Return to Video

https:/.../30c3-5423-en-The_Tor_Network_h264-hd.mp4

  • 0:10 - 0:13
    Herald: So now, the next talk that
    we have here for one hour from 8:30
  • 0:13 - 0:18
    ’til 9:30 PM is “The Tor Network
    – we’re living in interesting times”.
  • 0:18 - 0:21
    I don’t know how many of you are familiar
    with the works of Terry Pratchett.
  • 0:21 - 0:27
    But anyways, in the novels of Terry
    Pratchett there is the saying:
  • 0:27 - 0:31
    “And may you live in interesting
    times!” that is actually a curse
  • 0:31 - 0:34
    for someone that you especially
    dislike; because it usually means
  • 0:34 - 0:37
    that you’re in a lot of trouble. So
    I guess we’re all very excited
  • 0:37 - 0:41
    for this year’s ‘Tor Talk’ by the
    everlasting Dream Team:
  • 0:41 - 0:44
    Jacob Appelbaum and Roger
    Dingledine! There you go!
  • 0:44 - 0:47
    cheers and applause
    Give it up!
  • 0:47 - 0:55
    huge applause
  • 0:55 - 0:58
    Jacob Appelbaum: So, thanks very much
    to the guy who brought me a Mate.
  • 0:58 - 1:01
    I learned his name is Alexander. It’s
    never a good idea to take drugs
  • 1:01 - 1:05
    from strangers, so I introduced
    myself before I drank it. Thank you.
  • 1:05 - 1:07
    laughter
  • 1:07 - 1:11
    First I wanted to say that following up
    after Glenn Greenwald is a great honor
  • 1:11 - 1:15
    and a really difficult thing to do, that’s
    a really tough act to follow, and
  • 1:15 - 1:19
    he’s pretty much one of,
    I think, our heroes. So, it’s
  • 1:19 - 1:23
    really great to be able to share the stage
    with him, even for just a brief moment.
  • 1:23 - 1:26
    And I wanted to do something a little
    unconventional when we started
  • 1:26 - 1:29
    and Roger agreed. Which is that we
    want people who have questions
  • 1:29 - 1:32
    – since I suspect some things happened
    this year that arouse a lot of questions
  • 1:32 - 1:37
    in people – we’d like you to write those
    questions down, pass them to an Angel
  • 1:37 - 1:41
    or to just bring them to the front
    of the stage as soon as possible
  • 1:41 - 1:45
    during the talk, so that we can answer as
    many of your questions as is possible.
  • 1:45 - 1:48
    This is a lot of stuff that happened,
    there’s a lot of confusion, and we wanna
  • 1:48 - 1:52
    make sure that people feel like
    we are actually answering
  • 1:52 - 1:56
    those questions in a useful way.
    And if you wanna do that, it’d be great,
  • 1:56 - 1:59
    and otherwise, we’re gonna try to have
    the second half of our talk be mostly
  • 1:59 - 2:03
    space for questioning.
    So with that, here is Roger.
  • 2:03 - 2:07
    Roger Dingledine: Okay, so, a lot of
    things have happened over this past year,
  • 2:07 - 2:09
    and we’re gonna try to cover
    as many of them as we can.
  • 2:09 - 2:13
    Here’s a great quote
    from either NSA or GCHQ,
  • 2:13 - 2:15
    I’m actually not sure which one it is.
  • 2:15 - 2:18
    But we’re gonna start a little bit
    earlier in the process than this
  • 2:18 - 2:21
    and work our way up to that.
    So, we’re in a war,
  • 2:21 - 2:24
    or rather, conflict of perception here.
  • 2:24 - 2:26
    There are a lot – I mean,
    you saw Glenn’s talk earlier
  • 2:26 - 2:29
    – there are a lot of large media
    organizations out there
  • 2:29 - 2:32
    that are trying to present Tor
    in lots of different ways,
  • 2:32 - 2:36
    and we all here understand
    the value that Tor provides
  • 2:36 - 2:39
    to the world, but there are a growing
    number of people around the world
  • 2:39 - 2:42
    who are learning about Tor
    not from our website, or from
  • 2:42 - 2:45
    seeing one of these talks or from
    learning it from somebody who uses it
  • 2:45 - 2:49
    and teaches them how to use it.
    But they read the Time Magazine
  • 2:49 - 2:53
    or Economist or whatever the
    mainstream newspapers are,
  • 2:53 - 2:57
    and part of our challenge is how do we
    help you, and help the rest of the world
  • 2:57 - 3:01
    do outreach and education, so that
    people can understand what Tor is for
  • 3:01 - 3:05
    and how it works and what
    sorts of people actually use it.
  • 3:05 - 3:09
    So, e.g. GCHQ has been given instructions
  • 3:09 - 3:13
    to try to kill Tor by, I mean, who knows,
    maybe they thought of it on their own,
  • 3:13 - 3:18
    maybe we can imagine some nearby
    governments asked them to do it.
  • 3:18 - 3:21
    And part of the challenge…
    they say: “we have to kill it
  • 3:21 - 3:25
    because of child porn”. And it
    turns out that we actually do know
  • 3:25 - 3:29
    that some people around the
    world are using Tor for child porn.
  • 3:29 - 3:33
    E.g. we have talked to
    a lot of federal agencies
  • 3:33 - 3:36
    who use Tor to fetch child porn.
    subdued laughter
  • 3:36 - 3:38
    I talked to people in the
    FBI who use Tor every day
  • 3:38 - 3:43
    to safely reach the websites
    that they want to investigate.
  • 3:43 - 3:47
    The most crazy example of this is
    actually the Internet Watch Foundation.
  • 3:47 - 3:50
    How many people here have heard
    of the Internet Watch Foundation?
  • 3:50 - 3:54
    I see a very small number of hands.
    They are the censorship wing
  • 3:54 - 3:58
    of the British Government. They are the
    sort of quasi-government organization
  • 3:58 - 4:03
    who is tasked with coming up with the
    blacklist for the internet for England.
  • 4:03 - 4:07
    And, we got email from them a few years
    ago, saying – not what you’d expect,
  • 4:07 - 4:11
    you’d expect “Hey, can you please shut
    this thing down, can you turn it off,
  • 4:11 - 4:14
    it’s a big hassle for us!” – the
    question they asked me was:
  • 4:14 - 4:18
    “How can we make Tor faster?”
    laughter, applause
  • 4:18 - 4:21
    It turns out that they need Tor,
    because people report URLs to them,
  • 4:21 - 4:25
    they need to fetch them somehow.
    It turns out that when you go the URL
  • 4:25 - 4:28
    with the allegedly bad stuff on
    it and you’re coming from
  • 4:28 - 4:32
    the Internet Watch Foundation’s
    IP address, they give you kittens!
  • 4:32 - 4:36
    laughter
    Who would have known?
  • 4:36 - 4:40
    laughter, applause
  • 4:40 - 4:45
    So it turns out that these censors
    need an anonymity system
  • 4:45 - 4:50
    in order to censor their internet.
    laughter Fun times.
  • 4:53 - 4:57
    So another challenge here: at the
    same point, one of my side hobbies
  • 4:57 - 5:01
    is teaching law enforcement how the
    internet works, and how security works
  • 5:01 - 5:06
    and how Tor works. So, yeah, their job
    does suck, but it’s actually not our fault
  • 5:06 - 5:10
    that their job sucks. There are a lot
    of different challenges to successfully
  • 5:10 - 5:13
    being a good, honest law
    enforcement person these days.
  • 5:13 - 5:17
    So, e.g. I went to Amsterdam and Brussels
  • 5:17 - 5:21
    in January of this past year to try to
    teach various law enforcement groups.
  • 5:21 - 5:25
    And I ended up having a four-hour
    debate with the Dutch regional Police,
  • 5:25 - 5:29
    and then another four-hour debate
    with a Belgian cybercrime unit,
  • 5:29 - 5:32
    and then another four-hour debate
    with the Dutch national Police.
  • 5:32 - 5:36
    And there are a lot of good-meaning, smart
    people in each of these organizations,
  • 5:36 - 5:41
    but they end up, as a group, doing
    sometimes quite bad things.
  • 5:41 - 5:45
    So part of our challenge is: how do we
    teach them that Tor is not the enemy
  • 5:45 - 5:51
    for them? And there are a couple of
    stories that I’ve been trying to refine
  • 5:51 - 5:56
    using on them. One of them they always
    pull out, the “But what about child porn?
  • 5:56 - 6:00
    What about bad people? What about some
    creep using Tor to do bad things?”.
  • 6:00 - 6:05
    And one of the arguments that I tried on
    them was, “Okay, so on the one hand
  • 6:05 - 6:08
    we have a girl in Syria
    who is alive right now
  • 6:08 - 6:13
    because of Tor. Because her family
    was able to communicate safely
  • 6:13 - 6:17
    and the Syrian military didn’t
    break in and murder all of them.
  • 6:17 - 6:20
    On the other hand, we have a girl
    in America who is getting hassled
  • 6:20 - 6:24
    by some creep on the internet
    who is stalking her over Tor.”
  • 6:24 - 6:29
    So the question is, how do we balance,
    how do we value these things?
  • 6:29 - 6:31
    How do we assign a value
    to the girl in Syria?
  • 6:31 - 6:34
    How do we assign a value
    to the girl in America
  • 6:34 - 6:37
    so that we can decide which
    one of these is more important?
  • 6:37 - 6:40
    And actually the answer is, you
    don’t get to make that choice,
  • 6:40 - 6:43
    that’s not the right question to ask.
    Because if we take Tor away
  • 6:43 - 6:47
    from the girl in Syria, she’s
    going to die. If we take Tor away
  • 6:47 - 6:51
    from the creep in America, he’s got a lot
    of other options for how he can be a creep
  • 6:51 - 6:55
    and start stalking people.
    So if you’re a bad person,
  • 6:55 - 6:58
    for various definitions of ‘bad person’,
    and you’re willing to break laws
  • 6:58 - 7:02
    or go around social norms,
    you’ve got a lot of other options
  • 7:02 - 7:06
    besides what Tor provides. Whereas there
    are very few tools out there like Tor
  • 7:06 - 7:11
    for honest, I’d like to say law-abiding,
  • 7:11 - 7:16
    but let’s go with civilization-abiding
    citizens out there.
  • 7:16 - 7:21
    applause
  • 7:21 - 7:25
    Jacob: And it’s important to understand
    that this hypothetical thing is actually
  • 7:25 - 7:28
    also true for certain values.
    So at our Tor developer meeting
  • 7:28 - 7:34
    that we had in Munich recently,
    that Syrian woman came to us,
  • 7:34 - 7:38
    and thanked us for Tor. She said:
    “I’m from a city called Homs.
  • 7:38 - 7:42
    You might have heard about it,
    it’s not a city anymore. I used Tor.
  • 7:42 - 7:45
    My family used Tor. We were able to
    keep ourselves safe on the internet
  • 7:45 - 7:49
    thanks to Tor. So I wanted to come
    here to Munich to tell you this.
  • 7:49 - 7:53
    Thank you for the work that you’re
    doing.” And for people who
  • 7:53 - 7:56
    – this was their first dev meeting –
    they were completely blown away
  • 7:56 - 7:59
    to meet this person. “Wow,
    the stuff that we’re working on,
  • 7:59 - 8:03
    it really does matter, there
    are real people behind it”.
  • 8:03 - 8:06
    And we were all, I think, very touched
    by it, and all of us know someone
  • 8:06 - 8:10
    who has been on the receiving end
    of people being jerks on the internet.
  • 8:10 - 8:13
    So this is a real thing where there
    are real people involved, and
  • 8:13 - 8:16
    it’s really important to understand
    that if you remove the option
  • 8:16 - 8:20
    for that woman in Syria – or you
    here in Germany, now that we know
  • 8:20 - 8:23
    what Edward Snowden has told the world…
  • 8:23 - 8:27
    Those bad guys, those jerks
    – for different values of that –
  • 8:27 - 8:31
    they always have options. But very
    rarely do all of us have options
  • 8:31 - 8:35
    that will actually keep us safe.
