silent 31C3 preroll titles
applause
Roger: Okay, hi everybody! I’m Roger
Dingledine, and this is Jake Appelbaum.
And we’re here to tell you more
about what’s going on with Tor
over the past year. We actually wanted
to start out asking Laura to give us
a little bit of context from her
perspective, about Citizenfour,
and the value of these sorts
of tools to journalists.
applause
Laura: So. Am I live? Okay. Roger and Jake
asked me to say a few things about Tor,
and what does it mean for investigative
journalists. And I can say that certainly
the work that I’ve done, on working with
disclosures by Edward Snowden, and
first communicating with him would not
have been possible. Without the work
that these 2 people do. And that everybody
[does] who contributes to the Tor network.
So I’m deeply grateful to everyone here.
applause
When I was communicating with Snowden
for several months before I met him
in Hongkong we talked often about the Tor
network, and it’s something that actually
he feels is vital for online
privacy. And, to sort of
defeat surveillance. It’s really our
only tool to be able to do that. And
I just wanted to tell one story about what
happens when journalists don’t use it.
I can’t go into lots of details, but
there’s a very well known investigative
journalist who was working on a story.
He had a source. And the source was
in the Intelligence community. And he had
done some research on his computer,
not using Tor. And I was with him when
he got a phone call. And on the phone,
the person was saying: “What the fuck were
you doing looking up this, this and this?”
And this is an example of what
happens when Intelligence agencies
target journalists. So without Tor
we literally can’t do the work that
we need to do. So thank you,
and please support Tor! Thanks!
applause
Roger: Well, thank you!
continued applause
Jacob: So to follow-up on what Laura
has just said: We think it’s important
to really expand, not just into the
technical world, or to talk about
the political issues in some abstract
sense. But also to reach out to culture.
So in this case, this is a picture in the
Reina Sofia which is one of the largest
museums in Spain. And that in the middle
is Mason Juday, and Trevor Paglen,
and that’s me on the right. And the only
time you’ll ever find me on the right!
And so it is the case that this is
a Tor relay. It’s actually 2 Tor relays
running on the open hardware device
Novena, made by bunny and Sean.
And it’s actually running as a middle
relay now, but it may in some point
with one configuration change become
an exit relay. And it is the case that
the Reina Sofia is hosting this Tor relay.
So, now, if… so we live in capitalism…
applause
So it is the case that if the Police wanna
seize this relay they got to buy it
like every other piece
of art in the museum.
laughter and applause
And part of the reason that we’re
doing this kind of stuff – at least
that piece of art which I did with Trevor
and Mason and Leif Ryge who is also
in this room, and Aaron Gibson, also in
this room – is because we think that
culture is important. And we think that
it’s important to tie the issue of anonymity
not just as an abstract idea but as an
actual thing that is representative
not only of our culture but of the world
we want to live in, overall. For all the
cultures of the world. And so, for that
reason we also have quite recently
been thinking a lot about social norms.
And it is the case that there’s a person
in our community, and many persons in our
community that have come under attack.
And have been deeply harassed.
And we think that that sucks!
And we don’t like that. Even though we
promote anonymity without any question,
i.e. no backdoors ever, and we’ll
get back to that in a minute,
it is the case that we really
want to promote ‘being
excellent to each other’. In the
sort of spirit of Noisebridge!
applause
And it’s still a little bit American-centric
but you can get the basic idea.
It applies to Europe as well. Just replace
‘First Amendment’ with some of your local law.
Or a local constitutional right. It isn’t
the case that we’re saying that you
shouldn’t have the right to say things.
But we are saying “Get the fuck out
of our community if you’re going
to be abusive to women!”
applause and cheers
And you’ll note that I used the word
‘Fuck’ to say it. And I’m sorry about that.
Because the point is we all make mistakes.
And we want to make sure that while
it’s true that we have transgressions we
want to make sure that we can find
a place of reconciliation, and we can
work towards conflict resolution.
And it’s important at the same time to
recognize that there are people who’s
real lives are harmed by harassment
online. In this case one of the people
is in this audience. And I hope that they
won’t mind being named. But we want
to give her a shoutout and say
that we stand behind her 100%.
Roger: Yeah, so, …
applause
So one of our developers on core Tor,
Andrea, has been harassed on Twitter
and elsewhere, really a lot more
than should happen to anybody.
And there are a couple of points
to make here. One of them is:
She’s a woman, and women online
have been harassed for basically
since ‘online’ has existed. Not just
women, other minorities, pretty much
all over the place. Especially recently
things have been getting worse.
The other important point to realize:
she’s not just being attacked because
she happens to be there. She’s being
attacked because they’re trying to attack
the Tor project and all the other people
in Tor. So, yes, she may be the focus
of some of the attacks but we - the rest
of the Tor community, the rest of the
security community - need to stand up
and take on some of this burden of
communicating and interacting,
and talking about these issues.
We can’t just leave it
to her to defend herself.
applause
Jacob: And so we want to set a particular
standard which is that there are
lots of journalists that have a lot of
questions. And we really think that
there are a lot of legitimate questions to
ask. E.g. I think it sucks that we take
Department of Defense money, sometimes.
And sometimes I also think it’s good that
people have the ability to feed
themselves, and have the ability
to actually have a home and a family. Now,
I don’t have those things, really. I mean
I can feed myself, but I don’t have a home
or a family in the same way that, say,
the family people on side of Tor do. And
they need to be paid. It is the case that
that is true. And that raises questions.
Like I, personally, wouldn’t ever take
CIA money. And I think that nobody should.
And I don’t think the CIA should exist.
But we have a diversity…
applause
…we have a diversity of funding because
we have a diversity of users. And so that
raises a lot of questions. And I think
people should ask those questions.
And Roger, and the rest of the Tor
community feels that way, too. But
it’s important that we don’t single out
a specific person. And, in particular,
to single out Andrea, again. She
does not deserve all the heat about
some of the decisions that the
Tor project as a non-profit makes.
She is a developer who is integral to
Tor. If it was not for her a significant
portion of Tor would not exist. It
would not be as bug free as it is.
And it would not be getting better all the
time. So we want people to reach out
to this alias, if they actually want
to talk, and have a forum where
the whole of Tor can really respond, and
think about these things in a positive way,
and really engage with the press. In a way
that we can manage; because at the moment
we get, I would say, 5 (on
average) press requests every day.
That’s really a lot. And it is also the
case that 4 of those requests
are very well phrased, extremely
reasonable questions. And one of them is,
you know: “Why to
choose to run Tor?” And
we should address all of them. We
really should. And at the same time
we have to recognize that some of these
people that are kind of harassing,
they might trigger me. That one will
trigger me, and I would probably
write back with something kind of shitty.
So we want to distribute the work in a way
where people will be nice. Even to the
people that are unreasonable. Because
at the core – we need to be held to
account, and we need people to look to us
about these things, and to ask us these
hard questions. And so this is the address
to reach out to: [press@torproject.org].
Not harassing Andrea online on Twitter.
Not coming after individual developers.
Not posting crazy stuff on the mailing list.
Wait until we’ve actually talked to you,
then post the crazy stuff on the mailing list.
Or wherever you’re going to post it. And
then hopefully we can actually answer
the questions in a good faith-, helpful
way. There’s no reason to talk about
conspiracy theories, we can just
talk about the business plans.
And into that point wanna make it clear:
stop being an asshole to people in the
community. But this is not negotiable.
We’re not saying because we don’t want
you to harass people that we’re going
to backdoor Tor. That will never happen.
