
a common carrier in most countries, regardless of what you read in the press, and therefore, like a telephone company, you're not responsible for the content that goes across it. Tor started off, well, actually, onion routing started off at the Office of Naval Research
13:01
in the 1990s. The Navy realized that traffic analysis was a growing concern in various realms that they deal in, where traffic analysis at the core is, you watch all the communications, you figure out what the hubs are, and you take the hubs out. Your enemy is doing this, too. So if they can't figure out where the hubs are, because everyone looks like a mesh and everyone is talking to everyone else, then you've raised the bar enough that your enemy
13:24
now has to go figure out some other way. Either you've got to take out everybody all at once, or you, you know, do whatever else it takes to infiltrate an organization. They quickly realized that you can't have the Navy anonymity network, because then it would all be Navy personnel, and you'd be treated as a military counterpart.
13:41
So they open sourced it, public-domained it, and the U.S. government actually holds the patent on onion routing, the original idea of onion routing. And because it's the U.S. government, it's public domain, and, you know, they don't sell it, they don't do anything like that with it.
14:01
We say it's privacy by design, in that we don't record logs, we don't have any promises to break, because we don't have your data. By default, the Tor software doesn't record any sort of personally identifiable information for any strict definition of personally identifying. It supports any TCP right now. We're working
14:22
on UDP and possibly SCTP in the future. Wonderful performance, too, because lots of people want to use UDP over Tor, and there are ways to tunnel UDP through TCP, but those are messy. And over the past year, we've been sort of thrust into the limelight as activists around the world have picked up on Tor to circumvent national firewalls, because the
14:43
properties of breaking apart who you are from where you're going on the internet seems to work well. I've also talked to lots of, lots of bankers who use Tor, not because they want to defraud their bank, but because they want to get to Gmail to go check their mail, to go check their calendar, to see what time they have to pick their kids up from school or from soccer practice or something.
15:01
And they just, you know, they turn it on when they need it, they turn it off when they don't need it. One key difference is that we have a set of seven directory authorities, directory authorities are kind of like the root DNS servers, that they publish a consensus of all the relays in the network, and that's what your client downloads. We haven't done a distributed hash table yet, even though there may be designs out there, because there's partitioning attacks
15:24
where if you start breaking the DHT up, different people see different parts of the network, and then you can start to win as to profiling clients. What is Tor composed of? Primarily C. I couldn't get the graph from earlier, but around 2005, we were like 30,000 lines of code.
15:44
After lots of researchers and other people have committed to the code base, we have around 15 core committers and around 2,000 other volunteers between running relays, helping out with translations, helping out with documentation, and we've recently picked up a few people
16:03
who are very good at videos. They started putting together videos about how to use Tor, because people seem to like watching a video about how do I install Tor versus reading through the instructions. The tech, lay tech there are because we document everything we do, and because we come from academia, we tend to use lay tech for everything.
16:27
We write a lot. So in a nutshell, how does Tor work? The blue cloud is the Internet. You use Tor user. You have Tor software installed on your laptop, and you want to get to your web server.
16:42
Terminology is entry node, middle node, exit node. The entry node is where you first connect to. There's also guard nodes to protect you from attacks where you can watch, just pick up traffic over time and start noticing trends. And the exit node is where you actually exit the Tor network. You build an encrypted tunnel from your client, so everything is encrypted as it goes into
17:02
Tor or leaves Tor into the network, through the network, and if your traffic originally was encrypted, like HTTPS, IMAPS, POP3S, then it comes out that way. We are a tunnel. We don't touch your traffic at all. We just wrap it in encryption and relay it around the world. There have been press stories about people, particularly this guy in Sweden who set up
17:24
an exit node, recorded all his traffic, and said, look, I have embassies and all this stuff using these. One, he found out the hardware that was illegal and that the Swedish police came and arrested him, and no one's heard from him ever since, because you can't wiretap, because he's not a telco. And two, most of the accounts that he thought he had were actually criminals watching these
17:46
accounts anyway. He also disclosed some police investigations which were watching fake accounts, which is really what he got in trouble for. So how many people use Tor? Well, it's an enemy system.
