preroll music

Herald: I am very happy to introduce this year’s update on the “State of the Onion”! This is a talk with about 5 speakers, so let’s introduce them one by one. First, Roger. He did the last talk. He is the founder of the TOR Project, applause MIT graduate and Top 100 Global Thinker. Then we have Jake, a humble PhD math student applause that is in my opinion not a National Security threat but a post National Security promise. We have Mike Perry, and I think it is enough to say about him that the NSA calls him a worthy adversary. applause He is also the lead dev of the TOR Browser. And then we have Alison Macrina, a radical, militant librarian. applause And last but not least: Shari Steele, the new Executive Director of the TOR Project. applause So without further ado: This year’s State of the Onion! applause

Jacob: Alright, it’s a great honor to be back here again. And we’re really happy to be able to introduce so many more faces. It’s no longer the Roger and Jake show. That’s very important to us. Hopefully next year, we won’t be here, but we’ll still be alive. So 2015, if I were to express it in a hand gesture or with a facial expression, it would look something like “Ooouuw”. It was really a year of big changes. Not all of them were really good changes. And there were a lot of heavy things that happened throughout the year. We won’t even be able to cover all of them because we only have an hour. So we want to focus on the positive things. I would say that probably the nicest thing is that we are growing. We’re really, really growing. Not only growing the network, but we’re growing the community. And in some sense we’re expanding throughout the whole world in terms of users who are using TOR, what TOR users are using TOR for, which is of course extremely important: that there are more and more people just doing regular things with TOR, protecting themselves.
But then we have of course lots of specialized things that happen with the TOR network as well. We have things like OnionBalance and Ricochet. Really exciting developments. And we’ll talk a bit about all of those things. One of the most unlikely things, at least when I imagine working on TOR, say 10 years ago vs. now, is that we’ve worked with some really unlikely partners. Some of you know that I’m not really a big fan of Silicon Valley, even though I’m from there. So you know, I sometimes call Facebook not so nice names, like Stasi-Book. And part of the reason for that is because I think it is a little bit weird that you report on all your friends in order to go to parties. Previously it was to get into the party and now it is to go to parties. And yet we worked with them on something. Because it turns out that sometimes you have unlikely temporary alliances. And it turns out that while I personally may think that they are evil incarnate in some sense, it is the case that there is at least one good guy there. Alec worked on this fantastic RFC 7686, that actually allowed us to help all Facebook users mitigate some harm. Which is that if they want to be able to visit Facebook; and I guess the reality is that not using Facebook for a lot of people is sort of like the “Kill your Television” bumper sticker of the 90s. For those of you that ever visited rural America, you know that that wasn’t like a really successful campaign. A lot of people have TVs these days as well. So it’s a little bit like that, only here we actually built an alternative where we can mitigate harm. And that’s really incredibly important because it mitigates harm in all sorts of different pieces of software. It makes it possible for us to talk to browser vendors, to DNS resolvers.
And part of this was motivated by some investigative journalism that I actually did, where I revealed XKeyscore rules, where the US Government’s National Security Agency was sifting through all of the internet traffic to look for .onion addresses. So when they saw a DNS request for .onion they were actually learning .onions by harvesting traffic. And that really motivated me to want to make it so that the DNS resolvers didn’t do that anymore. It was very important, because one of my core missions with TOR is to make that kind of stuff a lot harder for the spies to do. And protecting everyday users, even users who aren’t TOR users, yet. And that’s very important. So working with Alec on this has been great, because the IETF actually supports this. And now ICANN will not sell .onion to anyone. It’s a special use reserved name. And that’s incredible! applause

Roger: OK, so. Is this thing on? Yes it is, great! So there are a couple of interesting graphs that we’re going to give you, of usage scenarios, usage instances over the past year. So pretty recently we were looking at the number of people in Russia using TOR. Russia has been talking about censoring, talking about all sorts of oppression steps. And at the beginning of November, we moved from 180k people in Russia each day using TOR up to almost 400k people. And this is probably a low estimate. So many hundreds of thousands of people for that two week period, which started with a Russian bomber getting shot down, were trying to get news from the rest of the world, rather than news as Russia wanted to show it to them. So that’s kind of a cool event. Another interesting event: Bangladesh ended up censoring Facebook and some other websites and a whole lot of people switched to using TOR. I was actually talking to one of the Facebook people and they have their own internal statistics about the number of people connecting over the TOR network to Facebook. And it would be super cool to superimpose these two graphs.
Our data is public and open and we like sharing it. They don’t actually share their data. But one day it would be really cool to be able to see both of these graphs at once, to see users shifting from reaching Facebook directly to going over TOR. The other interesting thing from the Bangladesh side: I was looking at the Alexa top websites around the world and we, torproject.org is like 8000th in the global rankings, but at least for the past couple of weeks torproject.org has been 300th in Bangladesh. So there are a whole heck of a lot of people there, learning about these privacy things that can get around local censorship. applause OK, and then an exciting other story that we’re going to touch on briefly, but it’s an entire talk on its own. So let me give you a couple of facts and we’ll go from there. January of 2014 a hundred relays showed up in the TOR network and we weren’t sure who was running them, but they weren’t exit relays, so they didn’t seem like they were such a threat at the time. Fast forward a while later: The CERT organization inside CMU submitted a presentation to Blackhat on how cool they were for being able to attack TOR users. And they talked about how they were going to talk about individual users that they de-anonymized and how cool they were for that. And I spent a while trying to extract details from them. And eventually I learned what their attack was. And then Nick Mathewson, one of the other TOR developers, decided to check the TOR network to see if anybody was actually doing that attack. I mean it’s CERT, they are the folks who publicised the phrase “responsible disclosure”. Surely, they are not actually undermining the TOR network and attacking TOR users. But then it turns out that somebody was doing the attack. And it was these 100 relays that looked kind of ordinary and innocuous before that. Then I sent mail to the CERT people, saying: “Hey, are those relays yours?” And they went silent.
They have never answered any of my mails since then. So that’s what we know. It doesn’t look good. One of the key things that we, TOR, have done from here is we’ve been working on strengthening the TOR network and getting better at recognizing these things. So the core of the attack was that they did what’s called a Sybil attack, where you sign up a lot of relays and you become too large a fraction of the TOR network. So we’ve been working on a lot of ways to recognize that an attack like that is happening, and mitigate it, and get rid of it early. For example Philipp Winter has a bunch of interesting research areas on recognizing similarity between relays. So you can automatically start detecting: “Wait a minute, this event happened, where a lot of relays are more similar than they should be.” Another example there is: We used to say: “Well I don’t know who’s running them, but they don’t seem that dangerous. So OK, it’s good to grow the TOR network.” Now we’re taking the other approach of “Gosh, that’s weird, let’s get rid of them and then we’ll ask questions after that.” So we’re trying to be more aggressive, more conservative at keeping the TOR network safe from large adversaries. Whether they’re government organizations or corporations or individuals. Whoever might be attacking it.