You will find a bullet in the back of my head
before that happens. And maybe Roger’s,
too. Depending on the order of operations.
laughter and applause
Roger: Okay, so we’re going to talk
a little bit about the various things
we’ve done over the past year. To
give you a very brief introduction to Tor:
Tor is an anonymity system. You’ve got
Alice, the client over there. She builds
a path through 3 different relays
around the world. And the idea is
that somebody watching her local
network connection can’t figure out
what destination she’s going to. And
somebody watching the destinations
can’t figure out where she’s coming
from. And we have quite a few relays
at this point. Here’s a… the red line is
the graph of the number of relays
we’ve had over the past year. For those
of you who remember ‘Heartbleed’
you can see the big drop in April when
we removed a bunch of relays that
had insecure keys. But this is not the
interesting graph. The interesting graph
is ‘capacity over the past year’. And
we’ve gone from a little over 6 GBps
of capacity up to more
than 12 GBps of capacity.
applause
And as long as we can make the difference
between those 2 lines big enough then
Tor performance is pretty good. But we rely
on all of you to keep on running relays,
and make them faster etc. so that we
can handle all the users who need Tor.
Okay, another topic. Deterministic
builds. Mike Perry and Seth Schoen
did a great talk a few days ago. So you
should go watch the stream on that!
The very short version is: We have
a way of building Tor Browser so that
everybody can build Tor Browser
and produce the same binary.
And that way you don’t have to worry about
problems on your build machine and you can
actually check that the program we give
you, really is based on the source code
that we say that it is.
Jacob: And this is of course important
because we really don’t want to be
a focal point where someone comes
after us and says: “You have to produce
a backdoored version”. So it’s very
important because we do receive
a lot of pressure, from a lot of different
groups. And we never want to cave.
And here’s how we think it is the
case that we will never cave:
Free Software, open specifications,
reproducible builds,
things that can be verified
with cryptographic signatures.
That will not only keep us honest
against the – what do you call it –
the angels of our better nature.
I don’t believe in angels. But anyway.
The point is that it will keep us honest.
But it will also keep other people at bay.
From trying to do something harmful to
us. Because when something happens
you will be able to immediately find it.
And Mike Perry, by the way, is incredible.
He probably hates that I’m saying his name
right now. Sorry, Mike! Are you here?
laughter
Bastard! laughs
But Mike Perry is a machine. He also
has a heart! But he’s a machine.
And he’s incredible. And he has been
working non-stop on this. And he is really
ground-breaking in not only doing
this for Firefox but really thinking
about these hard problems, and
understanding that if he was just building
this browser by himself, and he was
doing it in a non-verifiable way
that it would really, actually be
a serious problem. Because we distribute
this software. And so, I mean
there is a reason that the NSA
calls Mike Perry a “worthy adversary”.
And it is because he’s amazing!
applause
So let’s give it up for Mike Perry!
ongoing applause
Roger: Not only that, but his work, along
with Bitcoin’s work has pushed Debian
and Fedora, and other groups to work
on reproducible builds as well. So,
hopefully the whole security
community will get better!
applause
Jacob: And to the point about Citizenfour.
One of the things that’s been happening
quite recently is that really respectable
nice people like the people at Mozilla
have decided that they really want
us to work together. Which is great.
Because we wanted to, and we have
respected their work for a very long time.
And so Tor is now partnering with Mozilla.
And that means that Mozilla, as a group,
will be running Tor relays. At first
middle nodes, and then, hopefully,
we believe, exit relays. And that is
huge because Mozilla is at the forefront
of doing a lot of work for end users. Just
everyday regular people wanting privacy.
Things like DoNotTrack e.g.
are a way to try to experiment.
Things like the Tor Browser a way to
experiment even further. To really bring
Privacy-by-Design. And it’s amazing
that Mozilla is doing that. And
we’ve made a partnership with them, and
we’re hopeful, cautiously optimistic even,
that this is going to produce some very
good results where our communities can
sort of fuse, and give Privacy-by-Design
software to every person on the planet
with no exceptions whatsoever.
applause
Now we also have a couple of things
that we would like to talk about,
just generally, that are a little bit
technical. But at the same time
we wanna keep it accessible because
we think that this talk, well, it’s useful
to talk about technical details. The most
important thing is somebody who has
never heard of the Tor community before,
who watches this video, we want them
to understand some of the
details, and enough, let’s say,
technical understanding that they’ll be
able to go and look it up if they want to,
but they’ll also understand we’re not
just glossing over, completely.
So, pluggable transports are very
important. Right now, the way
that Tor works is that we connect with an
SSL/TLS connection. The protocol SSL/TLS,
one of the 2, depending on the client
library, and the server library. And
that looks like an SSL connection, for
the most part. But as some of you know
there are people on this planet
they collect SSL and TLS data,
about everything flowing across the
internet. That’s really a problem.
It turns out we thought in some cases
that it was just censorship that mattered.
But it turns out broad classification
of traffic is really, actually, a problem
not just for blocking but also for later
doing identification of traffic flows.
So I’ve already lost the non-technical
people in the audience, so, let me
rephrase that and say: We have these other
ways of connecting to the Tor network.
And they don’t look just like a secure
banking transaction. They look instead
like DNS, or HTTP – that is your regular
web browsing or name resolution.
And we have a lot of different pluggable
transports. And some of them are cool.
Some of them make it look like you’re
connecting to Google. When in fact you’re
connecting to the Tor Project. And it’s
because you, in fact, are connecting
to Google. Leif Ryge, are you
in the room, here? Maybe, no?
This is really… you guys,
and your anonymity!
laughter
It is the case…
he showed this to me, I mentioned this to
some other people and David Fifield,
I think, either independently rediscovered
it. There’s also the GoAgent people
that discovered this. You can connect
to Google with an SSL connection,
and the certificate will say:
dadada.google.com. And you of course
verify it. And it is of course signed,
probably by Adam Langley, personally.
And… maybe it’s just the Google
CAs. And then you give it a different
HTTP host header. So you say: actually
I wanna talk to Appspot. I wanna talk
to torbridge.appspot.com.
And inside of the TLS connection,
which looks like it’s a connection to
Google which is one of the most popular
websites on the internet you then make
essentially an encrypted connection
through that. And then from there
to the Tor network. Using Google,
but also Cloudflare – they don’t
just provide you with captchas!
laughter and applause
laughs
Poor Cloudflare guy! We were joking
we should stand outside his office
and make him answer
captchas to get in the door!
laughter and applause
All of those people clapping wish you
would solve the Cloudflare captcha issue!
So it also works with other compute
clusters. And other CDNs.
And so this is really awesome because
it means that now you can connect
through those CDNs to the Tor network,
using Meek (?) and other pluggable transports
like that. So that’s a huge win.
And deploying it by default
– I think we have another slide for that…
Roger: Nope, that’s it!
We’ve got a different one, yes.
So, one of the neat things about Meek (?) is:
because it works on all these different
sorts of providers – Akamai
and all the CDNs out there –
a lot of those are still reachable from
places like China. Lots of our pluggable
transports don’t work so well in China,
but meek does, at this point.
So there are a lot of happy users.
Here’s a graph of an earlier
pluggable transport that we had,
called ‘obfs3’. It still works in China,
and Iran, and Syria and lots
of places around the world.
But the sort of blue/aqua line is
how much use we’ve seen of
obfs3. And you can tell exactly
when we put out the new Tor browser
release that had obfs3 built-in
and easy-to-use by ordinary people.