18:02
We don't ask. We don't ask for demographics. You don't have to register. We don't record anything on our web servers. As a U.S. company, not recording anything on our web servers gets us around U.S. export laws so far. As soon as we start recording IP addresses and start doing registration, then we have to block all the bad countries for whatever
18:24
the U.S. considers bad. However, we do disclose everything we record. Everything we record about Tor is published on metrics. We have another site called Archive that is copies of the directory authority's consensus
18:41
files from every hour of every day for the past seven years. It's around 25 gigs compressed. It's around a couple hundred gigs uncompressed. And a few organizations have started looking at that to look through to see are there anonymity attacks here, are we giving out more information than we need, and we look
19:00
forward to their research. However, Mozilla does spy on you. This is from the Tor button dashboard. We've made it completely public so everyone can see what's being recorded about you inside Mozilla. If you have Tor button installed and have check for version updates, it will dutifully report to Mozilla over Tor that you have Tor button installed, here's the version,
19:22
and here's how many daily users you have. This is undercounting. Lots of people don't use Firefox. And there are a lot more devices out there that have Tor embedded in them. So roughly half a million daily users seems right. You may have noticed Tor is slow at times, all the time. It's getting faster.
19:43
One is because we have like half a million people using 2,000 servers. In reality, you have half a million people using 2,000 servers trying to go through 500 exit nodes, so the exit nodes become the bottleneck because you've got this swell of traffic going into them. And we've had millions of people download it, and the common use case is you download it, you use it when you need it, and then
20:04
you turn it off when you don't need it. Some other features are hidden services. The Finnish Defense Department actually wrote and funded most of this hidden services stuff because they wanted a way to host location independent sites, services, chats. So the .onion domain is what they use internally.
20:31
The way it basically works is your client, so Tor clients can also run hidden services. It doesn't have to be a relay. So if you have millions of clients, we probably have millions of hidden services. I know I personally have hidden services for
20:43
all my SSH stuff, so when I'm traveling, like on this wireless here, I can just SSH into my hidden service node as opposed to going to an actual IPv4 address. WikiLeaks has used this successfully. Many of you must know about WikiLeaks. You can publish documents from whistleblowers and more transparency.
21:03
Somewhere inside the Ministry of Defense leaked the How to Stop Leaks document, which obviously no one read that document. WikiLeaks is the most obvious example. There are other examples where human rights organizations will work in country, and even the fact that they are in country is enough to get their activists arrested.
21:22
So they'll use a hidden service with some sort of out-of-band authentication, whether it's SMS or, you know, here's a secret pass phrase, so that people in country can report in, and they know who they are roughly, but there's no trace of them actually going to a site that any sort of sensor will notice. Because Tor looks like SSL talking to their normal website, no one would ever think that
21:44
anything's going on. So how is Tor different? Why do we use relays? This classic design for proxy service, you have a single big machine somewhere in the world. Maybe this is your brother running this because he moved to America or Europe. Maybe it's some company you trust, and, you know, Alice and Bill can talk to each
22:05
other all day long, and it's great. It's fast. They're not worried about it. Maybe Alice is behind some sort of restrictive firewall, she can get by it. They can talk to Bill. So the issue is if that relay goes evil for some definition of evil, meaning they accidentally
22:20
recorded all your traffic, and then they lost it or sold it, the company is actually a government front, and they want to record everything you do, just so they can go back at you for a history, or maybe your brother decides that he's going to sell your traffic because he needs the money. It doesn't matter. The big machine somewhere in a data center can be wiretapped, meaning that the government
22:44
or anybody, corrupt criminals do this too, corrupt ISPs do this too, where they'll just record all the traffic in and out, traffic confirmation attacks very well, so, you know, I saw you go to Facebook because Facebook looked like this going in and you went like this going out. If you're using unencrypted protocols, they
23:03
can also grab what are username and passwords, all the text you're going back and forth, what you searched for, and everything else with that relay. So where does all this matter? So we have this cool NME network. Lots of researchers use it. Lots of hackers and other people like to hack at it and play with it, and
