-
silent 31C3 preroll titles
-
applause
-
Roger: Okay, hi everybody! I’m Roger
Dingledine, and this is Jake Appelbaum.
-
And we’re here to tell you more
about what’s going on with Tor
-
over the past year. We actually wanted
to start out asking Laura to give us
-
a little bit of context from her
perspective, about Citizenfour,
-
and the value of these sorts
of tools to journalists.
-
applause
-
Laura: So. Am I live? Okay. Roger and Jake
asked me to say a few things about Tor,
-
and what does it mean for investigative
journalists. And I can say that certainly
-
the work that I’ve done, on working with
disclosures by Edward Snowden, and
-
first communicating with him would not
have been possible. Without the work
-
that these 2 people do. And that everybody
[does] who contributes to the Tor network.
-
So I’m deeply grateful to everyone here.
-
applause
-
When I was communicating with Snowden
for several months before I met him
-
in Hongkong we talked often about the Tor
network, and it’s something that actually
-
he feels is vital for online
privacy. And, to sort of
-
defeat surveillance. It’s really our
only tool to be able to do that. And
-
I just wanted to tell one story about what
happens when journalists don’t use it.
-
I can’t go into lots of details, but
there’s a very well known investigative
-
journalist who was working on a story.
He had a source. And the source was
-
in the Intelligence community. And he had
done some research on his computer,
-
not using Tor. And I was with him when
he got a phone call. And on the phone,
-
the person was saying: “What the fuck were
you doing looking up this, this and this?”
-
And this is an example of what
happens when Intelligence agencies
-
target journalists. So without Tor
we literally can’t do the work that
-
we need to do. So thank you,
and please support Tor! Thanks!
-
applause
-
Roger: Well, thank you!
continued applause
-
Jacob: So to follow-up on what Laura
has just said: We think it’s important
-
to really expand, not just into the
technical world, or to talk about
-
the political issues in some abstract
sense. But also to reach out to culture.
-
So in this case, this is a picture in the
Reina Sofia which is one of the largest
-
museums in Spain. And that in the middle
is Mason Juday, and Trevor Paglen,
-
and that’s me on the right. And the only
time you’ll ever find me on the right!
-
And so it is the case that this is
a Tor relay. It’s actually 2 Tor relays
-
running on the open hardware device
Novena, made by bunny and Sean.
-
And it’s actually running as a middle
relay now, but it may in some point
-
with one configuration change become
an exit relay. And it is the case that
-
the Reina Sofia is hosting this Tor relay.
So, now, if… so we live in capitalism…
-
applause
-
So it is the case that if the Police wanna
seize this relay they got to buy it
-
like every other piece
of art in the museum.
-
laughter and applause
-
And part of the reason that we’re
doing this kind of stuff – at least
-
that piece of art which I did with Trevor
and Mason and Leif Ryge who is also
-
in this room, and Aaron Gibson, also in
this room – is because we think that
-
culture is important. And we think that
it’s important to tie the issue of anonymity
-
not just as an abstract idea but as an
actual thing that is representative
-
not only of our culture but of the world
we want to live in, overall. For all the
-
cultures of the world. And so, for that
reason we also have quite recently
-
been thinking a lot about social norms.
And it is the case that there’s a person
-
in our community, and many persons in our
community that have come under attack.
-
And have been deeply harassed.
And we think that that sucks!
-
And we don’t like that. Even though we
promote anonymity without any question,
-
i.e. no backdoors ever, and we’ll
get back to that in a minute,
-
it is the case that we really
want to promote ‘being
-
excellent to each other’. In the
sort of spirit of Noisebridge!
-
applause
-
And it’s still a little bit American-centric
but you can get the basic idea.
-
It applies to Europe as well. Just replace
‘First Amendment’ with some of your local law.
-
Or a local constitutional right. It isn’t
the case that we’re saying that you
-
shouldn’t have the right to say things.
But we are saying “Get the fuck out
-
of our community if you’re going
to be abusive to women!”
-
applause and cheers
-
And you’ll note that I used the word
‘Fuck’ to say it. And I’m sorry about that.
-
Because the point is we all make mistakes.
And we want to make sure that while
-
it’s true that we have transgressions we
want to make sure that we can find
-
a place of reconciliation, and we can
work towards conflict resolution.
-
And it’s important at the same time to
recognize that there are people who’s
-
real lives are harmed by harassment
online. In this case one of the people
-
is in this audience. And I hope that they
won’t mind being named. But we want
-
to give her a shoutout and say
that we stand behind her 100%.
-
Roger: Yeah, so, …
-
applause
-
So one of our developers on core Tor,
Andrea, has been harassed on Twitter
-
and elsewhere, really a lot more
than should happen to anybody.
-
And there are a couple of points
to make here. One of them is:
-
She’s a woman, and women online
have been harassed for basically
-
since ‘online’ has existed. Not just
women, other minorities, pretty much
-
all over the place. Especially recently
things have been getting worse.
-
The other important point to realize:
she’s not just being attacked because
-
she happens to be there. She’s being
attacked because they’re trying to attack
-
the Tor project and all the other people
in Tor. So, yes, she may be the focus
-
of some of the attacks but we - the rest
of the Tor community, the rest of the
-
security community - need to stand up
and take on some of this burden of
-
communicating and interacting,
and talking about these issues.
-
We can’t just leave it
to her to defend herself.
-
applause
-
Jacob: And so we want to set a particular
standard which is that there are
-
lots of journalists that have a lot of
questions. And we really think that
-
there are a lot of legitimate questions to
ask. E.g. I think it sucks that we take
-
Department of Defense money, sometimes.
And sometimes I also think it’s good that
-
people have the ability to feed
themselves, and have the ability
-
to actually have a home and a family. Now,
I don’t have those things, really. I mean
-
I can feed myself, but I don’t have a home
or a family in the same way that, say,
-
the family people on side of Tor do. And
they need to be paid. It is the case that
-
that is true. And that raises questions.
Like I, personally, wouldn’t ever take
-
CIA money. And I think that nobody should.
And I don’t think the CIA should exist.
-
But we have a diversity…
-
applause
-
…we have a diversity of funding because
we have a diversity of users. And so that
-
raises a lot of questions. And I think
people should ask those questions.
-
And Roger, and the rest of the Tor
community feels that way, too. But
-
it’s important that we don’t single out
a specific person. And, in particular,
-
to single out Andrea, again. She
does not deserve all the heat about
-
some of the decisions that the
Tor project as a non-profit makes.
-
She is a developer who is integral to
Tor. If it was not for her a significant
-
portion of Tor would not exist. It
would not be as bug free as it is.
-
And it would not be getting better all the
time. So we want people to reach out
-
to this alias, if they actually want
to talk, and have a forum where
-
the whole of Tor can really respond, and
think about these things in a positive way,
-
and really engage with the press. In a way
that we can manage; because at the moment
-
we get, I would say, 5 (on
average) press requests every day.
-
That’s really a lot. And it is also the
case that 4 of those requests
-
are very well phrased, extremely
reasonable questions. And one of them is,
-
you know: “Why to
choose to run Tor?” And
-
we should address all of them. We
really should. And at the same time
-
we have to recognize that some of these
people that are kind of harassing,
-
they might trigger me. That one will
trigger me, and I would probably
-
write back with something kind of shitty.
So we want to distribute the work in a way
-
where people will be nice. Even to the
people that are unreasonable. Because
-
at the core – we need to be held to
account, and we need people to look to us
-
about these things, and to ask us these
hard questions. And so this is the address
-
to reach out to: [press@torproject.org].
Not harassing Andrea online on Twitter.
-
Not coming after individual developers.
Not posting crazy stuff on the mailing list.
-
Wait until we’ve actually talked to you,
then post the crazy stuff on the mailing list.
-
Or wherever you’re going to post it. And
then hopefully we can actually answer
-
the questions in a good faith-, helpful
way. There’s no reason to talk about
-
conspiracy theories, we can just
talk about the business plans.
-
And into that point wanna make it clear:
-
stop being an asshole to people in the
community. But this is not negotiable.
-
We’re not saying because we don’t want
you to harass people that we’re going
-
to backdoor Tor. That will never happen.