So one of the really important pushes
we’ve been doing is trying to make
– rather than trying to explain
how pluggable transports work, and
teach you everything – just make them
really simple. Make them part of Tor
browser, you just click on “My Tor
isn’t working so I wanna use some
other way to make my Tor work”.
And we’ve got 10.000 people at this
point who are happily using obfs3.
I think a lot of them are in
Syria and Iran at this point.
applause
Something else we’ve been doing over
the past year is working really hard
on improving the robustness,
and testing infrastructure,
and unit tests for the core Tor
source code. So Nick Mathewson
and Andrea Shepard in particular
have been really working on robustness
to make this something we can rely
on, as a building block in tails,
in Tor browser, in all the other
applications that rely on Tor.
So in the background things were
getting a lot stronger. Hopefully that
will serve us very well
in the battles to come.
applause
Jacob: So this fine gentleman
who was a teen heartthrob
on Italian television many years ago…
Arturo: Thank you for doxing me!
Jacob: Sorry.
both laugh
If only you’d been using Tor!
Arturo: Yeah, TV over Tor. So…
A project that we started a couple
of years ago with Jake is sort of related
I guess to the Tor project’s goals of
increasing privacy and having a better
understanding on how people’s lives
are impacted through technology. And this
project is called OONI, or the ‘Open
Observatory of Network Interference’. And
what it is, before being a piece of software
is a set of principles, and best practices
and specifications written in English
for how it is best to conduct network
related measurements. That sort of
measurements that we’re interested in
running have to do with identifying
network irregularities. These are symptoms
that can be a sign of presence of
surveillance or censorship, on the network
that you’re testing. And we use
a methodology that has been peer-reviewed,
of which we have published a paper.
It’s implemented using free software. And
all of the data that we collect is made
available to the public. So that you can
look at it, analyze it and draw your
own conclusions from it.
applause
And so we believe that this effort is
something that is helpful and useful
to people such as journalists, researchers,
activists or just simple citizens that are
interested in being more aware, and have
a better understanding that is based
on facts instead of just anecdotes, on
what is the reality of internet censorship
in their country. And we believe that
historical data is especially important
because it gives us an understanding of
how these censorship and surveillance
apparatuses evolve over time. So
I would like to invite you all to run
Ooniprobe today, if you copy and paste
this command line inside of a Debian-based
system. Obviously… perhaps you should
read what is inside it before running it.
applause
But once you do that you will have
a Ooniprobe setup and you will be
collecting measurements for your country.
If instead you would like to have
an actual hardware device we have a very
limited number of them. But if you’re
from an interesting country and you’re
interested in running Ooniprobe
we can give you a little Raspberry Pi with
an LCD screen that you can take home,
connect to your network and adopt
a Ooniprobe in your home network.
To learn more about this you should come
later today at Noisy Square, at 6 P.M.
to learn more about it.
Roger: Thank you!
applause
Jacob: And, just to finish up here,
I mean, OONI is a human rights
observation project which Arturo and
Aaron Gibson – also somewhere in the room,
I’m sure he won’t stand up so I won’t even
ask him. It’s great! Because we went from
a world where there was no open
measurement, with only secret tools,
essentially, where people acted like
secret agents, going in the countries
to do measurements. There wasn’t really
an understanding of the risks that
were involved, how the tests function,
where non-technical people could have
reasonable explanations. And now we have
open measurement tools, we have open data
standards, we have really like a framework
for understanding this as a human right
to observe the world around you. And then
also to share that data, and to actually
discuss that data, what it means. And to
be able to set standards for it.
And hopefully that means that people have
informed consent when they engage
in something that could be risky, like running
Ooni in a place like… that is dangerous
like the United States or Cuba,
or something like China.
applause
And so, Arturo personally though, is
the heart and soul of Ooni. And it is
really important that we see that
the Tor community is huge. It’s really
huge, it’s made up of a lot of people
doing a lot of different things. And part
of Ooni is Tor. We need Tor to be able
to have a secure communications channel
back to another system, we need that
so that people can log into these
Ooniprobes e.g. over Tor Hidden Services.
That kind of fusion of things where we
have anonymity but at the same time
we have this data set that is in some
cases identifying, in some cases
it’s not identifying, depending on the
test. We need an anonymous communications
channel to do that kind of human rights
observation. And so… just so we can
make Arturo a little… feel a little
appreciated I just wanna give him
another round of applause, for making this
human rights observation project.
applause
Jacob joins the applause
Roger: So I encourage all of you not only
to run Ooniprobe in interesting places,
and in boring places because they might
become interesting. But also to help write
new tests, and work on the design of these
things, so that we can detect and notice
new problems on the internet more quickly.
Something else we’ve been up to over
the past year is Tor Weekly News. We were
really excited by Linux Weekly News etc.
and… so every week there’s a new
blog post and mail that summarizes
what’s happened over the past week.
We encourage you to look at all these.
A special shout-out to harmony and
lunar for helping to make this happen
over the past year. Thank you!
applause
Jacob: Finally there’s a Tor list you can
be on, that you really wanna be on!
Roger: Being on lists is good. One of the
other features we’ve been really excited
about over the past year: EFF has been
helping with Outreach. EFF ran
a Tor relay challenge to try to get a lot
of people running relays. And I think
they have several thousand relays that
signed up because of the relay challenge.
Pushing a lot of traffic.
So that’s really great!
applause
And at the same time not only did they
get a lot of more people running relays
but they also did some great advocacy
and outreach for getting more exit relays
in universities, and basically teaching
people why Tor is important. We all need
to be doing more of that! We’ll
touch on that a little bit more later.
So you all I hope remember what was
going on in Turkey, earlier this year.
Here’s a cool graph of Tor use in Turkey
when they started to block Youtube
and other things. Then people realized,
I need to get some tools to get around
that censorship. But you probably
weren’t paying attention when Iraq
filtered Facebook, and suddenly a lot of
people in Iraq needed to get some sort
of way to get around their censorship. So
there are a bunch of interesting graphs
like this on the Tor Metrics project, of
what’s been going on over the past year.
Jacob: And we actually…
– if you could go back, yeah.
One thing that’s really interesting about
this is: Karsten Loesing who is, I think,
also not going to stand up, maybe you
will? Are you here? I don’t see you,
Karsten? No? No, okay. He does all
the metrics, this anonymous, shadowy
metrics figure. And if you go to
metrics.torproject.org you’ll see
open data that is properly anonymized
– you would expect that from us –
as well as actual documents that explain
the anonymity, the counting techniques,
that explain the privacy conserving
statistics. And you can see these graphs,
you can generate them based on certain
parameters. If you are interested
in seeing e.g. geopolitical events,
and how they tie in to the internet,
this project is part of what inspired
Ooni. This is how we get statistics
and interesting things about the Tor
network itself. From Tor clients,
from Tor relays, from Tor bridges.
And it tells you all sorts of things.
Platform information, version number of
the software, which country someone
might be connecting from etc. Where
they’re hosted… If you are interested
looking at this website and finding spikes
like this you may in fact be able to
find out that there is a censorship event
in that country, and we haven’t noticed it.
There are a lot of countries in the world
if we split it up by country. And sometimes
50.000 Tor users fall off the Tor network
because another American company has sold
that country censorship equipment. We
need help finding these events, and then
understanding their context. So if in your
country something like that happens
looking at this data can help us not only
to advocate for anonymity in such a place
but it can help us to also technically
realize we need to fix a thing,
change a thing… And it’s through this
data that we can have a dialog
about those things. So if you have no
technical ability at all but you’re
interested and understand where you
come from – look at this data set, try
to understand it, and then reach out to us
and hopefully we can learn about that.
