[31C3 preroll titles]
[applause]
Roger: Okay, hi everybody! I’m Roger Dingledine, and this is Jake Appelbaum. And we’re here to tell you more about what’s going on with Tor over the past year. We actually wanted to start out asking Laura to give us a little bit of context from her perspective, about Citizenfour, and the value of these sorts of tools to journalists.
[applause]
Laura: So. Am I live? Okay. Roger and Jake asked me to say a few things about Tor, and what it means for investigative journalists. And I can say that certainly the work that I’ve done, on working with disclosures by Edward Snowden, and first communicating with him, would not have been possible without the work that these 2 people do. And that everybody [does] who contributes to the Tor network. So I’m deeply grateful to everyone here.
[applause]
When I was communicating with Snowden for several months before I met him in Hong Kong we talked often about the Tor network, and it’s something that actually he feels is vital for online privacy. And, to sort of defeat surveillance. It’s really our only tool to be able to do that. And I just wanted to tell one story about what happens when journalists don’t use it. I can’t go into lots of details, but there’s a very well known investigative journalist who was working on a story. He had a source. And the source was in the intelligence community. And he had done some research on his computer, not using Tor. And I was with him when he got a phone call. And on the phone, the person was saying: “What the fuck were you doing looking up this, this and this?” And this is an example of what happens when intelligence agencies target journalists. So without Tor we literally can’t do the work that we need to do. So thank you, and please support Tor! Thanks!
[applause]
Roger: Well, thank you!
[continued applause]
Jacob: So to follow up on what Laura has just said: We think it’s important to really expand, not just into the technical world, or to talk about the political issues in some abstract sense. But also to reach out to culture. So in this case, this is a picture in the Reina Sofia which is one of the largest museums in Spain. And that in the middle is Mason Juday, and Trevor Paglen, and that’s me on the right. And the only time you’ll ever find me on the right! And so it is the case that this is a Tor relay. It’s actually 2 Tor relays running on the open hardware device Novena, made by bunnie and Sean. And it’s actually running as a middle relay now, but it may at some point with one configuration change become an exit relay. And it is the case that the Reina Sofia is hosting this Tor relay. So, now, if… so we live in capitalism…
[applause]
So it is the case that if the police wanna seize this relay they got to buy it like every other piece of art in the museum.
[laughter and applause]
And part of the reason that we’re doing this kind of stuff – at least that piece of art which I did with Trevor and Mason and Leif Ryge who is also in this room, and Aaron Gibson, also in this room – is because we think that culture is important. And we think that it’s important to tie the issue of anonymity not just as an abstract idea but as an actual thing that is representative not only of our culture but of the world we want to live in, overall. For all the cultures of the world. And so, for that reason we also have quite recently been thinking a lot about social norms. And it is the case that there’s a person in our community, and many persons in our community that have come under attack. And have been deeply harassed. And we think that that sucks! And we don’t like that. Even though we promote anonymity without any question, i.e. no backdoors ever, and we’ll get back to that in a minute, it is the case that we really want to promote ‘being excellent to each other’.
In the sort of spirit of Noisebridge!
[applause]
And it’s still a little bit American-centric but you can get the basic idea. It applies to Europe as well. Just replace ‘First Amendment’ with some of your local law. Or a local constitutional right. It isn’t the case that we’re saying that you shouldn’t have the right to say things. But we are saying “Get the fuck out of our community if you’re going to be abusive to women!”
[applause and cheers]
And you’ll note that I used the word ‘Fuck’ to say it. And I’m sorry about that. Because the point is we all make mistakes. And we want to make sure that while it’s true that we have transgressions we want to make sure that we can find a place of reconciliation, and we can work towards conflict resolution. And it’s important at the same time to recognize that there are people whose real lives are harmed by harassment online. In this case one of the people is in this audience. And I hope that they won’t mind being named. But we want to give her a shoutout and say that we stand behind her 100%.
Roger: Yeah, so, …
[applause]
So one of our developers on core Tor, Andrea, has been harassed on Twitter and elsewhere, really a lot more than should happen to anybody. And there are a couple of points to make here. One of them is: She’s a woman, and women online have been harassed basically since ‘online’ has existed. Not just women, other minorities, pretty much all over the place. Especially recently things have been getting worse. The other important point to realize: she’s not just being attacked because she happens to be there. She’s being attacked because they’re trying to attack the Tor project and all the other people in Tor. So, yes, she may be the focus of some of the attacks but we – the rest of the Tor community, the rest of the security community – need to stand up and take on some of this burden of communicating and interacting, and talking about these issues. We can’t just leave it to her to defend herself.
[applause]
Jacob: And so we want to set a particular standard which is that there are lots of journalists that have a lot of questions. And we really think that there are a lot of legitimate questions to ask. E.g. I think it sucks that we take Department of Defense money, sometimes. And sometimes I also think it’s good that people have the ability to feed themselves, and have the ability to actually have a home and a family. Now, I don’t have those things, really. I mean I can feed myself, but I don’t have a home or a family in the same way that, say, the family people on the side of Tor do. And they need to be paid. It is the case that that is true. And that raises questions. Like I, personally, wouldn’t ever take CIA money. And I think that nobody should. And I don’t think the CIA should exist. But we have a diversity…
[applause]
…we have a diversity of funding because we have a diversity of users. And so that raises a lot of questions. And I think people should ask those questions. And Roger, and the rest of the Tor community feels that way, too. But it’s important that we don’t single out a specific person. And, in particular, to single out Andrea, again. She does not deserve all the heat about some of the decisions that the Tor project as a non-profit makes. She is a developer who is integral to Tor. If it was not for her a significant portion of Tor would not exist. It would not be as bug free as it is. And it would not be getting better all the time. So we want people to reach out to this alias, if they actually want to talk, and have a forum where the whole of Tor can really respond, and think about these things in a positive way, and really engage with the press. In a way that we can manage; because at the moment we get, I would say, 5 (on average) press requests every day. That’s really a lot. And it is also the case that 4 of those requests are very well phrased, extremely reasonable questions.
And one of them is, you know: “Why to choose to run Tor?” And we should address all of them. We really should. And at the same time we have to recognize that some of these people that are kind of harassing, they might trigger me. That one will trigger me, and I would probably write back with something kind of shitty. So we want to distribute the work in a way where people will be nice. Even to the people that are unreasonable. Because at the core – we need to be held to account, and we need people to look to us about these things, and to ask us these hard questions. And so this is the address to reach out to: [press@torproject.org]. Not harassing Andrea online on Twitter. Not coming after individual developers. Not posting crazy stuff on the mailing list. Wait until we’ve actually talked to you, then post the crazy stuff on the mailing list. Or wherever you’re going to post it. And then hopefully we can actually answer the questions in a good-faith, helpful way. There’s no reason to talk about conspiracy theories, we can just talk about the business plans. And to that point I wanna make it clear: stop being an asshole to people in the community. But this is not negotiable. We’re not saying because we don’t want you to harass people that we’re going to backdoor Tor. That will never happen. You will find a bullet in the back of my head before that happens. And maybe Roger’s, too. Depending on the order of operations.
[laughter and applause]
Roger: Okay, so we’re going to talk a little bit about the various things we’ve done over the past year. To give you a very brief introduction to Tor: Tor is an anonymity system. You’ve got Alice, the client over there. She builds a path through 3 different relays around the world. And the idea is that somebody watching her local network connection can’t figure out what destination she’s going to. And somebody watching the destinations can’t figure out where she’s coming from. And we have quite a few relays at this point.