    And Tor is certainly not the only one,
  • 8:35 - 8:39
    but right now, and we hope in this
    talk you’ll see that we’re making
  • 8:39 - 8:42
    the right trade-off by working on Tor.
  • 8:42 - 8:45
    Roger: One of the other talks that I give
    to them, one of the other stories
  • 8:45 - 8:50
    that I give to them, one of the big
    questions they always ask me is:
  • 8:50 - 8:54
    “But what about terrorists?
    Aren’t you helping terrorists?”
  • 8:54 - 8:58
    And we can and we should talk about
    “What do you mean by terrorists?”
  • 8:58 - 9:01
    because in China they have a very
    different definition of terrorists
  • 9:01 - 9:04
    and in Gaza they have a very
    different definition of terrorists, and
  • 9:04 - 9:07
    in America, they are always thinking
    of a small number of people
  • 9:07 - 9:11
    in some Middle-Eastern country who are
    trying to blow up buildings or something –
  • 9:11 - 9:13
    Jacob: Mohammed Badguy,
    I think is his name.
  • 9:13 - 9:16
    Roger: Yes, that –
    Jacob: In the NSA slides.
  • 9:16 - 9:20
    Roger: Yes. So, scenario 1:
  • 9:20 - 9:23
    I want to build a tool that
    works for millions of people,
  • 9:23 - 9:27
    it will work for the next year,
    and I can tell you how it works,
  • 9:27 - 9:30
    so you can help me evaluate
    it. That’s Tor’s problem.
  • 9:30 - 9:35
    Scenario 2: I want to build a tool that
    will work for the next 2 weeks,
  • 9:35 - 9:38
    it will work for 20 people and I’m
    not going to tell you about it.
  • 9:38 - 9:42
    There are so many more
    ways of solving scenario 2
  • 9:42 - 9:45
    than solving scenario 1. The bad
    guys – for all sorts of definitions –
  • 9:45 - 9:50
    the bad guys have a lot more
    options on how they can keep safe.
  • 9:50 - 9:52
    They don’t have to scale,
    it doesn’t have to last forever,
  • 9:52 - 9:55
    they don’t want peer review, they
    don’t want anybody to even know
  • 9:55 - 9:59
    that it’s happening. So the
    challenge that Tor has is
  • 9:59 - 10:03
    we wanna build something that works for
    everybody and that everybody can analyze
  • 10:03 - 10:07
    and learn about. That’s a much harder
    problem, there are far fewer ways
  • 10:07 - 10:12
    of solving that. So, the terrorists,
    they got a lot of options.
  • 10:12 - 10:16
    That sucks. We need to build tools that
    can keep the rest of the world safe.
  • 10:16 - 10:19
    Jacob: And it’s important, really, to try
    to have some good rhetorical arguments,
  • 10:19 - 10:23
    I think. I mean, we sort of
    put a few facts up here.
  • 10:23 - 10:27
    One interesting point to mention
    is that people who really
  • 10:27 - 10:30
    don’t want anonymity to exist
    in a practical sense, maybe
  • 10:30 - 10:33
    not even in a theoretical, Human
    Rights sense either, but definitely
  • 10:33 - 10:37
    in a practical sense, they’re not really
    having honest conversations about it.
  • 10:37 - 10:40
    E.g. this DoJ study – the Department
    of Justice in the United States – they
  • 10:40 - 10:44
    actually started to do a study where they
    classified traffic leaving Tor exit nodes.
  • 10:44 - 10:48
    Which… it’s interesting that they
    were basically probably wiretapping
  • 10:48 - 10:51
    an exit node to do that study. And
    I wonder how they went about that – but
  • 10:51 - 10:55
    nonetheless, they came up with the
    number 3% of the traffic being bad.
  • 10:55 - 10:58
    And then they aborted the study because
    they received many DMCA takedown notices.
  • 10:58 - 11:00
    laughter
    Roger: Yes, they –
  • 11:00 - 11:03
    Jacob: Apparently even the DMCA
    is a problem to finding out answers!
  • 11:03 - 11:04
    That plague of society! (?)
  • 11:04 - 11:06
    Roger: interrupts They asked a
    university to run the Tor exit for them
  • 11:06 - 11:08
    and they were just starting out
    doing their study, and then
  • 11:08 - 11:12
    the university started getting
    DMCA takedowns and said:
  • 11:12 - 11:15
    “Well, we have to stop, the
    lawyers told us to stop!”,
  • 11:15 - 11:19
    and the Department of Justice said:
    “We’re the Department of Justice,
  • 11:19 - 11:21
    keep doing it”, and then they
    turned it off. laughter
  • 11:21 - 11:25
    So, not sure how the balance of power
    goes there, but the initial results
  • 11:25 - 11:28
    they were looking towards
    were about 3% of the traffic
  • 11:28 - 11:31
    coming out of that Tor exit node was bad,
  • 11:31 - 11:35
    but I haven’t figured out what they mean
    by ‘bad’. But I’ll take it if it’s 3%.
  • 11:35 - 11:41
    Jacob: And I personally don’t
    like to use the word ‘war’
  • 11:41 - 11:46
    when talking about the internet.
    And I particularly dislike
  • 11:46 - 11:49
    when we talk about actual
    issues of terrorism.
  • 11:49 - 11:52
    And I think that we should talk about it
    in terms of perception and conflict.
  • 11:52 - 11:55
    And one of the most frustrating
    things is: the BBC
  • 11:55 - 11:58
    actually has articles on their
    website instructing people
  • 11:58 - 12:02
    how to use the Silk Road and
    Tor together to buy drugs.
  • 12:02 - 12:07
    We very, very seriously do
    not ever advocate that,
  • 12:07 - 12:10
    for a bunch of reasons… Not the
    least of which is that even though
  • 12:10 - 12:13
    Bitcoin is amazing, it’s not
    an anonymous currency.
  • 12:13 - 12:16
    And it isn’t the case that these websites
    are necessarily a good idea and…
  • 12:16 - 12:20
    but it won’t be Tor, I think, that will be
    the weakest link. But the fact that
  • 12:20 - 12:25
    the BBC promotes that – it’s because
    they generally have “A man bites dog”.
  • 12:25 - 12:29
    You could say that that’s their
    entire Tor related ecosystem.
  • 12:29 - 12:32
    Anything that could be just
    kind of a little bit interesting,
  • 12:32 - 12:34
    they’ll run with it. So they have
    something to say about it.
  • 12:34 - 12:37
    And in this case they literally were
    promoting and pushing for people
  • 12:37 - 12:42
    to buy drugs. Which is crazy to me, to
    imagine that. And that really impacts
  • 12:42 - 12:46
    the way that people perceive the
    Tor Project and the Tor Network.
  • 12:46 - 12:48
    And what we’re trying to do
    is not that particular thing.
  • 12:48 - 12:52
    That is a sort of side effect that occurs.
    What we want is for every person
  • 12:52 - 12:56
    to have the right to speak freely and the
    right to read anonymously on the internet.
  • 12:56 - 13:00
    Roger: And we also need to keep in
    mind the different incentive structures
  • 13:00 - 13:05
    that they have. So BBC posted their
    first article about Silk Road and Tor.
  • 13:05 - 13:08
    And the comment section was
    packed with “Oh, wow, thanks!
  • 13:08 - 13:11
    Oh, this is great! Oh, I don’t have to go
    to the street corner and getting shot!
  • 13:11 - 13:15
    Oh! Wow! Thanks! This is great!” Just
    comment after comment, of people saying:
  • 13:15 - 13:18
    “Thank you for telling me about this!”
    And then a week later they posted
  • 13:18 - 13:23
    a follow-up article saying “And we
    bought some, and it was really good!”
  • 13:23 - 13:26
    laughter and applause
  • 13:26 - 13:30
    So what motivation are they doing here?
  • 13:30 - 13:33
    So their goal in this case is: “Let’s get
    more clicks. Doesn’t matter what it takes,
  • 13:33 - 13:36
    doesn’t matter what we
    destroy while we’re doing it.”
  • 13:36 - 13:40
    Jacob: So that has some serious problems,
    obviously. Because then there are
  • 13:40 - 13:44
    different structures that exist to attack
    – as part of the War on Some Drugs –
  • 13:44 - 13:48
    and they want to show that their
    mission is of course impacted by Tor.
  • 13:48 - 13:50
    They want to have an enemy that
    they can paint a target on. They want
  • 13:50 - 13:55
    something sexy that they can get funding
    for. So here’s a little funny story
  • 13:55 - 13:59
    about an agent, as it says in the last
    point, who showed this massive drop
  • 13:59 - 14:02
    in the Tor Network load after Silk
    Road was busted. Right? Because
  • 14:02 - 14:05
    everybody realizes of course that all
    of the anonymity traffic in the world
  • 14:05 - 14:06
    must be for elicit (?) things.
  • 14:06 - 14:08
    Roger: So this was at a particular meeting
  • 14:08 - 14:12
    where they were trying to get more funding
    for this. This is a US Government person
  • 14:12 - 14:16
    who basically said: “I evaluated
    the Tor Network load
  • 14:16 - 14:20
    during the Silk Road bust. And
    I saw 50% network load drop
  • 14:20 - 14:24
    when the Silk Road bust happened.”
    So I started out with him
  • 14:24 - 14:28
    arguing: “Actually, you know, when
    there’s a huge amount of publicity about
  • 14:28 - 14:31
    – I don’t know – if Tor is broken, we can
    understand, that would be reasonable,
  • 14:31 - 14:35
    that some Tor people would stop using
    Tor for a little while, in order to wait
  • 14:35 - 14:38
    for more facts to come out and then will
    be more prepared for it.” But then
  • 14:38 - 14:42
    I thought: “You know, wait a minute, we
    got the Tor Metrics database. We have
  • 14:42 - 14:45
    all of this data of load on the network.”
  • 14:45 - 14:49
    So then I went: “Let’s go actually
    see if there was a 50% drop on
  • 14:49 - 14:53
    the Tor Network!” So the green
    line here is the capacity
  • 14:53 - 14:57
    of the Tor Network over time. So the
    amount of bytes that relays can push
  • 14:57 - 15:00
    if we were loading it down
    completely. And the purple line is
  • 15:00 - 15:04
    the number of bytes that are actually
    handled on the network over time.
  • 15:04 - 15:09
    Jacob: Can you guess? If you don’t
    look at the date at the bottom,
  • 15:09 - 15:12
    can you show what that
    agent was talking about?
  • 15:12 - 15:16
    Or is the agent totally full of shit?
    laughter
  • 15:16 - 15:22
    Just a… hypothetical question, but if you
    have a theo… anyone? Shout it out! Yeah!
  • 15:22 - 15:23
    [unintelligible from audience]
  • 15:23 - 15:30
    Oh that’s right! It didn’t go down by 50%!
    laughter
  • 15:30 - 15:34
    Wow! He was completely wrong!
  • 15:34 - 15:37
    But just for the record, that’s
    where he said there was a drop!
  • 15:37 - 15:46
    laughter and applause
  • 15:46 - 15:49
    Roger: And while we’ve talked you had
    to read these graphs. Here is a graph
  • 15:49 - 15:52
    of the overall network growth
    over the past 3 or 4 years.
  • 15:52 - 15:56
    So the green line, again, is the amount of
    capacity. And we’ve seen a bunch of people
  • 15:56 - 16:00
    adding fast relays recently,
    after the Snowden issues.
  • 16:00 - 16:04
    And we’ll talk a little bit later about
    what other reasons people are running
  • 16:04 - 16:10
    more capacity lately, as the
    load on the network goes up.
  • 16:10 - 16:14
    Okay. And then there is the
    ‘Dark Web’. Or the ‘Deep Web’.
  • 16:14 - 16:18
    Or the Whatever-else-the-hell-you-call-it
    Web. And again,
  • 16:18 - 16:22
    this comes back to media trying to
    produce as many articles as they can.
