-
Herald: So now, the next talk that
we have here for one hour from 8:30
-
’til 9:30 PM is “The Tor Network
– we’re living in interesting times”.
-
I don’t know how many of you are familiar
with the works of Terry Pratchett.
-
But anyways, in the novels of Terry
Pratchett there is the saying:
-
“And may you live in interesting
times!” that is actually a curse
-
for someone that you especially
dislike; because it usually means
-
that you’re in a lot of trouble. So
I guess we’re all very excited
-
for this year’s ‘Tor Talk’ by the
everlasting Dream Team:
-
Jacob Appelbaum and Roger
Dingledine! There you go!
-
cheers and applause
Give it up!
-
huge applause
-
Jacob Appelbaum: So, thanks very much
to the guy who brought me a Mate.
-
I learned his name is Alexander. It’s
never a good idea to take drugs
-
from strangers, so I introduced
myself before I drank it. Thank you.
-
laughter
-
First I wanted to say that following up
after Glenn Greenwald is a great honor
-
and a really difficult thing to do, that’s
a really tough act to follow, and
-
he’s pretty much one of,
I think, our heroes. So, it’s
-
really great to be able to share the stage
with him, even for just a brief moment.
-
And I wanted to do something a little
unconventional when we started
-
and Roger agreed. Which is that we
want people who have questions
-
– since I suspect some things happened
this year that arouse a lot of questions
-
in people – we’d like you to write those
questions down, pass them to an Angel
-
or to just bring them to the front
of the stage as soon as possible
-
during the talk, so that we can answer as
many of your questions as is possible.
-
There is a lot of stuff that happened,
there’s a lot of confusion, and we wanna
-
make sure that people feel like
we are actually answering
-
those questions in a useful way.
And if you wanna do that, it’d be great,
-
and otherwise, we’re gonna try to have
the second half of our talk be mostly
-
space for questioning.
So with that, here is Roger.
-
Roger Dingledine: Okay, so, a lot of
things have happened over this past year,
-
and we’re gonna try to cover
as many of them as we can.
-
Here’s a great quote
from either NSA or GCHQ,
-
I’m actually not sure which one it is.
-
But we’re gonna start a little bit
earlier in the process than this
-
and work our way up to that.
So, we’re in a war,
-
or rather, conflict of perception here.
-
There are a lot – I mean,
you saw Glenn’s talk earlier
-
– there are a lot of large media
organizations out there
-
that are trying to present Tor
in lots of different ways,
-
and we all here understand
the value that Tor provides
-
to the world, but there are a growing
number of people around the world
-
who are learning about Tor
not from our website, or from
-
seeing one of these talks or from
learning it from somebody who uses it
-
and teaches them how to use it.
But they read the Time Magazine
-
or Economist or whatever the
mainstream newspapers are,
-
and part of our challenge is how do we
help you, and help the rest of the world
-
do outreach and education, so that
people can understand what Tor is for
-
and how it works and what
sorts of people actually use it.
-
So, e.g. GCHQ has been given instructions
-
to try to kill Tor by, I mean, who knows,
maybe they thought of it on their own,
-
maybe we can imagine some nearby
governments asked them to do it.
-
And part of the challenge…
they say: “we have to kill it
-
because of child porn”. And it
turns out that we actually do know
-
that some people around the
world are using Tor for child porn.
-
E.g. we have talked to
a lot of federal agencies
-
who use Tor to fetch child porn.
subdued laughter
-
I talked to people in the
FBI who use Tor every day
-
to safely reach the websites
that they want to investigate.
-
The most crazy example of this is
actually the Internet Watch Foundation.
-
How many people here have heard
of the Internet Watch Foundation?
-
I see a very small number of hands.
They are the censorship wing
-
of the British Government. They are the
sort of quasi-government organization
-
who is tasked with coming up with the
blacklist for the internet for England.
-
And, we got email from them a few years
ago, saying – not what you’d expect,
-
you’d expect “Hey, can you please shut
this thing down, can you turn it off,
-
it’s a big hassle for us!” – the
question they asked me was:
-
“How can we make Tor faster?”
laughter, applause
-
It turns out that they need Tor,
because people report URLs to them,
-
they need to fetch them somehow.
It turns out that when you go to the URL
-
with the allegedly bad stuff on
it and you’re coming from
-
the Internet Watch Foundation’s
IP address, they give you kittens!
-
laughter
Who would have known?
-
laughter, applause
-
So it turns out that these censors
need an anonymity system
-
in order to censor their internet.
laughter Fun times.
-
So another challenge here: at the
same point, one of my side hobbies
-
is teaching law enforcement how the
internet works, and how security works
-
and how Tor works. So, yeah, their job
does suck, but it’s actually not our fault
-
that their job sucks. There are a lot
of different challenges to successfully
-
being a good, honest law
enforcement person these days.
-
So, e.g. I went to Amsterdam and Brussels
-
in January of this past year to try to
teach various law enforcement groups.
-
And I ended up having a four-hour
debate with the Dutch regional Police,
-
and then another four-hour debate
with a Belgian cybercrime unit,
-
and then another four-hour debate
with the Dutch national Police.
-
And there are a lot of good-meaning, smart
people in each of these organizations,
-
but they end up, as a group, doing
sometimes quite bad things.
-
So part of our challenge is: how do we
teach them that Tor is not the enemy
-
for them? And there are a couple of
stories that I’ve been trying to refine
-
using on them. One of them they always
pull out, the “But what about child porn?
-
What about bad people? What about some
creep using Tor to do bad things?”.
-
And one of the arguments that I tried on
them was, “Okay, so on the one hand
-
we have a girl in Syria
who is alive right now
-
because of Tor. Because her family
was able to communicate safely
-
and the Syrian military didn’t
break in and murder all of them.
-
On the other hand, we have a girl
in America who is getting hassled
-
by some creep on the internet
who is stalking her over Tor.”
-
So the question is, how do we balance,
how do we value these things?
-
How do we assign a value
to the girl in Syria?
-
How do we assign a value
to the girl in America
-
so that we can decide which
one of these is more important?
-
And actually the answer is, you
don’t get to make that choice,
-
that’s not the right question to ask.
Because if we take Tor away
-
from the girl in Syria, she’s
going to die. If we take Tor away
-
from the creep in America, he’s got a lot
of other options for how he can be a creep
-
and start stalking people.
So if you’re a bad person,
-
for various definitions of ‘bad person’,
and you’re willing to break laws
-
or go around social norms,
you’ve got a lot of other options
-
besides what Tor provides. Whereas there
are very few tools out there like Tor
-
for honest, I’d like to say law-abiding,
-
but let’s go with civilization-abiding
citizens out there.
-
applause
-
Jacob: And it’s important to understand
that this hypothetical thing is actually
-
also true for certain values.
So at our Tor developer meeting
-
that we had in Munich recently,
that Syrian woman came to us,
-
and thanked us for Tor. She said:
“I’m from a city called Homs.
-
You might have heard about it,
it’s not a city anymore. I used Tor.