Here’s a… the red line is the graph of the number of relays we’ve had over the past year. For those of you who remember ‘Heartbleed’ you can see the big drop in April when we removed a bunch of relays that had insecure keys. But this is not the interesting graph. The interesting graph is ‘capacity over the past year’. And we’ve gone from a little over 6 GBps of capacity up to more than 12 GBps of capacity.
[applause]
And as long as we can make the difference between those 2 lines big enough then Tor performance is pretty good. But we rely on all of you to keep on running relays, and make them faster etc. so that we can handle all the users who need Tor. Okay, another topic. Deterministic builds. Mike Perry and Seth Schoen did a great talk a few days ago. So you should go watch the stream on that! The very short version is: We have a way of building Tor Browser so that everybody can build Tor Browser and produce the same binary. And that way you don’t have to worry about problems on your build machine and you can actually check that the program we give you really is based on the source code that we say that it is.
Jacob: And this is of course important because we really don’t want to be a focal point where someone comes after us and says: “You have to produce a backdoored version”. So it’s very important because we do receive a lot of pressure, from a lot of different groups. And we never want to cave. And here’s how we think it is the case that we will never cave: Free Software, open specifications, reproducible builds, things that can be verified with cryptographic signatures. That will not only keep us honest against the – what do you call it – the angels of our better nature. I don’t believe in angels. But anyway. The point is that it will keep us honest. But it will also keep other people at bay. From trying to do something harmful to us. Because when something happens you will be able to immediately find it. And Mike Perry, by the way, is incredible.
He probably hates that I’m saying his name right now. Sorry, Mike! Are you here?
[laughter]
Bastard!
[laughs]
But Mike Perry is a machine. He also has a heart! But he’s a machine. And he’s incredible. And he has been working non-stop on this. And he is really ground-breaking in not only doing this for Firefox but really thinking about these hard problems, and understanding that if he was just building this browser by himself, and he was doing it in a non-verifiable way, that it would really, actually be a serious problem. Because we distribute this software. And so, I mean there is a reason that the NSA calls Mike Perry a “worthy adversary”. And it is because he’s amazing!
[applause]
So let’s give it up for Mike Perry!
[ongoing applause]
Roger: Not only that, but his work, along with Bitcoin’s work, has pushed Debian and Fedora, and other groups to work on reproducible builds as well. So, hopefully the whole security community will get better!
[applause]
Jacob: And to the point about Citizenfour. One of the things that’s been happening quite recently is that really respectable nice people like the people at Mozilla have decided that they really want us to work together. Which is great. Because we wanted to, and we have respected their work for a very long time. And so Tor is now partnering with Mozilla. And that means that Mozilla, as a group, will be running Tor relays. At first middle nodes, and then, hopefully, we believe, exit relays. And that is huge because Mozilla is at the forefront of doing a lot of work for end users. Just everyday regular people wanting privacy. Things like Do Not Track e.g. are a way to try to experiment. Things like the Tor Browser are a way to experiment even further. To really bring Privacy-by-Design. And it’s amazing that Mozilla is doing that.
And we’ve made a partnership with them, and we’re hopeful, cautiously optimistic even, that this is going to produce some very good results where our communities can sort of fuse, and give Privacy-by-Design software to every person on the planet with no exceptions whatsoever.
[applause]
Now we also have a couple of things that we would like to talk about, just generally, that are a little bit technical. But at the same time we wanna keep it accessible because we think that this talk, well, it’s useful to talk about technical details. The most important thing is somebody who has never heard of the Tor community before, who watches this video, we want them to understand some of the details, and enough, let’s say, technical understanding that they’ll be able to go and look it up if they want to, but they’ll also understand we’re not just glossing over, completely. So, pluggable transports are very important. Right now, the way that Tor works is that we connect with an SSL/TLS connection. The protocol SSL/TLS, one of the 2, depending on the client library, and the server library. And that looks like an SSL connection, for the most part. But as some of you know there are people on this planet who collect SSL and TLS data, about everything flowing across the internet. That’s really a problem. It turns out we thought in some cases that it was just censorship that mattered. But it turns out broad classification of traffic is really, actually, a problem not just for blocking but also for later doing identification of traffic flows. So I’ve already lost the non-technical people in the audience, so, let me rephrase that and say: We have these other ways of connecting to the Tor network. And they don’t look just like a secure banking transaction. They look instead like DNS, or HTTP – that is your regular web browsing or name resolution. And we have a lot of different pluggable transports. And some of them are cool. Some of them make it look like you’re connecting to Google.
When in fact you’re connecting to the Tor Project. And it’s because you, in fact, are connecting to Google. Leif Ryge, are you in the room, here? Maybe, no? This is really… you guys, and your anonymity!
[laughter]
It is the case… he showed this to me, I mentioned this to some other people and David Fifield, I think, either independently rediscovered it. There’s also the GoAgent people that discovered this. You can connect to Google with an SSL connection, and the certificate will say: dadada.google.com. And you of course verify it. And it is of course signed, probably by Adam Langley, personally. And… maybe it’s just the Google CAs. And then you give it a different HTTP host header. So you say: actually I wanna talk to Appspot. I wanna talk to torbridge.appspot.com. And inside of the TLS connection, which looks like it’s a connection to Google which is one of the most popular websites on the internet, you then make essentially an encrypted connection through that. And then from there to the Tor network. Using Google, but also Cloudflare – they don’t just provide you with captchas!
[laughter and applause]
[laughs]
Poor Cloudflare guy! We were joking we should stand outside his office and make him answer captchas to get in the door!
[laughter and applause]
All of those people clapping wish you would solve the Cloudflare captcha issue! So it also works with other compute clusters. And other CDNs. And so this is really awesome because it means that now you can connect through those CDNs to the Tor network, using meek and other pluggable transports like that. So that’s a huge win. And deploying it by default – I think we have another slide for that…
Roger: Nope, that’s it! We’ve got a different one, yes. So, one of the neat things about meek is: because it works on all these different sorts of providers – Akamai and all the CDNs out there – a lot of those are still reachable from places like China.
Lots of our pluggable transports don’t work so well in China, but meek does, at this point. So there are a lot of happy users. Here’s a graph of an earlier pluggable transport that we had, called ‘obfs3’. It still works in China, and Iran, and Syria and lots of places around the world. But the sort of blue/aqua line is how much use we’ve seen of obfs3. And you can tell exactly when we put out the new Tor Browser release that had obfs3 built-in and easy-to-use by ordinary people. So one of the really important pushes we’ve been doing is trying to make – rather than trying to explain how pluggable transports work, and teach you everything – just make them really simple. Make them part of Tor Browser, you just click on “My Tor isn’t working so I wanna use some other way to make my Tor work”. And we’ve got 10,000 people at this point who are happily using obfs3. I think a lot of them are in Syria and Iran at this point.
[applause]
Something else we’ve been doing over the past year is working really hard on improving the robustness, and testing infrastructure, and unit tests for the core Tor source code. So Nick Mathewson and Andrea Shepard in particular have been really working on robustness to make this something we can rely on, as a building block in Tails, in Tor Browser, in all the other applications that rely on Tor. So in the background things were getting a lot stronger. Hopefully that will serve us very well in the battles to come.
[applause]
Jacob: So this fine gentleman who was a teen heartthrob on Italian television many years ago…