  • 16:22 - 16:27
    So here’s the basic… I’ll give you
    the primer on this ‘Dark Web’ thing.
  • 16:27 - 16:33
    Statement 1: “The Dark Web is every web
    page out there that Google can’t index.”
  • 16:33 - 16:37
    That’s the definition of the Dark Web.
    laughter and applause
  • 16:37 - 16:40
    applause
  • 16:40 - 16:45
    So every Corporate database,
    every Government database,
  • 16:45 - 16:49
    everything that you access with a
    web browser at work or whatever,
  • 16:49 - 16:52
    all those things that Google can’t get to,
    that is the Dark Web. That’s statement 1.
  • 16:52 - 16:58
    Statement 2: “90+X% of web
    pages are in the Dark Web.”
  • 16:58 - 17:01
    So these were both well-known
    facts a year ago.
  • 17:01 - 17:05
    Statement 3, that the media has
    added this year: “The only way
  • 17:05 - 17:10
    to access the Dark Web is through Tor.”
    laughter, some applause
  • 17:10 - 17:14
    These 3 statements together
    sell more and more articles
  • 17:14 - 17:17
    because it’s great, people buy them,
    they’re all shocked: “Oh my god,
  • 17:17 - 17:20
    the web is bigger than I thought,
    and it’s all because of Tor”.
  • 17:20 - 17:25
    laughter and applause
  • 17:25 - 17:30
    Jacob: So, really… the reality of this
    is that it’s not actually the case.
  • 17:30 - 17:34
    Obviously that’s a completely laughable
    thing. And for everyone that’s here –
  • 17:34 - 17:37
    not necessarily people watching on the
    video stream – but for everyone here,
  • 17:37 - 17:41
    I think, you realize how ridiculous
    that is. That entire setup
  • 17:41 - 17:45
    is obviously a kind of ‘clickbait’, if
    you would call it something like that.
  • 17:45 - 17:49
    There are a few high-profile Hidden
    Services. And actually, this is
  • 17:49 - 17:52
    a show of hands: raise your hand
    if you run a Tor Hidden Service!
  • 17:52 - 17:53
    few hands go up
  • 17:53 - 17:57
    Right. So, no one’s ever heard of your
    Tor Hidden Service. Almost certainly.
  • 17:57 - 18:01
    And these are the ones that people have
    heard of. And this is something which is
  • 18:01 - 18:06
    kind of a fascinating reality
    which is that these 4 sites,
  • 18:06 - 18:10
    or these 4 entities have
    produced most of the stories
  • 18:10 - 18:14
    related to the deep gaping
    whatever web, that
  • 18:14 - 18:19
    if you wanna call it the Dark Web. And,
    in fact, for the most part, it’s been…
  • 18:19 - 18:22
    I would say the Top one
    e.g., with Wikileaks,
  • 18:22 - 18:26
    it’s a positive example. And,
    in fact, with GlobaLeaks,
  • 18:26 - 18:29
    which is something that Arturo Filastò
    and a number of other really great
  • 18:29 - 18:33
    Italian hackers here have been working
    on, GlobaLeaks, they’re deploying
  • 18:33 - 18:36
    more and more Hidden Services that you
    also haven’t heard about. For localized
  • 18:36 - 18:40
    corruption, reporting and whistleblowing.
    But the news doesn’t report about
  • 18:40 - 18:44
    Arturo’s great work. The news
    reports are on The Farmer’s Market,
  • 18:44 - 18:48
    on Freedom Hosting and
    on Silk Road. And those things
  • 18:48 - 18:52
    also bring out a disproportionate
    amount of incredible negative attention.
  • 18:52 - 18:55
    In the case of freedom hosting, we
    have a developer, Mike Perry, who’s
  • 18:55 - 18:58
    kind of the most incredible
    evil genius alive today.
  • 18:58 - 19:03
    I think he’s probably at about 2 Mike
    Perrys right now. That’ll be my guess.
  • 19:03 - 19:06
    And he was relentlessly attacked.
  • 19:06 - 19:10
    Because he happened to have
    a registration for a company
  • 19:10 - 19:15
    which had an F and an H in the name.
  • 19:15 - 19:18
    Wasn’t actually even close
    to what’s up there now.
  • 19:18 - 19:22
    And he was relentlessly attacked because
    the topics that the other sites have
  • 19:22 - 19:26
    as part of their customer base or as part
    of the things that they’re pushing online,
  • 19:26 - 19:29
    they really pull on people’s
    hearts in a big way.
  • 19:29 - 19:32
    And that sort of created
    a lot of stress. I mean,
  • 19:32 - 19:35
    the first issue, Wikileaks, created a
    lot of stress for people working on Tor
  • 19:35 - 19:39
    in various different ways. But for Mike
    Perry, he was personally targeted,
  • 19:39 - 19:43
    in sort of Co-Intel-Pro style
    harassment. And really sad,
  • 19:43 - 19:47
    in a really sad series of events.
    And of course, the news
  • 19:47 - 19:50
    also picked up on that, in some
    negative ways. And they really, really
  • 19:50 - 19:53
    picked up on that. And that’s a really
    big part of I think you could call it
  • 19:53 - 19:57
    a kind of cultural conflict
    that we’re in, right now.
  • 19:57 - 19:59
    The farmer’s market has also
    quite an interesting story.
  • 19:59 - 20:01
    Which I think you wanted to tell.
  • 20:01 - 20:05
    Roger: Yeah, so, I actually heard from
    a DEA person who was involved
  • 20:05 - 20:09
    in the eventual bust of
    the Farmer’s Market story.
  • 20:09 - 20:13
    Long ago there was a website on
    the internet, and they sold drugs.
  • 20:13 - 20:17
    Oh my god. And there were people
    who bought drugs from this website
  • 20:17 - 20:21
    and Tor was nowhere in the story. It
    was some website in South East Asia.
  • 20:21 - 20:25
    And the DEA wanted to take
    it down. So they learned…
  • 20:25 - 20:28
    I mean the website was public. It was
    a public web server. So they sent
  • 20:28 - 20:32
    some sort of letter to the country that it
    was in. And the country that it was in
  • 20:32 - 20:35
    said: “Screw you!”. And then they said:
    “Okay, well, I guess we can’t take down
  • 20:35 - 20:39
    the web server”. So then they started to
    try to investigate the people behind it.
  • 20:39 - 20:43
    And it turns out the people
    behind it used Hushmail.
  • 20:43 - 20:47
    So they were happily communicating
    with each other very safely.
  • 20:47 - 20:50
    So the folks in the US
    sent a letter to Canada.
  • 20:50 - 20:53
    And then Canada made Hushmail basically
    give them the entire database
  • 20:53 - 20:58
    of all the emails that these people
    had sent. And then, a year or 2 later,
  • 20:58 - 21:01
    these people discovered Tor. And they’re
    like: “Hey we should switch our website
  • 21:01 - 21:05
    over to Tor and then it will be safe.
    That sounds good!”. The DEA people
  • 21:05 - 21:09
    were watching them the whole time
    looking for a good time to bust them.
  • 21:09 - 21:11
    And then they switched over to Tor, and
    then 6 months later it was a good time
  • 21:11 - 21:15
    to bust them. So then there were all
    these newspaper articles about how
  • 21:15 - 21:19
    Tor Hidden Services are
    obviously broken. And
  • 21:19 - 21:22
    the first time I heard the story
    I was thinking in myself:
  • 21:22 - 21:26
    “Idiot drug sellers use Paypal
    – get busted – end of story”.
  • 21:26 - 21:27
    laughing
  • 21:27 - 21:30
    But they were actually using Paypal
    correctly. They had innocent people
  • 21:30 - 21:34
    around the world who were receiving
    Paypal payments and turning it into some
  • 21:34 - 21:38
    Panama based e-currency or
    something. So the better lesson
  • 21:38 - 21:42
    of the story is: “Idiot drug sellers
    use Hushmail – get busted”.
  • 21:42 - 21:45
    So there are a lot of different
    pieces of all of these.
  • 21:45 - 21:48
    Jacob: Don’t use Hushmail!
    laughter
  • 21:48 - 21:52
    Seriously! It’s a bad idea! And
    don’t use things where they have
  • 21:52 - 21:55
    a habit of backdooring their
    service or cooperating
  • 21:55 - 21:58
    with so called ‘lawful interception
    orders’. Because it tells you that
  • 21:58 - 22:03
    their system is not secure. And it’s clear
    that Hushmail falls into that category.
  • 22:03 - 22:07
    They fundamentally have chosen that
    that is what they would like to do.
  • 22:07 - 22:11
    And they should have that reputation.
    And we should respect them exactly
  • 22:11 - 22:14
    as much as they deserve for that. So
    don’t use their service. If you can.
  • 22:14 - 22:17
    Especially if you’re gonna do
    this kind of stuff. laughter
  • 22:17 - 22:20
    Or maybe what I mean is: guys,
    do that – use Hushmail.
  • 22:20 - 22:26
    But everybody else, protect yourself!
    laughter
  • 22:26 - 22:30
    So, the thing is that
    not every single person
  • 22:30 - 22:33
    is actually stupid enough to use Hushmail.
  • 22:33 - 22:37
    So as a result, we had started to
    see some pretty crazy stuff happen.
  • 22:37 - 22:40
    Which we of course knew would happen and
    we always understood that this would be
  • 22:40 - 22:44
    a vector. So, in this case,
    this year we saw,
  • 22:44 - 22:49
    I think, one of the probably not
    the most interesting exploits
  • 22:49 - 22:52
    that we’ve ever seen. But one
    of the most interesting exploits
  • 22:52 - 22:56
    we’ve ever seen deployed
    against a broad scale of users.
  • 22:56 - 23:00
    And we’re not exactly sure
    who was behind it. Though
  • 23:00 - 23:04
    there was an FBI person who went
    to court in Ireland and did in fact
  • 23:04 - 23:08
    claim that they were behind it. The IP
    space that the exploit connected back to
  • 23:08 - 23:14
    was either SAIC or NSA.
    And I had an exchange
  • 23:14 - 23:18
    with one of the guys behind the VUPEN
    exploit company. And he has
  • 23:18 - 23:22
    on a couple of occasions mentioned
    writing exploits for Tor Browser.
  • 23:22 - 23:25
    And what he really means is Firefox. And
  • 23:25 - 23:28
    this is a serious problem of course. If
    they want to target a person, though,
  • 23:28 - 23:33
    the first they have to actually find them.
    So traditionally, if you’re not using Tor,
  • 23:33 - 23:37
    they go to your house, they plug in some
    gear. They go to the ISP upstream,
  • 23:37 - 23:40
    and they plug in some gear. Or they do
    some interception with an IMSI catcher,
  • 23:40 - 23:43
    and things like that. Most of these
    techniques, I’ll talk about on Monday
  • 23:43 - 23:48
    with Claudio. If you’re interested.
    But basically it’s the same.
  • 23:48 - 23:51
    They find out who you are,
    then they begin to target you,
  • 23:51 - 23:55
    then they serve you an exploit.
    This year one of the differences is
  • 23:55 - 23:59
    that they had actually taken over a Tor
    Hidden Service. And started to serve up
  • 23:59 - 24:02
    an exploit from that. Just trying
    to exploit every single person
  • 24:02 - 24:05
    that visited the Hidden Service. So there
    was a period of time when you could
  • 24:05 - 24:09
    really badly troll all of your friends
    by just putting a link up where
  • 24:09 - 24:13
    it would load in an iFrame and they would
    have been exploited. If they were running
  • 24:13 - 24:16
    an old version of Firefox. And
    an old version of Tor Browser.
  • 24:16 - 24:20
    Which was an interesting twist. They
    didn’t actually, as far as we know,
  • 24:20 - 24:25
    use that exploit against anyone
    while it was a fresh Zeroday.
  • 24:25 - 24:28
    But they did write it. And they
    did serve it out. And they gave
  • 24:28 - 24:32
    the rest of the world the payload
    to use against whoever they’d like.