Jacob: We’ve had a few really big changes in the TOR community. One of them is that we had an Interim Executive Director come on in a sort of quick moment and that’s Roger Dingledine. Some of you probably always thought he was the Executive Director the whole time. That’s because for a while he was and then he wasn’t. And then he was back again. And that change was quite a huge change in that instead of working on a lot of anonymity stuff, Roger was doing a lot of bureaucratic paperwork, which was actually quite sad for the anonymity world, I think. He probably reviewed fewer papers and did fewer anonymity things this year than ever before. Which is really, really sad.
But that really lit a fire under us to make sure that we would actually change that. To make sure that it was possible to get someone else, who is really good at being an Executive Director of the TOR Project, to really lead, so that we could have Roger return to not only being an anonymity researcher, but also the true Spirit Animal of the TOR Project. He doesn’t look like an onion, but in spirit.

Roger: Slide!

Jacob: laughing Another really big thing that happened is working with Laura Poitras over the last many years. She has followed the TOR Project – lots of people like to follow the people on the TOR Project – but we consented to her following us. And she made a film, “Citizenfour”, I think some of you… have any of you seen this film? applause Quite amazingly, she won an Oscar. Actually, she basically won every film prize. applause One of the key things is that people in this room that work on Free Software were explicitly thanked. If you work on Tails, if you work on GnuPG, if you work on SecureDrop, OTR, TOR, … She specifically said in the credits of the film: This film wouldn’t have been possible without that Free Software. Actually making her job and the jobs of her source and other people involved… making that possible. And so her winning that Oscar in some sense feels like closing a really big loop that had been open for a very long time. And it’s really great and she, I think, would really wish that she could be here today, again. She sends her regards, and she is really, really thankful for everybody here that writes Free Software for freedom! applause

Roger: So another exciting event that happened in 2015 is that reddit gave us $83,000. They had some extra profit and they decided that they would give it to 10 non-profits chosen from among the Redditor community. And there were people who came to me and said: “Hey Roger, you really have to, you know, start advocating, start teaching everybody why TOR should be one of them.” And I said: “Oh, I’m busy.
Those things never work. You know, they’ll choose somebody else.” And so it turns out that we were the 10th out of 10 without doing any advocacy work whatsoever to the reddit community, which is super cool that they care about us so much. Also reddit divided the ten equally. So even though we were the 10th out of 10, we got 10% of the donations that they were giving out. applause

Jacob: One of the really – I would say one of the oddest things about working at the TOR Project for me is that TOR has supported me through really crazy times. So when I was being detained by the US Government or having my property stolen by fascist pigs in the United States Government’s border checkpoints, TOR didn’t fire me. TOR always backed me and always kept me safe. And many people often looked like they wanted to kill me from stress, but often they didn’t, which was nice. Or they didn’t get close enough and I could move fast enough. But they were always very helpful. And they’ve really helped me to go and do things to speak for anonymous users who can’t go other places. And one of the places which I was most honored to go in the last year – I was actually scheduled to go there with Caspar Bowden, but unfortunately he was ill at the time. And as you know, Caspar has since passed away. But we were scheduled to go together and TOR was supporting us both, actually, to go to this. And it resulted, I believe, in a very amazing meeting in Geneva at the United Nations, where the Special Rapporteur actually endorsed TOR and Off-the-Record messaging and encryption programs, and privacy, and free software. Saying that they are absolutely essential. And in fact their use should be encouraged from a human rights perspective. And in fact the really amazing part about it is he didn’t do it only from the perspective of free speech. And this is important, because actually there are other rights. And we should think about them.
So for example the right to form and to hold an idea is a right that cannot be abridged. The right to free speech can be abridged in many free societies, but what is in your head and how you form it is something where… that is not a right that can be abridged. And he wrote this in the report. And he, when writing this report with many other people, made it very clear that this is something we need to keep in mind. That when we talk about private spaces online, where groups may collaborate to form ideas, to be able to create a political platform for example, to be able to make democratic change, they need to be able to use the internet to freely exchange those ideas in a secure and anonymized, encrypted fashion. And that helps them to form and to hold ideas. And obviously that helps them later to express free speech ideas. And that’s a huge thing to have the United Nations endorse basically what many of us in this room have been saying for, well… decades.

Roger: So the UN thing is really cool. We’ve also been doing some other policy angles. So Steven Murdoch, who is a professor in England and also part of the TOR community, has worked really hard at teaching the British folks that their new backdoor laws and their new terrible laws are actually not what any reasonable country wants. So he’s put a huge amount of energy into basically advocating for freedom for them. And similarly Paul Syverson, part of the TOR community, basically ended up writing a POSTnote for the UK about how the dark web is misunderstood. See previous talk. So we’ve been doing quite a bit of education at the policy level to try to teach the world that encryption is good and safe and worthwhile and should be the default around the world.