Arturo: Thank you for doxing me!
Jacob: Sorry.
[both laugh]
If only you’d been using Tor!
Arturo: Yeah, TV over Tor. So… A project that we started a couple of years ago with Jake is sort of related, I guess, to the Tor project’s goals of increasing privacy and having a better understanding of how people’s lives are impacted through technology. And this project is called OONI, or the ‘Open Observatory of Network Interference’.
And what it is, before being a piece of software, is a set of principles, and best practices and specifications written in English for how it is best to conduct network related measurements. The sort of measurements that we’re interested in running have to do with identifying network irregularities. These are symptoms that can be a sign of the presence of surveillance or censorship on the network that you’re testing. And we use a methodology that has been peer-reviewed, of which we have published a paper. It’s implemented using free software. And all of the data that we collect is made available to the public. So that you can look at it, analyze it and draw your own conclusions from it.
[applause]
And so we believe that this effort is something that is helpful and useful to people such as journalists, researchers, activists or just simple citizens that are interested in being more aware, and have a better understanding that is based on facts instead of just anecdotes, of what is the reality of internet censorship in their country. And we believe that historical data is especially important because it gives us an understanding of how these censorship and surveillance apparatuses evolve over time. So I would like to invite you all to run Ooniprobe today, if you copy and paste this command line inside of a Debian-based system. Obviously… perhaps you should read what is inside it before running it.
[applause]
But once you do that you will have an Ooniprobe setup and you will be collecting measurements for your country. If instead you would like to have an actual hardware device we have a very limited number of them. But if you’re from an interesting country and you’re interested in running Ooniprobe we can give you a little Raspberry Pi with an LCD screen that you can take home, connect to your network and adopt an Ooniprobe in your home network. To learn more about this you should come later today to Noisy Square, at 6 P.M., to learn more about it.
Roger: Thank you!
[applause]
Jacob: And, just to finish up here, I mean, OONI is a human rights observation project which Arturo and Aaron Gibson – also somewhere in the room, I’m sure he won’t stand up so I won’t even ask him. It’s great! Because we went from a world where there was no open measurement, with only secret tools, essentially, where people acted like secret agents, going into the countries to do measurements. There wasn’t really an understanding of the risks that were involved, how the tests function, where non-technical people could have reasonable explanations. And now we have open measurement tools, we have open data standards, we have really like a framework for understanding this as a human right to observe the world around you. And then also to share that data, and to actually discuss that data, what it means. And to be able to set standards for it. And hopefully that means that people have informed consent when they engage in something that could be risky, like running OONI in a place like… that is dangerous like the United States or Cuba, or something like China.
[applause]
And so, Arturo personally though, is the heart and soul of OONI. And it is really important that we see that the Tor community is huge. It’s really huge, it’s made up of a lot of people doing a lot of different things. And part of OONI is Tor. We need Tor to be able to have a secure communications channel back to another system, we need that so that people can log into these Ooniprobes e.g. over Tor Hidden Services. That kind of fusion of things where we have anonymity but at the same time we have this data set that is in some cases identifying, in some cases it’s not identifying, depending on the test. We need an anonymous communications channel to do that kind of human rights observation. And so… just so we can make Arturo a little… feel a little appreciated I just wanna give him another round of applause, for making this human rights observation project.
[applause]
[Jacob joins the applause]
Roger: So I encourage all of you not only to run Ooniprobe in interesting places, and in boring places because they might become interesting. But also to help write new tests, and work on the design of these things, so that we can detect and notice new problems on the internet more quickly. Something else we’ve been up to over the past year is Tor Weekly News. We were really excited by Linux Weekly News etc. and… so every week there’s a new blog post and mail that summarizes what’s happened over the past week. We encourage you to look at all these. A special shout-out to harmony and lunar for helping to make this happen over the past year. Thank you!
[applause]
Jacob: Finally there’s a Tor list you can be on, that you really wanna be on!
Roger: Being on lists is good. One of the other features we’ve been really excited about over the past year: EFF has been helping with outreach. EFF ran a Tor relay challenge to try to get a lot of people running relays. And I think they have several thousand relays that signed up because of the relay challenge. Pushing a lot of traffic. So that’s really great!
[applause]
And at the same time not only did they get a lot more people running relays but they also did some great advocacy and outreach for getting more exit relays in universities, and basically teaching people why Tor is important. We all need to be doing more of that! We’ll touch on that a little bit more later. So you all, I hope, remember what was going on in Turkey, earlier this year. Here’s a cool graph of Tor use in Turkey when they started to block YouTube and other things. Then people realized, I need to get some tools to get around that censorship. But you probably weren’t paying attention when Iraq filtered Facebook, and suddenly a lot of people in Iraq needed to get some sort of way to get around their censorship.
So there are a bunch of interesting graphs like this on the Tor Metrics project, of what’s been going on over the past year.
Jacob: And we actually… – if you could go back, yeah. One thing that’s really interesting about this is: Karsten Loesing who is, I think, also not going to stand up, maybe you will? Are you here? I don’t see you, Karsten? No? No, okay. He does all the metrics, this anonymous, shadowy metrics figure. And if you go to metrics.torproject.org you’ll see open data that is properly anonymized – you would expect that from us – as well as actual documents that explain the anonymity, the counting techniques, that explain the privacy-conserving statistics. And you can see these graphs, you can generate them based on certain parameters. If you are interested in seeing e.g. geopolitical events, and how they tie in to the internet, this project is part of what inspired OONI. This is how we get statistics and interesting things about the Tor network itself. From Tor clients, from Tor relays, from Tor bridges. And it tells you all sorts of things. Platform information, version number of the software, which country someone might be connecting from etc. Where they’re hosted… If you are interested in looking at this website and finding spikes like this you may in fact be able to find out that there is a censorship event in that country, and we haven’t noticed it. There are a lot of countries in the world if we split it up by country. And sometimes 50,000 Tor users fall off the Tor network because another American company has sold that country censorship equipment. We need help finding these events, and then understanding their context. So if in your country something like that happens, looking at this data can help us not only to advocate for anonymity in such a place but it can help us to also technically realize we need to fix a thing, change a thing… And it’s through this data that we can have a dialog about those things.
So if you have no technical ability at all but you’re interested and understand where you come from – look at this data set, try to understand it, and then reach out to us and hopefully we can learn about that. That’s how we learn about this, that’s how we learned about the previous thing. And many years ago we gave a Tor talk about how countries and governments and corporations try to censor Tor. And of course, a lot has happened since then. There’s a lot of those things, and it’s very difficult to keep up with them. So we really need the community’s help to contextualize, to explain and define these things.
Roger: Okay. Next section of the talk, ‘things that excited journalists over the past year’. That actually turned out to be not-so-big a deal. And we’re gonna try to blow through a lot of them quickly, so that we can get to the stuff that actually was a big deal. So I guess in August or something there was going to be a Black Hat talk about how you can just totally break Tor, and then the Black Hat talk got pulled. Turns out that it was a group at CMU who were doing some research on Tor. And I begged them for a long time to get a little bit of information about what attack they had. Eventually they sent me a little bit of information. And then we were all thinking about how to fix it. And then Nick Mathewson, one of the Tor developers, said: “Why don’t I just deploy a detection thing on the real Tor network, just in case somebody is doing this?” And then it turns out somebody was doing this. And then I sent mail to the CERT people saying: “Hey, are you, like, are you like running those 100 relays that are doing this attack on Tor users right now?” And I never heard back from them after that. So that’s sort of a… this is a sad story for a lot of different reasons.