  • 24:32 - 24:36
    So, when the FBI did this, they basically
    gave an exploit against Firefox
  • 24:36 - 24:40
    and Tor Browser to the Syrian Electronic
    Army who couldn’t have written one,
  • 24:40 - 24:44
    even if they wanted to. This is
    a really interesting difference
  • 24:44 - 24:48
    between other ways that the FBI might
    try to bust you, where they can localize
  • 24:48 - 24:53
    the damage of hitting untargeted
    people who are otherwise innocent,
  • 24:53 - 24:57
    especially. But we’ve asked
    Firefox to try to integrate
  • 24:57 - 25:00
    some of these privacy-related things that
    we’ve done. We’d like to be able to be
  • 25:00 - 25:04
    more up-to-speed with Firefox and
    they generally seem premili, too (?)
  • 25:04 - 25:08
    and I think that’s a fair thing to say.
    But we have a de-synchronisation.
  • 25:08 - 25:12
    But even with that de-synchronisation we
    were still ahead of what they were doing
  • 25:12 - 25:16
    as far as we can tell. But they
    are actually at the point where
  • 25:16 - 25:21
    they have hired probably some people
    from this community – fuck you –
  • 25:21 - 25:25
    and they write those exploits.
    applause
  • 25:25 - 25:28
    And serve them up.
    And so that is a new turn.
  • 25:28 - 25:32
    We had not seen that before this year.
    And that’s a really serious change.
  • 25:32 - 25:35
    As a result we’ve obviously been
    looking into Chrome, which has
  • 25:35 - 25:38
    a very different architecture. And in some
    cases it’s significantly harder to exploit
  • 25:38 - 25:42
    than Firefox. Even with just very
    straight-forward bugs which should be
  • 25:42 - 25:45
    very easy to exploit the Chrome team
    has done a good job. We want to have
  • 25:45 - 25:48
    a lot of diversity in the different
    browsers. But we have a very strict
  • 25:48 - 25:51
    set of requirements for protecting
    Privacy with Tor Browser.
  • 25:51 - 25:54
    And there’s a whole design document
    out there. So just adding Tor
  • 25:54 - 25:59
    and a web browser together is not quite
    enough. You need some actual thoughts.
  • 25:59 - 26:03
    That have been – mostly by Mike Perry
    and Aron Clark (?) – have been elucidated
  • 26:03 - 26:07
    in the Tor Browser design document.
    So we’re hoping to work on that.
  • 26:07 - 26:09
    If anyone here would like to work on that:
    that’s really something where we really
  • 26:09 - 26:14
    need some help. Because there is
    really only one Mike Perry. Literately
  • 26:14 - 26:16
    and figuratively.
  • 26:16 - 26:20
    Roger: Okay. Another exciting topic
    people have been talking about lately
  • 26:20 - 26:25
    is the diversity of funding. A lot of our
    funding comes from governments.
  • 26:25 - 26:28
    US mostly but some other ones as
    well. Because they have things
  • 26:28 - 26:33
    that they want us to work on. So once upon
    a time when I was looking at fundraising
  • 26:33 - 26:37
    and how to get money I would go to places
    and I would say: “We’ve got 10 things
  • 26:37 - 26:41
    we want to work on. If you
    want to fund one of these 10,
  • 26:41 - 26:45
    you can help us set our priorities.
    We really want to work on
  • 26:45 - 26:48
    circumventing censorship, we really want
    to work on anonymity, we really want
  • 26:48 - 26:53
    to work on Tor Browser safety. So
    if you have funding for one of these
  • 26:53 - 26:57
    then we’ll focus on the one that
    you’re most interested in”.
  • 26:57 - 27:00
    So there’s some trade-offs here. On the
    one hand government funding is good
  • 27:00 - 27:04
    because we can do more things. That’s
    great. A lot of the stuff that you’ve seen
  • 27:04 - 27:08
    from Tor over the past couple of years
    comes from people who are paid full-time
  • 27:08 - 27:12
    to be able to work on Tor and focus
    on it and not have to worry about
  • 27:12 - 27:15
    where they’re gonna pay their rent
    or where they’re gonna get food.
  • 27:15 - 27:20
    On the other hand it’s bad because
    funders can influence our priorities.
  • 27:20 - 27:23
    Now, there’s no conspiracy. It’s not
    that people come to us and say:
  • 27:23 - 27:27
    “Here’s money, do a backdoor, etc.”
    We’re never gonna put any backdoors
  • 27:27 - 27:29
    in Tor, ever.
  • 27:29 - 27:30
    Jacob: Maybe you could tell the story
  • 27:30 - 27:33
    about that really high-pitched lady
    who tried to get you, to tell you that
  • 27:33 - 27:36
    that was your duty and then you explained…
  • 27:36 - 27:40
    Roger: Give me a few more details!
    laughter
  • 27:40 - 27:42
    Jacob: People have approached us,
    obviously, in order to try to get us
  • 27:42 - 27:45
    to do these types of things. And
    this is a serious commitment
  • 27:45 - 27:49
    that the whole Tor community gets behind.
    Which is that we will never ever
  • 27:49 - 27:53
    put in a backdoor. And any time that we
    can tell that something has gone wrong
  • 27:53 - 27:56
    we try to fix it as soon
    as is possible regardless
  • 27:56 - 28:00
    – actually I would say for myself – of any
    other consequences. That our commitment
  • 28:00 - 28:04
    to protecting anonymity
    of our user base extends
  • 28:04 - 28:08
    beyond any reasonable commitment,
    actually. And we really believe
  • 28:08 - 28:11
    that commitment. And there are people
    that have tried to get us to change that.
  • 28:11 - 28:15
    Tried to tell us that “oh, it’s only
    because you’re living in the free world,
  • 28:15 - 28:18
    and you’re able to have a company
    that (?) and make a profit
  • 28:18 - 28:21
    that you can even right the supper (?). So
    come on! Do your duty!” And of course
  • 28:21 - 28:24
    when we tell them we’re non-profit
    and that we’re not gonna do it,
  • 28:24 - 28:27
    they’re completely
    dumbfounded. For example.
  • 28:27 - 28:30
    Roger: Now I remember that discussion, yes!
    Jacob: Yeah!
  • 28:30 - 28:34
    applause
  • 28:34 - 28:39
    Roger: This was a discussion with
    a US Department of Justice person
  • 28:39 - 28:43
    who basically said: “It’s your…
    the Congress has given us,
  • 28:43 - 28:47
    the Department of Justice, the
    right to backdoor everything,
  • 28:47 - 28:51
    and you have a tool
    that you haven’t made
  • 28:51 - 28:55
    easy for us to backdoor. So
    it’s your responsibility to fix it
  • 28:55 - 28:59
    so that we can use the privileges
    and rights given us by Congress
  • 28:59 - 29:04
    on surveilling everybody. And
    you are taking advantage
  • 29:04 - 29:07
    of the situation that we’ve given you
    in America where you’ve got good
  • 29:07 - 29:11
    freedom of speech and you got other
    freedoms etc. You’re stealing
  • 29:11 - 29:15
    from the country. You’re cheating on the
    process by not giving us the backdoor
  • 29:15 - 29:19
    that Congress said we should have”. And
    then I said: “Actually we’re a non-profit.
  • 29:19 - 29:23
    We work for the public good”. And then
    the conversation basically ended.
  • 29:23 - 29:33
    She had no further thing to say.
    applause
  • 29:33 - 29:36
    So part of what we need to do is continue
    to make tools that are actually safe
  • 29:36 - 29:42
    as tools. Rather than a lot of the other
    systems out there. On the other hand,
  • 29:42 - 29:45
    every funder we’ve talked to
    lately has interesting priorities:
  • 29:45 - 29:49
    they wanna pay for censorship-resistance,
    they wanna pay for outreach, education,
  • 29:49 - 29:53
    training etc. We don’t have any
    funders right now who want to pay
  • 29:53 - 29:57
    for better anonymity. And it’s really
    important for some of the people
  • 29:57 - 30:01
    we heard about in the last talk that
    they have really good anonymity
  • 30:01 - 30:04
    against really large adversaries.
    And I’m not just talking about
  • 30:04 - 30:08
    American Intelligence Agencies. There
    are a lot of Intelligence Agencies
  • 30:08 - 30:13
    around the world who are trying
    to learn how to surveil everything.
  • 30:13 - 30:16
    So what should Tor’s role be here?
  • 30:16 - 30:20
    There are a lot of people in the Tor
    development community who say:
  • 30:20 - 30:23
    “What we really need to do is
    focus on writing good code,
  • 30:23 - 30:27
    and we’ll let the rest of the world
    take care of itself.” There is also
  • 30:27 - 30:30
    a trade-off from some of the
    funders we have right now.
  • 30:30 - 30:33
    Where I could go up and I could say
  • 30:33 - 30:37
    a lot of really outrageous
    things that I agree with
  • 30:37 - 30:41
    and that you agree with. But some
    of our funders might wonder
  • 30:41 - 30:45
    if they should keep funding us after
    that. So part of what we need to do
  • 30:45 - 30:49
    is get some funders who are more
    comfortable with the messages
  • 30:49 - 30:54
    that everybody here would like the
    world to hear. So if you know anybody
  • 30:54 - 30:59
    who wants to help provide actual
    freedom we’d love to hear from you.
  • 30:59 - 31:03
    Jacob: And it’s important to understand
    that we sort of have an interesting place
  • 31:03 - 31:07
    in the world at the moment
    where it’s easy to say
  • 31:07 - 31:12
    that we shouldn’t be political. And that
    in general, there shouldn’t be politics
  • 31:12 - 31:15
    in what we’re doing. And
    it’s also easy to understand
  • 31:15 - 31:19
    that that’s crazy when someone
    says that to an extent. Because
  • 31:19 - 31:23
    the idea of having free speech, having
    the right to read, having the ability
  • 31:23 - 31:28
    to reach a website that is beyond
    of the power of the state
  • 31:28 - 31:32
    – that is a very political thing for
    many people. And it is often the privilege
  • 31:32 - 31:35
    of some, where they don’t even
    realize that’s a political statement.
  • 31:35 - 31:38
    applause
    And they suggest…
  • 31:38 - 31:42
    and that they suggest that we don’t need
    to be political. We need to recognize the
  • 31:42 - 31:46
    political context that we exist in. And
    especially after the summer of Snowden,
  • 31:46 - 31:50
    understanding that there
    are almost no tools
  • 31:50 - 31:54
    that can resist the NSA
    and GCHQ. Almost none.
  • 31:54 - 31:57
    We did not survive completely
    in the summer of Snowden.
  • 31:57 - 32:02
    They were able to get some Tor users.
    But they couldn’t get all Tor users!
  • 32:02 - 32:05
    That’s really important. We change
    the economic game for them.
  • 32:05 - 32:09
    And that, fundamentally,
    is a political issue!
  • 32:09 - 32:18
    applause
  • 32:18 - 32:22
    But please note that the solution
    is not a Partisan solution.
  • 32:22 - 32:26
    Where we say: well, some people
    are good and some are bad.
  • 32:26 - 32:29
    You guys over there, on the left
    or on the right, you don’t deserve
  • 32:29 - 32:33
    to have freedom of speech. You
    don’t have the right to read.
  • 32:33 - 32:36
    We aren’t saying that. We’re saying that
    the common good of everyone having
  • 32:36 - 32:40
    these fundamental rights
    protected in a practical way
  • 32:40 - 32:43
    is an important thing for us to build
    and for all of us to contribute to,
  • 32:43 - 32:47
    and for every person to
    have. That is, I think,
  • 32:47 - 32:50
    the best kind of political solution
    we can come up with.
  • 32:50 - 32:54
    Though it is a very controversial
    one in some ways. I think that
  • 32:54 - 32:58
    we can’t actually do it unless everyone
    really starts to agree with us.