-
My family used Tor. We were able to
keep ourselves safe on the internet
-
thanks to Tor. So I wanted to come
here to Munich to tell you this.
-
Thank you for the work that you’re
doing.” And for people who
-
– this was their first dev meeting –
they were completely blown away
-
to meet this person. “Wow,
the stuff that we’re working on,
-
it really does matter, there
are real people behind it”.
-
And we were all, I think, very touched
by it, and all of us know someone
-
who has been on the receiving end
of people being jerks on the internet.
-
So this is a real thing where there
are real people involved, and
-
it’s really important to understand
that if you remove the option
-
for that woman in Syria – or you
here in Germany, now that we know
-
what Edward Snowden has told the world…
-
Those bad guys, those jerks
– for different values of that –
-
they always have options. But very
rarely do all of us have options
-
that will actually keep us safe.
And Tor is certainly not the only one,
-
but right now, and we hope in this
talk you’ll see that we’re making
-
the right trade-off by working on Tor.
-
Roger: One of the other talks that I give
to them, one of the other stories
-
that I give to them, one of the big
questions they always ask me is:
-
“But what about terrorists?
Aren’t you helping terrorists?”
-
And we can and we should talk about
“What do you mean by terrorists?”
-
because in China they have a very
different definition of terrorists
-
and in Gaza they have a very
different definition of terrorists, and
-
in America, they are always thinking
of a small number of people
-
in some Middle-Eastern country who are
trying to blow up buildings or something –
-
Jacob: Mohammed Badguy,
I think is his name.
-
Roger: Yes, that –
Jacob: In the NSA slides.
-
Roger: Yes. So, scenario 1:
-
I want to build a tool that
works for millions of people,
-
it will work for the next year,
and I can tell you how it works,
-
so you can help me evaluate
it. That’s Tor’s problem.
-
Scenario 2: I want to build a tool that
will work for the next 2 weeks,
-
it will work for 20 people and I’m
not going to tell you about it.
-
There are so many more
ways of solving scenario 2
-
than solving scenario 1. The bad
guys – for all sorts of definitions –
-
the bad guys have a lot more
options on how they can keep safe.
-
They don’t have to scale,
it doesn’t have to last forever,
-
they don’t want peer review, they
don’t want anybody to even know
-
that it’s happening. So the
challenge that Tor has is
-
we wanna build something that works for
everybody and that everybody can analyze
-
and learn about. That’s a much harder
problem, there are far fewer ways
-
of solving that. So, the terrorists,
they got a lot of options.
-
That sucks. We need to build tools that
can keep the rest of the world safe.
-
Jacob: And it’s important, really, to try
to have some good rhetorical arguments,
-
I think. I mean, we sort of
put a few facts up here.
-
One interesting point to mention
is that people who really
-
don’t want anonymity to exist
in a practical sense, maybe
-
not even in a theoretical, Human
Rights sense either, but definitely
-
in a practical sense, they’re not really
having honest conversations about it.
-
E.g. this DoJ study – the Department
of Justice in the United States – they
-
actually started to do a study where they
classified traffic leaving Tor exit nodes.
-
Which… it’s interesting that they
were basically probably wiretapping
-
an exit node to do that study. And
I wonder how they went about that – but
-
nonetheless, they came up with the
number 3% of the traffic being bad.
-
And then they aborted the study because
they received many DMCA takedown notices.
-
laughter
Roger: Yes, they –
-
Jacob: Apparently even the DMCA
is a problem to finding out answers!
-
That plague of society! (?)
-
Roger: interrupts They asked a
university to run the Tor exit for them
-
and they were just starting out
doing their study, and then
-
the university started getting
DMCA takedowns and said:
-
“Well, we have to stop, the
lawyers told us to stop!”,
-
and the Department of Justice said:
“We’re the Department of Justice,
-
keep doing it”, and then they
turned it off. laughter
-
So, not sure how the balance of power
goes there, but the initial results
-
they were looking towards
were about 3% of the traffic
-
coming out of that Tor exit node was bad,
-
but I haven’t figured out what they mean
by ‘bad’. But I’ll take it if it’s 3%.
-
Jacob: And I personally don’t
like to use the word ‘war’
-
when talking about the internet.
And I particularly dislike
-
when we talk about actual
issues of terrorism.
-
And I think that we should talk about it
in terms of perception and conflict.
-
And one of the most frustrating
things is: the BBC
-
actually has articles on their
website instructing people
-
how to use the Silk Road and
Tor together to buy drugs.
-
We very, very seriously do
not ever advocate that,
-
for a bunch of reasons… Not the
least of which is that even though
-
Bitcoin is amazing, it’s not
an anonymous currency.
-
And it isn’t the case that these websites
are necessarily a good idea and…
-
but it won’t be Tor, I think, that will be
the weakest link. But the fact that
-
the BBC promotes that – it’s because
they generally have “A man bites dog”.
-
You could say that that’s their
entire Tor related ecosystem.
-
Anything that could be just
kind of a little bit interesting,
-
they’ll run with it. So they have
something to say about it.
-
And in this case they literally were
promoting and pushing for people
-
to buy drugs. Which is crazy to me, to
imagine that. And that really impacts
-
the way that people perceive the
Tor Project and the Tor Network.
-
And what we’re trying to do
is not that particular thing.
-
That is a sort of side effect that occurs.
What we want is for every person
-
to have the right to speak freely and the
right to read anonymously on the internet.
-
Roger: And we also need to keep in
mind the different incentive structures
-
that they have. So BBC posted their
first article about Silk Road and Tor.
-
And the comment section was
packed with “Oh, wow, thanks!
-
Oh, this is great! Oh, I don’t have to go
to the street corner and get shot!
-
Oh! Wow! Thanks! This is great!” Just
comment after comment, of people saying:
-
“Thank you for telling me about this!”
And then a week later they posted
-
a follow-up article saying “And we
bought some, and it was really good!”
-
laughter and applause
-
So what motivation are they doing here?
-
So their goal in this case is: “Let’s get
more clicks. Doesn’t matter what it takes,
-
doesn’t matter what we
destroy while we’re doing it.”
-
Jacob: So that has some serious problems,
obviously. Because then there are
-
different structures that exist to attack
– as part of the War on Some Drugs –
-
and they want to show that their
mission is of course impacted by Tor.
-
They want to have an enemy that
they can paint a target on. They want
-
something sexy that they can get funding
for. So here’s a little funny story
-
about an agent, as it says in the last
point, who showed this massive drop
-
in the Tor Network load after Silk
Road was busted. Right? Because
-
everybody realizes of course that all
of the anonymity traffic in the world
-
must be for illicit things.
-
Roger: So this was at a particular meeting
-
where they were trying to get more funding
for this. This is a US Government person
-
who basically said: “I evaluated
the Tor Network load
-
during the Silk Road bust. And
I saw 50% network load drop
-
when the Silk Road bust happened.”