But I guess the good news is we identified the relays that were doing the attack, we cut them out of the network, and we deployed a defense that will first of all make that particular attack not work anymore. And also detect it when somebody else is trying to do an attack like this.
Jacob: This, of course, is…
[applause]
This is a hard lesson, for 2 reasons. The first reason is that it’s awful to do those kinds of attacks on the real Tor network. And there’s a question about responsibility. But the second lesson is that when these kinds of things happen, and we have the ability to actually understand them, we can respond to them. It’s really awful that the talk was pulled, and it is really awful that these people were not able to give us more information. And it’s also really awful that they were apparently carrying out the attack. And there were lots of open questions about it. But in general we believe that we’ve mitigated the attack which is important. But we also advocated for that talk to go forward. Because we think that, of course, the answer to even really frustrating speech is more speech! So we wanna know more about it. It somehow is very disturbing that that talk was pulled. And they should be able to present their research, even if there’s anger on our face it’s important for our users to know as much as we can, so that we can move forward with protecting Tor users.
Roger: Okay, so, another exciting topic from a couple of months ago: Russia apparently put out a call-for-research work…
[loud splashing noise from Jake opening a loaded water bottle]
…to come up with attacks on Tor.
Jacob: It’s another attack on Tor!
Roger: Enjoy your water, Jake. I hope that was worth it.
[laughs]
Jacob: [laughs] It was really worth it. Was very thirsty.
Roger: So Russia put out a call-for-research proposals on attacking Tor. Somebody mistranslated that phrase from Russian into ‘prize’, or ‘bounty’, or ‘contest’.
And then we had all these articles, saying “Russia is holding a contest to break Tor” when actually, no, they just wanted somebody to work on research on Tor attacks. So this would be like the U.S. National Science Foundation holds a contest for Tor research. That’s not actually how government funding works. Mistranslations cause a lot of exciting journalist articles but as far as I can tell it turned out to be basically nothing. Also it was basically ‘no money’. So, maybe something will come of this, we’ll see. Something else that’s been bothering me a lot, lately: Cryptowall, now called ‘Cryptolocker’. So, there are jerks out there who break into your mobile phone of some sort, give you malware, viruses, something like that. They encrypt your files, and then they send you basically a ransom note saying “We’ve encrypted your file, if you want it back send some Bitcoin over here!” So this is bad, so far. But then the part that really upsets me is they say: “And if you don’t know how to do this go to our website torproject.org and download the Tor Browser in order to pay us”. Fuck them! I do not want people doing this with our software!
[applause]
Jacob: Yeah, fuck them. I mean I don’t really have a lot to contribute to that. I mean it’s really… Hidden Services have a really bad rap, and it’s frustrating, right? There’s a… of course this quantitative and qualitative analysis that we can have here. And the reality of the situation is that one GlobaLeaks leaking interface is ‘one.onion’ (?), for example. What is the value of that? Versus 10,000 Hidden Services run by these jerks? And it’s very hard to understand the social value of these things, except to say that we really need things like Hidden Services. And jackasses like this are really making it hard for us to defend the right to publish anonymously. And so, if you know who these people are please ask them to stop! I don’t even know what the ask is there. But they really should stop.
Or maybe there’s some interesting things that you can do. I don’t know. But we really, really don’t like that this is someone’s first introduction to Tor! That they think that we’re responsible for this. We most certainly are not responsible for these things. We certainly do not deploy malware. And Hidden Services are actually very important for a lot of people. These people are not those people! applause Roger: Another ‘exciting’ story, a month or 2 ago, was, “81% of Tor users can be de-anonymized…” and then some more words, depending on which article you read. So it turns out that one of our friends, Sambuddho, who is a professor in India now, did some work on analyzing traffic correlation attacks in the lab. He found, in the lab, that some of his attacks worked sometime, great… And then some journalists found it, and said: “Ah! This must be the reason why Tor is insecure today”. So he wrote an article, it got Slashdot, it got all the other news stories. And suddenly everybody knew that Tor was broken because “81% of Tor users…”. So it turns out that Sambuddho himself stood up and said actually: “No, you misunderstood my article”. But that didn’t matter because nobody listened to the author of the paper at that point. So I guess there’s a broader issue that we’re struggling with here, in terms of how to explain the details of these things because traffic correlation attacks are a big deal. They probably do work if you have enough traffic around the internet, and you’re looking at the right places. You probably can do the attack. But that paper did not do the attack. So I keep finding myself saying: “No no no, you’re misunderstanding the paper, the paper doesn’t tell us anything, but the attack is real! But the paper doesn’t tell us anything”. And this is really confusing to journalists because it sounds like I’m disagreeing with myself with these 2 different sentences. 
So we need to come up with some way to be able to explain: “Here are all of the real attacks, that are really actually worrisome, and it’s great that researchers are working on them. And they probably are a big deal, in some way. But no, that paper that you’re pointing at right now is not the reason why they’re a big deal”. We also saw this in the context of an NSA paper which was published a couple of days ago, thanks to some other folks. Jacob: Sad, ‘some other folks’! Roger: ‘Some other folks’. I won’t specify exactly which other folks. And they similarly had a traffic correlation attack. And in the paper it’s really a bad one. It’s the same as the paper that was published in 2003, in the open literature. There was a much better paper published in 2004, in the open literature, that apparently these folks didn’t read. So I don’t wanna say traffic correlation attacks don’t work, but all these papers that we’re looking at don’t show… aren’t very good papers. Jacob: So one of the solutions to a lot of journalists that don’t understand technology is that it’s actually quite easy to be a journalist by comparison to being a technologist. It’s possible to write about things in a factually correct way, sometimes you don’t always reach the right audiences, that can actually be difficult. It depends. So you have to write for different reading comprehension levels, e.g. And we tried to write for people who understand the internet. At least when I write as a journalist. And so, when I sometimes take off my Tor hat I put on my journalistic hat. And part of the reason is that in order to even tell you about some of the things that we learn, if I don’t put on my journalistic hat I get a nice pair of handcuffs. So it’s very important to have journalistic protection so that we can inform you about these things. So e.g. it is the case that XKeyscore rules – we published some of them. Not ‘we’, Tor. But me and this set of people at the top, of this by-line here. In NDR. 
Some of you know NDR, it’s a very large German publication. I also publish with Der Spiegel, as a journalist. In this case we published XKeyscore rules. Where we specifically learned an important lesson. And the important lesson was, even if you’re a journalist explaining things exactly technically correctly – people will still get it wrong. It’s just not the journalists that get it wrong. It’s the readers. Very frustrating. People decided that because the NSA definitely has XKeyscore rules, that is, rules for surveilling the internet, where they’re looking at big traffic buffers. TEMPORA e.g. the British surveillance system that is built on XKeyscore. With a – probably – week-long buffer of all internet traffic. That’s a big buffer, by the way. Doing these XKeyscore rules, running across that traffic set, they would find that people were connecting to directory authorities. One of those directory authorities is mine, actually, quite ironically. And then Sebastian Hahn, and other people in this audience. And some people said: “Oh, don’t use Tor because the NSA will be monitoring you!” That is exactly the wrong take-away. Because there are XKeyscore rules on the order of tens of thousands, from what we can tell. So everything you do is going through these giant surveillance systems. And what you’ll learn when you monitor someone using Tor is that they’re using Tor potentially, in that buffer. Which is different from ‘they learn for sure that you were going to the Chaos Computer Club’s web site’, or that you were going to a dating site. So it’s the difference between ‘they learn some teeny bit of information about you’, that you’re using an anonymity system, versus ‘they learned exactly what you were doing on the internet’. Now if there were only a few XKeyscore rules at all, and it was just that about Tor then that conclusion people reach would be correct. But it’s exactly not true. 