23:21
some people use it for hidden services. The mass majority of people seem to use it for anti-censorship. The core of this comes from Article 19 and 20. You have the right to freedom of expression. You have the right to freedom of assembly. George Orwell was an optimist, as it's turning out. He imagined many people cutting
23:42
up newspaper archives. That only scales so well. He could never imagine that millions of computers would be able to do this vastly faster than he could, and John Gilmore said while the net intercept censorship is damages and it routes around it, not so much true anymore. Ask the people in China, ask the people in Australia who are about
24:03
to get lots of censorship, and they can't route around it because the censorship's in the routers. They control the IPs. They control the domains that you're allowed to see. Almost every country in the world is implementing some sort of censorship regime, and first off, it comes to protect the children. I can tell you from lots of law
24:23
enforcement talks that they tell you that these block lists for protecting the children are where porn was, not where it is and not where it's going. So you have this growing list of websites that are for children, to protect children, to stop gambling, to stop bad phishing targets. In talking to Richard Clayton last night, again, by the time something
24:42
gets into a block list, for a national block list, it's already been passed. The criminals have already moved on, so now you're just blocking whoever the unlucky person is to get that domain or that IP address. On a social level, people still are willing to work around it. There is a chilling effect that as people get picked up, especially in Iran, we saw this, where people would go to
25:04
Twitter or people would go to Facebook to say, here's what we're going to organize, and then that person gets picked up, all your friends go, whoa, what is this? I can't do this. I can't afford to be beaten up. I can't afford to be arrested. Governments are monitoring the internet a lot. Every organization, every government has
25:25
an internet surveillance plan. There are different names up there for what it's called. The idea is to record all the data about you, just in case you might be a criminal. The analog I heard was actually from Jacques, I want to say, Veras, from the DGJLS on
25:43
Thursday. He said basically the police are coming to him saying that, in the old world, in the physical world, I can watch somebody. I can record what they do, and I have a history, and there's a history that can be recreated based on who saw who doing what, and then a crime was committed, so I can build up the history into that crime,
26:02
and then I can go forward and watch them completely. They want the same thing on the internet. The difference is, in the real world, you have this sort of free situation where, as soon as someone is suspected of a crime, then you can tell them. Then you can record what they do, who they call, how often they talk to people, where they go for their coffee in the morning. On the internet, you can do that all the time. You can record everybody, every last
26:23
detail, down to infinitely degrees of timing, and get all their information, just in case. And because computers make it vastly easier to update, you can sort through this in this massive haystack you've built, just in case people want to be criminals. And this, understandably, freaks out a lot of people. This is the equivalent of the Stasi
26:44
becoming robots, so that seven of seven East Germans are Stasi. If anyone recognizes that room, that's the NSA wiretap room. Some countries, and yes, I've said this to people in the US, some countries obey their laws, and roll out the
27:04
various bills that force you to record the internet. Others do warrantless wiretapping, which is record everything, just because they can. The core traffic data is who talks to who, how often they talk, how much data they send. That's all you need to do to pick up networks of people.
27:21
When the former director of the Interception Modernization Program in the UK says, wait, what are we doing here? That should be assigned to people. When your own internal people start freaking out, saying, holy crap, look at all the stuff we're recording about these people. You can rebuild my entire friendship, social networks, and everything.
27:40
And that's what it looks like. There's a fine paper on the economics of mass surveillance, and how absolutely cheap it is to surveil everybody all the time, and build really cool social network maps. This is actually from mailing lists, of different mailing list people, and who overlaps who, and who talks to who. And the issue with this is, maybe you're not worried about your social graph, but
28:04
many places will say, all right, so one of these red dots becomes a terrorist cell, or becomes a child porn cell, or becomes a gambling site. Is everyone associated with it now guilty? In many countries, the answer is yes. And there we go.