So I started out with him
-
arguing: “Actually, you know, when
there’s a huge amount of publicity about
-
– I don’t know – if Tor is broken, we can
understand, that would be reasonable,
-
that some Tor people would stop using
Tor for a little while, in order to wait
-
for more facts to come out and then will
be more prepared for it.” But then
-
I thought: “You know, wait a minute, we
got the Tor Metrics database. We have
-
all of this data of load on the network.”
-
So then I went: “Let’s go actually
see if there was a 50% drop on
-
the Tor Network!” So the green
line here is the capacity
-
of the Tor Network over time. So the
amount of bytes that relays can push
-
if we were loading it down
completely. And the purple line is
-
the number of bytes that are actually
handled on the network over time.
-
Jacob: Can you guess? If you don’t
look at the date at the bottom,
-
can you show what that
agent was talking about?
-
Or is the agent totally full of shit?
laughter
-
Just a… hypothetical question, but if you
have a theo… anyone? Shout it out! Yeah!
-
[unintelligible from audience]
-
Oh that’s right! It didn’t go down by 50%!
laughter
-
Wow! He was completely wrong!
-
But just for the record, that’s
where he said there was a drop!
-
laughter and applause
-
Roger: And while we’ve talked you had
to read these graphs. Here is a graph
-
of the overall network growth
over the past 3 or 4 years.
-
So the green line, again, is the amount of
capacity. And we’ve seen a bunch of people
-
adding fast relays recently,
after the Snowden issues.
-
And we’ll talk a little bit later about
what other reasons people are running
-
more capacity lately, as the
load on the network goes up.
-
Okay. And then there is the
‘Dark Web’. Or the ‘Deep Web’.
-
Or the Whatever-else-the-hell-you-call-it
Web. And again,
-
this comes back to media trying to
produce as many articles as they can.
-
So here’s the basic… I’ll give you
the primer on this ‘Dark Web’ thing.
-
Statement 1: “The Dark Web is every web
page out there that Google can’t index.”
-
That’s the definition of the Dark Web.
laughter and applause
-
applause
-
So every Corporate database,
every Government database,
-
everything that you access with a
web browser at work or whatever,
-
all those things that Google can’t get to,
that is the Dark Web. That’s statement 1.
-
Statement 2: “90+X% of web
pages are in the Dark Web.”
-
So these were both well-known
facts a year ago.
-
Statement 3, that the media has
added this year: “The only way
-
to access the Dark Web is through Tor.”
laughter, some applause
-
These 3 statements together
sell more and more articles
-
because it’s great, people buy them,
they’re all shocked: “Oh my god,
-
the web is bigger than I thought,
and it’s all because of Tor”.
-
laughter and applause
-
Jacob: So, really… the reality of this
is that it’s not actually the case.
-
Obviously that’s a completely laughable
thing. And for everyone that’s here –
-
not necessarily people watching on the
video stream – but for everyone here,
-
I think, you realize how ridiculous
that is. That entire setup
-
is obviously a kind of ‘clickbait’, if
you would call it something like that.
-
There are a few high-profile Hidden
Services. And actually, this is
-
a show of hands: raise your hand
if you run a Tor Hidden Service!
-
few hands go up
-
Right. So, no one’s ever heard of your
Tor Hidden Service. Almost certainly.
-
And these are the ones that people have
heard of. And this is something which is
-
kind of a fascinating reality
which is that these 4 sites,
-
or these 4 entities have
produced most of the stories
-
related to the deep gaping
whatever web, that
-
if you wanna call it the Dark Web. And,
in fact, for the most part, it’s been…
-
I would say the top one
e.g., with WikiLeaks,
-
it’s a positive example. And,
in fact, with GlobaLeaks,
-
which is something that Arturo Filastò
and a number of other really great
-
Italian hackers here have been working
on, GlobaLeaks, they’re deploying
-
more and more Hidden Services that you
also haven’t heard about. For localized
-
corruption, reporting and whistleblowing.
But the news doesn’t report about
-
Arturo’s great work. The news
reports are on The Farmer’s Market,
-
on Freedom Hosting and
on Silk Road. And those things
-
also bring out a disproportionate
amount of incredible negative attention.
-
In the case of Freedom Hosting, we
have a developer, Mike Perry, who’s
-
kind of the most incredible
evil genius alive today.
-
I think he’s probably at about 2 Mike
Perrys right now. That’ll be my guess.
-
And he was relentlessly attacked.
-
Because he happened to have
a registration for a company
-
which had an F and an H in the name.
-
Wasn’t actually even close
to what’s up there now.
-
And he was relentlessly attacked because
the topics that the other sites have
-
as part of their customer base or as part
of the things that they’re pushing online,
-
they really pull on people’s
hearts in a big way.
-
And that sort of created
a lot of stress. I mean,
-
the first issue, WikiLeaks, created a
lot of stress for people working on Tor
-
in various different ways. But for Mike
Perry, he was personally targeted,
-
in sort of COINTELPRO-style
harassment. And really sad,
-
in a really sad series of events.
And of course, the news
-
also picked up on that, in some
negative ways. And they really, really
-
picked up on that. And that’s a really
big part of I think you could call it
-
a kind of cultural conflict
that we’re in, right now.
-
The farmer’s market has also
quite an interesting story.
-
Which I think you wanted to tell.
-
Roger: Yeah, so, I actually heard from
a DEA person who was involved
-
in the eventual bust of
the Farmer’s Market story.
-
Long ago there was a website on
the internet, and they sold drugs.
-
Oh my god. And there were people
who bought drugs from this website
-
and Tor was nowhere in the story. It
was some website in South East Asia.
-
And the DEA wanted to take
it down. So they learned…
-
I mean the website was public. It was
a public web server. So they sent
-
some sort of letter to the country that it
was in. And the country that it was in
-
said: “Screw you!”. And then they said:
“Okay, well, I guess we can’t take down
-
the web server”. So then they started to
try to investigate the people behind it.
-
And it turns out the people
behind it used Hushmail.
-
So they were happily communicating
with each other very safely.
-
So the folks in the US
sent a letter to Canada.
-
And then Canada made Hushmail basically
give them the entire database
-
of all the emails that these people
had sent. And then, a year or 2 later,
-
these people discovered Tor. And they’re
like: “Hey we should switch our website
-
over to Tor and then it will be safe.
That sounds good!”. The DEA people
-
were watching them the whole time
looking for a good time to bust them.
-
And then they switched over to Tor, and
then 6 months later it was a good time
-
to bust them. So then there were all
these newspaper articles about how
-
Tor Hidden Services are
obviously broken. And
-
the first time I heard the story
I was thinking in myself:
-
“Idiot drug sellers use PayPal
– get busted – end of story”.
-
laughing
-
But they were actually using PayPal
correctly. They had innocent people
-
around the world who were receiving
PayPal payments and turning it into some
-
Panama based e-currency or
something. So the better lesson
-
of the story is: “Idiot drug sellers
use Hushmail – get busted”.
-
So there are a lot of different
pieces of all of these.
-
Jacob: Don’t use Hushmail!
laughter
-
Seriously! It’s a bad idea! And
don’t use things where they have
-
a habit of backdooring their
service or cooperating
-
with so called ‘lawful interception
orders’. Because it tells you that
-
their system is not secure. And it’s clear
that Hushmail falls into that category.