You will find a bullet in the back of my head
-
before that happens. And maybe Roger’s,
too. Depending on the order of operations.
-
laughter and applause
-
Roger: Okay, so we’re going to talk
a little bit about the various things
-
we’ve done over the past year. To
give you a very brief introduction to Tor:
-
Tor is an anonymity system. You’ve got
Alice, the client over there. She builds
-
a path through 3 different relays
around the world. And the idea is
-
that somebody watching her local
network connection can’t figure out
-
what destination she’s going to. And
somebody watching the destinations
-
can’t figure out where she’s coming
from. And we have quite a few relays
-
at this point. Here’s a… the red line is
the graph of the number of relays
-
we’ve had over the past year. For those
of you who remember ‘Heartbleed’
-
you can see the big drop in April when
we removed a bunch of relays that
-
had insecure keys. But this is not the
interesting graph. The interesting graph
-
is ‘capacity over the past year’. And
we’ve gone from a little over 6 GBps
-
of capacity up to more
than 12 GBps of capacity.
-
applause
-
And as long as we can make the difference
between those 2 lines big enough then
-
Tor performance is pretty good. But we rely
on all of you to keep on running relays,
-
and make them faster etc. so that we
can handle all the users who need Tor.
-
Okay, another topic. Deterministic
builds. Mike Perry and Seth Schoen
-
did a great talk a few days ago. So you
should go watch the stream on that!
-
The very short version is: We have
a way of building Tor Browser so that
-
everybody can build Tor Browser
and produce the same binary.
-
And that way you don’t have to worry about
problems on your build machine and you can
-
actually check that the program we give
you, really is based on the source code
-
that we say that it is.
-
Jacob: And this is of course important
because we really don’t want to be
-
a focal point where someone comes
after us and says: “You have to produce
-
a backdoored version”. So it’s very
important because we do receive
-
a lot of pressure, from a lot of different
groups. And we never want to cave.
-
And here’s how we think it is the
case that we will never cave:
-
Free Software, open specifications,
reproducible builds,
-
things that can be verified
with cryptographic signatures.
-
That will not only keep us honest
against the – what do you call it –
-
the angels of our better nature.
I don’t believe in angels. But anyway.
-
The point is that it will keep us honest.
But it will also keep other people at bay.
-
From trying to do something harmful to
us. Because when something happens
-
you will be able to immediately find it.
And Mike Perry, by the way, is incredible.
-
He probably hates that I’m saying his name
right now. Sorry, Mike! Are you here?
-
laughter
Bastard! laughs
-
But Mike Perry is a machine. He also
has a heart! But he’s a machine.
-
And he’s incredible. And he has been
working non-stop on this. And he is really
-
ground-breaking in not only doing
this for Firefox but really thinking
-
about these hard problems, and
understanding that if he was just building
-
this browser by himself, and he was
doing it in a non-verifiable way
-
that it would really, actually be
a serious problem. Because we distribute
-
this software. And so, I mean
there is a reason that the NSA
-
calls Mike Perry a “worthy adversary”.
And it is because he’s amazing!
-
applause
So let’s give it up for Mike Perry!
-
ongoing applause
-
Roger: Not only that, but his work, along
with Bitcoin’s work has pushed Debian
-
and Fedora, and other groups to work
on reproducible builds as well. So,
-
hopefully the whole security
community will get better!
-
applause
-
Jacob: And to the point about Citizenfour.
One of the things that’s been happening
-
quite recently is that really respectable
nice people like the people at Mozilla
-
have decided that they really want
us to work together. Which is great.
-
Because we wanted to, and we have
respected their work for a very long time.
-
And so Tor is now partnering with Mozilla.
And that means that Mozilla, as a group,
-
will be running Tor relays. At first
middle nodes, and then, hopefully,
-
we believe, exit relays. And that is
huge because Mozilla is at the forefront
-
of doing a lot of work for end users. Just
everyday regular people wanting privacy.
-
Things like DoNotTrack e.g.
are a way to try to experiment.
-
Things like the Tor Browser a way to
experiment even further. To really bring
-
Privacy-by-Design. And it’s amazing
that Mozilla is doing that. And
-
we’ve made a partnership with them, and
we’re hopeful, cautiously optimistic even,
-
that this is going to produce some very
good results where our communities can
-
sort of fuse, and give Privacy-by-Design
software to every person on the planet
-
with no exceptions whatsoever.
-
applause
-
Now we also have a couple of things
that we would like to talk about,
-
just generally, that are a little bit
technical. But at the same time
-
we wanna keep it accessible because
we think that this talk, well, it’s useful
-
to talk about technical details. The most
important thing is somebody who has
-
never heard of the Tor community before,
who watches this video, we want them
-
to understand some of the
details, and enough, let’s say,
-
technical understanding that they’ll be
able to go and look it up if they want to,
-
but they’ll also understand we’re not
just glossing over, completely.
-
So, pluggable transports are very
important. Right now, the way
-
that Tor works is that we connect with an
SSL/TLS connection. The protocol SSL/TLS,
-
one of the 2, depending on the client
library, and the server library. And
-
that looks like an SSL connection, for
the most part. But as some of you know
-
there are people on this planet
they collect SSL and TLS data,
-
about everything flowing across the
internet. That’s really a problem.
-
It turns out we thought in some cases
that it was just censorship that mattered.
-
But it turns out broad classification
of traffic is really, actually, a problem
-
not just for blocking but also for later
doing identification of traffic flows.
-
So I’ve already lost the non-technical
people in the audience, so, let me
-
rephrase that and say: We have these other
ways of connecting to the Tor network.
-
And they don’t look just like a secure
banking transaction. They look instead
-
like DNS, or HTTP – that is your regular
web browsing or name resolution.
-
And we have a lot of different pluggable
transports. And some of them are cool.
-
Some of them make it look like you’re
connecting to Google. When in fact you’re
-
connecting to the Tor Project. And it’s
because you, in fact, are connecting
-
to Google. Leif Ryge, are you
in the room, here? Maybe, no?
-
This is really… you guys,
and your anonymity!
-
laughter
It is the case…
-
he showed this to me, I mentioned this to
some other people and David Fifield,
-
I think, either independently rediscovered
it. There’s also the GoAgent people
-
that discovered this. You can connect
to Google with an SSL connection,
-
and the certificate will say:
dadada.google.com. And you of course
-
verify it. And it is of course signed,
probably by Adam Langley, personally.
-
And… maybe it’s just the Google
CAs. And then you give it a different
-
HTTP host header. So you say: actually
I wanna talk to Appspot. I wanna talk
-
to torbridge.appspot.com.
And inside of the TLS connection,
-
which looks like it’s a connection to
Google which is one of the most popular
-
websites on the internet you then make
essentially an encrypted connection
-
through that. And then from there
to the Tor network. Using Google,
-
but also Cloudflare – they don’t
just provide you with captchas!
-
laughter and applause
laughs
-
Poor Cloudflare guy! We were joking
we should stand outside his office
-
and make him answer
captchas to get in the door!
-
laughter and applause
-
All of those people clapping wish you
would solve the Cloudflare captcha issue!
-
So it also works with other compute
clusters. And other CDNs.
-
And so this is really awesome because
it means that now you can connect
-
through those CDNs to the Tor network,
using Meek (?) and other pluggable transports
-
like that. So that’s a huge win.
And deploying it by default
-
– I think we have another slide for that…
-
Roger: Nope, that’s it!
We’ve got a different one, yes.
-
So, one of the neat things about Meek (?) is:
because it works on all these different
-
sorts of providers – Akamai
and all the CDNs out there –
-
a lot of those are still reachable from
places like China. Lots of our pluggable
-
transports don’t work so well in China,
but meek does, at this point.
-
So there are a lot of happy users.
Here’s a graph of an earlier
-
pluggable transport that we had,
called ‘obfs3’. It still works in China,
-
and Iran, and Syria and lots
of places around the world.
-
But the sort of blue/aqua line is
-
how much use we’ve seen of
obfs3. And you can tell exactly
-
when we put out the new Tor browser
release that had obfs3 built-in
-
and easy-to-use by ordinary people.