Jacob: And there is a kind of interesting thing here. Maybe a little contentious with some people in the TOR community. But I just wanted to make it really clear. We have the TOR Project, which is a non-profit in the United States.
And we have a much wider TOR community all around the world. And in Berlin we have a really, really like an incredible TOR community. We have people like Donncha working on OnionBalance. We have people like Leif Ryge working on bananaphone. We have all of these different people working on all sorts of Free Software. And many of those people don’t actually work for the TOR Project. They’re community members, they’re volunteers, some are privacy students. And so the Renewable Freedom Foundation actually funded the creation of a sort of separate space in Berlin where people work on these kinds of things, which is not affiliated with US Government money. It’s not affiliated with the TOR Project as some sort of corporate thing. It’s not a multinational thing. It’s really the peer-to-peer version in some sense of what we’ve already had in other places. And it’s really great and I wanted to just thank Moritz who made that happen and all the people like Aaron Gibson, and Juris who actually put that space together and made it possible. So in Berlin, there is a space, not just c-base, not just CCCB, but actually a place which is about anonymity. It’s called Zwiebelraum. And this is a place in which people are working on this Free Software. And they are doing it in an independent manner. And we hope actually that people will come together and support that, because we need more spaces like that, that are not directly affiliated with the TOR Project, necessarily, but where we have an aligned mission about reproducible builds in Free Software and also about anonymity and actually about caring about Free Speech. And actually making it happen. And really building spaces like that all around the world. So if you have a place in your town where you want to work on those things, we would really hope that you will work on building that. I called it “general cipher punkery”. I feel like that’s a good description. There’s lots of stuff to be done.
And now for a Marxist joke: So we discovered the division of labor, which was a really important discovery. We’re about 180 years too late, but we started to split up where it didn’t go very well, the Marxist asked why. Cheers, cheers! So the Vegas Teams are really simple. Basically we have a bunch of people that previously they did everything. And this really doesn’t work. It’s very stressful and it’s very frustrating and it leads to people doing lots and lots of things in a very unfocused way. And so we split it up! And it actually happened naturally, it was emergent. So e.g. Mike Perry, who’s gonna talk about the Applications Team’s work in a second here, he was already leading this, he was really making this happen. And so we just made it more explicit. And, in fact we created a way of communicating and reporting back so that you don’t have to, like, drink from the fire hose about absolutely everything that’s happening everywhere, but you can sort of tune in to those things, which means we get higher-level understandings and that is a really, incredibly useful thing that has made us much more productive. And what was part of the growing pains of the last year actually was figuring out how to make that work because we’re a pretty flat group in terms of a community and a pretty flat group in terms of an organization writing Free Software and advocating. And so that’s a really incredibly good thing which will come up all the time. You’ll hear people talking about the Metrics Team or the Network Team or the Applications Team or the Community Team. And that’s what we’re talking about. In that sense. So we tried to formalize it and in some ways we may be moving in a sort of Debian model a little bit. And we’ll see how that actually goes. So we have a really great person here to explain the work of the Metrics Team. 
Roger: OK, so I’m gonna tell you a little bit about what the Metrics Team has been working on lately to give you a sense of some of the components of the TOR community. So there are 5 or 10 people who work on the Metrics Team. We actually only pay one-ish of them; so most of them are volunteers and that’s… on the one hand that’s great. It’s wonderful that there are researchers all around the world who are contributing and helping to visualize and helping to do analysis on the data. On the other hand it’s sort of sad that we don’t have a full team of full-time people who are working on this all the time. So it’d be great to have your assistance working on this. So, actually Metrics has been accumulating all sorts of analysis tools over the past 5 years. So there are up to 30 different little tools. There’s Atlas and Globe and Stem and 20-something more, which is a challenge to keep coordinated, a challenge to keep maintained. So they’ve been working on how to integrate these things and make them more usable and maintainable and extensible. So one example that they… so they wrote some slides for me to present here. One example that they were looking at, to give you an example of how this analysis works, is bad relays in the TOR network. So maybe that’s an exit relay that runs, but it modifies traffic, or it watches traffic or something. Maybe it’s a relay that signs up as a Hidden Service directory and then when you publish your onion address to it, it goes to visit it or it puts it on a big list or something like that. Or maybe bad relays are Sybils who – we were talking earlier about the 2014 attack where a 100 relays showed up at once and we, the directory authorities, have a couple of ways of addressing those relays. One of them is each of the directory authorities can say: “That relay needs to get out of the network!
We just cut it out of the network.” We can also say: “Bad exit!” We can also say: “That relay is no longer gonna be used as an exit!” So even though it advertises that it can reach Blockchain and other websites, clients choose not to do it that way. So that’s the background. One of the tools that Damian wrote a while ago is called Tor-Consensus-Health and it looks every hour at the new list of relays in the network and it tries to figure out: “Is there something suspicious that just happened at this point?” And in this case it looks for a bunch of new relays showing up all at the same time with similar characteristics and it sends email to a list. So that’s useful. The second piece of the analysis is “OK, what do you do when that happens?” So we get an email saying “Hey, 40 new relays showed up, what’s up with that?” So there’s a real challenge there to decide: do we allow the TOR network to grow – sounds good – or do we wonder who these people are and try to contact them or cut them out of the network or constrain what fraction of the network they can become. So Philipp Winter also has a visualization, in this case of basically which relays were around on a given month. So the x-axis is all of the different relays in the month and the y-axis is each hour during that month. And they’ve sorted the relays here by how much they were present in the given month. And you’ll notice the red blocks over there are relays that showed up at the same time and they’d been consistently present at the same time since then. So that’s kind of suspicious.
That’s “Hey, wait a minute, what’s that pattern going on there?” So this is a cool way of visualizing and being able to drill down and say: “Wait a minute, that pattern right there, something weird just happened.” So part of the challenge in general for the Metrics Team is: they have a Terabyte of interesting data of what the network has looked like over the years – how do you turn that into “Wait a minute, that right there is something mysterious that just happened. Let’s look at it more.” So you can look at it from the visualization side but you can also – there’s a tool called Onionoo where you can basically query it, all sorts of queries in it, it dumps the data back on to you. So we’ve got a Terabyte of interesting data out there, what the relays are on the network, what sort of statistics they’ve been reporting, when they’re up, when they’re down, whether they change keys a lot, whether they change IP addresses a lot. So we encourage you to investigate and look at these tools etc. So there’s a new website we set up this year called CollecTor, collector.torproject.org, that has all of these different data sets and pointers to all these different libraries and tools etc. that you too can use to investigate, graph, visualize etc. So here’s another example. At this point we’re looking at the 9 directory authorities in the network. Each of them votes its opinion about each relay. So whether the relay’s fast, or stable, or looks like a good exit or maybe we should vote about “Bad Exit” for it. So the grey lines are: all of the directory authorities thought that it didn’t deserve the flag and it’s very clear. The green lines are: enough of the directory authorities said that the relay should get the flag, also very clear. And all the brown and light green etc. in the middle are contradictions. That’s where some of the directory authorities said “Yes it’s fast” and some of them said “No, it’s not fast”.
And this gives us a visualization, a way to see whether most of the directory authorities are agreeing with each other. We should look at this over time and if suddenly there’s a huge brown area then we can say “Wait a minute, something’s going on”, where maybe a set of relays are trying to look good to these directory authorities and trying not to look good to these. So basically it helps us to recognize patterns of weird things going on. So on CollecTor you can find all sorts of data sets and you can fetch them and do your analysis of them. And Tor Metrics – metrics.torproject.org – has a bunch of examples of this analysis, where you can look at graphs of the number of people connecting from different countries, the number of relays over time, the number of new relays, the number of bridges, users connecting to bridges etc. There are 3 different libraries that help you to parse these various data sets. So there’s one in Python, one in Java, one in Go; so whichever one of those you enjoy most you can grab and start doing analysis. They do weekly or so IRC meetings, so the TOR Metrics Team invites you to show up on January 7th and they would love to have your help. They have a bunch of really interesting data, they have a bunch of really interesting analysis tools and they’re missing curious people. So show up, start asking questions about the data, try to learn what’s going on. And you can learn more about them, on the Metrics Team, there. And then I’m gonna pass it on to Mike. applause