-
They fundamentally have chosen that
that is what they would like to do.
-
And they should have that reputation.
And we should respect them exactly
-
as much as they deserve for that. So
don’t use their service. If you can.
-
Especially if you’re gonna do
this kind of stuff. laughter
-
Or maybe what I mean is: guys,
do that – use Hushmail.
-
But everybody else, protect yourself!
laughter
-
So, the thing is that
not every single person
-
is actually stupid enough to use Hushmail.
-
So as a result, we had started to
see some pretty crazy stuff happen.
-
Which we of course knew would happen and
we always understood that this would be
-
a vector. So, in this case,
this year we saw,
-
I think, one of the probably not
the most interesting exploits
-
that we’ve ever seen. But one
of the most interesting exploits
-
we’ve ever seen deployed
against a broad scale of users.
-
And we’re not exactly sure
who was behind it. Though
-
there was an FBI person who went
to court in Ireland and did in fact
-
claim that they were behind it. The IP
space that the exploit connected back to
-
was either SAIC or NSA.
And I had an exchange
-
with one of the guys behind the VUPEN
exploit company. And he has
-
on a couple of occasions mentioned
writing exploits for Tor Browser.
-
And what he really means is Firefox. And
-
this is a serious problem of course. If
they want to target a person, though,
-
first they have to actually find them.
So traditionally, if you’re not using Tor,
-
they go to your house, they plug in some
gear. They go to the ISP upstream,
-
and they plug in some gear. Or they do
some interception with an IMSI catcher,
-
and things like that. Most of these
techniques, I’ll talk about on Monday
-
with Claudio. If you’re interested.
But basically it’s the same.
-
They find out who you are,
then they begin to target you,
-
then they serve you an exploit.
This year one of the differences is
-
that they had actually taken over a Tor
Hidden Service. And started to serve up
-
an exploit from that. Just trying
to exploit every single person
-
that visited the Hidden Service. So there
was a period of time when you could
-
really badly troll all of your friends
by just putting a link up where
-
it would load in an iframe and they would
have been exploited. If they were running
-
an old version of Firefox. And
an old version of Tor Browser.
-
Which was an interesting twist. They
didn’t actually, as far as we know,
-
use that exploit against anyone
while it was a fresh zero-day.
-
But they did write it. And they
did serve it out. And they gave
-
the rest of the world the payload
to use against whoever they’d like.
-
So, when the FBI did this, they basically
gave an exploit against Firefox
-
and Tor Browser to the Syrian Electronic
Army who couldn’t have written one,
-
even if they wanted to. This is
a really interesting difference
-
between other ways that the FBI might
try to bust you, where they can localize
-
the damage of hitting untargeted
people who are otherwise innocent,
-
especially. But we’ve asked
Firefox to try to integrate
-
some of these privacy-related things that
we’ve done. We’d like to be able to be
-
more up-to-speed with Firefox and
they generally seem premili, too (?)
-
and I think that’s a fair thing to say.
But we have a de-synchronisation.
-
But even with that de-synchronisation we
were still ahead of what they were doing
-
as far as we can tell. But they
are actually at the point where
-
they have hired probably some people
from this community – fuck you –
-
and they write those exploits.
applause
-
And serve them up.
And so that is a new turn.
-
We had not seen that before this year.
And that’s a really serious change.
-
As a result we’ve obviously been
looking into Chrome, which has
-
a very different architecture. And in some
cases it’s significantly harder to exploit
-
than Firefox. Even with just very
straight-forward bugs which should be
-
very easy to exploit the Chrome team
has done a good job. We want to have
-
a lot of diversity in the different
browsers. But we have a very strict
-
set of requirements for protecting
Privacy with Tor Browser.
-
And there’s a whole design document
out there. So just adding Tor
-
and a web browser together is not quite
enough. You need some actual thoughts,
-
which have been elucidated – mostly by
Mike Perry and Erinn Clark –
-
in the Tor Browser design document.
So we’re hoping to work on that.
So we’re hoping to work on that.
-
If anyone here would like to work on that:
that’s really something where we really
-
need some help. Because there is
really only one Mike Perry. Literally
-
and figuratively.
-
Roger: Okay. Another exciting topic
people have been talking about lately
-
is the diversity of funding. A lot of our
funding comes from governments.
-
US mostly but some other ones as
well. Because they have things
-
that they want us to work on. So once upon
a time when I was looking at fundraising
-
and how to get money I would go to places
and I would say: “We’ve got 10 things
-
we want to work on. If you
want to fund one of these 10,
-
you can help us set our priorities.
We really want to work on
-
circumventing censorship, we really want
to work on anonymity, we really want
-
to work on Tor Browser safety. So
if you have funding for one of these
-
then we’ll focus on the one that
you’re most interested in”.
-
So there’s some trade-offs here. On the
one hand government funding is good
-
because we can do more things. That’s
great. A lot of the stuff that you’ve seen
-
from Tor over the past couple of years
comes from people who are paid full-time
-
to be able to work on Tor and focus
on it and not have to worry about
-
where they’re gonna pay their rent
or where they’re gonna get food.
-
On the other hand it’s bad because
funders can influence our priorities.
-
Now, there’s no conspiracy. It’s not
that people come to us and say:
-
“Here’s money, do a backdoor, etc.”
We’re never gonna put any backdoors
-
in Tor, ever.
-
Jacob: Maybe you could tell the story
-
about that really high-pitched lady
who tried to get you, to tell you that
-
that was your duty and then you explained…
-
Roger: Give me a few more details!
laughter
-
Jacob: People have approached us,
obviously, in order to try to get us
-
to do these types of things. And
this is a serious commitment
-
that the whole Tor community gets behind.
Which is that we will never ever
-
put in a backdoor. And any time that we
can tell that something has gone wrong
-
we try to fix it as soon
as is possible regardless
-
– actually I would say for myself – of any
other consequences. That our commitment
-
to protecting anonymity
of our user base extends
-
beyond any reasonable commitment,
actually. And we really believe
-
that commitment. And there are people
that have tried to get us to change that.
-
Tried to tell us that “oh, it’s only
because you’re living in the free world,
-
and you’re able to have a company
that (?) and make a profit
-
that you can even right the supper (?). So
come on! Do your duty!” And of course
-
when we tell them we’re non-profit
and that we’re not gonna do it,
-
they’re completely
dumbfounded. For example.
-
Roger: Now I remember that discussion, yes!
Jacob: Yeah!
-
applause
-
Roger: This was a discussion with
a US Department of Justice person
-
who basically said: “It’s your…
the Congress has given us,
-
the Department of Justice, the
right to backdoor everything,
-
and you have a tool
that you haven’t made
-
easy for us to backdoor. So
it’s your responsibility to fix it
-
so that we can use the privileges
and rights given us by Congress
-
on surveilling everybody. And
you are taking advantage
-
of the situation that we’ve given you
in America where you’ve got good
-
freedom of speech and you got other
freedoms etc. You’re stealing
-
from the country. You’re cheating on the
process by not giving us the backdoor
-
that Congress said we should have”. And
then I said: “Actually we’re a non-profit.