That’s how we learn about this, that’s how
we learned about the previous thing.
And many years ago we gave a Tor talk
about how countries and governments
and corporations try to censor Tor. And
of course, a lot has happened since then.
There’s a lot of those things, and very
difficult to keep up with them. So
we really need the community’s help to
contextualize, to explain and define
these things.
Roger: Okay. Next section of the talk,
‘things that excited journalists over
the past year’. That actually turned out
to be not-so-big a deal. And we’re gonna
try to blow through a lot of them quickly,
so that we can get to the stuff that
actually was a big deal. So I guess in
August or something there was going to be
a Blackhat talk about how you can
just totally break Tor, and then
the Blackhat talk got pulled. Turns out
that it was a group at CMU who were
doing some research on Tor. And I begged
them for a long time to get a little bit
of information about what attack they had.
Eventually they sent me a little bit of
information. And then we were all
thinking about how to fix it. And then
Nick Mathewson, one of the Tor developers,
said: “Why don’t I just deploy
a detection thing on the real Tor network,
just in case somebody is doing this?” And
then it turns out somebody was doing this.
And then I sent mail to the Cert (?) people
saying: “Hey, are you, like, are you like
running those 100 relays that are doing
this attack on Tor users right now?” And
I never heard back from them after that.
So that’s sort of a… this is a sad
story for a lot of different reasons.
But I guess the good news is we identified
the relays that were doing the attack,
we cut them out of the network, and we
deployed a defense that will first of all
make that particular attack not
work anymore. And also detect it
when somebody else is trying
to do an attack like this.
Jacob: This, of course, is…
applause
This is a hard lesson, for 2 reasons.
The first reason is that that it’s awful
to do those kinds of attacks on the real
Tor network. And there’s a question about
responsibility. But the second lesson is
that when these kinds of things happen,
and we have the ability to actually
understand them we can respond to them.
It’s really awful that the talk
was pulled, and it is really awful
that these people were not able to give
us more information. And it’s also really
awful that they were apparently carrying
out the attack. And there were lots
of open questions about it. But in general
we believe that we’ve mitigated the attack
which is important. But we also
advocated for that talk to go forward.
Because we think that, of course, the
answer to even really frustrating speech
is more speech! So we wanna know more
about it. It somehow is very disturbing
that that talk was pulled. And they should
be able to present their research,
even if there’s anger on our face it’s
important for our users to know as much
as we can, so that we can move
forward with protecting Tor users.
Roger: Okay, so, another exciting
topic from a couple of months ago:
Russia apparently put out
a call-for-research work…
loud splashing noise from Jake
opening a loaded water bottle
…to come up with attacks on Tor.
Jacob: It’s another attack on Tor!
Roger: Enjoy your water, Jake.
I hope that was worth it. laughs
Jacob: laughs It was really
worth it. Was very thirsty.
Roger: So Russia put out a
call-for-research proposals
on attacking Tor. Somebody mistranslated
that phrase from Russian into ‘prize’,
or ‘bounty’, or ‘contest’. And then we had
all these articles, saying “Russia is
holding a contest to break Tor” when
actually, no, they just wanted somebody
to work on research on Tor attacks.
So this would be like the U.S. National
Science Foundation holds a contest
for Tor research. That’s not actually
how government funding works.
Mistranslations cause a lot of
exciting journalist articles but as
far as I can tell it turned out to be
basically nothing. Also it was basically
‘no money’. So, maybe something
will come of this, we’ll see. Something
else that’s been bothering me a lot,
lately: Cryptowall, now called
‘Cryptolocker’. So, there are jerks
out there who break into your
mobile phone of some sort,
give you malware, viruses, something
like that. They encrypt your files,
and then they send you basically a ransom
note saying “We’ve encrypted your file,
if you want it back send some Bitcoin over
here!” So this is bad, so far. But then
the part that really upsets me is they
say: “And if you don’t know how to do this
go to our website torproject.org and
download the Tor Browser in order
to pay us”. Fuck them! I do not want
people doing this with our software!
applause
Jacob: Yeah, fuck them. I mean I don’t
really have a lot to contribute to that.
I mean it’s really… Hidden Services have
a really bad rap, and it’s frustrating,
right? There’s a… of course this
quantitative and qualitative analysis
that we can have here. And the reality
of the situation is that one Globaleaks
leaking interface is ‘one.onion’ (?), for
example. What is the value of that?
Versus 10.000 Hidden Services run by these
jerks? And it’s very hard to understand
the social value of these things, except
to say that we really need things like
Hidden Services. And jackasses like this
are really making it hard for us to defend
the right to publish anonymously. And so,
if you know who these people are please
ask them to stop! I don’t even know
what the ask is there. But they really
should stop. Or maybe there’s some
interesting things that you can do.
I don’t know. But we really, really
don’t like that this is someone’s
first introduction to Tor! That they think
that we’re responsible for this. We
most certainly are not responsible for
these things. We certainly do not deploy
malware. And Hidden Services are actually
very important for a lot of people.
These people are not those people!
applause
Roger: Another ‘exciting’ story,
a month or 2 ago, was,
“81% of Tor users can be de-anonymized…”
and then some more words, depending on
which article you read. So it turns out
that one of our friends, Sambuddho, who is
a professor in India now, did some work
on analyzing traffic correlation attacks
in the lab. He found, in the lab, that
some of his attacks worked sometime,
great… And then some journalists found it,
and said: “Ah! This must be the reason why
Tor is insecure today”. So he wrote
an article, it got Slashdot, it got
all the other news stories. And suddenly
everybody knew that Tor was broken
because “81% of Tor users…”.
So it turns out that Sambuddho himself
stood up and said actually: “No, you
misunderstood my article”. But
that didn’t matter because nobody listened
to the author of the paper at that point.
So I guess there’s a broader issue that
we’re struggling with here, in terms of
how to explain the details of these
things because traffic correlation attacks
are a big deal. They probably do work
if you have enough traffic around
the internet, and you’re looking at the
right places. You probably can do
the attack. But that paper did not do the
attack. So I keep finding myself saying:
“No no no, you’re misunderstanding the
paper, the paper doesn’t tell us anything,
but the attack is real! But the paper
doesn’t tell us anything”. And this is
really confusing to journalists because
it sounds like I’m disagreeing with myself
with these 2 different sentences. So we
need to come up with some way to
be able to explain: “Here are all of the
real attacks, that are really actually
worrisome, and it’s great that researchers
are working on them. And they probably
are a big deal, in some way. But no, that
paper that you’re pointing at right now
is not the reason why they’re a big
deal”. We also saw this in the context
of an NSA paper which was published
a couple of days ago, thanks to
some other folks.
Jacob: Sad, ‘some other folks’!
Roger: ‘Some other folks’. I won’t specify
exactly which other folks. And they
similarly had a traffic correlation attack.
And in the paper it’s really a bad one.
It’s the same as the paper that was
published in 2003, in the open literature.
There was a much better paper
published in 2004, in the open literature,
that apparently these folks didn’t read.
So I don’t wanna say traffic correlation
attacks don’t work, but all these papers
that we’re looking at don’t show…
aren’t very good papers.
Jacob: So one of the solutions to a lot
of journalists that don’t understand
technology is that it’s actually quite
easy to be a journalist by comparison
to being a technologist. It’s possible
to write about things in a factually
correct way, sometimes you don’t always
reach the right audiences, that can
actually be difficult. It depends. So you
have to write for different reading
comprehension levels, e.g. And we tried
to write for people who understand
the internet. At least when I write as
a journalist. And so, when I sometimes
take off my Tor hat I put on my journalistic
hat. And part of the reason is that
in order to even tell you about some
of the things that we learn, if I don’t
put on my journalistic hat I get a nice
pair of handcuffs. So it’s very important
to have journalistic protection so that we
can inform you about these things.