Mike: OK, so hello everyone! So, I’ll be telling you about the Applications Team part of the Vegas plan that Jake introduced. Basically, the Applications Team was created to bring together all the aspects of TOR and the extended community that are working on anything that’s user facing. So anything with a user interface that the user will directly interact with, that’s an application on either mobile or desktop.
So to start, obviously we had the TOR Browser, that’s sort of like a flagship application that most people are familiar with when they think of TOR. Recently we’ve added Orfox, which is a project by the Guardian Project to port the TOR Browser patches to Android, and that’s currently in alpha status. But it’s available on the Guardian Project’s F-Droid repo. We also have 2 chat clients: Tor Messenger and Ricochet, both with different security properties. I will be getting to it later. So I guess, first off let’s talk about what happened in the TOR Browser world in 2015. Basically most of the, or a good deal of our work is spent keeping up with the Firefox release treadmill. That includes responding to emergency releases, auditing changes in the Firefox code base making sure that their features adhere to our privacy model and making sure that our releases come out the same day as the official Firefox releases so that there’s no exposure to known vulnerabilities after they’re disclosed. That has been a little bit rough over 2015. I believe there is a solid 3 to 4 months where it felt like we were doing a release every 2 weeks. Due to either Logjam or random unassessed vulnerability or any arbitrary security issue with Firefox. But we did… despite treading all that water we did manage to get quite a bit of work done. As always our work on the browser focuses in 3 main areas: privacy, security and usability. Our privacy work is primarily focused around making sure that any new browser feature doesn’t enable new vectors for 3rd party tracking. So no ways for a 3rd party content resource to store state or cookies or blob URIs or some of the newer features. There’s a new Cache API. These sorts of things need to all be isolated to the URL bar domain to prevent 3rd parties from being able to track you. From being able to recognize it’s the same you when you log in to Facebook and when you visit CNN, and CNN loads the Facebook Like buttons, e.g.
Additionally we have done a lot of work on fingerprinting defences; the Alpha release ships a set of fonts for the Linux users so that the font fingerprinting can be normalized, since a lot of Linux users tend to have different fonts installed on their systems. As well as tries to normalize the font list that’s allowed for Windows and Mac users, where they often get additional fonts from 3rd party applications that install them. On the security front the major exciting piece is the security slider. So with iSEC Partners’ help we did a review of all the Firefox vulnerabilities and categorized them based on the component that they were in as well as their prevalence on the web. And came up with 4 positions that allow you to choose, basically trade off, functionality for vulnerability surface reduction. And this was actually quite successful. It turned out that all of the Pwn2Own exploits against Firefox were actually blocked for non-https sites at medium/high. And if you enable the high security level they were blocked for everything. We additionally released AddressSanitizer-hardened builds, these are… basically should… especially the higher security levels of the security slider should protect against various memory safety issues in the browser and also help us diagnose issues very rapidly. And of course we now sign our Windows packages using a hardware security module from DigiCert. The usability improvements were primarily focused around this UI and this new Onion menu; you can see, if you remember the old menu, there were quite a lot more options there. We sort of condensed and consolidated options and eliminated and combined as much as we could. And additionally displayed the circuit for the current URL bar domain. In 2016 we’ll be focusing mostly on again the same 3 areas.
Our main goal for privacy is to try and convince Mozilla that they want to adopt our idea of isolating 3rd party identifiers, at least to the point of: if the user goes into the Preferences and tries to disable 3rd party cookies, it will let you do the same thing for DOM storage, Cache, blob URIs, worker threads, and all these other sources of shared state. We’re very excited about their work on a multi-process sandbox, additionally even application-level sandboxing, it should be… without Mozilla’s sandbox, we should still be able to prevent the browser from bypassing TOR using seccomp or AppArmor or Seatbelt or one of these other sandboxing technologies. We’re looking forward to trying to get that rolled out. And we’re doing exploit bounties! We’ll be partnering with HackerOne, who’ll be announcing this shortly. The program will start out invite-only and then… just, so we can get used to the flow and scale up and then we’ll make it public later in the year to basically provide people with incentive to review our code to look for vulnerabilities that might be specific to our applications. And of course the usual usability improving, security, improving installation. And we’d like to improve the censorship and bridge usability flow as well, hoping to automate the discovery of bridges and inform you if your bridges become unreachable. So Tor Messenger is one of our 2 chat clients, also part of the Applications Team. Basically, the goal there was to minimize the amount of configuration that the user had to do if they wanted to use one of their existing chat clients with TOR and OTR. Now this is based on another Mozilla platform – Instantbird, which is based on Thunderbird. This allows us to share a lot of the TOR Browser configuration code for managing the TOR process and configuring bridges. So the user has a very similar configuration experience to the browser when they first start it up.
It also has some additional memory safety advantages – all the protocol parsers are written in JavaScript. This basically… one of the major things when we were looking at candidates for a messaging client was we wanted to avoid the problems of libpurple in the past, where there’s been a lot of, like, remote code execution vulnerabilities with protocol parsing. Now there are some trade-offs here, obviously, when you’re dealing with a browser product. You still have an HTML window rendering the messages. But it is XSS filtered, and even if an XSS exploit were to get through to run JavaScript in your messaging window, that JavaScript would still be unprivileged. So they’d need an additional browser-style exploit. And that filter has been reviewed by Mozilla, and additionally we’re looking into removing JavaScript from that messaging window altogether. It should be completely possible to just display a reduced, slightly less sexy version of the same window at perhaps another higher security level without JavaScript involved at all in that window. So we will hand off to Jake now to describe some of the security properties and differences between TOR Messenger and Ricochet.