-
We work for the public good”. And then
the conversation basically ended.
-
She had no further thing to say.
applause
-
So part of what we need to do is continue
to make tools that are actually safe
-
as tools. Rather than a lot of the other
systems out there. On the other hand,
-
every funder we’ve talked to
lately has interesting priorities:
-
they wanna pay for censorship-resistance,
they wanna pay for outreach, education,
-
training etc. We don’t have any
funders right now who want to pay
-
for better anonymity. And it’s really
important for some of the people
-
we heard about in the last talk that
they have really good anonymity
-
against really large adversaries.
And I’m not just talking about
-
American Intelligence Agencies. There
are a lot of Intelligence Agencies
-
around the world who are trying
to learn how to surveil everything.
-
So what should Tor’s role be here?
-
There are a lot of people in the Tor
development community who say:
-
“What we really need to do is
focus on writing good code,
-
and we’ll let the rest of the world
take care of itself.” There is also
-
a trade-off from some of the
funders we have right now.
-
Where I could go up and I could say
-
a lot of really outrageous
things that I agree with
-
and that you agree with. But some
of our funders might wonder
-
if they should keep funding us after
that. So part of what we need to do
-
is get some funders who are more
comfortable with the messages
-
that everybody here would like the
world to hear. So if you know anybody
-
who wants to help provide actual
freedom we’d love to hear from you.
-
Jacob: And it’s important to understand
that we sort of have an interesting place
-
in the world at the moment
where it’s easy to say
-
that we shouldn’t be political. And that
in general, there shouldn’t be politics
-
in what we’re doing. And
it’s also easy to understand
-
that that’s crazy when someone
says that to an extent. Because
-
the idea of having free speech, having
the right to read, having the ability
-
to reach a website that is beyond
of the power of the state
-
– that is a very political thing for
many people. And it is often the privilege
-
of some, where they don’t even
realize that’s a political statement.
-
applause
And they suggest…
-
and that they suggest that we don’t need
to be political. We need to recognize the
-
political context that we exist in. And
especially after the summer of Snowden,
-
understanding that there
are almost no tools
-
that can resist the NSA
and GCHQ. Almost none.
-
We did not survive completely
in the summer of Snowden.
-
They were able to get some Tor users.
But they couldn’t get all Tor users!
-
That’s really important. We change
the economic game for them.
-
And that, fundamentally,
is a political issue!
-
applause
-
But please note that the solution
is not a partisan solution.
-
Where we say: well, some people
are good and some are bad.
-
You guys over there, on the left
or on the right, you don’t deserve
-
to have freedom of speech. You
don’t have the right to read.
-
We aren’t saying that. We’re saying that
the common good of everyone having
-
these fundamental rights
protected in a practical way
-
is an important thing for us to build
and for all of us to contribute to,
-
and for every person to
have. That is, I think,
-
the best kind of political solution
we can come up with.
-
Though it is a very controversial
one in some ways. I think that
-
we can’t actually do it unless everyone
really starts to agree with us.
-
And we are making a lot of positive change
in this. As we saw with the network graph.
-
But this comes from
Mutual Aid and Solidarity.
-
Which most of the people
in this room provide.
-
Roger: And that diversity of
users is actually technically
-
what makes Tor safe. You need to have
-
activists in various countries,
and folks in Russia right now,
-
and law enforcement around the
world. You need to have them all
-
in the same network. Otherwise
if I see that you’re using Tor,
-
I can start guessing why you’re using
Tor. So we need that diversity
-
of users. Not just for
a perception perspective
-
but for an actual technical perspective.
We need to have all the different
-
types of users out there blending
into the same system
-
so that they can keep each other
safe. So part of the hobbies
-
that each Tor person has,
we’re all getting better
-
at outreach to various communities.
So, I mentioned earlier
-
that I talked to law enforcement to try
to teach them how these things work.
-
Turns out that having Jake talk to
law enforcement is not actually
-
the most effective way to
convince them of things
-
laughter
so…
-
Jacob: I’m, I’m, I’m, eh, you know, my
lawyer gave me some great advice
-
which I can tell you without breaking the
privilege of our other communications.
-
Which he says: “never miss the
chance to shut the fuck up!”
-
laughter
And that I think really really underscores
-
why I should not talk to the Police
about why they also need
-
traffic analysis resistance, reachability,
network security, privacy and anonymity.
-
Roger’s much much more diplomatic.
-
Roger: So at the same time we have
people talking to domestic violence
-
and abuse groups and teaching them
how to be safe. And at the same time
-
we have folks at corporations
learning how to be safe online.
-
We hear from large companies
who are saying: “I want to
-
put the entire corporate
traffic over Tor
-
because we actually do have adversaries
and they actually are spying on us
-
and they do want to learn what we’re
doing. So how do we become safe
-
from these situations?” So part of
what we need is help from all of you
-
to become outreach for all of your
communities. And get better
-
at teaching people about why privacy
is important for the communities
-
that you’re talking to and learn how to
use their language and convince them
-
that these things are important.
And at the same time teach them
-
about the other groups out there who
care. So that they can understand
-
that it’s a bigger issue than just
whatever they’re most focused on.
-
Okay, so, a while ago I wrote up
a list of 3 ways to destroy Tor.
-
The first way – we have
a handle on it for a while.
-
The first way is: change the laws
or the policies or the cultures
-
so that anonymity is outlawed.
And we’re pretty good
-
at fighting back in governments
and policy and culture etc.
-
and saying: “No, there are good uses of
these things, you can’t take them away
-
from the world”. The second way:
Make ISPs hate hosting exit relays.
-
And if more and more ISPs say:
“No, I’m not gonna do that”
-
then eventually the Tor Network
shrinks reducing the anonymity
-
it can provide because there’s not as
much diversity of where you might
-
pop out of the Tor Network to go to
the websites. So I think we’re doing
-
pretty well fighting that fight.
We’ve known about it for a while.
-
It’s one we’ve been focusing on
for a long time. Torservers.net
-
and a lot of other groups are doing great
work at building and maintaining
-
relationships with ISPs. But the third
one is one that we haven’t focused on
-
as much as we should. Which is:
make websites hate Tor users.
-
So a growing number of
places are just refusing
-
to hear from Tor users
at all. Wikipedia did it
-
a long time ago. Google gives
you a captcha if you’re lucky…
-
Jacob: That’s the best question, ever!
If you like, that’s a good setup!
-
Roger: I’ll cover this one next. So,
-
Skype is another interesting example
here. If you run a Tor exit relay
-
and you try to skype with somebody
Microsoft hangs up on you.
-
And the reason for that is not that
they say: “Oh my god, Tor people
-
are abusing Skype!” – Microsoft pays
some commercial company out there
-
to give them a blacklist, they don’t even
know what’s on it, and the company
-
puts Tor exit IPs on it. And
now Microsoft blacklists all the
-
Tor exit relays. And they don’t even know
they’re doing it. They don’t even care.