So one of the really important pushes
-
we’ve been doing is trying to make
– rather than trying to explain
-
how pluggable transports work, and
teach you everything – just make them
-
really simple. Make them part of Tor
browser, you just click on “My Tor
-
isn’t working so I wanna use some
other way to make my Tor work”.
-
And we’ve got 10.000 people at this
point who are happily using obfs3.
-
I think a lot of them are in
Syria and Iran at this point.
-
applause
-
Something else we’ve been doing over
the past year is working really hard
-
on improving the robustness,
and testing infrastructure,
-
and unit tests for the core Tor
source code. So Nick Mathewson
-
and Andrea Shepard in particular
have been really working on robustness
-
to make this something we can rely
on, as a building block in tails,
-
in Tor browser, in all the other
applications that rely on Tor.
-
So in the background things were
getting a lot stronger. Hopefully that
-
will serve us very well
in the battles to come.
-
applause
-
Jacob: So this fine gentleman
who was a teen heartthrob
-
on Italian television many years ago…
-
Arturo: Thank you for doxing me!
Jacob: Sorry.
-
both laugh
-
If only you’d been using Tor!
-
Arturo: Yeah, TV over Tor. So…
A project that we started a couple
-
of years ago with Jake is sort of related
I guess to the Tor project’s goals of
-
increasing privacy and having a better
understanding on how people’s lives
-
are impacted through technology. And this
project is called OONI, or the ‘Open
-
Observatory of Network Interference’. And
what it is, before being a piece of software
-
is a set of principles, and best practices
and specifications written in English
-
for how it is best to conduct network
related measurements. That sort of
-
measurements that we’re interested in
running have to do with identifying
-
network irregularities. These are symptoms
that can be a sign of presence of
-
surveillance or censorship, on the network
that you’re testing. And we use
-
a methodology that has been peer-reviewed,
of which we have published a paper.
-
It’s implemented using free software. And
all of the data that we collect is made
-
available to the public. So that you can
look at it, analyze it and draw your
-
own conclusions from it.
applause
-
And so we believe that this effort is
something that is helpful and useful
-
to people such as journalists, researchers,
activists or just simple citizens that are
-
interested in being more aware, and have
a better understanding that is based
-
on facts instead of just anecdotes, on
what is the reality of internet censorship
-
in their country. And we believe that
historical data is especially important
-
because it gives us an understanding of
how these censorship and surveillance
-
apparatuses evolve over time. So
I would like to invite you all to run
-
Ooniprobe today, if you copy and paste
this command line inside of a Debian-based
-
system. Obviously… perhaps you should
read what is inside it before running it.
-
applause
-
But once you do that you will have
a Ooniprobe setup and you will be
-
collecting measurements for your country.
If instead you would like to have
-
an actual hardware device we have a very
limited number of them. But if you’re
-
from an interesting country and you’re
interested in running Ooniprobe
-
we can give you a little Raspberry Pi with
an LCD screen that you can take home,
-
connect to your network and adopt
a Ooniprobe in your home network.
-
To learn more about this you should come
later today at Noisy Square, at 6 P.M.
-
to learn more about it.
-
Roger: Thank you!
-
applause
-
Jacob: And, just to finish up here,
I mean, OONI is a human rights
-
observation project which Arturo and
Aaron Gibson – also somewhere in the room,
-
I’m sure he won’t stand up so I won’t even
ask him. It’s great! Because we went from
-
a world where there was no open
measurement, with only secret tools,
-
essentially, where people acted like
secret agents, going in the countries
-
to do measurements. There wasn’t really
an understanding of the risks that
-
were involved, how the tests function,
where non-technical people could have
-
reasonable explanations. And now we have
open measurement tools, we have open data
-
standards, we have really like a framework
for understanding this as a human right
-
to observe the world around you. And then
also to share that data, and to actually
-
discuss that data, what it means. And to
be able to set standards for it.
-
And hopefully that means that people have
informed consent when they engage
-
in something that could be risky, like running
Ooni in a place like… that is dangerous
-
like the United States or Cuba,
or something like China.
-
applause
And so, Arturo personally though, is
-
the heart and soul of Ooni. And it is
really important that we see that
-
the Tor community is huge. It’s really
huge, it’s made up of a lot of people
-
doing a lot of different things. And part
of Ooni is Tor. We need Tor to be able
-
to have a secure communications channel
back to another system, we need that
-
so that people can log into these
Ooniprobes e.g. over Tor Hidden Services.
-
That kind of fusion of things where we
have anonymity but at the same time
-
we have this data set that is in some
cases identifying, in some cases
-
it’s not identifying, depending on the
test. We need an anonymous communications
-
channel to do that kind of human rights
observation. And so… just so we can
-
make Arturo a little… feel a little
appreciated I just wanna give him
-
another round of applause, for making this
human rights observation project.
-
applause
Jacob joins the applause
-
Roger: So I encourage all of you not only
to run Ooniprobe in interesting places,
-
and in boring places because they might
become interesting. But also to help write
-
new tests, and work on the design of these
things, so that we can detect and notice
-
new problems on the internet more quickly.
Something else we’ve been up to over
-
the past year is Tor Weekly News. We were
really excited by Linux Weekly News etc.
-
and… so every week there’s a new
blog post and mail that summarizes
-
what’s happened over the past week.
We encourage you to look at all these.
-
A special shout-out to harmony and
lunar for helping to make this happen
-
over the past year. Thank you!
-
applause
-
Jacob: Finally there’s a Tor list you can
be on, that you really wanna be on!
-
Roger: Being on lists is good. One of the
other features we’ve been really excited
-
about over the past year: EFF has been
helping with Outreach. EFF ran
-
a Tor relay challenge to try to get a lot
of people running relays. And I think
-
they have several thousand relays that
signed up because of the relay challenge.
-
Pushing a lot of traffic.
So that’s really great!
-
applause
-
And at the same time not only did they
get a lot of more people running relays
-
but they also did some great advocacy
and outreach for getting more exit relays
-
in universities, and basically teaching
people why Tor is important. We all need
-
to be doing more of that! We’ll
touch on that a little bit more later.
-
So you all I hope remember what was
going on in Turkey, earlier this year.
-
Here’s a cool graph of Tor use in Turkey
when they started to block Youtube
-
and other things. Then people realized,
I need to get some tools to get around
-
that censorship. But you probably
weren’t paying attention when Iraq
-
filtered Facebook, and suddenly a lot of
people in Iraq needed to get some sort
-
of way to get around their censorship. So
there are a bunch of interesting graphs
-
like this on the Tor Metrics project, of
what’s been going on over the past year.
-
Jacob: And we actually…
– if you could go back, yeah.
-
One thing that’s really interesting about
this is: Karsten Loesing who is, I think,
-
also not going to stand up, maybe you
will? Are you here? I don’t see you,
-
Karsten? No? No, okay. He does all
the metrics, this anonymous, shadowy
-
metrics figure. And if you go to
metrics.torproject.org you’ll see
-
open data that is properly anonymized
– you would expect that from us –
-
as well as actual documents that explain
the anonymity, the counting techniques,
-
that explain the privacy conserving
statistics. And you can see these graphs,
-
you can generate them based on certain
parameters. If you are interested
-
in seeing e.g. geopolitical events,
and how they tie in to the internet,
-
this project is part of what inspired
Ooni. This is how we get statistics
-
and interesting things about the Tor
network itself. From Tor clients,
-
from Tor relays, from Tor bridges.
And it tells you all sorts of things.
-
Platform information, version number of
the software, which country someone
-
might be connecting from etc. Where
they’re hosted… If you are interested
-
looking at this website and finding spikes
like this you may in fact be able to
-
find out that there is a censorship event
in that country, and we haven’t noticed it.
-
There are a lot of countries in the world
if we split it up by country. And sometimes
-
50.000 Tor users fall off the Tor network
because another American company has sold
-
that country censorship equipment. We
need help finding these events, and then
-
understanding their context. So if in your
country something like that happens
-
looking at this data can help us not only
to advocate for anonymity in such a place
-
but it can help us to also technically
realize we need to fix a thing,
-
change a thing… And it’s through this
data that we can have a dialog
-
about those things. So if you have no
technical ability at all but you’re
-
interested and understand where you
come from – look at this data set, try
-
to understand it, and then reach out to us
and hopefully we can learn about that.