28:21
We have some fans who created some graphics for us. You can rejoice your anonymity. And getting involved as volunteer, we have a fine, long volunteer page of, here's the technical projects, here's advocacy projects, here's anything you can do to help people around the world. And that's it. Any questions?
29:01
How to best convince a wife, mother, or other non-technical family member that they should be using Tor? Well, so believe it or not, I don't force Tor on my wife and daughter either. I let them make out, I'm basically letting Facebook and the banks who lose all your
29:21
data, and everyone else freak them out, so they realize they should do something. I've talked to some cancer victims who, you know, either they or their loved ones find out they have cancer, they go start Googling for stuff, and all these ads show up about, here's all the treatments, and they go to Gmail, and they get all these pharmaceutical
29:40
ads, and then they start realizing that, for a while, all the results are sort of sorted based on, here's your pharmaceutical stuff. And that's typically enough to freak people out, that they start worrying about what's going on in the U.S. and other countries that don't have sort of nationalized healthcare. You can lose your job if you find that you have a condition that is very expensive. The incentives aren't quite there yet.
30:02
There's been lots of research by Alessandro Acquisti out of CMU in Pittsburgh, who's doing work on incentives for privacy and how much people will pay for privacy, how much they won't. I used to worry about how would we tell people to worry about these things, and it seems the commercial industry is doing just fine, and the government industry is doing
30:23
just fine. I think most people who use Tor now are sort of early adopters. My grandmother had her computer broken into, turned into a bot, and she phished and spammed like thousands of people, and I apologize for that if you're a part of that, but she didn't know. She got this cool crossword thing, and so she ran this application that gave her
30:41
a cool crossword puzzle, which just happened to infect her. She worried about what information they had, and then she independently started searching for VPNs or privacy tools to protect herself online. As the world gets more and more online, and as you have things like data retention,
31:01
people start to worry about the trail they leave, and it's nothing. I found I can't convince someone who doesn't already worry about their privacy to run Tor until they have something happen. They have the holy cow moment.
31:20
Thank you. As a Tor user, I've observed that there are a few exit nodes, and the major problem is as people try more and more to use, Tor is getting slower and slower. Have you any plans of increasing the number of exit nodes? There are some things we can do to increase this number.
31:42
Thank you. Yeah. So we have multiple plans. One, when we first designed Tor, we figured, eh, we'll worry about it when it gets to half a million users. We're now at half a million users. There's a lot of protocol designs we need to do to make things faster. We have a fine 27-page performance roadmap that we wrote up that goes in excruciating
32:00
detail down to multiplexed TCP streams. We don't queue busy streams versus less busy streams, meaning if you're file sharing over Tor, you hog lots of bandwidth, and the IM users who only need tiny little bits get pushed out. So we're going to start this year a release for Tor campaign, where the first step of
32:22
that was to get the legal protections in place. Many people would want exit nodes if they know there's help available for if someone does something bad through your IP address, that has the most chilling effect, where if someone, you know, fishes a site or does whatever, gambling fraud or something through your Tor exit node, the police come and knock on your door, if you're
32:42
lucky, and say, you know, we think your IP address did something bad. We have a growing number of law firms around the world who will give free help or at least give you directions to people who can help you to say, well, here's how to defend against this. You have a civil right to run these things. Your IP address is personally identifiable. They can't just give it out anywhere, and it's not you.