-
So as more and more of these
blacklisting companies exist
-
we’re more and more screwed.
So we need help trying to
-
learn how to teach all of these
companies how to accept
-
users without thinking that IP addresses
are the right way to identify people.
-
Jacob: There might also be,
on point 3, a relationship here
-
with some of the other
points here. E.g. point 4.
-
Which is to say that when
a company does not want to
-
give you location anonymity
maybe there’s a reason for that.
-
I mean, I personally think that Wikipedia
is great, I don’t feel so great
-
about yelp and about Google, most of
the time. And I definitely don’t feel good
-
about Skype. Given what we’ve
learned it makes sense
-
that they would demonstrate that
they do not respect you as users.
-
And the Tor Network as a way to
protect users from them, actually.
-
And some of these places will
say that it's basically only being
-
used for abuse. Often they won’t have
metrics for it. And they will refuse
-
to work with us to come up with inventive
solutions, like e.g. something
-
where you have to use a
nym system of some kind,
-
in the case of Wikipedia, or something
where you solve a captcha, something
-
where you have to have an account,
something where you’re pseudonymous.
-
But you get to retain location privacy.
And actually, in a few cases,
-
it’s probably better that Tor is blocked
because they don’t even
-
provide secure logins when you’re not
using Tor. So it’s not necessarily
-
always a good thing to use the services,
anyway. So in a sort of funny sense
-
it could be helpful that they’re blocking
Tor. But we would like to improve
-
those things. And one thing is
to show that we need to build
-
some systems to get these properties. And
we need to show that it is the best thing
-
right now that we all can use. And
we need people that are working
-
with these companies, with these
communities, to actually help us
-
to understand how we can
better serve Tor community,
-
but also the Tor community that
overlaps with their community.
-
Especially Wikipedia. For me personally,
it kills me that the way that I get
-
to edit the Wikipedia, should I edit
it, is that I have to send an email
-
to someone, tell them an account I already
have, ask them to set a special flag
-
in the Wikipedia database,
and then I can log in and edit.
-
That’s not really the ideal solution,
I think. If I’m not being abusive
-
on Wikipedia I should be able to
have a pseudonymous way to edit.
-
I should be able to anonymously connect.
And I should be able to do that
-
from anywhere in the world, especially
when the local network is censoring me
-
and my only way to get to the
Wikipedia is to, in fact, use Tor
-
or something like it.
applause
-
So, the last point on that is this one:
I obviously joked the church man (?)
-
Roger: Yeah, so I was showing this to an
anonymity researcher and he started
-
yelling: “IPO, IPO, IPO, IPO…” as
soon as he saw this graph of Tor users
-
over time. So in the course of a week
or so we added about 4 or 5 million
-
Tor clients to the network.
And you’d think: “Oh wow,
-
this Snowden thing worked,
it’s great!” But actually,
-
some jerk in the Ukraine signed
up his 5 million node botnet.
-
Jacob: I mean, one of the good things
about this is that we learned that
-
the Tor Network scales to
more than 5 million users.
-
Roger: We’ve been working on
scalability: it works!
-
applause
-
Jacob: We had to make some changes.
There’s e.g. the NTor handshaking
-
which is using elliptic curves. That is
something which really helps to reduce
-
the load on the relays. This is a pretty
big change. But there’s a lot of work
-
that Mike Perry has done with load
balancing, lots of work by Nick Mathewson.
-
Lots of changes in the Tor Network
for scalability. But if this had been
-
like a real attacker, or if the botnet had
been turned against the Tor Network,
-
it probably would have been fatal,
I think. A really interesting detail is
-
that this was a botnet for Windows.
And Microsoft has the ability to remove
-
things that they flag as malicious.
And so they were going around
-
and removing Tor clients from
Microsoft Windows users
-
that were part of this botnet. Now when we
talked to them, my understanding is that
-
they only removed it when they were
certain that it was a Tor that came
-
from this botnet. That’s a lot of power
that Microsoft has there, though!
-
If you’re using Windows, trying to be
anonymous, with the device. Bad idea.
-
Roger: They actually removed the
bot and left the Tor client because
-
they weren’t sure whether they
should remove it. So actually
-
all those 5 millions are
still running Tor clients.
-
Jacob: Whoops! So, interesting
point here, summer of Snowden.
-
It’s hard to tell. There’s
some piece of information
-
that we’re really missing here. Due to
the botnet happening at the same time
-
it’s really difficult to understand the
public response to the revelations
-
about NSA and spying.
Especially now. I mean:
-
we think that most of that is
botnet traffic. Over a million.
-
Over a million, where it goes
up. Over almost 6 million.
-
So that’s a serious amount
of traffic, from that botnet.
-
And that is a really serious threat to
the Tor Network. It can be (?)
-
a couple of different ways. One of
these things, I mentioned before,
-
NTor handshake. But another thing
is: if every person in this room
-
were to run a Tor relay, even
a middle relay not an exit relay,
-
it would make it significantly harder to
melt the Tor Network.
-
I actually think
-
that would be incredible if you guys
would all do that.
-
I don’t think that
all of you will.
-
But if you did that would
make it so that we could survive
-
other events like this in the future.
-
applause
-
So someone sent a question which we’re
just gonna go ahead and answer now.
-
“When talking of funding for better
anonymity, what do you think,
-
in terms of money,
how much could you need?”
-
Well here’s a thing:
-
if you were willing to fund us
we would really like you.
-
Or I would really like it
-
especially, since I’m probably the one
that threatens the US Government funding
-
of Tor, more than any person in this room.
-
I think that it would be great if you
could match the Dollar-to-Dollar
-
that Government funders
bring to the table.
-
We would really like that.
-
It would be amazing if that was possible.
-
So there’s actually a hard number
-
on the website.
-
Or if you wanted to
– as much money as you have.
-
laughter
Feel free!
-
Either way –
-
Roger: To give you a sense of
scale: right now our 2014 budget
-
is looking like it will be somewhere
between 2 Mio US and 3 Mio US,
-
which is great except we’re trying to
do so many different things at once.
-
If it ends up on the 2 Mio US side
we basically have no funding
-
for making anonymity better.
-
If it ends up
more than that then
-
we’re in better shape and
we can make people more safe.
-
Jacob: And part of the thing is that we
have to build all sorts of tools that are
-
not directly related to Tor.
-
In many cases.
-
Especially because of the funding.
-
But because we want users to be
able to actually use the software
-
with something else.
-
It’s not nearly
enough to have a Tor.
-
You need to be able
-
to do something with the Tor.
-
You know?
-
And that’s a really difficult part.
-
But if there’s specific things we would
also be open to alternate funding models
-
where we fund very specific tasks e.g.
that would be a really great thing.
-
We haven’t really
experimented with that.
-
But on that note I wanted to talk
about classified information.
-
Everybody ready?
It’s not classified any more,
-
it’s on the internet?
I’m not sure. So,
-
this is probably the hot topic
I would say.
-
Probably the one
everyone wanted to know about.