-
That’s how we learn about this, that’s how
we learned about the previous thing.
-
And many years ago we gave a Tor talk
about how countries and governments
-
and corporations try to censor Tor. And
of course, a lot has happened since then.
-
There’s a lot of those things, and very
difficult to keep up with them. So
-
we really need the community’s help to
contextualize, to explain and define
-
these things.
-
Roger: Okay. Next section of the talk,
‘things that excited journalists over
-
the past year’. That actually turned out
to be not-so-big a deal. And we’re gonna
-
try to blow through a lot of them quickly,
so that we can get to the stuff that
-
actually was a big deal. So I guess in
August or something there was going to be
-
a Blackhat talk about how you can
just totally break Tor, and then
-
the Blackhat talk got pulled. Turns out
that it was a group at CMU who were
-
doing some research on Tor. And I begged
them for a long time to get a little bit
-
of information about what attack they had.
Eventually they sent me a little bit of
-
information. And then we were all
thinking about how to fix it. And then
-
Nick Mathewson, one of the Tor developers,
said: “Why don’t I just deploy
-
a detection thing on the real Tor network,
just in case somebody is doing this?” And
-
then it turns out somebody was doing this.
And then I sent mail to the Cert (?) people
-
saying: “Hey, are you, like, are you like
running those 100 relays that are doing
-
this attack on Tor users right now?” And
I never heard back from them after that.
-
So that’s sort of a… this is a sad
story for a lot of different reasons.
-
But I guess the good news is we identified
the relays that were doing the attack,
-
we cut them out of the network, and we
deployed a defense that will first of all
-
make that particular attack not
work anymore. And also detect it
-
when somebody else is trying
to do an attack like this.
-
Jacob: This, of course, is…
-
applause
-
This is a hard lesson, for 2 reasons.
The first reason is that that it’s awful
-
to do those kinds of attacks on the real
Tor network. And there’s a question about
-
responsibility. But the second lesson is
that when these kinds of things happen,
-
and we have the ability to actually
understand them we can respond to them.
-
It’s really awful that the talk
was pulled, and it is really awful
-
that these people were not able to give
us more information. And it’s also really
-
awful that they were apparently carrying
out the attack. And there were lots
-
of open questions about it. But in general
we believe that we’ve mitigated the attack
-
which is important. But we also
advocated for that talk to go forward.
-
Because we think that, of course, the
answer to even really frustrating speech
-
is more speech! So we wanna know more
about it. It somehow is very disturbing
-
that that talk was pulled. And they should
be able to present their research,
-
even if there’s anger on our face it’s
important for our users to know as much
-
as we can, so that we can move
forward with protecting Tor users.
-
Roger: Okay, so, another exciting
topic from a couple of months ago:
-
Russia apparently put out
a call-for-research work…
-
loud splashing noise from Jake
opening a loaded water bottle
-
…to come up with attacks on Tor.
Jacob: It’s another attack on Tor!
-
Roger: Enjoy your water, Jake.
I hope that was worth it. laughs
-
Jacob: laughs It was really
worth it. Was very thirsty.
-
Roger: So Russia put out a
call-for-research proposals
-
on attacking Tor. Somebody mistranslated
that phrase from Russian into ‘prize’,
-
or ‘bounty’, or ‘contest’. And then we had
all these articles, saying “Russia is
-
holding a contest to break Tor” when
actually, no, they just wanted somebody
-
to work on research on Tor attacks.
So this would be like the U.S. National
-
Science Foundation holds a contest
for Tor research. That’s not actually
-
how government funding works.
Mistranslations cause a lot of
-
exciting journalist articles but as
far as I can tell it turned out to be
-
basically nothing. Also it was basically
‘no money’. So, maybe something
-
will come of this, we’ll see. Something
else that’s been bothering me a lot,
-
lately: Cryptowall, now called
‘Cryptolocker’. So, there are jerks
-
out there who break into your
mobile phone of some sort,
-
give you malware, viruses, something
like that. They encrypt your files,
-
and then they send you basically a ransom
note saying “We’ve encrypted your file,
-
if you want it back send some Bitcoin over
here!” So this is bad, so far. But then
-
the part that really upsets me is they
say: “And if you don’t know how to do this
-
go to our website torproject.org and
download the Tor Browser in order
-
to pay us”. Fuck them! I do not want
people doing this with our software!
-
applause
-
Jacob: Yeah, fuck them. I mean I don’t
really have a lot to contribute to that.
-
I mean it’s really… Hidden Services have
a really bad rap, and it’s frustrating,
-
right? There’s a… of course this
quantitative and qualitative analysis
-
that we can have here. And the reality
of the situation is that one Globaleaks
-
leaking interface is ‘one.onion’ (?), for
example. What is the value of that?
-
Versus 10.000 Hidden Services run by these
jerks? And it’s very hard to understand
-
the social value of these things, except
to say that we really need things like
-
Hidden Services. And jackasses like this
are really making it hard for us to defend
-
the right to publish anonymously. And so,
if you know who these people are please
-
ask them to stop! I don’t even know
what the ask is there. But they really
-
should stop. Or maybe there’s some
interesting things that you can do.
-
I don’t know. But we really, really
don’t like that this is someone’s
-
first introduction to Tor! That they think
that we’re responsible for this. We
-
most certainly are not responsible for
these things. We certainly do not deploy
-
malware. And Hidden Services are actually
very important for a lot of people.
-
These people are not those people!
-
applause
-
Roger: Another ‘exciting’ story,
a month or 2 ago, was,
-
“81% of Tor users can be de-anonymized…”
and then some more words, depending on
-
which article you read. So it turns out
that one of our friends, Sambuddho, who is
-
a professor in India now, did some work
on analyzing traffic correlation attacks
-
in the lab. He found, in the lab, that
some of his attacks worked sometime,
-
great… And then some journalists found it,
and said: “Ah! This must be the reason why
-
Tor is insecure today”. So he wrote
an article, it got Slashdot, it got
-
all the other news stories. And suddenly
everybody knew that Tor was broken
-
because “81% of Tor users…”.
So it turns out that Sambuddho himself
-
stood up and said actually: “No, you
misunderstood my article”. But
-
that didn’t matter because nobody listened
to the author of the paper at that point.
-
So I guess there’s a broader issue that
we’re struggling with here, in terms of
-
how to explain the details of these
things because traffic correlation attacks
-
are a big deal. They probably do work
if you have enough traffic around
-
the internet, and you’re looking at the
right places. You probably can do
-
the attack. But that paper did not do the
attack. So I keep finding myself saying:
-
“No no no, you’re misunderstanding the
paper, the paper doesn’t tell us anything,
-
but the attack is real! But the paper
doesn’t tell us anything”. And this is
-
really confusing to journalists because
it sounds like I’m disagreeing with myself
-
with these 2 different sentences. So we
need to come up with some way to
-
be able to explain: “Here are all of the
real attacks, that are really actually
-
worrisome, and it’s great that researchers
are working on them. And they probably
-
are a big deal, in some way. But no, that
paper that you’re pointing at right now
-
is not the reason why they’re a big
deal”. We also saw this in the context
-
of an NSA paper which was published
a couple of days ago, thanks to
-
some other folks.
Jacob: Sad, ‘some other folks’!
-
Roger: ‘Some other folks’. I won’t specify
-
exactly which other folks. And they
similarly had a traffic correlation attack.
-
And in the paper it’s really a bad one.
It’s the same as the paper that was
-
published in 2003, in the open literature.
There was a much better paper
-
published in 2004, in the open literature,
that apparently these folks didn’t read.
-
So I don’t wanna say traffic correlation
attacks don’t work, but all these papers
-
that we’re looking at don’t show…
aren’t very good papers.
-
Jacob: So one of the solutions to a lot
of journalists that don’t understand
-
technology is that it’s actually quite
easy to be a journalist by comparison
-
to being a technologist. It’s possible
to write about things in a factually
-
correct way, sometimes you don’t always
reach the right audiences, that can
-
actually be difficult. It depends. So you
have to write for different reading
-
comprehension levels, e.g. And we tried
to write for people who understand
-
the internet. At least when I write as
a journalist. And so, when I sometimes
-
take off my Tor hat I put on my journalistic
hat. And part of the reason is that
-
in order to even tell you about some
of the things that we learn, if I don’t
-
put on my journalistic hat I get a nice
pair of handcuffs. So it’s very important
-
to have journalistic protection so that we
can inform you about these things.