33:03
Tor is treated like a telephone company where they're not responsible for the content, just the delivery. Lots of great examples you give for, I guess, what I would think of as positive users of Tor in terms of, you know, anonymizing people that are doing good work, you know, fighting
33:23
oppression in countries, say. But from an ethical perspective, my interest would be whether you think on balance it's used ethically for things that many people consider good versus bad, you know, because when you choose to use your computer as an exit node, you're making, I guess, an ethical choice that you're going to hide people, and maybe you want, you know, maybe it's good
33:42
to hide U.S. military personnel from being blown up. Other people disagree. But, I mean, at least what is your sense of the balance of use of Tor? Is it typically pornography or is it typically, you know, worthy human rights activists or is it typically military spies or, you know, ethically, how do you persuade people
34:01
to use their computer to support Tor? So for people who have done research on this, the vast majority of Tor traffic is absolutely mundane and boring. What makes the press are the people who get caught for doing child porn or gambling or
34:21
credit card fraud, and no one ever hears about, you know, use or browse BBC successfully. No one cares. That's sort of expected. Do criminals use Tor? Of course they do. Criminals also use cell phones, cars, highways, digital cameras, and all this other stuff. They use email.
34:41
The 9-11 hijackers use Hotmail quite successfully, and we generally say, like any technology, we promote the good uses. It's an infrastructure. It's an automizing layer on the internet, and we just let it, the whole point is to let it look like the internet. Internet traffic is like some percentage of porn, some percentage of normal usage, some
35:03
percentage of watts, some percentage of criminals, and the best I can tell you is that we're here to promote the good uses. We do work with law enforcement. When law enforcement comes to us and says, you know, so-and-so threatened to kill his wife and he used a Tor posting, they generally have a profile, and they can start figuring
35:21
things out. Old-fashioned police techniques work well because criminals have to be lucky all the time. Police have to be lucky once. There have been lots of cases where criminals slip up, forget to turn on Tor, use a real IP address, and it takes a shockingly short amount of time for someone already under suspicion to get arrested.
35:42
Does that answer your question, yes or no? Mostly? Anyone else? Hello. I have a question. Well, Tor is nice, but why do you list the exit nodes? I have a site here with 2,112 exit nodes, meaning, well, if I go to some forums,
36:03
where I will say, hey, you're on a Tor node, well, you can't post, bye-bye. So how does that enhance anonymity to list the nodes, actually? I don't get that. So a number of sites, and I'll pick on Wikipedia, block the Internet based on IP because
36:21
they assume an IP is a person. Unfortunately, when they block IP addresses from posting, they've blocked all of AOL and most ISPs that NAT everyone to death. We are working on systems, one of the tools up there was called Nimble. Nimble is a pseudonym system that you do some sort of computation and prove that you
36:44
are you. You get a nonce, and the nonce is then what you use to log into the websites. These are very much in design and in research, but we realize this concern exists. And as people, the same concern with websites that is, like, free node has a sort of hidden service, GPG-based identity that you can prove that, you know, here's who I am, I've
37:06
done some sort of computation, and this identity is valid until I turn into a jerk, then you can block that identity. And it's difficult enough that you can't just create thousands of them and spam everybody.
37:25
Anybody else? Another question? Yeah. Do you know if anyone is building an anonymous or pseudonymous payment system on top of this? I know that people have thought about it and are thinking through incentives. Some of the concerns, some of the research challenges actually are with incentive systems,
37:44
you'd be very careful what you incent. There's a technology called, I think it's called BitBlinder, that's basically for anonymous file sharing. And they have some sort of payment structure where for every byte you transmit you get two free bytes or something like that, and they've created all sorts of incentives for people
38:02
that want really, really fast nodes for the short bit of time to get twice the amount of bandwidth and then they shut it down. As for actual, like, e-cache type things, I know those are in research. I don't think anyone's deployed, like, a hidden service-based e-cache system yet.
38:25
Hi. I would like to know if you have some, maybe some more news about recent attack from some black ops on the Tor server?
38:42
I think I got half that. Can you repeat your question? My question is, recently there were attack against web server on the Tor project, and maybe you know who's behind or why such attack occur on Tor project.
39:06
Are you asking who, how do you know who runs the Tor server? The web server, the host. Oh, our bandwidth hogs, is what you're talking about, our public notification, the breach we had?