The XKeyscore system is so powerful that if you have a logo for a company, so anyone here that runs a company, and you put a logo inside of a document, the XKeyscore system can find that logo in all of the documents flowing across the internet in real-time. And alert someone that someone has sent a .DOC or a PDF with that image inside of it. And alert them. So that they can intercept it. So the lesson is not “Don’t use Tor because XKeyscore may put your metadata into a database, in the so-called ‘corporate repositories’”. The lesson is “Holy shit, there’s this gigantic buffering system which has search capabilities that even allow you to search inside of documents. Really, really advanced capabilities where they can select that traffic and put it somewhere else”. “Use an anonymity system!” And also: “Look, they’re targeting anonymity systems, even in the United States, which, at least for the NSA they’re not supposed to be doing those kinds of things”. They literally were caught lying here. They’re doing bulk internet surveillance even in the United States. Using these kinds of systems. That’s really scary. But the real big lesson to take away from that is, actually, that they’re doing this for all the protocols that they can write fingerprints for. And they have a generic language where they can actually describe protocols. And so we published a number of those, we, meaning NDR. And I would really recommend you read and understand that. But the lesson, again, is not “Oh no, they’re going to detect you’re using Tor”. We have never said that Tor can e.g. protect you against someone seeing that you’re using it. Especially in the long term. But rather the point is exactly the scariest point. This mass internet surveillance is real. And it is the case that it is real-time. And it’s a real problem. applause Roger: If you’re using Tor they see that you’re using Tor. If you’re not using Tor they see exactly where you’re going. 
You end up in a list of people who went to ‘this’ website, or ‘this’ website, or used ‘this’ service, or sent ‘this’ document. And the diversity of Tor users is part of the safety, where, just because they know you’re using Tor doesn’t tell them that much. One of the other things I’ve been wrestling with after looking at a bunch of these documents lately is the whole ‘how do we protect against pervasive surveillance’. And this is an entire talk on its own. We’ve been doing some design changes. We pushed out some changes in Tor that protect you more against pervasive surveillance. We – for the technical people out there – we’ve reduced the number of guard relays that you use by default from 3 to 1. So there are fewer places on the internet that get to see your Tor traffic. That’s a good start. One of the other lessons we’ve been realizing: The internet is more centralized than we’d like. So it’s easy to say “Oh, we just need more exit relays, and then we’ll have more protection against these things”. But if we put another exit relay in that same data center in Frankfurt that they’re already watching that’s not actually going to give us more safety against these pervasive surveillance adversaries. Something else I realized: so we used to talk about how Tor does these two different things. We’ve got anonymity, we’re trying to protect against somebody trying to learn what you’re doing, and we’ve got circumvention, censorship circumvention. We’re trying to protect against somebody trying to prevent you from going somewhere. But it turns out in the surveillance case they do deep packet inspection to figure out what protocol you’re doing, to find out what you’re up to. And in the censorship case they do deep packet inspection to figure out what protocol you’re using, to decide whether to block it. So it’s actually… these fields are much more related than we had realized before. 
And it took us a while, I’m really happy that we have these documents to look at, so that we have a better understanding of how this global surveillance and censorship works. Long ago, so in 2007, I ended up doing a talk at the NSA, to try to convince them that we were not the bad guys. And you can read the notes that they took about my talk at the NSA. Because they’re published in the Washington Post. So I encourage you to go read what the NSA thought of my talk to them. That same year I ended up going to GCHQ, to give a talk to them, to try to convince them that we were not the bad people. And I thought to myself: “I don’t want to give them anything useful. I don’t want to talk about anonymity, because I know they’re going to try to break anonymity. So I’m going to give them a talk that has nothing to do with anything that they should care about. I’m going to talk about the censorship arms race in China, and DPI, and stuff like that, that they shouldn’t care about at all”. Boy, were we wrong! applause So the other thing to think about here, there are a bunch of different pluggable transports that could come in handy against the surveillance adversary. We have, so far, been thinking of pluggable transports in terms of ‘there’s somebody trying to censor your connection, they’re doing DPI, or they’re looking for addresses, and they’re trying to block things’. One of the things we learned from this past summer’s documents: imagine an adversary who builds a list of all the public Tor relays. And then they build a list of all of the IP addresses that connect to those Tor relays. Now they know all the bridges, and many of the users. And now they build a list of all the IP addresses that connect to those IP addresses. And they go a few hops out, and now they know all the public relays, all the bridges, all the users, all of the other things that are connected to Tor. 
And they can keep track of which ones they should log traffic for, for the next 6 months, rather than the next week. That’s a really scary adversary. Some of the pluggable transports we’ve been working on could actually come in handy here. So ‘Flash proxy’ is one of the ones you heard about in last year’s talk. The basic idea of a Flash proxy is to get users running web browsers to volunteer running WebRTC, or something like that to basically be a short-lived bridge between the censored user and the Tor Network. So the idea is that you get millions of people running browsers, and then you can proxy from inside China, or Syria, or America, or wherever the problem is, through the browser into the Tor Network. But from the surveillance perspective suddenly they end up with an enormous list of millions of people around the world that are basically buffering the Tor user from the Tor Network. So if they start with this list of IP addresses, and they’re trying to build a list of everything, now they end up with millions of IP addresses that have nothing to do with Tor. And they have to realize, at the time they’re watching, that they want to go one more hop out. So I don’t know if that will work. But this is an interesting research area that more people need to look at: How can we, against an adversary who’s trying to build a list of everybody who has anything to do with Tor, how can we have Tor users not end up on that list. What sort of transports or tunneling through Google appspot, or other tools like that can we use to break that chain, so it’s not as easy for them to track down where all the users are. Okay, Silk Road 2, we’ve had a lot of questions about. I think it’s called Operation Onymous. I actually talked to an American law enforcement person who was involved in this. And he told me, from his perspective, exactly how it happened. Apparently the Silk Road 2 guy wrote his name down somewhere. So they brought him in, and started asking him questions. 
And as soon as they started asking him questions he started naming names. And they counted up to 16 names, and they went and arrested all those people, and collected their computers. And then they put out a press release, saying that they had an amazing Tor attack. applause So there are a couple of lessons here. One of them is: Yes, it’s another case where opsec failed. But the other lesson that we learn is: These large law enforcement adversaries are happy to use press spin and lies, and whatever else it takes to try to scare people away from having safety on the internet. Jacob: This is a really… to me, especially, if I take off my Tor hat and put on my journalistic hat, as if I can actually take off hats etc., but it’s really terrifying that journalists don’t actually ask hard questions about that. You know, the Europol people that spoke to the press, they talked about this as if they had some incredible attack, they talked about 0-day, they talked about how, you know, they had broken Tor, “You’re not safe on the Dark Web”. We don’t even use the term ‘Dark Web’. That’s how you know that they’re full of shit. But it’s… applause That’s sort of like when people have Tor in all caps (?), dark web, that kind of stuff, this is a bad sign. But the way they talk about it, it was clear that they, as far as we can tell, they don’t have that. But they really hyped it. As much as they possibly could. I mean, it is, effectively, and I think it is even technically a psychological operation against the civilian population. They want to scare you into believing that Tor doesn’t work. Because, in fact, it does work, and it is a problem for them. So any time they can ever have some kind of win at all they always spin it as if they’re great, powerful adversaries, and it’s us-versus-them. And that’s exactly wrong. It is not us-versus-them. Because we all need anonymity. We all absolutely need that. And they shouldn’t be treating us as adversaries. 