So e.g. it is the case that XKeyscore
rules – we published some of them.
Not ‘we’, Tor. But me and this set of
people at the top, of this by-line here.
In NDR. Some of you know NDR, it’s a very
large German publication. I also publish
with Der Spiegel, as a journalist. In this
case we published XKeyscore rules.
Where we specifically learned an important
lesson. And the important lesson was,
even if you’re a journalist explaining
things exactly technically correctly
– people will still get it wrong. It’s just
not the journalists that get it wrong.
It’s the readers. Very frustrating.
People decided that because the NSA
definitely has XKeyscore rules that is
rules for surveilling the internet, where
they’re looking at big traffic buffers.
TEMPORA e.g. the British surveillance
system that is built on XKeyscore.
With a – probably – week-long buffer of
all internet traffic. That’s a big buffer,
by the way. Doing these XKeyscore
rules, running across that traffic set,
they would find that people were
connecting to directory authorities.
One of those directory authorities is
mine, actually, quite ironically. And
then Sebastian Hahn, and other people
in this audience. And some people said:
“Oh, don’t use Tor because the NSA will
be monitoring you!” That is exactly
the wrong take-away. Because there are
XKeyscore rules on the order of tens of
thousands, from what we can tell.
So everything you do is going through
these giant surveillance systems. And
what you’ll learn when you monitor
someone using Tor is that they’re
using Tor potentially, in that buffer.
Which is different than ‘they learn
for sure that you were going to
the Chaos Computer Club’s web site’,
or that you were going to a dating site.
So it’s the difference between ‘they learn
some keeny (?) bit of information about you’,
that you’re using an anonymity
system, versus ‘they learned exactly
what you were doing on the internet’. Now
if there were only a few XKeyscore rules
at all, and it was just that about Tor
then that conclusion people reach
would be correct. But it’s exactly not
true. The XKeyscore system is so powerful
that if you have a logo for a company,
so anyone here that runs a company,
and you put a logo inside of a document,
the XKeyscore system can find that logo
in all of the documents flowing across the
internet in real-time. And alert someone
that someone has sent a .DOC or a PDF with
that image inside of it. And alert them.
So that they can intercept it. So the
lesson is not “Don’t use Tor because
XKeyscore may put your metadata into
a database, in the so-called ‘corporate
repositories’”. The lesson is “Holy shit,
there’s this gigantic buffering system
which has search capabilities that even
allow you to search inside of documents.
Really, really advanced capabilities where
they can select that traffic and put it
somewhere else”. “Use an anonymity
system!” And also: “Look, they’re
targeting anonymity systems, even in the
United States, which, at least for the NSA
they’re not supposed to be doing those
kinds of things”. They literately were
caught lying here. They’re doing
bulk internet surveillance even
in the United States. Using these
kinds of systems. That’s really scary.
But the real big lesson to take away from
that is, actually, that they’re doing this
for all the protocols that they can
write fingerprints for. And they have
a generic language where they can actually
describe protocols. And so we published
a number of those, we = NDR. And I would
really recommend you read and understand
that. But the lesson, again, is not
“Oh no, they’re going to detect you’re
using Tor”. We have never said that Tor
can e.g. protect you against someone
seeing that you’re using it. Especially in
the long term. But rather the point is
exactly the scariest point. This mass
internet surveillance is real. And
it is the case that it is real-time.
And it’s a real problem.
applause
Roger: If you’re using Tor they see that
you’re using Tor. If you’re not using Tor
they see exactly where you’re going.
You end up in a list of people who went
to ‘this’ website, or ‘this’ website,
or used ‘this’ service, or sent
‘this’ document. And the diversity of
Tor users is part of the safety, where,
just because they know you’re using
Tor doesn’t tell them that much.
One of the other things I’ve been
wrestling with after looking at a bunch
of these documents lately is the whole
‘how do we protect against pervasive
surveillance’. And this is an entire talk
on its own. We’ve been doing some
design changes. We pushed out some changes
in Tor that protect you more against
pervasive surveillance. We – for the
technical people out there – we’ve reduced
the number of guard relays that you use
by default from 3 to 1. So there are
fewer places on the internet that get to
see your Tor traffic. That’s a good start.
One of the other lessons we’ve been
realizing: The internet is more centralized
than we’d like. So it’s easy to say
“Oh, we just need more exit relays,
and then we’ll have more protection
against these things”. But if we put
another exit relay in that same data
sensor (?) in Frankfurt that they’re
already watching that’s not actually going
to give us more safety against these
pervasive surveillance adversaries.
Something else I realized: so we used
to talk about how Tor does these two
different things. We’ve got anonymity,
we’re trying to protect against somebody
trying to learn what you’re doing, and
we’ve got circumvention, censorship
circumvention. We’re trying to protect
against somebody trying to prevent
you from going somewhere.
But it turns out in the surveillance
case they do deep packet inspection
to figure out what protocol you’re
doing, to find out what you’re up to.
And in the censorship case they do
deep packet inspection to figure out
what protocol you’re using, to decide
whether to block it. So it’s actually…
these fields are much more related
than we had realized before. And
it took us a while, I’m really happy that
we have these documents to look at,
so that we have a better understanding
of how this global surveillance
and censorship works. Long ago, so in
2007, I ended up doing a talk at the NSA,
to try to convince them that we were not
the bad guys. And you can read the notes
that they took about my talk at the
NSA. Because they’re published
in the Washington Post. So I encourage you
to go read what the NSA thought of my talk
to them. That same year I ended up going
to GCHQ, to give a talk to them, to try
to convince them that we were not the
bad people. And I thought to myself:
“I don’t want to give them anything
useful. I don’t want to talk about
anonymity, because I know they’re going
to try to break anonymity. So I’m going
to give them a talk that has nothing to do
with anything that they should care about.
I’m going to talk about the censorship
arms race in China, and DPI, and stuff
like that, that they shouldn’t care
about at all”. Boy, were we wrong!
applause
So the other thing to think about here,
there are a bunch of different pluggable
transports that could come in handy
against the surveillance adversary.
We have, so far, been thinking of
pluggable transports in terms of
‘there’s somebody trying to censor your
connection, they’re doing DPI, or they’re
looking for addresses, and they’re trying
to block things’. One of the things
we learned from this past summer’s
documents: imagine an adversary
who builds a list of all the public Tor
relays. And then they build a list of
all of the IP addresses that connect
to those Tor relays. Now they know
all the bridges, and many of the users.
And now they build a list of all the
IP addresses that connect to those IP
addresses. And they go a few hops out,
and now they know all the public relays,
all the bridges, all the users, all of
the other things that are connected to
Tor. And they can keep track of which ones
they should log traffic for, for the next
6 months, rather than the next week.
That’s a really scary adversary. Some of
the pluggable transports we’ve been
working on could actually come in handy
here. So ‘Flash proxy’ is one of the ones
you heard about in last year’s talk. The
basic idea of a Flash proxy is to get
users running web browsers to volunteer
running web-RTC, or something like that
to basically be a short-lived bridge
between the censored user and
the Tor Network. So the idea is that you
get millions of people running browsers,
and then you can proxy from inside China,
or Syria, or America, or wherever
the problem is, through the browser into
the Tor Network. But from the surveillance
perspective suddenly they end up with
an enormous list of millions of people
around the world that are
basically buffering the Tor user
from the Tor Network. So if they
start with this list of IP addresses,
and they’re trying to build a list of
everything, now they end up
with millions of IP addresses
that have nothing to do with Tor.