Jacob: Just to be clear about this: We wanted to sort of echo what Phil Rogaway has recently said. He wrote a really wonderful paper quite recently about the moral character of cryptographic work, and Phil Rogaway, for those of you that don’t know, is one of the sort of like amazing cryptographers, very humble, really wonderful man, who was really a little bit sad that cryptographers and people working on security software don’t take the adversaries seriously. So they use Alice and Bob, and Mallory, and they have cutesy icons and they look very happy. We wanted to make it clear what we thought the adversary was. Which is definitely not a cutesy adversary. When anonymity fails for Muslims that live in Pakistan, or e.g.
the guys that are giving a talk later today, the CAGE guys, when anonymity fails for them they get detained or they get murdered or they end up in Guantanamo Bay or other things like that. So it’s a serious thing. And we wanted to talk about what that looks like. So e.g. a lot of you use jabber.ccc.de, I guess. Don’t raise your hands. You should decentralize. Stop using jabber.ccc.de because we should decentralize. But that said, if you do, this is sort of what it looks like, right? There’s the possibility for targeted attacks when you connect. There’s the possibility that the Social Graph, e.g. of your buddy list, that that would be on the server. It would be possible that there’s a bug on any Jabber server anywhere. So of course you know that if you’re using Gmail with Jabber, you know that they are prison providers. So you’ve got a pretty big problem there, and the attacker, again, is not a cutesy attacker, it’s, you know, I like the Grim Reaper that Mike chose, if you like, that’s accurate. And now you see one of the protections you’ll have for communicating with your peers is off-the-record messaging. That’s basically the thing. But that’s a very slapped-together protocol in a sense. Because it’s hacks on top of hacks. Where you know you compose TOR with Jabber and TLS and maybe you still have a certificate authority in there somewhere. Or maybe you have a TOR Hidden Service, but then your status updates, they don’t have any encryption at all, for example. Or, again, your roster is an actual thing that someone can see, including every time you send a message to those people the server sees that. So, that said, TOR Messenger is really great because it meets users where they already are. Right? So e.g. actually one other point here is if you use a piece of software like Adium, there is actually a bug filed against Adium where someone said “Please disable logging-by-default because Chelsea Manning went to prison because of your logging policy”.
And the people working on Adium in this bug report basically said: “Good!” That’s horrifying! Right? So what if we made it as reasonable as possible, as configuration-free as possible, using TOR, using OTR, trying to remove libpurple, which is a whole like… it’s a flock of zero-days flying in formation. Right? So we wanted to kill the bird in a sense, but also not… we want to help provide an incentive for improving. And so that’s where TOR Messenger fits. But we also want to experiment with next generation stuff. And one of those things is written by a really great guy in our community, almost single-handedly, without any funding at all, and his name is “special”, that’s actually his name. He’s also special. But it’s really nice, because actually, if you solve the problem of telling your friend your name, if you’re familiar with the properties of Hidden Services where you have a self-authenticating name, you know that you’re talking to the person that you think you are because you’ve already done a key exchange. The important part of the key exchange. And so one of the things that you’ll see very clearly is that there is no more server. Right? So there’s no more jabber.ccc.de in this picture. So this is a really good example of how we might decentralize, actually. It’s an experiment right now, but it means no more servers. It uses the TOR network’s TOR Hidden Service protocol and everybody actually becomes a TOR Hidden Service for chatting with their buddies. And it’s end-to-end encrypted and it’s anonymized, and of course this means that your Social Graph is a traffic analysis problem, it’s no longer a list on a server. And it means your metadata is as protected as we currently know how to do in a low-latency anonymity network. And in the future one of the really nice things about this is that it will be possible – or we think it will be possible – to even make it better in a sense, e.g.
multiple chats, sending files, sending pictures, in other words, everything becomes, instead of a certainty, we move it towards probability. And the probability is in your favour.

Mike: Yes, additionally, I’ll be working on various forms of padding for cases like this to basically increase this high… the probability that there will be concurrent traffic at the same time from multiple TOR clients, which will further frustrate the discovery of the Social Graph based on simple traffic analysis, especially for low-traffic cases such as Ricochet. So just to wrap up that TOR Applications piece: in 2016 we’re trying to focus heavily on usability and get more people to be able to use TOR, removing the barriers to finding TOR, downloading TOR, being able, especially for censored users, and being able to install TOR. There’s still some snags, various difficulties that cause people to stop at various stages of that process, and we want to try and work to eliminate them. We also, of course, want to increase coordination: share graphics, visual aesthetics, and coordinate the ability to share the TOR process. And we also want to create a space for more experimentation, for more things like Ricochet. There’s probably a lot more ideas like Ricochet out there. There could be things that leverage the TOR protocol and especially Hidden Services in creative ways. So we’re looking to create an officially sanctioned space as part of TOR to give them a home. So look for that in the coming months on the TOR blog.