  • 32:58 - 33:02
    And we are making a lot of positive change
    in this. As we saw with the network graph.
  • 33:02 - 33:06
    But this comes from
    Mutual Aid and Solidarity.
  • 33:06 - 33:09
    Which most of the people
    in this room provide.
  • 33:09 - 33:13
    Roger: And that diversity of
    users is actually technically
  • 33:13 - 33:16
    what makes Tor safe. You need to have
  • 33:16 - 33:21
    activists in various countries,
    and folks in Russia right now,
  • 33:21 - 33:24
    and law enforcement around the
    world. You need to have them all
  • 33:24 - 33:28
    in the same network. Otherwise
    if I see that you’re using Tor,
  • 33:28 - 33:31
    I can start guessing why you’re using
    Tor. So we need that diversity
  • 33:31 - 33:35
    of users. Not just for
    a perception perspective
  • 33:35 - 33:39
    but for an actual technical perspective.
    We need to have all the different
  • 33:39 - 33:42
    types of users out there blending
    into the same system
  • 33:42 - 33:47
    so that they can keep each other
    safe. So part of the hobbies
  • 33:47 - 33:50
    that each Tor person has,
    we’re all getting better
  • 33:50 - 33:54
    at outreach to various communities.
    So, I mentioned earlier
  • 33:54 - 33:58
    that I talked to law enforcement to try
    to teach them how these things work.
  • 33:58 - 34:01
    Turns out that having Jake talk to
    law enforcement is not actually
  • 34:01 - 34:03
    the most effective way to
    convince them of things
  • 34:03 - 34:04
    laughter
    so…
  • 34:04 - 34:08
    Jacob: I’m, I’m, I’m, eh, you know, my
    lawyer gave me some great advice
  • 34:08 - 34:11
    which I can tell you without breaking the
    privilege of our other communications.
  • 34:11 - 34:14
    Which he says: “never miss the
    chance to shut the fuck up!”
  • 34:14 - 34:17
    laughter
    And that I think really really underscores
  • 34:17 - 34:20
    why I should not talk to the Police
    about why they also need
  • 34:20 - 34:24
    traffic analysis resistance, reachability,
    network security, privacy and anonymity.
  • 34:24 - 34:27
    Roger’s much much more diplomatic.
  • 34:27 - 34:31
    Roger: So at the same time we have
    people talking to domestic violence
  • 34:31 - 34:35
    and abuse groups and teaching them
    how to be safe. And at the same time
  • 34:35 - 34:38
    we have folks at corporations
    learning how to be safe online.
  • 34:38 - 34:42
    We hear from large companies
    who are saying: “I want to
  • 34:42 - 34:47
    put the entire corporate
    traffic over Tor
  • 34:47 - 34:50
    because we actually do have adversaries
    and they actually are spying on us
  • 34:50 - 34:54
    and they do want to learn what we’re
    doing. So how do we become safe
  • 34:54 - 34:57
    from these situations?” So part of
    what we need is help from all of you
  • 34:57 - 35:01
    to become outreach for all of your
    communities. And get better
  • 35:01 - 35:04
    at teaching people about why privacy
    is important for the communities
  • 35:04 - 35:09
    that you’re talking to and learn how to
    use their language and convince them
  • 35:09 - 35:11
    that these things are important.
    And at the same time teach them
  • 35:11 - 35:15
    about the other groups out there who
    care. So that they can understand
  • 35:15 - 35:21
    that it’s a bigger issue than just
    whatever they’re most focused on.
  • 35:21 - 35:26
    Okay, so, a while ago I wrote up
    a list of 3 ways to destroy Tor.
  • 35:26 - 35:29
    The first way – we have
    a handle on it for a while.
  • 35:29 - 35:34
    The first way is: change the laws
    or the policies or the cultures
  • 35:34 - 35:37
    so that anonymity is outlawed.
    And we’re pretty good
  • 35:37 - 35:41
    at fighting back in governments
    and policy and culture etc.
  • 35:41 - 35:45
    and saying: “No, there are good uses of
    these things, you can’t take them away
  • 35:45 - 35:50
    from the world”. The second way:
    Make ISPs hate hosting exit relays.
  • 35:50 - 35:54
    And if more and more ISPs say:
    “No, I’m not gonna do that”
  • 35:54 - 35:57
    then eventually the Tor Network
    shrinks reducing the anonymity
  • 35:57 - 36:01
    it can provide because there’s not as
    much diversity of where you might
  • 36:01 - 36:04
    pop out of the Tor Network to go to
    the websites. So I think we’re doing
  • 36:04 - 36:08
    pretty well fighting that fight.
    We’ve known about it for a while.
  • 36:08 - 36:11
    It’s one we’ve been focusing on
    for a long time. Torservers.net
  • 36:11 - 36:15
    and a lot of other groups are doing great
    work at building and maintaining
  • 36:15 - 36:19
    relationships with ISPs. But the third
    one is one that we haven’t focused on
  • 36:19 - 36:23
    as much as we should. Which is:
    make websites hate Tor users.
  • 36:23 - 36:27
    So a growing number of
    places are just refusing
  • 36:27 - 36:31
    to hear from Tor users
    at all. Wikipedia did it
  • 36:31 - 36:34
    a long time ago. Google gives
    you a captcha if you’re lucky…
  • 36:34 - 36:38
    Jacob: That’s the best question, ever!
    If you like, that’s a good setup!
  • 36:38 - 36:43
    Roger: I’ll cover this one next. So,
  • 36:43 - 36:47
    Skype is another interesting example
    here. If you run a Tor exit relay
  • 36:47 - 36:50
    and you try to skype with somebody
    Microsoft hangs up on you.
  • 36:50 - 36:53
    And the reason for that is not that
    they say: “Oh my god, Tor people
  • 36:53 - 36:58
    are abusing Skype!” – Microsoft pays
    some commercial company out there
  • 36:58 - 37:01
    to give them a blacklist, they don’t even
    know what’s on it, and the company
  • 37:01 - 37:05
    puts Tor exit IPs on it. And
    now Microsoft blacklists all the
  • 37:05 - 37:08
    Tor exit relays. And they don’t even know
    they’re doing it. They don’t even care.
  • 37:08 - 37:13
    So as more and more of these
    blacklisting companies exist
  • 37:13 - 37:17
    we’re more and more screwed.
    So we need help trying to
  • 37:17 - 37:20
    learn how to teach all of these
    companies how to accept
  • 37:20 - 37:25
    users without thinking that IP addresses
    are the right way to identify people.
  • 37:25 - 37:29
    Jacob: There might also be,
    on point 3, a relationship here
  • 37:29 - 37:32
    with some of the other
    points here. E.g. point 4.
  • 37:32 - 37:36
    Which is to say that when
    a company does not want to
  • 37:36 - 37:40
    give you location anonymity
    maybe there’s a reason for that.
  • 37:40 - 37:44
    I mean, I personally think that Wikipedia
    is great, I don’t feel so great
  • 37:44 - 37:48
    about yelp and about Google, most of
    the time. And I definitely don’t feel good
  • 37:48 - 37:52
    about Skype. Given what we’ve
    learned it makes sense
  • 37:52 - 37:57
    that they would demonstrate that
    they do not respect you as users.
  • 37:57 - 38:02
    And the Tor Network as a way to
    protect users from them, actually.
  • 38:02 - 38:06
    And some of these places will
    say that it's basically only being
  • 38:06 - 38:10
    used for abuse. Often they won’t have
    metrics for it. And they will refuse
  • 38:10 - 38:14
    to work with us to come up with inventive
    solutions, like e.g. something
  • 38:14 - 38:18
    where you have to use a
    nym system of some kind,
  • 38:18 - 38:22
    in the case of Wikipedia, or something
    where you solve a captcha, something
  • 38:22 - 38:25
    where you have to have an account,
    something where you’re pseudononymous.
  • 38:25 - 38:29
    But you get to retain location privacy.
    And actually, in a few cases,
  • 38:29 - 38:33
    it’s probably better that Tor is blocked
    because they don’t even
  • 38:33 - 38:36
    provide secure logins when you’re not
    using Tor. So it’s not necessarily
  • 38:36 - 38:41
    always a good thing to use the services,
    anyway. So in a sort of funny sense
  • 38:41 - 38:44
    it could be helpful that they’re blocking
    Tor. But we would like to improve
  • 38:44 - 38:48
    those things. And one thing is
    to show that we need to build
  • 38:48 - 38:52
    some systems to get these properties. And
    we need to show that it is the best thing
  • 38:52 - 38:57
    right now that we all can use. And
    we need people that are working
  • 38:57 - 39:00
    with these companies, with these
    communities, to actually help us
  • 39:00 - 39:05
    to understand how we can
    better serve Tor community,
  • 39:05 - 39:09
    but also the Tor community that
    overlaps with their community.
  • 39:09 - 39:13
    Especially Wikipedia. For me personally,
    it kills me that the way that I get
  • 39:13 - 39:16
    to edit the Wikipedia, should I edit
    it, is that I have to send an email
  • 39:16 - 39:20
    to someone, tell them an account I already
    have, ask them to set a special flag
  • 39:20 - 39:25
    in the Wikipedia database,
    and then I can log in and edit.
  • 39:25 - 39:29
    That’s not really the ideal solution,
    I think. If I’m not being abusive
  • 39:29 - 39:33
    on Wikipedia I should be able to
    have a pseudononymous way to edit.
  • 39:33 - 39:35
    I should be able to anonymously connect.
    And I should be able to do that
  • 39:35 - 39:38
    from anywhere in the world, especially
    when the local network is censoring me
  • 39:38 - 39:43
    and my only way to get to the
    Wikipedia is to, in fact, use Tor
  • 39:43 - 39:53
    or something like it.
    applause
  • 39:53 - 39:57
    So, the last point on that is this one:
    I obviously joked the church man (?)
  • 39:57 - 40:02
    Roger: Yeah, so I was showing this to an
    anonymity researcher and he started
  • 40:02 - 40:06
    yelling: “IPO, IPO, IPO, IPO…” as
    soon as he saw this graph of Tor users
  • 40:06 - 40:11
    over time. So in the course of a week
    or so we added about 4 or 5 million
  • 40:11 - 40:15
    Tor clients to the network.
    And you’d think: “Oh wow,
  • 40:15 - 40:19
    this Snowden thing worked,
    it’s great!” But actually,
  • 40:19 - 40:24
    some jerk in the Ukraine signed
    up his 5 million node botnet.
  • 40:24 - 40:27
    Jacob: I mean, one of the good things
    about this is that we learned that
  • 40:27 - 40:31
    the Tor Network scales to
    more than 5 million users.
  • 40:31 - 40:34
    Roger: We’ve been working on
    scalability: it works!
  • 40:34 - 40:37
    applause
  • 40:37 - 40:42
    Jacob: We had to make some changes.
    There’s e.g. the NTor handshaking
  • 40:42 - 40:46
    which is using elliptic curves. That is
    something which really helps to reduce
  • 40:46 - 40:52
    the load on the relays. This is a pretty
    big change. But there’s a lot of work
  • 40:52 - 40:55
    that Mike Perry has done with load
    balancing, lots of work by Nick Mathewson.
  • 40:55 - 40:59
    Lots of changes in the Tor Network
    for scalability. But if this had been
  • 40:59 - 41:02
    like a real attacker, or if the botnet had
    been turned against the Tor Network,
  • 41:02 - 41:06
    it probably would have been fatal,
    I think. A really interesting detail is
  • 41:06 - 41:10
    that this was a botnet for Windows.
    And Microsoft has the ability to remove
  • 41:10 - 41:14
    things that they flag as malicious.
    And so they were going around
  • 41:14 - 41:18
    and removing Tor clients from
    Microsoft Windows users
  • 41:18 - 41:22
    that were part of this botnet. Now when we
    talked to them, my understanding is that
  • 41:22 - 41:25
    they only removed it when they were
    certain that is was a Tor that came
  • 41:25 - 41:29
    from this botnet. That’s a lot of power
    that Microsoft has there, though!