39:20
Yeah. Yeah. No, we don't. We suspect they're southern German, because the Germans who work on Tor said this is Bavarian. No one writes like this. So either someone's very good at faking a Bavarian. Mostly what they attacked was SPD.de, and they wanted lots of bandwidth to do a bandwidth amplification attack, or a DDoS.
39:41
We spent a lot of time and had a lot of help looking through, doing forensic analysis of our servers, and as far as we can tell, they used some old SSH exploit on someone else's server, took the keys, because Tor people are still people. They have the private key for their SSH along with their public key, and got into
40:01
other servers, and then installed basic kernel exploits to some are zero day, we found out, which may be coming published soon, and published, used it to do bandwidth attacks, bandwidth intensive attacks. All the friends just point to that they didn't realize what they broke into.
40:21
They just saw, look, here's some servers on some gigabit links. Woohoo, I can go attack things really quickly now. They didn't touch into Tor code. We had two people go through every Git commit, every SVN commit, compared to what was in the repository, compared to what we send emails out when that happens, compared to their own trees, and looked through every last bit for the past two years to
40:43
see if anything changed. One of our volunteers, who is a student in Germany, went through every single Git commit ever, and compared everything to make sure that what changed was actually what was supposed to change, and no one went through and modified the archives. So basically, one, we got lucky.
41:03
Two, they just wanted, they were basically silly attackers and wanted bandwidth, and took advantage of volunteer and other servers that related to Tor. I mean, Tor is a great project about privacy and everything like this, but there
41:23
are some other parties who don't like the point of view of Tor and Tor user, and do you think with maybe the widely range of user, there will be also widely more attacks like this kind of?
41:44
Do we expect to get attacked more? As activists around the world have used Tor to actively speak out against their government, this attracts a different level of attention that we're not quite used to, and we're working through securing our systems and
42:03
doing things sort of more securely, vastly more securely, so that as we get them like nation level espionage and other services, that we can at least detect them and hopefully defend against them.
42:22
So exit nodes are in fact being wiretapped, so using Tor would increase the chances of you being, of your communications being followed? Do you know if this is correct, and if so, wouldn't that mean that you would only want to pass encrypted traffic to Tor?
42:42
So we encourage people to use encrypted traffic, period, whether you use Tor or not. Are you likely to be more wiretapped? It's unclear. I mean, right now, most law enforcement, you have to have a reason to wiretap somebody, and there's all sorts of precautions in place, and
43:02
then they may or may not be able to analyze that much data that comes out, so I think the answer right now is no. Could it be in the future? Maybe. As laws come into effect, when the IPRED law came into effect in Sweden, we saw Tor usage from Sweden go up by 50%. You know, like other VPN providers saw their subscription
43:21
skyrocket the day before, so you put the laws in place, and you just created this arms race of people trying to avoid being wiretapped, whether it's at a nation level or individual level. Did anyone in the Western world ever got sued for running a
43:41
Tor exit node? They're not from running a Tor exit node, no. They've been taken to court. There's a guy, Morpheum, from Germany who had his exit node, did something bad. Police came and collected his computer, and then he became much more of an activist because his attitude was,
44:00
well, you know, screw them. They're going to do this to me. Watch me. I'm going to run five exit nodes. Not only does he run more exit nodes, he now runs wikileaks.de and a bunch of other things, and he keeps winning cases that basically what he's doing is nothing more than telecodes do, like the ISPs and the telephone companies do, so why should he be picked on? He will also run very open exit policies to attract
44:22
more traffic just to sort of, because he wants to have the flights. So the answer right now is no. Tor is not illegal anywhere in the world, as far as we know. Maybe North Korea, but North Korea has no internet, and when you browse, when you go to the Internet Cafe in North Korea, you have an 18-year-old with
44:41
an M16 sitting behind you ready to shoot you if you do something bad. So that's a pretty good incentive not to do that.