Jacob: Alright, I just wanted to put in a picture of a guy wearing a Slayer T-Shirt. So there it is. That’s Trevor Paglen. Some of you may remember him from such things as helping to film Citizenfour, building Satellites that burn up in space so that are actually currently on other satellites. And this on the left is Leif Ryge, he’s sort of the person that taught me how to use computers. And he is an incredible Free Software developer.
Trevor Paglen and myself, and this is a cube, the Autonomy Cube, which we talked about last year. Because we think that culture is very important and we think that it’s important to actually get people to understand the struggle that exists right now. So this is installed in a museum right now in Germany, in the city of Oldenburg, at the Edith-Russ-Haus. And it actually opened several months ago, it’s filled with classified documents, it has really interesting things to go and read. I highly encourage you to go and read. We built a reading room about anonymity papers, about things that are happening. About how corporations track you, and then the entire museum is an open WiFi network that routes you transparently through TOR. So in Germany a free open WiFi network that isn’t run by Freifunk – much respect to them – we wanted to make it possible for you to just go and have the ability to bootstrap yourself anonymously if you needed to. And also these four boards are Novena boards. And these Novena boards are Free and Open Hardware devices made by Bunnie and Sean in Singapore, where you could, if you wanted to, download the schematics and fab it yourself. And it’s running the Debian GNU/Linux universal operating system. And it’s an actual TOR exit node with absolutely every port allowed. So the museum’s infrastructure itself, on the city’s internet connection, actually is a TOR exit node for the whole world to be able to use the internet anonymously. applause But the museum’s infrastructure is not just helping people in Oldenburg, it’s helping people all around the world to be able to communicate anonymously, and it’s quite amazing actually, because when cultural institutions stand up for this we recognize it’s not just a problem of over there. We have mass surveillance and corporate surveillance in the West and we need to deal with that. Here, by creating spaces like this.
But that said, we also need to make sure that we create spaces in people’s minds all around the world. And I want to introduce to you someone who’s incredibly awesome, the most bad-ass radical librarian around, this is Alison. Alison is going to talk about…