And they have to realize, at the time
they’re watching, that they want to go
one more hop out. So I don’t
know if that will work. But this is
an interesting research area that more
people need to look at: How can we,
against an adversary who’s trying to build
a list of everybody who has anything to do
with Tor, how can we have
Tor users not end up on that list.
What sort of transports or tunneling
through Google app spot (?),
or other tools like that can we use
to break that chain, so it’s not as easy
for them to track down
where all the users are.
Okay, Silk Road 2, we’ve had a lot
of questions about. I think it’s called
Operation Onimous (?). I actually talked
to an American law enforcement person
who was involved in this. And he
told me, from his perspective, exactly
how it happened. Apparently the
Silk Road 2 guy wrote his name down
somewhere. So they brought him in,
and started asking him questions. And
as soon as they started asking him
questions he started naming names.
And they counted up to 16 names, and
they went and arrested all those people,
and collected their computers. And then
they put out a press release, saying
that they had an amazing Tor attack.
applause
So there are a couple of lessons here. One
of them is: Yes, it’s another case where
opsec failed. But the other lesson that
we learn is: These large law enforcement
adversaries are happy to use press spin
and lies, and whatever else it takes
to try to scare people away from
having safety on the internet.
Jacob: This is a really… to me,
especially, if I take off my Tor hat
and put on my journalistic hat, as if
I can actually take off hats etc., but
it’s really terrifying that journalists
don’t actually ask hard questions
about that. You know, the Europol people
that spoke to the press, they talked
about this as if they had some incredible
attack, they talked about 0-day,
they talked about how, you know,
they had broken Tor, “You’re not safe
on the Dark Web”. We don’t even use the
term ‘Dark Web’. That’s how you know
that they’re full of shit. But it’s…
applause
That’s sort of like when people have Tor
in all caps (?)(?)(?)(?)(?)(?), dark web,
that kind of stuff, this is a bad sign. But
the way they talk about it, it was clear
that they, as far as we can tell, they
don’t have that. But they really hyped it.
As much as they possibly could. I mean,
it is, effectively, and I think it is even
technically a psychological operation
against the civilian population. They
want to scare you into believing that Tor
doesn’t work. Because, in fact, it does work,
and it is a problem for them. So any time
they can ever have some kind of win-it-all
they always spin it as if they’re great,
powerful adversaries, and it’s
us-versus-them. And that’s exactly wrong.
It is not us-versus-them. Because we all
need anonymity. We all absolutely need
that. And they shouldn’t be treating us
as adversaries. They, in fact, are also
Tor users, quite ironically. So it is
interesting though, because they know that
they haven’t done that. But they don’t
want you to know that they haven’t done
that. In fact, they want you to know
the opposite. Of course we could be
wrong. They could have some
super-secret exploit, but as far as we can
tell that just is not the case. So, what’s
to be learned from this? We used to think
it was just American law enforcement
that were scary jerks. Now it’s also
European. I don’t know if that’s
the right buzzing(?). But hopefully some
of you will go and work at Europol,
and tell us what’s really going on.
applause
Roger: Speaking of Hidden Services. We
have a new design in mind, that will have
some stronger crypto properties, and make
it harder to enumerate Hidden Services.
It won’t solve some of the big anonymity
questions that are still open research
questions. But there are a lot of
improvements we’d like to make,
to make the crypto more secure, and
performance changes etc. And we’d been
thinking about doing some sort of crowd
funding, kickstarter-like thing, to make
Hidden Services work better. We’ve got
a funder who cares about understanding
Hidden Services, but that’s not the same
as actually making them more secure.
So we’d love to chat with you after this
about how to make one of those
kickstarters actually work.
Jacob: Right, so, if you have questions
we have some amount of time for questions.
And while you line up at the microphone
I’ll tell you a quick story. So if you
have questions please line up at the
microphone, so we can do this.
This is a picture of a man who was
assassinated in San Francisco.
His name is Harvey Milk. Anybody
here – ever hear of Harvey Milk?
applause
Great. Harvey Milk was basically the
first out-gay politician in, I think,
the United States. He was a city council
member in San Francisco. And this was
during a huge fever pitch apora (?) where…
basically it was the battle between:
“Are people who are gay people or not?”
And what he said is: Go home and
tell your brothers, your mothers, your
sisters, your family members and
your co-workers that you’re gay. Tell
them that, so that when they advocate
for violence against gay people, when
they advocate for harm against you
that they know they’re talking about you.
Not an abstract boogieman. But someone
that they actually know, and that they
love. We need every person in this room,
every person watching this video later to
go home and talk about how you needed
anonymity, for 5 or 10 minutes. How you
needed it every day to do your job.
We need people to reach out. Now that’s
a sad story with Harvey Milk which is
that he and mayor Moscone of San
Francisco were actually killed by
a very crazy person, that was also in city
government, in the American traditional
extreme gun violence. He was shot and
killed. And that person actually got away
with it. The so-called ‘Twinkie defense’.
So we’re not trying to draw that parallel.
Just to be clear please don’t shoot us and
kill us! Not even funny, unfortunately.
But to understand that we are really
under threat, a lot of pressure. There’s
a lot of pressure. We get pressure from
law enforcement investigation agencies
to backdoor Tor, and we tell them:
“No”, and that takes a lot of stress
and dumps it on us. And we need support
from a lot of people, to tell them
to back off. It can’t just be us that
say that. Or we will lose some day.
And there are also very scary adversaries
that do not care at all about the law.
Not that those guys care about the law but
really don’t care about the law at all.
And we need people to understand how
important anonymity is, and make sure
that that goes into every conversation.
So really, go home and teach your friends
and your family members about your
need for anonymity. This lesson
from Harvey Milk was very useful. It is
the case that now, in California where
there is a huge fever pitch (?) battle about
this that you can e.g. be gay and be
a school teacher. That was one of the
battles that Harvey Milk helped win.
applause
So, with that I think
that we have time for…
Herald: Yeah, we have like 10 minutes left
for questions. So, thank you so much
for the talk! It’s really inspiring.
Thank you for keeping up the work!
applause
Really! Although you do this every year
it never gets old. And I think your…
every year you give people the chance to
leave the Congress with a feeling of hope
and purpose. So, thank you so much for
everything you do and every minute
you spend on this project. So we start
with a question from the internet.
applause
Jacob: We’d like to take a few questions
from the internet all at once,
if possible, so we can try to answer
them as quickly as possible.
Signal Angel: Okay.
Herald: Alright.
Signal Angel: So, the first one: Yesterday
you said that SSH is broken. So
what should we use to safely
administrate our Tor relays?
Jacob: Hah! That’s great. So,
first of all! Next set of questions!
Signal Angel: So the next one is: How much
money would be needed to get independent
from Government funding,
and is that even desired?
Jacob: Ah, do you want me to do both?
Roger: Sure.
Jacob: Okay.
Signal Angel: Hope so.
Jacob: Okay. First question: Consider
using a Tor Hidden Service, and then
SSH’ing into that Tor Hidden Service.
Composition of cryptographic components
is probably very important. A detail about
SSH: We don’t know what is going on.
We only know what was claimed in those
documents. That’s a really scary claim.
This creates a political problem. The U.S.
Congress and other political bodies
should really be asking the secret
services if they really have a database
called CAPRI OS where they store
SSH decrypts. And how they populate
that database. Because that is critical
infrastructure. We can’t solve that problem
with the knowledge that we have right now.