  • 41:29 - 41:34
    If you’re using Windows, trying to be
    anonymous, with the device. Bad idea.
  • 41:34 - 41:37
    Roger: They actually removed the
    bot and left the Tor client because
  • 41:37 - 41:39
    they weren’t sure whether they
    should remove it. So actually
  • 41:39 - 41:43
    all those 5 millions are
    still running Tor clients.
  • 41:43 - 41:48
    Jacob: Whhoops! So, interesting
    point here, summer of Snowden.
  • 41:48 - 41:52
    It’s hard to tell. There’s
    some piece of information
  • 41:52 - 41:55
    that we’re really missing here. Due to
    the botnet happening at the same time
  • 41:55 - 42:00
    it’s really difficult to understand the
    public response to the revelations
  • 42:00 - 42:03
    about NSA and spying.
    Especially now. I mean:
  • 42:03 - 42:07
    we think that most of that is
    botnet traffic. Over a million.
  • 42:07 - 42:11
    Over a million, where it goes
    up. Over almost a 6 million.
  • 42:11 - 42:15
    So that’s a serious amount
    of traffic, from that botnet.
  • 42:15 - 42:19
    And that is a really serious threat to
    the Tor Network. It can be (?)
  • 42:19 - 42:22
    a couple of different ways. One of
    these things, I mentioned before,
  • 42:22 - 42:26
    NTor handshake. But another thing
    is: if every person in this room
  • 42:26 - 42:29
    were to run a Tor relay, even
    a middle relay not an exit relay,
  • 42:29 - 42:33
    it would make it significantly harder to
    melt the Tor Network.
  • 42:33 - 42:34
    I actually think
  • 42:34 - 42:35
    that would be incredible if you guys
    would all do that.
  • 42:35 - 42:36
    I don’t think that
    all of you will.
  • 42:36 - 42:39
    But if you did that would
    make it so that we could survive
  • 42:39 - 42:42
    other events like this in the future.
  • 42:42 - 42:50
    applause
  • 42:50 - 42:53
    So someone sent a question which we’re
    just gonna go ahead and answer now.
  • 42:53 - 42:57
    “When talking of funding for better
    anonymity, what do you think,
  • 42:57 - 42:59
    in terms of money,
    how much could you need?”
  • 42:59 - 43:02
    Well here’s a thing:
  • 43:02 - 43:03
    if you were willing to fund us
    we would really like you.
  • 43:03 - 43:05
    Or I would really like it
  • 43:05 - 43:08
    especially, since I’m probably the one
    that threatens the US Government funding
  • 43:08 - 43:12
    of Tor, more than any person in this room.
  • 43:12 - 43:15
    I think that it would be great if you
    could match the Dollar-to-Dollar
  • 43:15 - 43:18
    that Government funders
    bring to the table.
  • 43:18 - 43:19
    We would really like that.
  • 43:19 - 43:22
    It would be amazing if that was possible.
  • 43:22 - 43:23
    So there’s actually a hard number
  • 43:23 - 43:24
    on the website.
  • 43:24 - 43:27
    Or if you wanted to
    – as much money as you have.
  • 43:27 - 43:28
    laughter
    Feel free!
  • 43:28 - 43:29
    Either way –
  • 43:29 - 43:33
    Roger: To give you a sense of
    scale: right now our 2014 budget
  • 43:33 - 43:37
    is looking like it will be somewhere
    between 2 Mio US and 3 Mio US,
  • 43:37 - 43:41
    which is great except we’re trying to
    do so many different things at once.
  • 43:41 - 43:45
    If it ends up on the 2 Mio US side
    we basically have no funding
  • 43:45 - 43:47
    for making anonymity better.
  • 43:47 - 43:49
    If it ends up
    more than that then
  • 43:49 - 43:52
    we’re in better shape and
    we can make people more safe.
  • 43:52 - 43:55
    Jacob: And part of the thing is that we
    have to build all sorts of tools that are
  • 43:55 - 43:57
    not directly related to Tor.
  • 43:57 - 43:58
    In many cases.
  • 43:58 - 44:00
    Especially because of the funding.
  • 44:00 - 44:03
    But because we want users to be
    able to actually use the software
  • 44:03 - 44:04
    with something else.
  • 44:04 - 44:06
    It’s not nearly
    enough to have a Tor.
  • 44:06 - 44:07
    You need to be able
  • 44:07 - 44:08
    to do something with the Tor.
  • 44:08 - 44:09
    You know?
  • 44:09 - 44:11
    And that’s a really difficult part.
  • 44:11 - 44:15
    But if there’s specific things we would
    also be open to alternate funding models
  • 44:15 - 44:19
    where we fund very specific tasks e.g.
    that would be a really great thing.
  • 44:19 - 44:21
    We haven’t really
    experimented with that.
  • 44:21 - 44:24
    But on that note I wanted to talk
    about classified information.
  • 44:24 - 44:27
    Everybody ready?
    It’s not classified any more,
  • 44:27 - 44:31
    it’s on the internet?
    I’m not sure. So,
  • 44:31 - 44:34
    this is probably the hot topic
    I would say.
  • 44:34 - 44:36
    Probably the one
    everyone wanted to know about.
  • 44:36 - 44:38
    So the NSA and GCHQ
  • 44:38 - 44:42
    have decided that they
    don’t like anonymity,
  • 44:42 - 44:45
    and they’re doing everything that
    they possibly can to attack it.
  • 44:45 - 44:47
    With a few exceptions.
  • 44:47 - 44:49
    So there’re
    a few different programs
  • 44:49 - 44:51
    – I’m gonna talk a lot about this
    on Monday. So I don’t wanna go
  • 44:51 - 44:55
    into too much detail about the
    non-Tor aspects of it. But
  • 44:55 - 45:01
    for the Tor side of it – Quick Ant is
    what’s called a question-filled data set.
  • 45:01 - 45:03
    This is a QFD.
  • 45:03 - 45:06
    What that means is it’s TLS related
    sessions, as I understand it.
  • 45:06 - 45:12
    And it is recording data, i.e.
    Data Retention about TLS sessions.
  • 45:12 - 45:15
    It’s pulled from a larger thing –
    Flying Pig.
  • 45:15 - 45:18
    Which was revealed on I think,
    a Brazilian Television clip, or someone
  • 45:18 - 45:22
    photographed a moving
    picture of Glenn’s screen.
  • 45:22 - 45:26
    That program is kind of scary.
    But not too scary.
  • 45:26 - 45:29
    Just looks like after the fact (?) Data
    Retention.
  • 45:29 - 45:30
    Quantum Insert
  • 45:30 - 45:35
    on the other hand is a pretty
    straightforward man-on-the-side-attack.
  • 45:35 - 45:38
    Foxacid, which is another thing which
    we know that’s used against Tor users,
  • 45:38 - 45:42
    is basically just the ‘Tailored Access
    and Operations’ web server farm
  • 45:42 - 45:43
    where they serve out malware.
  • 45:43 - 45:46
    Sort of like a watering hole attack.
    Except
  • 45:46 - 45:48
    in this case they also combine it with
    Quantum Insert.
  • 45:48 - 45:49
    So that when you visit
  • 45:49 - 45:54
    your Yahoo mail
    – NSA and GCHQ love Yahoo –
  • 45:54 - 45:58
    even when you use Tor
    they basically redirect you
  • 45:58 - 46:01
    by just tagging a little bit of data
    into the TCP connection. And
  • 46:01 - 46:04
    of course Tor does its job, it flows all
    the way back to you.
  • 46:04 - 46:05
    Your web browser
    then loads it.
  • 46:05 - 46:06
    You’re now connected to
    their server.
  • 46:06 - 46:09
    Their server delivers
    malicious code.
  • 46:09 - 46:12
    And the use it
    is to pop somebody.
  • 46:12 - 46:17
    From what I understand it took
    them 8 months to hit one guy.
  • 46:17 - 46:22
    That’s fucking great, I think, that
    we went from ‘everybody all the time
  • 46:22 - 46:24
    applause
    being compromisable’ to ‘they have to
  • 46:24 - 46:29
    very carefully pick one person
    and work for a long time’.
  • 46:29 - 46:31
    They really believe that
    that’s the right target.
  • 46:31 - 46:32
    They really understand that
  • 46:32 - 46:36
    that is someone that they
    want to go after. And
  • 46:36 - 46:39
    if that person were to keep their browser
    up-to-date they probably would have been
  • 46:39 - 46:41
    ahead of the game.
    Not exactly sure.
  • 46:41 - 46:43
    But there are some other things
    that are really dangerous.
  • 46:43 - 46:46
    Which is
    Quantum Cookie, e.g. Quantum Cookie
  • 46:46 - 46:49
    is a program where basically
    they’re able to elicit
  • 46:49 - 46:53
    from a connection other connections
    from your web browser
  • 46:53 - 46:56
    which will get you to
    leak cookie information.
  • 46:56 - 46:58
    So let’s say you happen to
    log-in to a Yahoo account.
  • 46:58 - 47:01
    And that was a known
    selector for surveillance.
  • 47:01 - 47:04
    And then they thought you might also have
    a Gmail cookie that wasn’t marked secure
  • 47:04 - 47:08
    and you might also have another
    search engine; or you might have
  • 47:08 - 47:09
    some other cookies.
  • 47:09 - 47:11
    Then they would
    basically insert things that your browser
  • 47:11 - 47:15
    will then request insecurely over the same
    connection, to (?) tie them together,
  • 47:15 - 47:16
    correlate that.
  • 47:16 - 47:18
    And then they will extract
    it and they’ll be able to tell that
  • 47:18 - 47:20
    this selector is linked to
    these other selectors.
  • 47:20 - 47:22
    ’Cause they basically been able
    to actively probe.
  • 47:22 - 47:26
    A solution to that is
    ‘Https Everywhere’ which we already ship
  • 47:26 - 47:29
    in the Tor Browser Bundle
    but also to be aware about
  • 47:29 - 47:33
    session isolation to maybe
    even if you’re using things
  • 47:33 - 47:37
    where you’re trying to it as securely as
    possible – not every site will offer TLS
  • 47:37 - 47:41
    to actually make sure that the
    Tor browser only has the exact
  • 47:41 - 47:44
    set of credentials you need for the thing
    you’re doing at that time.
  • 47:44 - 47:46
    So that’s
  • 47:46 - 47:48
    incredibly straight-forward stuff.
  • 47:48 - 47:50
    In terms of the hacker
    community this is like
  • 47:50 - 47:52
    not even really interesting, actually.
  • 47:52 - 47:54
    The thing that makes it interesting is
  • 47:54 - 47:56
    that they do it at internet scale.
  • 47:56 - 47:57
    And that they’re trying to watch
  • 47:57 - 48:00
    the entire internet all the time.
  • 48:00 - 48:01
    Another interesting fact about this is
  • 48:01 - 48:05
    that you would imagine that not
    routing through Five Eyes countries
  • 48:05 - 48:06
    would make you safer in some way.
  • 48:06 - 48:09
    I don’t think that’s actually true.
  • 48:09 - 48:12
    From what I can tell they actually
    have some restrictions, if you route
  • 48:12 - 48:14
    through the Five Eyes countries.
  • 48:14 - 48:16
    And if you are not in
    a Five Eyes country,
  • 48:16 - 48:20
    like Germany, they have no restrictions.
  • 48:20 - 48:24
    So if you behave differently we know
    from an anonymity perspective
  • 48:24 - 48:26
    that that’s worse for you.
  • 48:26 - 48:28
    And if you behave differently
    in this particular way
  • 48:28 - 48:32
    then there are legal answers that
    show that you shouldn’t break out
  • 48:32 - 48:36
    from the regular way that Tor
    users and Tor clients behave.
  • 48:36 - 48:39
    But the key point to take home is
    that every single person here
  • 48:39 - 48:44
    has the same set of problems
    if they’re not using Tor.
  • 48:44 - 48:46
    And it is easier for them.