-
So e.g. it is the case that XKeyscore
rules – we published some of them.
-
Not ‘we’, Tor. But me and this set of
people at the top, of this by-line here.
-
In NDR. Some of you know NDR, it’s a very
large German publication. I also publish
-
with Der Spiegel, as a journalist. In this
case we published XKeyscore rules.
-
Where we specifically learned an important
lesson. And the important lesson was,
-
even if you’re a journalist explaining
things exactly technically correctly
-
– people will still get it wrong. It’s just
not the journalists that get it wrong.
-
It’s the readers. Very frustrating.
-
People decided that because the NSA
definitely has XKeyscore rules that is
-
rules for surveilling the internet, where
they’re looking at big traffic buffers.
-
TEMPORA e.g. the British surveillance
system that is built on XKeyscore.
-
With a – probably – week-long buffer of
all internet traffic. That’s a big buffer,
-
by the way. Doing these XKeyscore
rules, running across that traffic set,
-
they would find that people were
connecting to directory authorities.
-
One of those directory authorities is
mine, actually, quite ironically. And
-
then Sebastian Hahn, and other people
in this audience. And some people said:
-
“Oh, don’t use Tor because the NSA will
be monitoring you!” That is exactly
-
the wrong take-away. Because there are
XKeyscore rules on the order of tens of
-
thousands, from what we can tell.
So everything you do is going through
-
these giant surveillance systems. And
what you’ll learn when you monitor
-
someone using Tor is that they’re
using Tor potentially, in that buffer.
-
Which is different than ‘they learn
for sure that you were going to
-
the Chaos Computer Club’s web site’,
or that you were going to a dating site.
-
So it’s the difference between ‘they learn
some keeny (?) bit of information about you’,
-
that you’re using an anonymity
system, versus ‘they learned exactly
-
what you were doing on the internet’. Now
if there were only a few XKeyscore rules
-
at all, and it was just that about Tor
then that conclusion people reach
-
would be correct. But it’s exactly not
true. The XKeyscore system is so powerful
-
that if you have a logo for a company,
so anyone here that runs a company,
-
and you put a logo inside of a document,
the XKeyscore system can find that logo
-
in all of the documents flowing across the
internet in real-time. And alert someone
-
that someone has sent a .DOC or a PDF with
that image inside of it. And alert them.
-
So that they can intercept it. So the
lesson is not “Don’t use Tor because
-
XKeyscore may put your metadata into
a database, in the so-called ‘corporate
-
repositories’”. The lesson is “Holy shit,
there’s this gigantic buffering system
-
which has search capabilities that even
allow you to search inside of documents.
-
Really, really advanced capabilities where
they can select that traffic and put it
-
somewhere else”. “Use an anonymity
system!” And also: “Look, they’re
-
targeting anonymity systems, even in the
United States, which, at least for the NSA
-
they’re not supposed to be doing those
kinds of things”. They literately were
-
caught lying here. They’re doing
bulk internet surveillance even
-
in the United States. Using these
kinds of systems. That’s really scary.
-
But the real big lesson to take away from
that is, actually, that they’re doing this
-
for all the protocols that they can
write fingerprints for. And they have
-
a generic language where they can actually
describe protocols. And so we published
-
a number of those, we = NDR. And I would
really recommend you read and understand
-
that. But the lesson, again, is not
“Oh no, they’re going to detect you’re
-
using Tor”. We have never said that Tor
can e.g. protect you against someone
-
seeing that you’re using it. Especially in
the long term. But rather the point is
-
exactly the scariest point. This mass
internet surveillance is real. And
-
it is the case that it is real-time.
And it’s a real problem.
-
applause
-
Roger: If you’re using Tor they see that
you’re using Tor. If you’re not using Tor
-
they see exactly where you’re going.
You end up in a list of people who went
-
to ‘this’ website, or ‘this’ website,
or used ‘this’ service, or sent
-
‘this’ document. And the diversity of
Tor users is part of the safety, where,
-
just because they know you’re using
Tor doesn’t tell them that much.
-
One of the other things I’ve been
wrestling with after looking at a bunch
-
of these documents lately is the whole
‘how do we protect against pervasive
-
surveillance’. And this is an entire talk
on its own. We’ve been doing some
-
design changes. We pushed out some changes
in Tor that protect you more against
-
pervasive surveillance. We – for the
technical people out there – we’ve reduced
-
the number of guard relays that you use
by default from 3 to 1. So there are
-
fewer places on the internet that get to
see your Tor traffic. That’s a good start.
-
One of the other lessons we’ve been
realizing: The internet is more centralized
-
than we’d like. So it’s easy to say
“Oh, we just need more exit relays,
-
and then we’ll have more protection
against these things”. But if we put
-
another exit relay in that same data
sensor (?) in Frankfurt that they’re
-
already watching that’s not actually going
to give us more safety against these
-
pervasive surveillance adversaries.
Something else I realized: so we used
-
to talk about how Tor does these two
different things. We’ve got anonymity,
-
we’re trying to protect against somebody
trying to learn what you’re doing, and
-
we’ve got circumvention, censorship
circumvention. We’re trying to protect
-
against somebody trying to prevent
you from going somewhere.
-
But it turns out in the surveillance
case they do deep packet inspection
-
to figure out what protocol you’re
doing, to find out what you’re up to.
-
And in the censorship case they do
deep packet inspection to figure out
-
what protocol you’re using, to decide
whether to block it. So it’s actually…
-
these fields are much more related
than we had realized before. And
-
it took us a while, I’m really happy that
we have these documents to look at,
-
so that we have a better understanding
of how this global surveillance
-
and censorship works. Long ago, so in
2007, I ended up doing a talk at the NSA,
-
to try to convince them that we were not
the bad guys. And you can read the notes
-
that they took about my talk at the
NSA. Because they’re published
-
in the Washington Post. So I encourage you
to go read what the NSA thought of my talk
-
to them. That same year I ended up going
to GCHQ, to give a talk to them, to try
-
to convince them that we were not the
bad people. And I thought to myself:
-
“I don’t want to give them anything
useful. I don’t want to talk about
-
anonymity, because I know they’re going
to try to break anonymity. So I’m going
-
to give them a talk that has nothing to do
with anything that they should care about.
-
I’m going to talk about the censorship
arms race in China, and DPI, and stuff
-
like that, that they shouldn’t care
about at all”. Boy, were we wrong!
-
applause
-
So the other thing to think about here,
there are a bunch of different pluggable
-
transports that could come in handy
against the surveillance adversary.
-
We have, so far, been thinking of
pluggable transports in terms of
-
‘there’s somebody trying to censor your
connection, they’re doing DPI, or they’re
-
looking for addresses, and they’re trying
to block things’. One of the things
-
we learned from this past summer’s
documents: imagine an adversary
-
who builds a list of all the public Tor
relays. And then they build a list of
-
all of the IP addresses that connect
to those Tor relays. Now they know
-
all the bridges, and many of the users.
And now they build a list of all the
-
IP addresses that connect to those IP
addresses. And they go a few hops out,
-
and now they know all the public relays,
all the bridges, all the users, all of
-
the other things that are connected to
Tor. And they can keep track of which ones
-
they should log traffic for, for the next
6 months, rather than the next week.
-
That’s a really scary adversary. Some of
the pluggable transports we’ve been
-
working on could actually come in handy
here. So ‘Flash proxy’ is one of the ones
-
you heard about in last year’s talk. The
basic idea of a Flash proxy is to get
-
users running web browsers to volunteer
running web-RTC, or something like that
-
to basically be a short-lived bridge
between the censored user and
-
the Tor Network. So the idea is that you
get millions of people running browsers,
-
and then you can proxy from inside China,
or Syria, or America, or wherever
-
the problem is, through the browser into
the Tor Network. But from the surveillance
-
perspective suddenly they end up with
an enormous list of millions of people
-
around the world that are
basically buffering the Tor user
-
from the Tor Network. So if they
start with this list of IP addresses,
-
and they’re trying to build a list of
everything, now they end up
-
with millions of IP addresses
that have nothing to do with Tor.