Alison: …Library Freedom Project! Hi! Thank you so much! I’m so excited to be here, it’s my first CCC and I’m on stage, and it’s very… exciting. So I’m going to talk to you a little bit about my organization, Library Freedom Project. I’m the director, and what we do: we have a partnership with TOR Project to do community outreach around TOR and other privacy-enhancing technologies. Making the TOR network stronger and making tools like TOR Browser more ubiquitous and mainstream, all with the help of a coalition of radical militant librarians. So we introduced you to the Library Freedom Project back in February. We told you a little bit about the kind of work that we do, mostly in US libraries, increasingly internationally. Where essentially we teach them about tools like TOR Browser, how to install it on their local computers, how to teach it in computer classes that they offer for free in the library or one-on-one technology sessions for their community. And we’ve had a really amazing year since then. In addition to working with the TOR Project we’re really fortunate to work with the American Civil Liberties Union (ACLU). If you’re not familiar with them, they’re basically… they’re the bad asses who’ve been suing the US Intelligence Agencies and Police for about 100 years. That is me with 2 people from the ACLU Massachusetts, Jessie Rossman, who is a surveillance law expert, and Kade Crockford, who is an activist for the ACLU. And they’re here, if you see that human, buy them a drink and ask them about the surveillance capabilities of the US Police. applause So, it’s really cool! It’s a great partnership with the ACLU because basically they can teach why we need to use tools like TOR Browser.
So how to use them is super-super important, but you need to know about the authorizations, the programs, all the bad laws and the uses of them against ordinary people. So, why do we teach this stuff to librarians? It’s basically for 2 big reasons. One of them is that libraries and librarians have an amazing history of activism around privacy, fighting surveillance and fighting censorship in the US where I live. Librarians were some of the staunchest opponents of the USA Patriot Act from the beginning when it was codified back in 2002. They made T-Shirts that said “Another hysterical librarian for Privacy” because of the… The Attorney General at the time called them “hysterical” for the fact that they didn’t want this awful authorization to go through. And of course then after Snowden we learned many more things about just how bad the Patriot Act was. So librarians were some of the first people to oppose that. They also have fought back against National Security Letters, which are the US Government informational requests that sometimes go to software providers and other internet services. They have an attached gag order that basically says: “You have to give this information about your users and you can’t tell anyone that you got it.” Well, libraries got one of these and fought back against that and won. applause They also, all the way back in the 1950s even, at the height of Anti-Communist Fervor and FUD, around the time of the House Un-American Activities Committee, librarians came out with this amazing statement, called the “Freedom to Read” Statement, that I think really is a beautiful text. It’s about 2 pages long and it is their commitment to privacy and democratic ideals made manifest. And I have a little excerpt from it here. I’m not gonna read the whole thing to you ’cause I understand I’m all too pressed for time. But the last line is my favourite. It says: “Freedom itself is a dangerous way of life. But it is ours.” So everybody go and get that tattooed!
You know, on your forehead or whatever. applause So, the history of activism is one of the big things. There’s a second part that is more practical. Libraries have an amazing relationship to the local communities. That doesn’t really exist anywhere else, especially in this era of privatization and the destruction of public commons. Libraries already have free computer classes in many places, sometimes the only free computer help that you can get anywhere. They offer free computer terminals to many people who don’t have any other computer access. They’re trusted community spaces, they already teach about a whole number of things. So we think they’re really the ideal location for people to learn about things like TOR Browser. So it’s been going really well. This year we have visited hundreds of different locations. We’ve trained about 2300 librarians in the US, in Canada and a few other countries, Australia, UK and Ireland. We held an amazing conference, you might recognize this as Noisebridge. Any Noisebridge fans here? I hope so. Come on, there’s got to be more Noisebridge fans than that! Christ! We had an amazing conference in Noisebridge, and actually my co-organizer is also here, April Glaser, so you can buy her a drink, she’s right over there. There has been a huge response from the library community. They wanna learn about TOR Browser, they’re so excited that finally there’s a practical way for them to help protect their patrons’ privacy. They’ve cared about this stuff from an ideological and ethical standpoint for a really long time, and now they know that there are tools that they can actually use and implement in their libraries and teach to their community to help them take back their privacy. We’re really lucky that not only do we get to teach librarians, but occasionally we get invited to visit the local communities themselves. So, here we teach how to teach privacy classes with TOR as a big focus.
But sometimes we get to meet the local community members themselves. So I want to show you this picture of a recent visit that I made to Yonkers, New York. It was a class just for teens. They’re all holding TOR stickers, if you can see that, and Library Freedom Project stickers. This is a great picture that sort of is emblematic of the kind of communities that we get to visit. Yonkers is one of the poorest cities in the US. These kids are… many of them are immigrants, their parents are immigrants, they face surveillance and state violence as a matter of their regular everyday lives. For them privacy is not just a human right, but it’s sometimes a matter of life and death. And these kids are just some of the amazing people that we get to see. Also, just to give you an idea of how the public perception around privacy is shifting, in my anecdotal experience: we had 65 teenagers come to this class! If you have a teenager or if you’ve been a teenager you know teenagers don’t show up for stuff, they don’t do that. 65 kids came to this! And they were so excited! This was just the group that was left over at the end that had so many questions and wanted more stickers to bring back to their friends. So it’s pretty cool stuff. Recently we embarked on a new project bringing TOR relays into libraries. This is Nima Fatemi with me, when we set up our pilot at a library in New Hampshire, which is the state just above where I live in the United States. And we basically decided to do this project because we thought it was a really great continuation of the work that we were already doing, teaching and training librarians around using TOR. We wanted to take a step further and take the infrastructure that libraries already have; many of them are moving to really fast internet, they can donate an IP address and some bandwidth. And they… many of them want to do kind of the next thing to help protect privacy, and not just in their local communities as well.
They want to help protect internet freedom everywhere. So we thought it was a really great sort of next step to go. So we set up our pilot project in New Hampshire. It went pretty well, we got a lot of great press attention, a lot of really great local and global community support. We also got the attention of the Department of Homeland Security. applause Basically they contacted the local Police in this town in New Hampshire and they said: “You know, this is stupid, and bad, and criminal and you should shut this down!” And the library was understandably shaken by this and temporarily suspended the operation of the relay. So we responded by writing a letter, an open letter from Library Freedom Project, from TOR project, from ACLU and a broad coalition of public interest groups and luminary individuals including the Electronic Frontier Foundation (EFF), the Freedom of the Press Foundation, the Free Software Foundation and all of our other friends many of whom are in this audience today. We wrote this letter to the library basically affirming our commitment to them, how much we are proud of them for participating in this project and how much we wanted them to continue. We put a lot of nice, you know, ideological, why this is important, warm fuzzy stuff. We also got EFF to start a petition for us and over a weekend we got about 4500 signatures from all over the world, the library was flooded with emails, calls. Only one negative one. Just one out of hundreds. And that person was a little confused, so I’m not even counting that necessarily. It was like a conspiracy type thing. So we got this amazing support and this was all in anticipation of their board meeting that was gonna happen a few days later where the board was gonna decide what to do about the relay. So Nima and I show up to New Hampshire on a Tuesday Night and you might imagine what a library board meeting in rural New Hampshire is typically like. It was nothing like that. 
So we get outside and there’s a protest happening already. Many people holding pro-TOR signs. This was just a glimpse of it. And the look on my face is because someone pointed to a very small child and said: “Alison, look at that child over there”. This tiny little girl was holding a sign that said “Dammit Big Brother” and I was like “I’m done, that’s it, I got to go home!” So we went into the board meeting and we were met with about 4 dozen people and media and a huge amount of support. Many of the community members expressed how much they loved TOR, that this whole incident made them download TOR and check it out for themselves. Basically it galvanized this community into a greater level of support than we even had when we initially set it up about a month earlier. People who had no idea that the library was doing this heard about it because it got a huge amount of media attention thanks to a story by Julia Angwin in ProPublica that broke the news to everybody, and then it just went like wildfire. So as you might imagine the relay went back online that night. We were super-successful. Everybody in the community was incredibly excited about it and supportive. And what has happened now is that this community has sort of… like I said, they’ve been galvanized to support TOR even more. The library has now allotted some of their staff time and travel budget to help other libraries in the area set up TOR relays. They’re speaking about TOR… applause Thank you! They’re speaking about TOR at conferences. And this has really caught on in the greater library community as well. So I mentioned already the kind of success that we’ve had at Library Freedom Project in teaching tools like TOR Browser and getting folks to bring us in for trainings. This is even bigger than that!
Libraries are now organizing their, you know, staff training days around, you know, “Should we participate in the TOR relay project?” or “How can we do this best?”, “What’s the best angle for us?” So we’re really excited to announce that we’re gonna be continuing the relay project at scale. Nima Fatemi, who is now also in this picture again, I’m really sad that he can’t be here, he is wonderful and essential to this project. But he will now be able to travel across the US, and we hope to go a little further, opening up more relays in libraries. We’re gonna continue teaching, of course, about TOR Browser and other privacy-enhancing Free Software. We’re now gonna incorporate some other TOR services, so we’re really excited to bring “Let’s Encrypt” into libraries. And while we’re there, why not run a Hidden Service on the library’s web server. Among many other things. The other goals for Library Freedom Project: to take this to a much more international level. So if you want to do this in your country, you know your librarian, put them in touch with us. You can follow our progress on LibraryFreedomProject.org or @libraryfreedom on Twitter. And we’re always sort of posting on the Tor Blog about stuff that’s going on with us, so… Thank you so much for letting me tell you about it. It’s really a pleasure to be here! applause