-
So the NSA and GCHQ
-
have decided that they
don’t like anonymity,
-
and they’re doing everything that
they possibly can to attack it.
-
With a few exceptions.
-
So there’re
a few different programs
-
– I’m gonna talk a lot about this
on Monday. So I don’t wanna go
-
into too much detail about the
non-Tor aspects of it. But
-
for the Tor side of it – Quick Ant is
what’s called a question-filled data set.
-
This is a QFD.
-
What that means is it’s TLS related
sessions, as I understand it.
-
And it is recording data, i.e.
Data Retention about TLS sessions.
-
It’s pulled from a larger thing –
Flying Pig.
-
Which was revealed on I think,
a Brazilian Television clip, or someone
-
photographed a moving
picture of Glenn’s screen.
-
That program is kind of scary.
But not too scary.
-
Just looks like after the fact (?) Data
Retention.
-
Quantum Insert
-
on the other hand is a pretty
straightforward man-on-the-side-attack.
-
Foxacid, which is another thing which
we know that’s used against Tor users,
-
is basically just the ‘Tailored Access
and Operations’ web server farm
-
where they serve out malware.
-
Sort of like a watering hole attack.
Except
-
in this case they also combine it with
Quantum Insert.
-
So that when you visit
-
your Yahoo mail
– NSA and GCHQ love Yahoo –
-
even when you use Tor
they basically redirect you
-
by just tagging a little bit of data
into the TCP connection. And
-
of course Tor does its job, it flows all
the way back to you.
-
Your web browser
then loads it.
-
You’re now connected to
their server.
-
Their server delivers
malicious code.
-
And the use of it
is to pop somebody.
-
From what I understand it took
them 8 months to hit one guy.
-
That’s fucking great, I think, that
we went from ‘everybody all the time
-
applause
being compromisable’ to ‘they have to
-
very carefully pick one person
and work for a long time’.
-
They really believe that
that’s the right target.
-
They really understand that
-
that is someone that they
want to go after. And
-
if that person were to keep their browser
up-to-date they probably would have been
-
ahead of the game.
Not exactly sure.
-
But there are some other things
that are really dangerous.
-
Which is
Quantum Cookie, e.g. Quantum Cookie
-
is a program where basically
they’re able to elicit
-
from a connection other connections
from your web browser
-
which will get you to
leak cookie information.
-
So let’s say you happen to
log-in to a Yahoo account.
-
And that was a known
selector for surveillance.
-
And then they thought you might also have
a Gmail cookie that wasn’t marked secure
-
and you might also have another
search engine; or you might have
-
some other cookies.
-
Then they would
basically insert things that your browser
-
will then request insecurely over the same
connection, to (?) tie them together,
-
correlate that.
-
And then they will extract
it and they’ll be able to tell that
-
this selector is linked to
these other selectors.
-
’Cause they’ve basically been able
to actively probe.
-
A solution to that is
‘HTTPS Everywhere’ which we already ship
-
in the Tor Browser Bundle
but also to be aware about
-
session isolation to maybe
even if you’re using things
-
where you’re trying to do it as securely as
possible – not every site will offer TLS
-
to actually make sure that the
Tor browser only has the exact
-
set of credentials you need for the thing
you’re doing at that time.
-
So that’s
-
incredibly straight-forward stuff.
-
In terms of the hacker
community this is like
-
not even really interesting, actually.
-
The thing that makes it interesting is
-
that they do it at internet scale.
-
And that they’re trying to watch
-
the entire internet all the time.
-
Another interesting fact about this is
-
that you would imagine that not
routing through Five Eyes countries
-
would make you safer in some way.
-
I don’t think that’s actually true.
-
From what I can tell they actually
have some restrictions, if you route
-
through the Five Eyes countries.
-
And if you are not in
a Five Eyes country,
-
like Germany, they have no restrictions.
-
So if you behave differently we know
from an anonymity perspective
-
that that’s worse for you.
-
And if you behave differently
in this particular way
-
then there are legal answers that
show that you shouldn’t break out
-
from the regular way that Tor
users and Tor clients behave.
-
But the key point to take home is
that every single person here
-
has the same set of problems
if they’re not using Tor.
-
And it is easier for them.
-
So that’s a huge,
huge difference.
-
And the last point, I think is a key one
which Roger has a great story for.
-
Roger: Yeah, so they… the story
here is they look at Tor traffic
-
coming out of Tor exit relays.
-
They don’t know who the person is.
And they have
-
to make a decision there: do I try the
Quantum Insert and the Foxacid,
-
do I try to break into their browser?
Or do I leave them alone.
-
And when they see the Tor flow
they don’t know who it is.
-
So on the one hand, that’s great.
-
They can’t do target attacks.
-
They have to do broad
attacks and then
-
check/wait (?) later to see whether
they broke into the right person.
-
But as soon as the Guardian
articles went up about this,
-
DNI – the something National Intelligence
– put out a press release, saying:
-
“We’d like to assure everybody
that we never attack Americans”.
-
Jacob: So first of all – on behalf of
the American people and the US Government
-
which I do not represent:
I’m so sorry that
-
my country keeps embarrassing the rest
of the reasonable Americans, of which
-
there are plenty, many of us that are not
James Clapper, that total fucking asshole.
-
applause
-
to Roger:
We have 5 minutes.
-
applause
-
Roger: So the reason why that story is
particularly interesting is that: I talked
-
to an actual NSA person a couple of weeks
ago… and I’m like: “Wait, you never attack
-
Americans but you have to blank-and-attack
everybody and then find out who it was”.
-
And he said: “Oh no no no no, we watch
them log into Facebook and if they log in
-
as the user we’re trying to attack
then we attack them.
-
No problem.”
-
Jacob: And they do the blanket
dragnet surveillance. So,
-
an interesting point of course is that we
always heard…
-
I once met someone
-
who explained to me: “The NSA obviously
runs lots of Tor nodes like they were
-
like 90.000 Tor nodes”,
I think was the number.
-
I wish we had 90.000 Tor nodes.
That’d be incredible.
-
You know
we’re like, what, at about 4..5000
-
at any given point in time, that are
stable, of which are 1/3 are exit relays.
-
Right.
-
So it turns out when the NSA did
run some, they ran half a dozen.. a dozen?
-
Roger: They ran about 10.
-
And they
were small.
-
And short-lived.
-
On EC2.
-
But that should not
make you happy.
-
It doesn’t matter
-
whether the NSA runs Tor relays.
-
They can watch your Tor relays.
-
If you run a Tor relay at a
great place anywhere in the US
-
or Germany or wherever they’re good
at spying on they watch the upstream
-
of your relay and they get almost
what they would get from running
-
their own relay.
-
So what we should be
worried about – we should not be worried
-
that they’re running relays.
-
It’s a concern, but the
bigger concern is
-
that they’re watching the whole internet.
-
And the internet is much more centralized
-
than we think it is.
-
There are a lot more
bottle-necks where if you watch them
-
you get to see a lot of
different Tor traffic.