-
And they have to realize, at the time
they’re watching, that they want to go
-
one more hop out. So I don’t
know if that will work. But this is
-
an interesting research area that more
people need to look at: How can we,
-
against an adversary who’s trying to build
a list of everybody who has anything to do
-
with Tor, how can we have
Tor users not end up on that list.
-
What sort of transports or tunneling
through Google app spot (?),
-
or other tools like that can we use
to break that chain, so it’s not as easy
-
for them to track down
where all the users are.
-
Okay, Silk Road 2, we’ve had a lot
of questions about. I think it’s called
-
Operation Onimous (?). I actually talked
to an American law enforcement person
-
who was involved in this. And he
told me, from his perspective, exactly
-
how it happened. Apparently the
Silk Road 2 guy wrote his name down
-
somewhere. So they brought him in,
and started asking him questions. And
-
as soon as they started asking him
questions he started naming names.
-
And they counted up to 16 names, and
they went and arrested all those people,
-
and collected their computers. And then
they put out a press release, saying
-
that they had an amazing Tor attack.
-
applause
-
So there are a couple of lessons here. One
of them is: Yes, it’s another case where
-
opsec failed. But the other lesson that
we learn is: These large law enforcement
-
adversaries are happy to use press spin
and lies, and whatever else it takes
-
to try to scare people away from
having safety on the internet.
-
Jacob: This is a really… to me,
especially, if I take off my Tor hat
-
and put on my journalistic hat, as if
I can actually take off hats etc., but
-
it’s really terrifying that journalists
don’t actually ask hard questions
-
about that. You know, the Europol people
that spoke to the press, they talked
-
about this as if they had some incredible
attack, they talked about 0-day,
-
they talked about how, you know,
they had broken Tor, “You’re not safe
-
on the Dark Web”. We don’t even use the
term ‘Dark Web’. That’s how you know
-
that they’re full of shit. But it’s…
applause
-
That’s sort of like when people have Tor
in all caps (?)(?)(?)(?)(?)(?), dark web,
-
that kind of stuff, this is a bad sign. But
the way they talk about it, it was clear
-
that they, as far as we can tell, they
don’t have that. But they really hyped it.
-
As much as they possibly could. I mean,
it is, effectively, and I think it is even
-
technically a psychological operation
against the civilian population. They
-
want to scare you into believing that Tor
doesn’t work. Because, in fact, it does work,
-
and it is a problem for them. So any time
they can ever have some kind of win-it-all
-
they always spin it as if they’re great,
powerful adversaries, and it’s
-
us-versus-them. And that’s exactly wrong.
It is not us-versus-them. Because we all
-
need anonymity. We all absolutely need
that. And they shouldn’t be treating us
-
as adversaries. They, in fact, are also
Tor users, quite ironically. So it is
-
interesting though, because they know that
they haven’t done that. But they don’t
-
want you to know that they haven’t done
that. In fact, they want you to know
-
the opposite. Of course we could be
wrong. They could have some
-
super-secret exploit, but as far as we can
tell that just is not the case. So, what’s
-
to be learned from this? We used to think
it was just American law enforcement
-
that were scary jerks. Now it’s also
European. I don’t know if that’s
-
the right buzzing(?). But hopefully some
of you will go and work at Europol,
-
and tell us what’s really going on.
-
applause
-
Roger: Speaking of Hidden Services. We
have a new design in mind, that will have
-
some stronger crypto properties, and make
it harder to enumerate Hidden Services.
-
It won’t solve some of the big anonymity
questions that are still open research
-
questions. But there are a lot of
improvements we’d like to make,
-
to make the crypto more secure, and
performance changes etc. And we’d been
-
thinking about doing some sort of crowd
funding, kickstarter-like thing, to make
-
Hidden Services work better. We’ve got
a funder who cares about understanding
-
Hidden Services, but that’s not the same
as actually making them more secure.
-
So we’d love to chat with you after this
about how to make one of those
-
kickstarters actually work.
-
Jacob: Right, so, if you have questions
we have some amount of time for questions.
-
And while you line up at the microphone
I’ll tell you a quick story. So if you
-
have questions please line up at the
microphone, so we can do this.
-
This is a picture of a man who was
assassinated in San Francisco.
-
His name is Harvey Milk. Anybody
here – ever hear of Harvey Milk?
-
applause
-
Great. Harvey Milk was basically the
first out-gay politician in, I think,
-
the United States. He was a city council
member in San Francisco. And this was
-
during a huge fever pitch apora (?) where…
basically it was the battle between:
-
“Are people who are gay people or not?”
And what he said is: Go home and
-
tell your brothers, your mothers, your
sisters, your family members and
-
your co-workers that you’re gay. Tell
them that, so that when they advocate
-
for violence against gay people, when
they advocate for harm against you
-
that they know they’re talking about you.
Not an abstract boogieman. But someone
-
that they actually know, and that they
love. We need every person in this room,
-
every person watching this video later to
go home and talk about how you needed
-
anonymity, for 5 or 10 minutes. How you
needed it every day to do your job.
-
We need people to reach out. Now that’s
a sad story with Harvey Milk which is
-
that he and mayor Moscone of San
Francisco were actually killed by
-
a very crazy person, that was also in city
government, in the American traditional
-
extreme gun violence. He was shot and
killed. And that person actually got away
-
with it. The so-called ‘Twinkie defense’.
So we’re not trying to draw that parallel.
-
Just to be clear please don’t shoot us and
kill us! Not even funny, unfortunately.
-
But to understand that we are really
under threat, a lot of pressure. There’s
-
a lot of pressure. We get pressure from
law enforcement investigation agencies
-
to backdoor Tor, and we tell them:
“No”, and that takes a lot of stress
-
and dumps it on us. And we need support
from a lot of people, to tell them
-
to back off. It can’t just be us that
say that. Or we will lose some day.
-
And there are also very scary adversaries
that do not care at all about the law.
-
Not that those guys care about the law but
really don’t care about the law at all.
-
And we need people to understand how
important anonymity is, and make sure
-
that that goes into every conversation.
So really, go home and teach your friends
-
and your family members about your
need for anonymity. This lesson
-
from Harvey Milk was very useful. It is
the case that now, in California where
-
there is a huge fever pitch (?) battle about
this that you can e.g. be gay and be
-
a school teacher. That was one of the
battles that Harvey Milk helped win.
-
applause
-
So, with that I think
that we have time for…
-
Herald: Yeah, we have like 10 minutes left
for questions. So, thank you so much
-
for the talk! It’s really inspiring.
Thank you for keeping up the work!
-
applause
-
Really! Although you do this every year
it never gets old. And I think your…
-
every year you give people the chance to
leave the Congress with a feeling of hope
-
and purpose. So, thank you so much for
everything you do and every minute
-
you spend on this project. So we start
with a question from the internet.
-
applause
-
Jacob: We’d like to take a few questions
from the internet all at once,
-
if possible, so we can try to answer
them as quickly as possible.
-
Signal Angel: Okay.
Herald: Alright.
-
Signal Angel: So, the first one: Yesterday
you said that SSH is broken. So
-
what should we use to safely
administrate our Tor relays?
-
Jacob: Hah! That’s great. So,
first of all! Next set of questions!
-
Signal Angel: So the next one is: How much
money would be needed to get independent
-
from Government funding,
and is that even desired?
-
Jacob: Ah, do you want me to do both?
Roger: Sure.
-
Jacob: Okay.
Signal Angel: Hope so.
-
Jacob: Okay. First question: Consider
using a Tor Hidden Service, and then
-
SSH’ing into that Tor Hidden Service.
Composition of cryptographic components
-
is probably very important. A detail about
SSH: We don’t know what is going on.
-
We only know what was claimed in those
documents. That’s a really scary claim.
-
This creates a political problem. The U.S.
Congress and other political bodies
-
should really be asking the secret
services if they really have a database
-
called CAPRI OS where they store
SSH decrypts. And how they populate
-
that database. Because that is critical
infrastructure. We can’t solve that problem
-
with the knowledge that we have right now.