But we know now: There is a problem.
What is that problem? So, composition
of those systems: It seems to be,
the documents say that they haven’t broken
the crypto in Tor Hidden Services. So
put those two together. And also consider
that cryptography only buys you time.
It really isn’t the case that all the
crypto we have today is going to be good
maybe in 150 years. If Sci-Fi quantum
computers ever come out, and they
actually work, Shor’s algorithm and
other things really seem to suggest
we have a lot of trouble ahead. And the
second part, about money: Yeah, we would
love to replace Government funding. I mean
at least I would. But that isn’t to say
that we don’t respect that there are
people that do fund us to do good things.
We do take money from agencies who e.g.
the Department of Human Rights and Labor,
at the State Department. They’re sort of
like the advertising arm for the
gun-running part of the State Department,
as Julian Assange would say. And they
actually care about Human Rights. They
care that you have access to anonymity.
It’s weird because the State Department
– the rest of it – might not care. But,
we really, really would like to off-set
that money. But we’d like to grow.
We’d like to be able to hire 100 people
in this room to work on this full-time.
Because the planet needs anonymity. But
that requires that we find that money.
And the best place at the moment is by
writing grant proposals. And that is how
we have in fact done that. And that
allows us also to operate openly.
So we don’t have e.g. clearances. And we
try to publish everything we can about it.
And if you ever write a FOIA we always
tell the agency that has received the
Freedom Of Information request: Give the
requestor everything. Give it all to them.
We have nothing to hide about this, we
want you to see that. We want you to see
that when a government agency has paid
us money that we have done it for THIS
line item, and THIS line item. And we’ve
done it as well as we could do it, and
it is in line with the open research, and
we have really done a good thing,
that helps people.
Roger: So I’d love to diversify our
funding. I’d love to have foundations,
I’d love to have the EFF model where
individuals fund because we do great things
– look at what we did over the past year –
and in fact, right here: Look at what we
did over the past year. We’ve done so
amazing things, we’re gonna do some more
amazing things next year. We need your
help to actually make all of this happen.
Jacob: Anybody here
a Bitcoin millionaire?
Because we now take Bitcoin!
applause
Herald: Alright, let’s take
a question from microphone 1.
Question: Just a short question:
is there a follow-up on the
Thomas White tor-talk mailing list thing?
Roger: So, Thomas White runs a few exit
relays. Some of them are quite large,
I’m very happy he does that. It is quite
normal for exit relays to come and go.
He is in England, and as far as I can tell
England is not a very good place to be
these days. But he’s trying to fix his
country from inside which is really great.
Basically the short version is: It’s not
a big deal. He runs some exit relays,
somebody tries to take them down, there
are 6000 relays in the network right now,
they go up and down, it’s normal.
Question: Is this related to the Tor
blog post, that Thomas White thing,
where you said there’s an upcoming…
Roger: It is unrelated, except for the
fact that everybody was watching.
So then, when he wrote a tor-talk mail
saying “Hey, I’m concerned about my
exit relays”, suddenly all the journalists
said: “Oh my god, they must be
the same thing!” So, no, unrelated!
Jacob: There are a lot of people that
have been attacking the Tor network.
You’ve probably seen there’ve been
Denial-of-Service attacks, and things
like that on the Tor directory
authorities. This is what I was saying
one or two slides ago when I said “Please
tell people the value of Tor, and that
you need it”. Because when people do
Denial-of-Service attacks, when they see
servers, we really need, in a peer2peer
network way, to draw up more relays
to actually increase the bandwidth
capacity, to increase the exit capacity.
And it’s very important to do that. Right?
I mean it’s very, very serious that
those things happen. But it’s also
important that the design of the network
is designed with the expectation that
thieves will steal computer systems,
that jerks will denial-of-service them
etc. So if you can run an exit relay,
thank you! Thank you for doing that.
Next question?
applause
Herald: Yeah. Let’s take a question
from microphone 2.
Question: First of all a quick shoutout to
your Ooni friend. Please don’t ask people
to run arbitrary code over the internet.
Curl-piper’s age (?) is not good style.
Roger: There’s a deb (?) that we’re working
on also that should be a lot better.
Jacob: Yeah, ‘apt-get install ooniprobe’
will also work.
Question: Do you have any plans
of implementing IPv6, finally?
Jacob: So there is IPv6, so Linus
Nordberg, one of the finest Tor people
I’ve ever met, he, in fact, helped add
IPv6 support, initial IPv6 support
to the Tor network. So, e.g. you can,
in fact, exit through the Tor network
with IPv4 or IPv6. It is the case that the
Tor relays in the network still all need
IPv4, not just IPv6. My Tor directory
authority which runs in California,
it has an IPv4 and an IPv6 address,
so if you have an IPv6 address you can
bootstrap, you can connect to that.
You could do some interesting
pluggable-transport stuff as well. So
that is on the road map. This is another
example of: If you really care about that
issue please send us your Bitcoins!
And it would be really fantastic because
we really want that! But right now,
you can use Tor as a v4-v6 gateway.
You really can do that, and we would
encourage that. It’s another example
of some kind of neat feature of Tor
which you would never think an
anonymity system would have.
Roger: And in Iran, right now, where IPv6
is not censored because the soft…
the censorship stuff they have from
America and Europe didn’t think
to censor IPv6…
laughter and applause
applause
so you can use a bridge right now in Iran
that connects over IPv6. Works great.
Jacob: Yeah. Next question?
Herald: Alright, microphone 4!
Question: So we heard lots of really
encouraging success stories about Tor
working against a global passive
adversary. But we know that Tor
wasn’t designed for this use case.
The question is: What needs to happen
in order for Tor to actually being
able to handle this, officially?
Is this just research, or some
more development work?
Roger: There’s a lot of really hard open
research questions there. So if you’re…
so, I get… basically one of the
issues is what we call the
end-to-end traffic correlation attack. So
if you can see the flow over here coming
into the Tor network, and you can see the
corresponding flow over here, coming out
of it, then you do some simple statistics,
and you say: “Hey, wait a minute, these
line up!” And there are a bunch of
different directions on how to make that
harder. Basically what you want to
do is drive up the false-positive rate.
So you see a flow here, and there are
actually 1000 flows that look like they
sort of match. And maybe you can do
that by adding a little bit of padding,
or delays, or batching or something. The
research, as we understand it right now,
means that you have to add hours
of delay, not seconds of delay.
That’s kind of crummy. So another way
of phrasing that: Imagine a graph,
the X axis is how much overhead
we’re adding. And the Y axis is
how much security we get against the
end-to-end correlation attack. We have
zero data points on that graph. We have
no idea what the curve looks like.
Jacob: There’s also another point which
is: Roger has an assumption. He says
if we have a high false-positive rate,
that that’s a good thing. Well, maybe,
maybe actually, that’s exactly the
wrong thing. Maybe the result is
that 1000 people get rounded up instead
of 1. The reality is that there is
no system that – as far as we know –
is actually safer than that. Of course
we would say that, we work on Tor. But as
an example: One of the XKeyscore things
that I’ve seen in this research which
we published in the NDR story is that
they were doing an attack on Hotspot Shield
where they were actually doing
traffic correlation where they were able
to de-anonymize VPN users because of
it’s a single hop. And then they were
also able to do Quantuminsert to attack
specific users using the VPN. We haven’t
seen evidence of them doing that to Tor.