They, in fact, are also Tor users, quite ironically. So it is interesting though, because they know that they haven’t done that. But they don’t want you to know that they haven’t done that. In fact, they want you to know the opposite. Of course we could be wrong. They could have some super-secret exploit, but as far as we can tell that just is not the case. So, what’s to be learned from this? We used to think it was just American law enforcement that were scary jerks. Now it’s also European. I don’t know if that’s the right buzzing (?). But hopefully some of you will go and work at Europol, and tell us what’s really going on. applause Roger: Speaking of Hidden Services. We have a new design in mind, that will have some stronger crypto properties, and make it harder to enumerate Hidden Services. It won’t solve some of the big anonymity questions that are still open research questions. But there are a lot of improvements we’d like to make, to make the crypto more secure, and performance changes etc. And we’d been thinking about doing some sort of crowd funding, Kickstarter-like thing, to make Hidden Services work better. We’ve got a funder who cares about understanding Hidden Services, but that’s not the same as actually making them more secure. So we’d love to chat with you after this about how to make one of those Kickstarters actually work. Jacob: Right, so, if you have questions we have some amount of time for questions. And while you line up at the microphone I’ll tell you a quick story. So if you have questions please line up at the microphone, so we can do this. This is a picture of a man who was assassinated in San Francisco. His name is Harvey Milk. Anybody here – ever hear of Harvey Milk? applause Great. Harvey Milk was basically the first out gay politician in, I think, the United States. He was a city council member in San Francisco. And this was during a huge fever pitch apora (?) 
where… basically it was the battle between: “Are people who are gay people or not?” And what he said is: Go home and tell your brothers, your mothers, your sisters, your family members and your co-workers that you’re gay. Tell them that, so that when they advocate for violence against gay people, when they advocate for harm against you that they know they’re talking about you. Not an abstract boogieman. But someone that they actually know, and that they love. We need every person in this room, every person watching this video later to go home and talk about how you needed anonymity, for 5 or 10 minutes. How you needed it every day to do your job. We need people to reach out. Now that’s a sad story with Harvey Milk which is that he and Mayor Moscone of San Francisco were actually killed by a very crazy person, that was also in city government, in the American traditional extreme gun violence. He was shot and killed. And that person actually got away with it. The so-called ‘Twinkie defense’. So we’re not trying to draw that parallel. Just to be clear please don’t shoot us and kill us! Not even funny, unfortunately. But to understand that we are really under threat, a lot of pressure. There’s a lot of pressure. We get pressure from law enforcement investigation agencies to backdoor Tor, and we tell them: “No”, and that takes a lot of stress and dumps it on us. And we need support from a lot of people, to tell them to back off. It can’t just be us that say that. Or we will lose some day. And there are also very scary adversaries that do not care at all about the law. Not that those guys care about the law but really don’t care about the law at all. And we need people to understand how important anonymity is, and make sure that that goes into every conversation. So really, go home and teach your friends and your family members about your need for anonymity. This lesson from Harvey Milk was very useful. 
It is the case that now, in California where there is a huge fever-pitch battle about this that you can e.g. be gay and be a school teacher. That was one of the battles that Harvey Milk helped win. applause So, with that I think that we have time for… Herald: Yeah, we have like 10 minutes left for questions. So, thank you so much for the talk! It’s really inspiring. Thank you for keeping up the work! applause Really! Although you do this every year it never gets old. And I think your… every year you give people the chance to leave the Congress with a feeling of hope and purpose. So, thank you so much for everything you do and every minute you spend on this project. So we start with a question from the internet. applause Jacob: We’d like to take a few questions from the internet all at once, if possible, so we can try to answer them as quickly as possible. Signal Angel: Okay. Herald: Alright. Signal Angel: So, the first one: Yesterday you said that SSH is broken. So what should we use to safely administrate our Tor relays? Jacob: Hah! That’s great. So, first of all! Next set of questions! Signal Angel: So the next one is: How much money would be needed to get independent from Government funding, and is that even desired? Jacob: Ah, do you want me to do both? Roger: Sure. Jacob: Okay. Signal Angel: Hope so. Jacob: Okay. First question: Consider using a Tor Hidden Service, and then SSHing into that Tor Hidden Service. Composition of cryptographic components is probably very important. A detail about SSH: We don’t know what is going on. We only know what was claimed in those documents. That’s a really scary claim. This creates a political problem. The U.S. Congress and other political bodies should really be asking the secret services if they really have a database called CAPRI OS where they store SSH decrypts. And how they populate that database. Because that is critical infrastructure. We can’t solve that problem with the knowledge that we have right now. 
But we know now: There is a problem. What is that problem? So, composition of those systems: It seems to be, the documents say that they haven’t broken the crypto in Tor Hidden Services. So put those two together. And also consider that cryptography only buys you time. It really isn’t the case that all the crypto we have today is going to be good maybe in 150 years. If Sci-Fi quantum computers ever come out, and they actually work, Shor’s algorithm and other things really seem to suggest we have a lot of trouble ahead. And the second part, about money: Yeah, we would love to replace Government funding. I mean at least I would. But that isn’t to say that we don’t respect that there are people that do fund us to do good things. We do take money from agencies, e.g. the Department of Human Rights and Labor, at the State Department. They’re sort of like the advertising arm for the gun-running part of the State Department, as Julian Assange would say. And they actually care about Human Rights. They care that you have access to anonymity. It’s weird because the State Department – the rest of it – might not care. But, we really, really would like to off-set that money. But we’d like to grow. We’d like to be able to hire 100 people in this room to work on this full-time. Because the planet needs anonymity. But that requires that we find that money. And the best place at the moment is by writing grant proposals. And that is how we have in fact done that. And that allows us also to operate openly. So we don’t have e.g. clearances. And we try to publish everything we can about it. And if you ever write a FOIA we always tell the agency that has received the Freedom Of Information request: Give the requestor everything. Give it all to them. We have nothing to hide about this, we want you to see that. We want you to see that when a government agency has paid us money that we have done it for THIS line item, and THIS line item. 