But we know now: There is a problem.
-
What is that problem? So, composition
of those systems: It seems to be,
-
the documents say that they haven’t broken
the crypto in Tor Hidden Services. So
-
put those two together. And also consider
that cryptography only buys you time.
-
It really isn’t the case that all the
crypto we have today is going to be good
-
maybe in 150 years. If Sci-Fi quantum
computers ever come out, and they
-
actually work, Shor’s algorithm and
other things really seem to suggest
-
we have a lot of trouble ahead. And the
second part, about money: Yeah, we would
-
love to replace Government funding. I mean
at least I would. But that isn’t to say
-
that we don’t respect that there are
people that do fund us to do good things.
-
We do take money from agencies who e.g.
the Department of Human Rights and Labor,
-
at the State Department. They’re sort of
like the advertising arm for the
-
gun-running part of the State Department,
as Julian Assange would say. And they
-
actually care about Human Rights. They
care that you have access to anonymity.
-
It’s weird because the State Department
– the rest of it – might not care. But,
-
we really, really would like to off-set
that money. But we’d like to grow.
-
We’d like to be able to hire 100 people
in this room to work on this full-time.
-
Because the planet needs anonymity. But
that requires that we find that money.
-
And the best place at the moment is by
writing grant proposals. And that is how
-
we have in fact done that. And that
allows us also to operate openly.
-
So we don’t have e.g. clearances. And we
try to publish everything we can about it.
-
And if you ever write a FOIA we always
tell the agency that has received the
-
Freedom Of Information request: Give the
requestor everything. Give it all to them.
-
We have nothing to hide about this, we
want you to see that. We want you to see
-
that when a government agency has paid
us money that we have done it for THIS
-
line item, and THIS line item. And we’ve
done it as well as we could do it, and
-
it is in line with the open research, and
we have really done a good thing,
-
that helps people.
-
Roger: So I’d love to diversify our
funding. I’d love to have foundations,
-
I’d love to have the EFF model where
individuals fund because we do great things
-
– look at what we did over the past year –
and in fact, right here: Look at what we
-
did over the past year. We’ve done so
amazing things, we’re gonna do some more
-
amazing things next year. We need your
help to actually make all of this happen.
-
Jacob: Anybody here
a Bitcoin millionaire?
-
Because we now take Bitcoin!
-
applause
-
Herald: Alright, let’s take
a question from microphone 1.
-
Question: Just a short question:
is there a follow-up on the
-
Thomas White tor-talk mailing list thing?
-
Roger: So, Thomas White runs a few exit
relays. Some of them are quite large,
-
I’m very happy he does that. It is quite
normal for exit relays to come and go.
-
He is in England, and as far as I can tell
England is not a very good place to be
-
these days. But he’s trying to fix his
country from inside which is really great.
-
Basically the short version is: It’s not
a big deal. He runs some exit relays,
-
somebody tries to take them down, there
are 6000 relays in the network right now,
-
they go up and down, it’s normal.
-
Question: Is this related to the Tor
blog post, that Thomas White thing,
-
where you said there’s an upcoming…
-
Roger: It is unrelated, except for the
fact that everybody was watching.
-
So then, when he wrote a tor-talk mail
saying “Hey, I’m concerned about my
-
exit relays”, suddenly all the journalists
said: “Oh my god, they must be
-
the same thing!” So, no, unrelated!
-
Jacob: There are a lot of people that
have been attacking the Tor network.
-
You’ve probably seen there’ve been
Denial-of-Service attacks, and things
-
like that on the Tor directory
authorities. This is what I was saying
-
one or two slides ago when I said “Please
tell people the value of Tor, and that
-
you need it”. Because when people do
Denial-of-Service attacks, when they see
-
servers, we really need, in a peer2peer
network way, to draw up more relays
-
to actually increase the bandwidth
capacity, to increase the exit capacity.
-
And it’s very important to do that. Right?
I mean it’s very, very serious that
-
those things happen. But it’s also
important that the design of the network
-
is designed with the expectation that
thieves will steal computer systems,
-
that jerks will denial-of-service them
etc. So if you can run an exit relay,
-
thank you! Thank you for doing that.
Next question?
-
applause
Herald: Yeah. Let’s take a question
-
from microphone 2.
-
Question: First of all a quick shoutout to
your Ooni friend. Please don’t ask people
-
to run arbitrary code over the internet.
Curl-piper’s age (?) is not good style.
-
Roger: There’s a deb (?) that we’re working
on also that should be a lot better.
-
Jacob: Yeah, ‘apt-get install ooniprobe’
will also work.
-
Question: Do you have any plans
of implementing IPv6, finally?
-
Jacob: So there is IPv6, so Linus
Nordberg, one of the finest Tor people
-
I’ve ever met, he, in fact, helped add
IPv6 support, initial IPv6 support
-
to the Tor network. So, e.g. you can,
in fact, exit through the Tor network
-
with IPv4 or IPv6. It is the case that the
Tor relays in the network still all need
-
IPv4, not just IPv6. My Tor directory
authority which runs in California,
-
it has an IPv4 and an IPv6 address,
so if you have an IPv6 address you can
-
bootstrap, you can connect to that.
You could do some interesting
-
pluggable-transport stuff as well. So
that is on the road map. This is another
-
example of: If you really care about that
issue please send us your Bitcoins!
-
And it would be really fantastic because
we really want that! But right now,
-
you can use Tor as a v4-v6 gateway.
You really can do that, and we would
-
encourage that. It’s another example
of some kind of neat feature of Tor
-
which you would never think an
anonymity system would have.
-
Roger: And in Iran, right now, where IPv6
is not censored because the soft…
-
the censorship stuff they have from
America and Europe didn’t think
-
to censor IPv6…
laughter and applause
-
applause
-
so you can use a bridge right now in Iran
that connects over IPv6. Works great.
-
Jacob: Yeah. Next question?
Herald: Alright, microphone 4!
-
Question: So we heard lots of really
encouraging success stories about Tor
-
working against a global passive
adversary. But we know that Tor
-
wasn’t designed for this use case.
The question is: What needs to happen
-
in order for Tor to actually being
able to handle this, officially?
-
Is this just research, or some
more development work?
-
Roger: There’s a lot of really hard open
research questions there. So if you’re…
-
so, I get… basically one of the
issues is what we call the
-
end-to-end traffic correlation attack. So
if you can see the flow over here coming
-
into the Tor network, and you can see the
corresponding flow over here, coming out
-
of it, then you do some simple statistics,
and you say: “Hey, wait a minute, these
-
line up!” And there are a bunch of
different directions on how to make that
-
harder. Basically what you want to
do is drive up the false-positive rate.
-
So you see a flow here, and there are
actually 1000 flows that look like they
-
sort of match. And maybe you can do
that by adding a little bit of padding,
-
or delays, or batching or something. The
research, as we understand it right now,
-
means that you have to add hours
of delay, not seconds of delay.
-
That’s kind of crummy. So another way
of phrasing that: Imagine a graph,
-
the X axis is how much overhead
we’re adding. And the Y axis is
-
how much security we get against the
end-to-end correlation attack. We have
-
zero data points on that graph. We have
no idea what the curve looks like.
-
Jacob: There’s also another point which
is: Roger has an assumption. He says
-
if we have a high false-positive rate,
that that’s a good thing. Well, maybe,
-
maybe actually, that’s exactly the
wrong thing. Maybe the result is
-
that 1000 people get rounded up instead
of 1. The reality is that there is
-
no system that – as far as we know –
is actually safer than that. Of course
-
we would say that, we work on Tor. But as
an example: One of the XKeyscore things
-
that I’ve seen in this research which
we published in the NDR story is that
-
they were doing an attack on Hotspot Shield
where they were actually doing
-
traffic correlation where they were able
to de-anonymize VPN users because of
-
it’s a single hop. And then they were
also able to do Quantuminsert to attack
-
specific users using the VPN. We haven’t
seen evidence of them doing that to Tor.