Jacob: So, that’s a really tough act to follow! But we’re very pressed for time now. And we want to make sure that we can tell you two big things. And one of them is that, as you know, we were looking for an Executive Director because our Spirit Animal, Roger,…

Roger: Slide…

Jacob: Right… He couldn’t do it all. And in fact we needed someone to help us. And we needed someone to help us who has the respect not only of the community here but the community, basically, all around the world. And we couldn’t think of a better person, in fact, when we came up with a list of people.
The person that we ended up with was the Dream Candidate for a number of the people in the TOR Project and around the world. And so, I mean, I have to say that I’m so excited, I’m so excited that we have her as our Executive Director. I used to think that our ship was going to sink, that we would all go to prison, and that may still happen, the second part. But the first part, for sure, is not going to happen. We found someone who I believe will keep the TOR Project going long after all of us are dead and buried. Hopefully, not in shallow graves. So, this is Shari Steele! applause

Shari: Hi! applause Thanks! Thanks, it’s actually so fun to be back in this community. And I wasn’t gone for very long. I had… so much for retirement. It didn’t work out for me. But, that’s OK, I’m really excited. I have had – we’re so tight on time – so I want to just tell you there are 2 big mandates that I was given when I first was hired. And one is: Help build a great infrastructure so that TOR Project is sustainable. Working on that! The other thing is: Money! We need to diversify our funding sources, as everybody knows here. The Government funding has been really difficult for us, specifically because it’s all restricted. And so it limits the kinds of things we want to do. When you get the developers in a room blue-skying about the things that they want to do, it’s incredible! Really, really brilliant people who want to do great things, but they’re really limited when the funding says they have to do particular things. So we happen to be doing our very first ever crowdfunding campaign right now. I want to give a shout out to Katina Bishop, who is here somewhere and who is running the campaign for us and is just doing an amazing job. As of last count, which is a couple of days ago, we had over 3000 individual donors and over 120,000 Dollars, which is incredible for our very first time when we didn’t even really have a mechanism in place to be collecting this money, even.
So, it’s really great! And I wanna also say we have a limited number of these T-Shirts that I brought in a suitcase from Seattle. So, and they’re gonna be available if you come down to the Wau Holland booth at the Noisy Square. Come talk with us! Give a donation! We’re doing a special: it’s normally a 100-Dollar donation to get a shirt, but for the conference we’ll do, for 60 Euro you can get a shirt, and it would be great if you’d be able to show your support. And you can also donate online if you don’t wanna do that here. That’s the URL. And to end, we’d like to have a word from Down Under!

Video starts Video Intro Violin Music Good Day to you! Fellow Members of the Intergalactic Resistance against Dystopian bastardry! It is I, George Orwell, with an urgent message from Planet Earth, as it embarks on a new orbit. Transmitting via the Juice Channeling Portal. Our time is short. So let’s get straight to the point. Shall we? This transmission goes out to all you internet citizens. Denizens of the one remaining free frequency. In whose hands rests the fate of humanity. Lord… f_ckin’ help us! typewriter typing sounds When I last appeared to you, I warned you noobs: You must not lose the Internet! Now before I proceed, let us clarify one crucial thing. The Internet is not Virtual Reality, it is actual Reality. typewriter typing sounds Are you still with me? Good. Now ask yourselves: Would you let some fascist dictate with whom you can and cannot communicate? Because that’s what happens every time a government blacklists a website domain. Would you let anyone force you to get all your information from cable TV? That’s effectively the case if you allow corporations to kill Net Neutrality. typewriter typing sounds Would you let the Thought Police install telescreens in your house, monitor and record everything you do, every time you move, every word you’ve read, to peer into the most private nook of all, your head?
BECAUSE THAT’S WHAT HAPPENS when you let your governments monitor the net and enact mandatory data-retention laws! smashing sounds If you answered “No” to all those questions, then we can safely deduce that terms like “Online”, “IRL” and “in Cyberspace” are Newspeak. They confuse the truth: There is no “Cybersphere”. There is only life. Here. It follows that if you have an oppressive Internet, you have an oppressive society, too. Remember: online is real life… typewriter typing sounds Your Digital Rights are no different from everyday human rights! And don’t give me that BS that you don’t care about Privacy because you have nothing to hide. That’s pure Doublethink. As comrade Snowden clearly explained, that’s like saying you don’t care about Free Speech because you have nothing to say! Stick that up your memory holes and smoke it, noobs! Pig’s arse, the portal is closing, I’m losing you! I’ll leave you with a new tool to use. I assume you’ve all been fitted with one of these spying devices. Well, here’s an app you can use in spite of this. It’s called Signal, and, yes, it’s free and simple. Install it and tell all your contacts to mingle, then all your calls and texts will be encrypted. So even if Big Brother sees them the c_nt won’t be able to read them. Hahaa! Now that’s a smartphone! Our time is up! typewriter typing sounds Until the next transmission. Heed the words of George Orwell. Or should I say: George TORwell? typewriter typing sounds Remember, just as I went to Spain to fight the dirty fascists, you can come to Onion land and fight Big Brother’s filthy tactics. If you’re a Pro, run a node and strengthen the code. Or if you’re in the Outer Party and can afford it, send TOR some of your dough. Special Salute to all my comrades, the “State of the Onion”. Happy Hacking! Now go forth and f_ck up Big Brother.
That mendacious motherf_cking, c_ck-sucking bastard son of a corporatist b_tch… Video Outro Music applause Jacob: So, I think that’s all the time that we have. Thank you very much for coming. And thank you all for your material support. applause Herald: Unfortunately we won’t have time for a Q&A. But I heard that some of the crew will now go to the Wau Holland booth at Noisy Square down in the Foyer and might be ready to answer questions there. If you have any. postroll music Subtitles created by c3subtitles.de in 2016. Join and help us!