That also doesn’t mean that every VPN
is broken. It just means that VPN
has a different threat model. There’s
lot of attacks that are like that, and
the problem is the internet is a dangerous
place. So, I mean, Banksy said it best:
He said, in the future people will be
anonymous for 15 minutes. And
I think he may have over-estimated
that. Depending on the attacker.
Roger: There’s a conference called the
Privacy Enhancing Technology Symposium,
petsymposium.org where all of the
Anonymous Communications researchers
get together each year to consider exactly
these sorts of research questions. So,
it’s not just an engineering question,
there’s a lot of basic science left
in terms of how to make
these things harder.
Herald: Alright, the last question
is one from the internet.
Signal Angel: Okay, so, does running
a Ooniprobe involve any legal risks?
Jacob: Okay, so, great! We can take
different questions, cause we’re gonna say
“Talk to Arturo!”
Herald: Alright, so, microphone 3!
Question: Okay, as a new
Tor relay operator I’ve got…
applause
Jacob: Take a bow!
Question: So, since about 2 months I run
3 relays, rather high bandwidth, and
on 2 of these I had quite strange things
happen. One case: A kernel crash in the
Intel e1000 driver, the other one having
the top-of-the-rack switch just reboot,
which is by the way a Juniper switch.
So I’m kind of concerned about this
operational security. You
know, could you trust that?
Jacob: Yeah, absolutely. So the short
version of it is: Agencies like the NSA,
depending on where you’re located, might
compromise something like your Juniper
switch upstream. They sit on Zerodays
for critical infrastructure, that includes
core routers, and switches. But
it may not be such a big thing.
It really depends on where you’re located.
It could also be that the hardware sucks.
laughter
And that the software is not good. And
when you, of course, are pushing,
let’s say gigabits of traffic through it
it falls over. It’s really hard to know.
That’s a really good question,
which is very specific, and kind of
hard for us to address without data.
Question: Sorry, I’m concerned that the
attack, like this, you know, they could,
actually, compromise the machine without
knowing, or compromise the exact uplink.
And this would actually be a viable
attack, like very low-key,
you don’t see it, as [an] operator,
maybe, if you’re not very careful.
And you can watch all the traffic
going inside, going outside the box.
Jacob: It would be fantastic
if you can prove that theory.
Because, of course, if you can, maybe we
can find other information that allows us
to stop those types of things to
happen, or e.g. can in some way
allow us to fix the problems that are
being exploited. The reality is that
general purpose computers
are quite frankly not very secure,
and special purpose computers
aren’t doing much better.
Roger: I worry not only about active
attacks like that but about passive attacks
where they already have some sort of
surveillance device up-stream from you
in you co-location facility, or something
like that. So, yes. These are all
really big concerns. One of the defenses
that Tor has is diversity around the world.
So, hopefully they won’t be able to do
that to all of the relays. But yeah,
this is a big issue. We should
keep talking about it.
Herald: Alright, I just wanna come back
to the question before, for a second.
Because there was a question from the
internet. So the people are not able
to talk. Ooniprobe guy, hey, could you
maybe answer the question, like,
right now, or maybe on Twitter,
or post a link or something?
Because I happen to believe that
it’s a very important question.
You remember the question?
If there are legal restric…
Arturo: Yeah well, I mean the thing is
that we don’t really know like what are
the… who was it that
was asking the question?
Jacob: The internet?
Arturo: Ah, the internet. Okay.
laughter and applause
Jacob laughs
So I guess we can’t know all of the
legal risks involved in every country.
It is definitely the case that in some
countries you may get in trouble
for visiting some websites that are
considered illegal. So, I can go
in more detail into this if you
come later to Noisy Square at 6.
Herald: The internet can’t
come, that’s the problem!
Arturo: Ah, the internet can’t come, shit!
Okay! laughter
So,… laughs
applause
Jacob: There’re a lot of jokes in that!
Arturo: The short answer is that you
should look at the test specifications,
that are written in English, and they have
at the bottom some notes that detail
what can be some of the risks involved.
But we are not lawyers. So we don’t know
what are the risks for all of the
countries. So you should probably speak
to somebody that knows about these things
in your country. And it’s experimental
software, and there are not many people
that are doing this. So we generally can’t
say. Hope that answers your question.
Question: Thanks a lot, yeah, thanks.
Herald: Alright, I guess, just to sum
it up: Be careful whatever you do.
laughter and applause
Alright, so, Jake was just asking
if maybe we could just gather a couple
of questions, and then ask about them
outside. Did I get that right?
Jacob: Yeah, so if everyone who is
at a microphone, disperse to the correct
microphone, if you could just ask all your
questions, then everyone else who’s here
that wants to hear the answers will know
that you should stick around and talk
to us afterwards. We won’t answer
all these questions unless there’s
a really burning one. But that way
the guys that are standing at the
microphone, or the gals that are
standing at the microphone or other, can
actually ask them right now, and if you’re
interested come and find us right
afterwards. We’re going to probably
go to the tea house upstairs, or
maybe I shouldn’t have said that.
laughter
Herald: Alright, so we’re gonna do it
like this. We’re gonna rush through this.
And we’re just gonna hear a lot of
interesting questions, but no answers. If
you wanna hear the answers stay tuned
and don’t switch the channel. So we take
a couple of questions. Microphone 5.
And be quick about it.
Question: In regards to robustness and
the Mozilla partnership: Are there any
thoughts about incrementally replacing
the C++ infrastructure
with Rust? Eventually?
Herald: Microphone 4!
Is it open, microphone 4?
Question: Can you compare Tor with JAP
from TU Dresden in aspects of anonymity?
Herald: Okay, the other
guy at microphone 4!
Question: To your knowledge has anyone got
into trouble for running a non-exit relay?
And do you have any tips for people that
wanna help by running a non-exit relay?
Herald: Okay, microphone 1, 2 guys.
Question: I have a question, or
a suggestion for the funding problematic.
Have you… you’re teaming up with Mozilla,
have you ever considered like producing
own smartphones, because there’s a huge
margin. I also think there’s a problem
like… why most people don’t use
cryptography is because there’s no
easy-to-use, out-of-the-box, cool product
that’s like… that goes out and has a story
or anything, like the marketing on Apple.
Herald: Alright, the other
guy at microphone 1.
Question: So a couple of minutes before
the talk started someone did a Sibyl (?)
attack on Tor. And we should fix that
a.s.a.p. So please don’t disappear
for the next few hours.
Jacob rages, laughing, theatrically
Thanks!
Roger: It never ends.
Jacob: It never ends!
Herald: Alright. Two questions
from microphone 3.
Question: So when they took
down Silkroad they took
a lot of Bitcoins with them. I wonder
what the [U.S.] Government is doing
with the large amount of anonymized cash.
Roger: They auctioned it off.
Jacob: They sell it. Next question.
Question: And I think they
should give it to you.
Herald: Alright. Last question!
Jacob: I fully agree!
Question: So to combat against the
‘misinformed journalists’ thing
why not have a dashboard, very
prominently displayed on the Tor Project
listing all of the academic, open
like known problems with Tor,
and always have the journalists go there
first to get the source of information,
rather than misunderstanding
academic research.
Jacob: Fantastic, so if you wanna know…
Herald: Alright, if you found any of these
questions interesting, and you’re also
interested in the answers stick around, go
to Noisy Square, speak to these two guys,
and get all your answers. Other than
that, you heard it a Brillion times, but:
go home, start a relay! My friends and I
did two years ago, after Jake’s keynote.
It’s really not that hard. You can make
a difference. And thank you so much,
for Roger and Jake, as every year!
applause
silent postroll titles
subtitles created by c3subtitles.de
in the year 2017. Join, and help us!