-
That also doesn’t mean that every VPN
is broken. It just means that VPN
-
has a different threat model. There’s
lot of attacks that are like that, and
-
the problem is the internet is a dangerous
place. So, I mean, Banksy said it best:
-
He said, in the future people will be
anonymous for 15 minutes. And
-
I think he may have over-estimated
that. Depending on the attacker.
-
Roger: There’s a conference called the
Privacy Enhancing Technology Symposium,
-
petsymposium.org where all of the
Anonymous Communications researchers
-
get together each year to consider exactly
these sorts of research questions. So,
-
it’s not just an engineering question,
there’s a lot of basic science left
-
in terms of how to make
these things harder.
-
Herald: Alright, the last question
is one from the internet.
-
Signal Angel: Okay, so, does running
a Ooniprobe involve any legal risks?
-
Jacob: Okay, so, great! We can take
different questions, cause we’re gonna say
-
“Talk to Arturo!”
-
Herald: Alright, so, microphone 3!
-
Question: Okay, as a new
Tor relay operator I’ve got…
-
applause
Jacob: Take a bow!
-
Question: So, since about 2 months I run
3 relays, rather high bandwidth, and
-
on 2 of these I had quite strange things
happen. One case: A kernel crash in the
-
Intel e1000 driver, the other one having
the top-of-the-rack switch just reboot,
-
which is by the way a Juniper switch.
So I’m kind of concerned about this
-
operational security. You
know, could you trust that?
-
Jacob: Yeah, absolutely. So the short
version of it is: Agencies like the NSA,
-
depending on where you’re located, might
compromise something like your Juniper
-
switch upstream. They sit on Zerodays
for critical infrastructure, that includes
-
core routers, and switches. But
it may not be such a big thing.
-
It really depends on where you’re located.
It could also be that the hardware sucks.
-
laughter
And that the software is not good. And
-
when you, of course, are pushing,
let’s say gigabits of traffic through it
-
it falls over. It’s really hard to know.
That’s a really good question,
-
which is very specific, and kind of
hard for us to address without data.
-
Question: Sorry, I’m concerned that the
attack, like this, you know, they could,
-
actually, compromise the machine without
knowing, or compromise the exact uplink.
-
And this would actually be a viable
attack, like very low-key,
-
you don’t see it, as [an] operator,
maybe, if you’re not very careful.
-
And you can watch all the traffic
going inside, going outside the box.
-
Jacob: It would be fantastic
if you can prove that theory.
-
Because, of course, if you can, maybe we
can find other information that allows us
-
to stop those types of things to
happen, or e.g. can in some way
-
allow us to fix the problems that are
being exploited. The reality is that
-
general purpose computers
are quite frankly not very secure,
-
and special purpose computers
aren’t doing much better.
-
Roger: I worry not only about active
attacks like that but about passive attacks
-
where they already have some sort of
surveillance device up-stream from you
-
in you co-location facility, or something
like that. So, yes. These are all
-
really big concerns. One of the defenses
that Tor has is diversity around the world.
-
So, hopefully they won’t be able to do
that to all of the relays. But yeah,
-
this is a big issue. We should
keep talking about it.
-
Herald: Alright, I just wanna come back
to the question before, for a second.
-
Because there was a question from the
internet. So the people are not able
-
to talk. Ooniprobe guy, hey, could you
maybe answer the question, like,
-
right now, or maybe on Twitter,
or post a link or something?
-
Because I happen to believe that
it’s a very important question.
-
You remember the question?
If there are legal restric…
-
Arturo: Yeah well, I mean the thing is
that we don’t really know like what are
-
the… who was it that
was asking the question?
-
Jacob: The internet?
Arturo: Ah, the internet. Okay.
-
laughter and applause
Jacob laughs
-
So I guess we can’t know all of the
legal risks involved in every country.
-
It is definitely the case that in some
countries you may get in trouble
-
for visiting some websites that are
considered illegal. So, I can go
-
in more detail into this if you
come later to Noisy Square at 6.
-
Herald: The internet can’t
come, that’s the problem!
-
Arturo: Ah, the internet can’t come, shit!
Okay! laughter
-
So,… laughs
applause
-
Jacob: There’re a lot of jokes in that!
-
Arturo: The short answer is that you
should look at the test specifications,
-
that are written in English, and they have
at the bottom some notes that detail
-
what can be some of the risks involved.
But we are not lawyers. So we don’t know
-
what are the risks for all of the
countries. So you should probably speak
-
to somebody that knows about these things
in your country. And it’s experimental
-
software, and there are not many people
that are doing this. So we generally can’t
-
say. Hope that answers your question.
Question: Thanks a lot, yeah, thanks.
-
Herald: Alright, I guess, just to sum
it up: Be careful whatever you do.
-
laughter and applause
Alright, so, Jake was just asking
-
if maybe we could just gather a couple
of questions, and then ask about them
-
outside. Did I get that right?
Jacob: Yeah, so if everyone who is
-
at a microphone, disperse to the correct
microphone, if you could just ask all your
-
questions, then everyone else who’s here
that wants to hear the answers will know
-
that you should stick around and talk
to us afterwards. We won’t answer
-
all these questions unless there’s
a really burning one. But that way
-
the guys that are standing at the
microphone, or the gals that are
-
standing at the microphone or other, can
actually ask them right now, and if you’re
-
interested come and find us right
afterwards. We’re going to probably
-
go to the tea house upstairs, or
maybe I shouldn’t have said that.
-
laughter
Herald: Alright, so we’re gonna do it
-
like this. We’re gonna rush through this.
And we’re just gonna hear a lot of
-
interesting questions, but no answers. If
you wanna hear the answers stay tuned
-
and don’t switch the channel. So we take
a couple of questions. Microphone 5.
-
And be quick about it.
Question: In regards to robustness and
-
the Mozilla partnership: Are there any
thoughts about incrementally replacing
-
the C++ infrastructure
with Rust? Eventually?
-
Herald: Microphone 4!
Is it open, microphone 4?
-
Question: Can you compare Tor with JAP
from TU Dresden in aspects of anonymity?
-
Herald: Okay, the other
guy at microphone 4!
-
Question: To your knowledge has anyone got
into trouble for running a non-exit relay?
-
And do you have any tips for people that
wanna help by running a non-exit relay?
-
Herald: Okay, microphone 1, 2 guys.
-
Question: I have a question, or
a suggestion for the funding problematic.
-
Have you… you’re teaming up with Mozilla,
have you ever considered like producing
-
own smartphones, because there’s a huge
margin. I also think there’s a problem
-
like… why most people don’t use
cryptography is because there’s no
-
easy-to-use, out-of-the-box, cool product
that’s like… that goes out and has a story
-
or anything, like the marketing on Apple.
-
Herald: Alright, the other
guy at microphone 1.
-
Question: So a couple of minutes before
the talk started someone did a Sibyl (?)
-
attack on Tor. And we should fix that
a.s.a.p. So please don’t disappear
-
for the next few hours.
Jacob rages, laughing, theatrically
-
Thanks!
-
Roger: It never ends.
Jacob: It never ends!
-
Herald: Alright. Two questions
from microphone 3.
-
Question: So when they took
down Silkroad they took
-
a lot of Bitcoins with them. I wonder
what the [U.S.] Government is doing
-
with the large amount of anonymized cash.
-
Roger: They auctioned it off.
Jacob: They sell it. Next question.
-
Question: And I think they
should give it to you.
-
Herald: Alright. Last question!
Jacob: I fully agree!
-
Question: So to combat against the
‘misinformed journalists’ thing
-
why not have a dashboard, very
prominently displayed on the Tor Project
-
listing all of the academic, open
like known problems with Tor,
-
and always have the journalists go there
first to get the source of information,
-
rather than misunderstanding
academic research.
-
Jacob: Fantastic, so if you wanna know…
-
Herald: Alright, if you found any of these
questions interesting, and you’re also
-
interested in the answers stick around, go
to Noisy Square, speak to these two guys,
-
and get all your answers. Other than
that, you heard it a Brillion times, but:
-
go home, start a relay! My friends and I
did two years ago, after Jake’s keynote.
-
It’s really not that hard. You can make
a difference. And thank you so much,
-
for Roger and Jake, as every year!
-
applause
-
silent postroll titles
-
subtitles created by c3subtitles.de
in the year 2017. Join, and help us!