And we’ve done it as well as we could do it, and it is in line with the open research, and we have really done a good thing, that helps people. Roger: So I’d love to diversify our funding. I’d love to have foundations, I’d love to have the EFF model where individuals fund because we do great things – look at what we did over the past year – and in fact, right here: Look at what we did over the past year. We’ve done so many amazing things, we’re gonna do some more amazing things next year. We need your help to actually make all of this happen. Jacob: Anybody here a Bitcoin millionaire? Because we now take Bitcoin! applause Herald: Alright, let’s take a question from microphone 1. Question: Just a short question: is there a follow-up on the Thomas White tor-talk mailing list thing? Roger: So, Thomas White runs a few exit relays. Some of them are quite large, I’m very happy he does that. It is quite normal for exit relays to come and go. He is in England, and as far as I can tell England is not a very good place to be these days. But he’s trying to fix his country from inside which is really great. Basically the short version is: It’s not a big deal. He runs some exit relays, somebody tries to take them down, there are 6000 relays in the network right now, they go up and down, it’s normal. Question: Is this related to the Tor blog post, that Thomas White thing, where you said there’s an upcoming… Roger: It is unrelated, except for the fact that everybody was watching. So then, when he wrote a tor-talk mail saying “Hey, I’m concerned about my exit relays”, suddenly all the journalists said: “Oh my god, they must be the same thing!” So, no, unrelated! Jacob: There are a lot of people that have been attacking the Tor network. You’ve probably seen there’ve been Denial-of-Service attacks, and things like that on the Tor directory authorities. This is what I was saying one or two slides ago when I said “Please tell people the value of Tor, and that you need it”. 
Because when people do Denial-of-Service attacks, when they seize servers, we really need, in a peer-to-peer network way, to draw up more relays to actually increase the bandwidth capacity, to increase the exit capacity. And it’s very important to do that. Right? I mean it’s very, very serious that those things happen. But it’s also important that the design of the network is designed with the expectation that thieves will steal computer systems, that jerks will denial-of-service them etc. So if you can run an exit relay, thank you! Thank you for doing that. Next question? applause Herald: Yeah. Let’s take a question from microphone 2. Question: First of all a quick shoutout to your OONI friend. Please don’t ask people to run arbitrary code over the internet. Curl pipe sh is not good style. Roger: There’s a deb that we’re working on also that should be a lot better. Jacob: Yeah, ‘apt-get install ooniprobe’ will also work. Question: Do you have any plans of implementing IPv6, finally? Jacob: So there is IPv6, so Linus Nordberg, one of the finest Tor people I’ve ever met, he, in fact, helped add IPv6 support, initial IPv6 support to the Tor network. So, e.g. you can, in fact, exit through the Tor network with IPv4 or IPv6. It is the case that the Tor relays in the network still all need IPv4, not just IPv6. My Tor directory authority which runs in California, it has an IPv4 and an IPv6 address, so if you have an IPv6 address you can bootstrap, you can connect to that. You could do some interesting pluggable-transport stuff as well. So that is on the road map. This is another example of: If you really care about that issue please send us your Bitcoins! And it would be really fantastic because we really want that! But right now, you can use Tor as a v4-v6 gateway. You really can do that, and we would encourage that. It’s another example of some kind of neat feature of Tor which you would never think an anonymity system would have. 
Roger: And in Iran, right now, where IPv6 is not censored because the soft… the censorship stuff they have from America and Europe didn’t think to censor IPv6… laughter and applause applause so you can use a bridge right now in Iran that connects over IPv6. Works great. Jacob: Yeah. Next question? Herald: Alright, microphone 4! Question: So we heard lots of really encouraging success stories about Tor working against a global passive adversary. But we know that Tor wasn’t designed for this use case. The question is: What needs to happen in order for Tor to actually be able to handle this, officially? Is this just research, or some more development work? Roger: There’s a lot of really hard open research questions there. So if you’re… so, I get… basically one of the issues is what we call the end-to-end traffic correlation attack. So if you can see the flow over here coming into the Tor network, and you can see the corresponding flow over here, coming out of it, then you do some simple statistics, and you say: “Hey, wait a minute, these line up!” And there are a bunch of different directions on how to make that harder. Basically what you want to do is drive up the false-positive rate. So you see a flow here, and there are actually 1000 flows that look like they sort of match. And maybe you can do that by adding a little bit of padding, or delays, or batching or something. The research, as we understand it right now, means that you have to add hours of delay, not seconds of delay. That’s kind of crummy. So another way of phrasing that: Imagine a graph, the X axis is how much overhead we’re adding. And the Y axis is how much security we get against the end-to-end correlation attack. We have zero data points on that graph. We have no idea what the curve looks like. Jacob: There’s also another point which is: Roger has an assumption. He says if we have a high false-positive rate, that that’s a good thing. Well, maybe, maybe actually, that’s exactly the wrong thing. 
Maybe the result is that 1000 people get rounded up instead of 1. The reality is that there is no system that – as far as we know – is actually safer than that. Of course we would say that, we work on Tor. But as an example: One of the XKeyscore things that I’ve seen in this research which we published in the NDR story is that they were doing an attack on Hotspot Shield where they were actually doing traffic correlation where they were able to de-anonymize VPN users because it’s a single hop. And then they were also able to do QUANTUMINSERT to attack specific users using the VPN. We haven’t seen evidence of them doing that to Tor. That also doesn’t mean that every VPN is broken. It just means that VPN has a different threat model. There are lots of attacks that are like that, and the problem is the internet is a dangerous place. So, I mean, Banksy said it best: He said, in the future people will be anonymous for 15 minutes. And I think he may have over-estimated that. Depending on the attacker. Roger: There’s a conference called the Privacy Enhancing Technologies Symposium, petsymposium.org where all of the Anonymous Communications researchers get together each year to consider exactly these sorts of research questions. So, it’s not just an engineering question, there’s a lot of basic science left in terms of how to make these things harder. Herald: Alright, the last question is one from the internet. Signal Angel: Okay, so, does running an ooniprobe involve any legal risks? Jacob: Okay, so, great! We can take different questions, cause we’re gonna say “Talk to Arturo!” Herald: Alright, so, microphone 3! Question: Okay, as a new Tor relay operator I’ve got… applause Jacob: Take a bow! Question: So, since about 2 months I run 3 relays, rather high bandwidth, and on 2 of these I had quite strange things happen. One case: A kernel crash in the Intel e1000 driver, the other one having the top-of-the-rack switch just reboot, which is by the way a Juniper switch. 
So I’m kind of concerned about this operational security. You know, could you trust that? Jacob: Yeah, absolutely. So the short version of it is: Agencies like the NSA, depending on where you’re located, might compromise something like your Juniper switch upstream. They sit on zero-days for critical infrastructure, that includes core routers, and switches. But it may not be such a big thing. It really depends on where you’re located. It could also be that the hardware sucks. laughter And that the software is not good. And when you, of course, are pushing, let’s say gigabits of traffic through it it falls over. It’s really hard to know. That’s a really good question, which is very specific, and kind of hard for us to address without data. Question: Sorry, I’m concerned that the attack, like this, you know, they could, actually, compromise the machine without knowing, or compromise the exact uplink. And this would actually be a viable attack, like very low-key, you don’t see it, as [an] operator, maybe, if you’re not very careful. And you can watch all the traffic going inside, going outside the box. Jacob: It would be fantastic if you can prove that theory. Because, of course, if you can, maybe we can find other information that allows us to stop those types of things from happening, or e.g. can in some way allow us to fix the problems that are being exploited. The reality is that general purpose computers are quite frankly not very secure, and special purpose computers aren’t doing much better. Roger: I worry not only about active attacks like that but about passive attacks where they already have some sort of surveillance device up-stream from you in your co-location facility, or something like that. So, yes. These are all really big concerns. One of the defenses that Tor has is diversity around the world. So, hopefully they won’t be able to do that to all of the relays. But yeah, this is a big issue. We should keep talking about it. 
Herald: Alright, I just wanna come back to the question before, for a second. Because there was a question from the internet. So the people are not able to talk. Ooniprobe guy, hey, could you maybe answer the question, like, right now, or maybe on Twitter, or post a link or something? Because I happen to believe that it’s a very important question. You remember the question? If there are legal restric…