  • 48:46 - 48:48
    So that’s a huge,
    huge difference.
  • 48:48 - 48:53
    And the last point, I think is a key one
    which Roger has a great story for.
  • 48:53 - 48:57
    Roger: Yeah, so they… the story
    here is they look at Tor traffic
  • 48:57 - 48:59
    coming out of Tor exit relays.
  • 48:59 - 49:01
    They don’t know who the person is.
    And they have
  • 49:01 - 49:04
    to make a decision there: do I try the
    Quantum Insert and the Foxacid,
  • 49:04 - 49:07
    do I try to break into their browser?
    Or do I leave them alone.
  • 49:07 - 49:10
    And when they see the Tor flow
    they don’t know who it is.
  • 49:10 - 49:12
    So on the one hand, that’s great.
  • 49:12 - 49:14
    They can’t do target attacks.
  • 49:14 - 49:15
    They have to do broad
    attacks and then
  • 49:15 - 49:19
    check/wait (?) later to see whether
    they broke into the right person.
  • 49:19 - 49:23
    But as soon as the Guardian
    articles went up about this,
  • 49:23 - 49:27
    DNI – the something National Intelligence
    – put out a press release, saying:
  • 49:27 - 49:32
    “We’d like to assure everybody
    that we never attack Americans”.
  • 49:32 - 49:36
    Jacob: So first of all – on behalf of
    the American people and the US Government
  • 49:36 - 49:40
    which I do not represent:
    I’m so sorry that
  • 49:40 - 49:44
    my country keeps embarrassing the rest
    of the reasonable Americans, of which
  • 49:44 - 49:48
    there are plenty, many of us that are not
    James Clapper, that total fucking asshole.
  • 49:48 - 49:55
    applause
  • 49:55 - 49:56
    to Roger:
    We have 5 minutes.
  • 49:56 - 49:57
    applause
  • 49:57 - 50:02
    Roger: So the reason why that story is
    particularly interesting is that: I talked
  • 50:02 - 50:05
    to an actual NSA person a couple of weeks
    ago… and I’m like: “Wait, you never attack
  • 50:05 - 50:09
    Americans but you have to blank-and-attack
    everybody and then find out who it was”.
  • 50:09 - 50:13
    And he said: “Oh no no no no, we watch
    them log into Facebook and if they log in
  • 50:13 - 50:15
    as the user we’re trying to attack
    then we attack them.
  • 50:15 - 50:16
    No problem.”
  • 50:16 - 50:19
    Jacob: And they do the blanket
    dragnet surveillance. So,
  • 50:19 - 50:22
    an interesting point of course is that we
    always heard…
  • 50:22 - 50:24
    I once met someone
  • 50:24 - 50:26
    who explained to me: “The NSA obviously
    runs lots of Tor nodes like they were
  • 50:26 - 50:29
    like 90.000 Tor nodes”,
    I think was the number.
  • 50:29 - 50:32
    I wish we had 90.000 Tor nodes.
    That’d be incredible.
  • 50:32 - 50:35
    You know
    we’re like, what, at about 4..5000
  • 50:35 - 50:38
    at any given point in time, that are
    stable, of which are 1/3 are exit relays.
  • 50:38 - 50:39
    Right.
  • 50:39 - 50:43
    So it turns out when the NSA did
    run some, they ran half a dozen.. a dozen?
  • 50:43 - 50:45
    Roger: They ran about 10.
  • 50:45 - 50:46
    And they
    were small.
  • 50:46 - 50:47
    And short-lived.
  • 50:47 - 50:49
    On EC2.
  • 50:49 - 50:51
    But that should not
    make you happy.
  • 50:51 - 50:52
    It doesn’t matter
  • 50:52 - 50:55
    whether the NSA runs Tor relays.
  • 50:55 - 50:58
    They can watch your Tor relays.
  • 50:58 - 51:01
    If you run a Tor relay at a
    great place anywhere in the US
  • 51:01 - 51:06
    or Germany or wherever they’re good
    at spying on they watch the upstream
  • 51:06 - 51:09
    of your relay and they get almost
    what they would get from running
  • 51:09 - 51:10
    their own relay.
  • 51:10 - 51:12
    So what we should be
    worried about – we should not be worried
  • 51:12 - 51:14
    that they’re running relays.
  • 51:14 - 51:17
    It’s a concern, but the
    bigger concern is
  • 51:17 - 51:18
    that they’re watching the whole internet.
  • 51:18 - 51:21
    And the internet is much more centralized
  • 51:21 - 51:22
    than we think it is.
  • 51:22 - 51:24
    There are a lot more
    bottle-necks where if you watch them
  • 51:24 - 51:27
    you get to see a lot of
    different Tor traffic.
  • 51:27 - 51:30
    So the problem is not so much
  • 51:30 - 51:33
    “Are they running relays?” as “How
    many normal relays can they watch?”
  • 51:33 - 51:37
    And if you’re thinking about a large
    adversary like NSA: the answer could be:
  • 51:37 - 51:40
    “A third?”, “Half?”.
  • 51:40 - 51:42
    We don’t know
    how many deals they have.
  • 51:42 - 51:47
    Jacob: So, an interesting point here is
    that one-hop-proxies are… or VPN
  • 51:47 - 51:50
    – who here uses a VPN to some
    kind of commercial VPN service?
  • 51:50 - 51:52
    about 1/4 raised hands
    Right.
  • 51:52 - 51:55
    So this is a pretty big problem,
  • 51:55 - 51:56
    I think.
  • 51:56 - 51:58
    Which is that you end up with the
    hide-my-ass problem.
  • 51:58 - 51:59
    Which is that –
  • 51:59 - 52:01
    first of all that company, it’s a problem.
  • 52:01 - 52:02
    Second of all, what they do to their users
  • 52:02 - 52:03
    is also a problem.
  • 52:03 - 52:05
    Which is that they
    basically promote their service
  • 52:05 - 52:09
    for revolution in Egypt, e.g. but when
    someone used it because they disagreed
  • 52:09 - 52:13
    with the policies of the UK then
    they turned them over.
  • 52:13 - 52:14
    Interesting point.
  • 52:14 - 52:18
    We need to build decentralized systems
    where they can’t make that choice.
  • 52:18 - 52:21
    We need to make sure that that
    isn’t actually happening.
  • 52:21 - 52:22
    And one of the things
  • 52:22 - 52:26
    that we’re trying to drive home is
    that – and I really think it’s important
  • 52:26 - 52:30
    to take this to heart –
    one-hop-proxies or VPNs,
  • 52:30 - 52:34
    as we have said for more that a
    decade, are not safe. Especially
  • 52:34 - 52:38
    if you think about when they from the
    QuickANT and from the Flying Pig software,
  • 52:38 - 52:41
    they’re recording traffic
    information about connections.
  • 52:41 - 52:42
    And in some cases
  • 52:42 - 52:45
    we know – thanks to Laura Poitras
    and James Risen – that they have
  • 52:45 - 52:48
    Data Retention which is something
    like – what is it, 10..15 years,
  • 52:48 - 52:51
    5 years online, 10 years
    offline, is that right?
  • 52:51 - 52:54
    Right. Okay.
    That’s bad news.
  • 52:54 - 52:59
    We know that the math
    for VPNs is not in your favor.
  • 52:59 - 53:03
    So that said: What
    happens with this stuff?
  • 53:03 - 53:04
    Right?
  • 53:04 - 53:08
    What happens is what happened
    e.g. with the Silk Road fellow.
  • 53:08 - 53:10
    Or maybe not.
    It’s not clear.
  • 53:10 - 53:12
    It could be that the guy used a VPN.
  • 53:12 - 53:15
    Which is braindead.
    But it could also be that
  • 53:15 - 53:19
    the NSA has this data and tried
    to pull off a retractive attack
  • 53:19 - 53:24
    once they already had him from
    other things like auguring fake IDs.
  • 53:24 - 53:26
    We don’t know which in the case
    of Silk Road.
  • 53:26 - 53:27
    But we can tell you
  • 53:27 - 53:31
    that it’s pretty clearly a bad
    idea to do it if you’re going to
  • 53:31 - 53:32
    do something interesting.
  • 53:32 - 53:35
    It’s probably also a bad
    idea to do it just generally
  • 53:35 - 53:39
    because you don’t even know what
    ’interesting’ is in 5 or 10 years. So
  • 53:39 - 53:43
    parallel construction is a really
    serious problem, and we think,
  • 53:43 - 53:46
    probably, if we could expand the
    Tor Network, we would make it
  • 53:46 - 53:48
    significantly harder to do this.
  • 53:48 - 53:49
    It would
    make it significantly harder for them
  • 53:49 - 53:52
    to do it, especially if you replace your
    VPN with Tor.
  • 53:52 - 53:53
    There are some trade-offs
  • 53:53 - 53:54
    with that, though.
  • 53:54 - 53:56
    So the real question is
    what your threat model is.
  • 53:56 - 53:57
    And you really
    have to think about it.
  • 53:57 - 53:59
    And then also understand
    that we live in a world now
  • 53:59 - 54:03
    where Law Enforcement and
    Intelligence Services, they seem to be
  • 54:03 - 54:05
    blending together.
  • 54:05 - 54:07
    And they seem to be blending
    together across the whole planet
  • 54:07 - 54:08
    in secret.
  • 54:08 - 54:10
    Which is a serious problem
    for the threat model of Tor.
  • 54:10 - 54:13
    Roger: So I actually talked to
    some FBI people and I said:
  • 54:13 - 54:15
    So which one of these is it?
  • 54:15 - 54:18
    And they said: Well, we
    never get tips from the NSA.
  • 54:18 - 54:21
    We’re good, honest Law enforcement,
    they’re doing something bad,
  • 54:21 - 54:23
    but why should that affect us?
  • 54:23 - 54:26
    And my response was: “Well,
    NSA says they told you!
  • 54:26 - 54:30
    So, are you lying
    to me or are they lying to you?
  • 54:30 - 54:31
    Or what’s going on here?”
  • 54:31 - 54:34
    And I don’t actually
    know the right solution here.
  • 54:34 - 54:39
    So scenario 1: The NSA
    anonymously tips the FBI
  • 54:39 - 54:41
    and they go check something out and
    they say: “Well I need to build a case
  • 54:41 - 54:42
    that they do”.
  • 54:42 - 54:45
    Scenario 2: Some anonymous
    whistleblower tips off the FBI
  • 54:45 - 54:46
    and they go build a case.
  • 54:46 - 54:48
    From the FBI’s perspective
    these are the same:
  • 54:48 - 54:50
    “I got a tip, I build a case.
  • 54:50 - 54:52
    Why should I care where
    it came from?” And
  • 54:52 - 54:56
    so should we build a Know-your-customer
    Law so that the FBI has to know
  • 54:56 - 54:59
    their informers or whistleblowers?
  • 54:59 - 55:01
    Should we rely on the NSA
  • 55:01 - 55:02
    to regulate itself?
  • 55:02 - 55:05
    Should we rely
    on the Congress to regulate NSA?
  • 55:05 - 55:07
    None of these are good answers.
  • 55:07 - 55:09
    Jacob: So, we have a very
    limited amount of time.
  • 55:09 - 55:10
    And in order to be able
  • 55:10 - 55:14
    to address some questions we
    will probably skip a few things
  • 55:14 - 55:16
    and we’ll put these slides
    online.
  • 55:16 - 55:18
    But short/quick
  • 55:18 - 55:21
    summaries for a few of these slides, then
    we’re gonna address some questions.
  • 55:21 - 55:23
    One of them is that we want to improve
    Hidden Services.
  • 55:23 - 55:24
    Even though they
  • 55:24 - 55:26
    haven’t been broken as far as we
    understand from any of the documents
  • 55:26 - 55:28
    that have been released.
  • 55:28 - 55:29
    We still
    want to make them stronger,
  • 55:29 - 55:31
    because we wanna be ahead of the game.
  • 55:31 - 55:32
    We don’t want to play Catch-Up.
  • 55:32 - 55:35
    Roger: We especially need to improve
    the usability and performance of them.
  • 55:35 - 55:39
    Because right now they’re a toy
    that only really dedicated people
  • 55:39 - 55:40
    get working.
  • 55:40 - 55:43
    And the more
    mainstream we could make them
  • 55:43 - 55:45
    the more broad uses we are going to see.
  • 55:45 - 55:46
    The reason why people keep hearing
  • 55:46 - 55:50
    about high-profile bad Hidden Services
    is that we don’t have enough
  • 55:50 - 55:54
    good use cases in action yet that
    lots of people are experiencing.
  • 55:54 - 55:59
    Jacob: The most important thing for all of
    the – let’s say – Cypherpunks movement
  • 55:59 - 56:02
    to understand is that when
    you have usable crypto
  • 56:02 - 56:04
    you are doing the right thing.
  • 56:04 - 56:06
    When
    you have strong peer-reviewed
  • 56:06 - 56:10
    Free Software to implement that, and
    it’s built on a platform where you can
  • 56:10 - 56:14
    look at the whole stack you’re
    really ahead of the game.
  • 56:14 - 56:15
    There’s a lot to be done in that.
  • 56:15 - 56:18
    And if we do that
    for Hidden Services
  • 56:18 - 56:22
    I think we’ll have similar returns that
    you’ll see with other crypto projects.
  • 56:22 - 56:26
    Roger: So one of the other great things in
    the Tor world is the number of researchers
  • 56:26 - 56:31
    who are doing great work at evaluating
    and improving Tor’s anonymity.
  • 56:31 - 56:35
    So there are a couple of papers that were
    out over the past year talking about
  • 56:35 - 56:39
    how we didn’t actually choose the
    right guard rotation parameters.
  • 56:39 - 56:43
    I’m not going to get into that in detail
    in our last couple of minutes.
  • 56:43 - 56:46
    But the very brief version is:
  • 56:46 - 56:51
    if you can attack both sides of the
    network and they run 10% of the network
  • 56:51 - 56:55
    – they, the adversary run 10% of the
    network – the chance over time,
  • 56:55 - 56:59
    the blue line is the current situation,
    where you choose 3 first hops,
  • 56:59 - 57:02
    3 entry guards and you rotate every
    couple of months – over time
  • 57:02 - 57:06
    the chance that you get screwed by an
    adversary who runs 10% of the network
  • 57:06 - 57:07
    is pretty high.
  • 57:07 - 57:10
    But if we change it
    to 1 guard and you don’t rotate
  • 57:10 - 57:14
    then we’re at the green line which
    is a lot better against an adversary
  • 57:14 - 57:15
    who’s really quite large.
  • 57:15 - 57:18
    This is an adversary
    larger than torservers.net
  • 57:18 - 57:20
    e.g. So A...
  • 57:20 - 57:21
    Jacob: Arts (?) is no adversary, right?
  • 57:21 - 57:27
    Roger: So a pretty large attacker we
    need to move it from the blue line
  • 57:27 - 57:28
    down to the green line.
  • 57:28 - 57:31
    And that’s
    an example of the anonymity work
  • 57:31 - 57:32
    that we need to do.
  • 57:32 - 57:33
    -- So, what’s next?
  • 57:33 - 57:35
    Tor, endorsed by Egyptian activists,
  • 57:35 - 57:40
    Wikileaks, NSA, GCHQ, Chelsea
    Manning, Edward Snowden…
  • 57:40 - 57:43
    Different communities like
    Tor for different reasons.
  • 57:43 - 57:46
    Some of our funders we go to them with
    that sentence – basically everybody
  • 57:46 - 57:47
    we go to with that sentence.
  • 57:47 - 57:50
    It’s like:
    “I like those 3 examples but I don’t like
  • 57:50 - 57:52
    those 2 examples”.
  • 57:52 - 57:56
    So part of what we
    need to do is help them to understand
  • 57:56 - 58:02
    why all of these different
    examples matter.
  • 58:02 - 58:05
    Jacob: That said, I tend to believe
    that we need to be engaged
  • 58:05 - 58:09
    in a pretty big way and thanks
    to the people of Ecuador,
  • 58:09 - 58:13
    especially the people running the Minga-tec
    community events, they have actually
  • 58:13 - 58:17
    put together a real model which
    should be emulated probably
  • 58:17 - 58:21
    by the rest of the world where they really
    engage with civil society, and they’re
  • 58:21 - 58:24
    actually able to arrange for meetings
    with e.g. the Foreign Minister
  • 58:24 - 58:28
    or with various other people involved in
    the National Assembly.
  • 58:28 - 58:29
    And as a result
  • 58:29 - 58:32
    they had Article 474, which they
    proposed, which was basically
  • 58:32 - 58:34
    the worst Data Retention
    Law you can imagine.
  • 58:34 - 58:35
    It included video taping
  • 58:35 - 58:40
    in Internet Cafés, 6 months dragnet
    surveillance, all sorts of awful stuff.
  • 58:40 - 58:43
    And they were able to, in the
    course of, I would say 3..6 months,
  • 58:43 - 58:46
    this is mostly the FLOK Society,
    actually.
  • 58:46 - 58:47
    They were able to organize
  • 58:47 - 58:49
    a real discussion about this.
  • 58:49 - 58:51
    And we
    were able to get this proposed part
  • 58:51 - 58:53
    of the penal code completely removed.
  • 58:53 - 58:55
    At the end of November of last year…
  • 58:55 - 58:57
    early December… of this year.
  • 58:57 - 58:58
    So just about a month ago.
  • 58:58 - 59:02
    So if we really work together
    across the spectrum,
  • 59:02 - 59:06
    we see, right now, in Ecuador
    e.g. changing (?) away
  • 59:06 - 59:09
    by showing them that fundamentally:
    the game is rigged.
  • 59:09 - 59:10
    If you choose
  • 59:10 - 59:13
    to spy on your citizens then the NSA
    always wins.
  • 59:13 - 59:14
    And the NSA wants people
  • 59:14 - 59:16
    to believe that everybody is doing
    the spying.
  • 59:16 - 59:17
    So one of the things
  • 59:17 - 59:21
    I explained to people in the Ecuadorian
    Government and in Ecuadorian civil society
  • 59:21 - 59:23
    is that you can choose a different game.
  • 59:23 - 59:24
    You can choose not to play that game.
  • 59:24 - 59:29
    The only people that win when you
    choose that game are the NSA,
  • 59:29 - 59:31
    and potentially you
    – a few times.
  • 59:31 - 59:32
    But the NSA will get
  • 59:32 - 59:35
    whatever data you
    have stored away.
  • 59:35 - 59:36
    If you want to be secure
  • 59:36 - 59:38
    against the dragnet surveillance, if
    you want to be secure against people
  • 59:38 - 59:42
    who will break into that system you
    must not have that system in existence.
  • 59:42 - 59:44
    You must choose a different paradigm.
  • 59:44 - 59:45
    And when I told this to people in Ecuador
  • 59:45 - 59:48
    and they understood the trade-offs,
    and they understood that they are
  • 59:48 - 59:51
    not the best at surveilling
    the whole planet.
  • 59:51 - 59:52
    They understood that they’re
  • 59:52 - 59:53
    not the best in internet security yet.
  • 59:53 - 59:56
    They realized that the game is rigged.
  • 59:56 - 59:58
    And they got rid of Article
    474 from the penal code.
  • 59:58 - 60:02
    And there is no Data Retention
    there in that penal code now.
  • 60:02 - 60:10
    applause
  • 60:10 - 60:15
    But I have to stress this not
    because of 1 or 2 or 10 people,
  • 60:15 - 60:17
    it’s because of a broad
    civil society movement.
  • 60:17 - 60:18
    Which is what we’ve also seen
  • 60:18 - 60:21
    in Germany, and in other places.
  • 60:21 - 60:23
    So this is something which you
    should have a lot of hope about.
  • 60:23 - 60:26
    It’s not actually
    dark everywhere.
  • 60:26 - 60:29
    We are actually making
    positive steps forward.
  • 60:29 - 60:32
    Roger: So there are other tools
    that we would like help with.
  • 60:32 - 60:36
    E.g. tails is a live CD, WiNoN and
    other approaches are trying
  • 60:36 - 60:40
    to add VM to it, so that even if
    you can break out of the browser,
  • 60:40 - 60:43
    there’s something else you have
    to break out, other sandboxes.
  • 60:43 - 60:44
    And there are
  • 60:44 - 60:47
    a lot of other crypto improvements that
    we’re happy to talk about afterwards.
  • 60:47 - 60:51
    The Tor Browser Bundle, the new one, has
    a bunch of really interesting features.
  • 60:51 - 60:53
    Deterministic Builds is
    one of the coolest parts of it.
  • 60:53 - 60:54
    Where everybody here can
  • 60:54 - 60:58
    build the Tor Browser Bundle and end up
    with an identical binary.
  • 60:58 - 60:59
    So that you can
  • 60:59 - 61:01
    check to see that it
    really is the same one.
  • 61:01 - 61:03
    And here’s a screenshot
  • 61:03 - 61:04
    of the new one.
  • 61:04 - 61:07
    It no longer has
    Vidalia in it, it’s all just a browser
  • 61:07 - 61:11
    with a Firefox extension that
    has a Tor binary and starts it.
  • 61:11 - 61:15
    So we’re trying to stream-line it
    and make it a lot simpler and safer.
  • 61:15 - 61:19
    I’d love to chat with you afterwards about
    the core Tor things that we’re up to
  • 61:19 - 61:22
    in terms of building the actual program
    called Tor but also the Browser Bundle,
  • 61:22 - 61:26
    and metrics, and censorship
    resistance etc.
  • 61:26 - 61:30
    And then, as a final note:
    We accept Bitcoin now.
  • 61:30 - 61:35
    Which is great.
    applause
  • 61:35 - 61:37
    Jacob: So all of the Bitcoin
    millionaires in this community:
  • 61:37 - 61:42
    we would really encourage you to help us
    get off of the US Government funding.
  • 61:42 - 61:43
    Don’t just complain, help us!
  • 61:43 - 61:46
    Mutual Aid
    and Solidarity means exactly that:
  • 61:46 - 61:48
    to put some money where
    your mouth is!
  • 61:48 - 61:50
    We’d really like to do that.
  • 61:50 - 61:54
    And it’s really important to show people
    that we have alternative methods
  • 61:54 - 61:55
    of funding community-based
    projects.
  • 61:55 - 61:57
    So think about it
  • 61:57 - 62:00
    and you can, if you’d like, use Bitcoin.
  • 62:00 - 62:04
    Roger: A last, right now, BitPay is
    limiting you to 1000 Dollars of Bitcoin
  • 62:04 - 62:05
    per donation.
  • 62:05 - 62:08
    We’re hoping to lift
    that in the next couple of days.
  • 62:08 - 62:13
    But if you would like to give us lots of
    Bitcoins, please don’t get discouraged.
  • 62:13 - 62:16
    And then, as a final note: starting
    right now in Noisy Square
  • 62:16 - 62:21
    is an event on how to help Tor and there
    will be a lot of Tor people there,
  • 62:21 - 62:24
    and we’d love to help teach you
    and answer your questions
  • 62:24 - 62:26
    and help you become part of the community.
  • 62:26 - 62:29
    We need you to teach other people
  • 62:29 - 62:31
    why Tor is important.
  • 62:31 - 62:32
    Jacob: Thank you!
  • 62:32 - 62:39
    applause
  • 62:39 - 62:41
    no time for Q&A left
  • 62:41 - 62:44
    *Subtitles created by c3subtitles.de
    in the year 2016.
  • 62:44 - 62:48
    Join and help us!*
Title:
Video Language:
English
Duration:
01:02:47
  • Revision 4 was an tex import from the pad with automated sync support. As some parts in the middle are missing the text of revison 5 is out of sync, starting from minute 10.

English subtitles

Revisions Compare revisions