Arturo: Yeah well, I mean the thing is that we don’t really know like what are the… who was it that was asking the question?

Jacob: The internet?

Arturo: Ah, the internet. Okay. laughter and applause Jacob laughs So I guess we can’t know all of the legal risks involved in every country. It is definitely the case that in some countries you may get in trouble for visiting some websites that are considered illegal. So, I can go into more detail on this if you come later to Noisy Square at 6.

Herald: The internet can’t come, that’s the problem!

Arturo: Ah, the internet can’t come, shit! Okay! laughter So,… laughs applause

Jacob: There’re a lot of jokes in that!

Arturo: The short answer is that you should look at the test specifications, that are written in English, and they have at the bottom some notes that detail what can be some of the risks involved. But we are not lawyers. So we don’t know what the risks are for all of the countries. So you should probably speak to somebody that knows about these things in your country. And it’s experimental software, and there are not many people that are doing this. So we generally can’t say. Hope that answers your question.

Question: Thanks a lot, yeah, thanks.

Herald: Alright, I guess, just to sum it up: be careful whatever you do. laughter and applause Alright, so, Jake was just asking if maybe we could just gather a couple of questions, and then ask about them outside. Did I get that right?
Jacob: Yeah, so if everyone who is at a microphone, disperse to the correct microphone, if you could just ask all your questions, then everyone else who’s here that wants to hear the answers will know that you should stick around and talk to us afterwards. We won’t answer all these questions unless there’s a really burning one. But that way the guys that are standing at the microphone, or the gals that are standing at the microphone, or other, can actually ask them right now, and if you’re interested come and find us right afterwards. We’re going to probably go to the tea house upstairs, or maybe I shouldn’t have said that. laughter

Herald: Alright, so we’re gonna do it like this. We’re gonna rush through this. And we’re just gonna hear a lot of interesting questions, but no answers. If you wanna hear the answers stay tuned and don’t switch the channel. So we take a couple of questions. Microphone 5. And be quick about it.

Question: In regards to robustness and the Mozilla partnership: are there any thoughts about incrementally replacing the C++ infrastructure with Rust? Eventually?

Herald: Microphone 4! Is it open, microphone 4?

Question: Can you compare Tor with JAP from TU Dresden in aspects of anonymity?

Herald: Okay, the other guy at microphone 4!

Question: To your knowledge has anyone got into trouble for running a non-exit relay? And do you have any tips for people that wanna help by running a non-exit relay?

Herald: Okay, microphone 1, 2 guys.

Question: I have a question, or a suggestion for the funding problem. Have you… you’re teaming up with Mozilla, have you ever considered, like, producing your own smartphones, because there’s a huge margin. I also think there’s a problem like… why most people don’t use cryptography is because there’s no easy-to-use, out-of-the-box, cool product that’s like… that goes out and has a story or anything, like the marketing on Apple.

Herald: Alright, the other guy at microphone 1.
Question: So a couple of minutes before the talk started someone did a Sybil attack on Tor. And we should fix that a.s.a.p. So please don’t disappear for the next few hours. Jacob rages, laughing, theatrically Thanks!

Roger: It never ends.

Jacob: It never ends!

Herald: Alright. Two questions from microphone 3.

Question: So when they took down Silk Road they took a lot of Bitcoins with them. I wonder what the [U.S.] Government is doing with the large amount of anonymized cash.

Roger: They auctioned it off.

Jacob: They sell it. Next question.

Question: And I think they should give it to you.

Herald: Alright. Last question!

Jacob: I fully agree!

Question: So to combat the ‘misinformed journalists’ thing, why not have a dashboard, very prominently displayed on the Tor Project site, listing all of the academic, open, like, known problems with Tor, and always have the journalists go there first to get the source of information, rather than misunderstanding academic research.

Jacob: Fantastic, so if you wanna know…

Herald: Alright, if you found any of these questions interesting, and you’re also interested in the answers, stick around, go to Noisy Square, speak to these two guys, and get all your answers. Other than that, you heard it a Brillion times, but: go home, start a relay! My friends and I did two years ago, after Jake’s keynote. It’s really not that hard. You can make a difference. And thank you so much, for Roger and Jake, as every year! applause

silent postroll titles

subtitles created by c3subtitles.de in the year 2017. Join, and help us!