-
So the problem is not so much
-
“Are they running relays?” as “How
many normal relays can they watch?”
-
And if you’re thinking about a large
adversary like NSA: the answer could be:
-
“A third?”, “Half?”.
-
We don’t know
how many deals they have.
-
Jacob: So, an interesting point here is
that one-hop-proxies are… or VPN
-
– who here uses a VPN to some
kind of commercial VPN service?
-
about 1/4 raised hands
Right.
-
So this is a pretty big problem,
-
I think.
-
Which is that you end up with the
hide-my-ass problem.
-
Which is that –
-
first of all that company, it’s a problem.
-
Second of all, what they do to their users
-
is also a problem.
-
Which is that they
basically promote their service
-
for revolution in Egypt, e.g. but when
someone used it because they disagreed
-
with the policies of the UK then
they turned them over.
-
Interesting point.
-
We need to build decentralized systems
where they can’t make that choice.
-
We need to make sure that that
isn’t actually happening.
-
And one of the things
-
that we’re trying to drive home is
that – and I really think it’s important
-
to take this to heart –
one-hop-proxies or VPNs,
-
as we have said for more than a
decade, are not safe. Especially
-
if you think about when they from the
QuickANT and from the Flying Pig software,
-
they’re recording traffic
information about connections.
-
And in some cases
-
we know – thanks to Laura Poitras
and James Risen – that they have
-
Data Retention which is something
like – what is it, 10..15 years,
-
5 years online, 10 years
offline, is that right?
-
Right. Okay.
That’s bad news.
-
We know that the math
for VPNs is not in your favor.
-
So that said: What
happens with this stuff?
-
Right?
-
What happens is what happened
e.g. with the Silk Road fellow.
-
Or maybe not.
It’s not clear.
-
It could be that the guy used a VPN.
-
Which is braindead.
But it could also be that
-
the NSA has this data and tried
to pull off a retroactive attack
-
once they already had him from
other things like auguring fake IDs.
-
We don’t know which in the case
of Silk Road.
-
But we can tell you
-
that it’s pretty clearly a bad
idea to do it if you’re going to
-
do something interesting.
-
It’s probably also a bad
idea to do it just generally
-
because you don’t even know what
’interesting’ is in 5 or 10 years. So
-
parallel construction is a really
serious problem, and we think,
-
probably, if we could expand the
Tor Network, we would make it
-
significantly harder to do this.
-
It would
make it significantly harder for them
-
to do it, especially if you replace your
VPN with Tor.
-
There are some trade-offs
-
with that, though.
-
So the real question is
what your threat model is.
-
And you really
have to think about it.
-
And then also understand
that we live in a world now
-
where Law Enforcement and
Intelligence Services, they seem to be
-
blending together.
-
And they seem to be blending
together across the whole planet
-
in secret.
-
Which is a serious problem
for the threat model of Tor.
-
Roger: So I actually talked to
some FBI people and I said:
-
So which one of these is it?
-
And they said: Well, we
never get tips from the NSA.
-
We’re good, honest Law enforcement,
they’re doing something bad,
-
but why should that affect us?
-
And my response was: “Well,
NSA says they told you!
-
So, are you lying
to me or are they lying to you?
-
Or what’s going on here?”
-
And I don’t actually
know the right solution here.
-
So scenario 1: The NSA
anonymously tips the FBI
-
and they go check something out and
they say: “Well I need to build a case
-
that they do”.
-
Scenario 2: Some anonymous
whistleblower tips off the FBI
-
and they go build a case.
-
From the FBI’s perspective
these are the same:
-
“I got a tip, I build a case.
-
Why should I care where
it came from?” And
-
so should we build a Know-your-customer
Law so that the FBI has to know
-
their informers or whistleblowers?
-
Should we rely on the NSA
-
to regulate itself?
-
Should we rely
on the Congress to regulate NSA?
-
None of these are good answers.
-
Jacob: So, we have a very
limited amount of time.
-
And in order to be able
-
to address some questions we
will probably skip a few things
-
and we’ll put these slides
online.
-
But short/quick
-
summaries for a few of these slides, then
we’re gonna address some questions.
-
One of them is that we want to improve
Hidden Services.
-
Even though they
-
haven’t been broken as far as we
understand from any of the documents
-
that have been released.
-
We still
want to make them stronger,
-
because we wanna be ahead of the game.
-
We don’t want to play Catch-Up.
-
Roger: We especially need to improve
the usability and performance of them.
-
Because right now they’re a toy
that only really dedicated people
-
get working.
-
And the more
mainstream we could make them
-
the more broad uses we are going to see.
-
The reason why people keep hearing
-
about high-profile bad Hidden Services
is that we don’t have enough
-
good use cases in action yet that
lots of people are experiencing.
-
Jacob: The most important thing for all of
the – let’s say – Cypherpunks movement
-
to understand is that when
you have usable crypto
-
you are doing the right thing.
-
When
you have strong peer-reviewed
-
Free Software to implement that, and
it’s built on a platform where you can
-
look at the whole stack you’re
really ahead of the game.
-
There’s a lot to be done in that.
-
And if we do that
for Hidden Services
-
I think we’ll have similar returns that
you’ll see with other crypto projects.
-
Roger: So one of the other great things in
the Tor world is the number of researchers
-
who are doing great work at evaluating
and improving Tor’s anonymity.
-
So there are a couple of papers that were
out over the past year talking about
-
how we didn’t actually choose the
right guard rotation parameters.
-
I’m not going to get into that in detail
in our last couple of minutes.
-
But the very brief version is:
-
if you can attack both sides of the
network and they run 10% of the network
-
– they, the adversary run 10% of the
network – the chance over time,
-
the blue line is the current situation,
where you choose 3 first hops,
-
3 entry guards and you rotate every
couple of months – over time
-
the chance that you get screwed by an
adversary who runs 10% of the network
-
is pretty high.
-
But if we change it
to 1 guard and you don’t rotate
-
then we’re at the green line which
is a lot better against an adversary
-
who’s really quite large.
-
This is an adversary
larger than torservers.net
-
e.g. So A...
-
Jacob: Arts (?) is no adversary, right?
-
Roger: So a pretty large attacker we
need to move it from the blue line
-
down to the green line.
-
And that’s
an example of the anonymity work
-
that we need to do.
-
-- So, what’s next?
-
Tor, endorsed by Egyptian activists,
-
Wikileaks, NSA, GCHQ, Chelsea
Manning, Edward Snowden…
-
Different communities like
Tor for different reasons.
-
Some of our funders we go to them with
that sentence – basically everybody
-
we go to with that sentence.
-
It’s like:
“I like those 3 examples but I don’t like
-
those 2 examples”.
-
So part of what we
need to do is help them to understand
-
why all of these different
examples matter.
-
Jacob: That said, I tend to believe
that we need to be engaged
-
in a pretty big way and thanks
to the people of Ecuador,
-
especially the people running the Minga-tec
community events, they have actually
-
put together a real model which
should be emulated probably
-
by the rest of the world where they really
engage with civil society, and they’re
-
actually able to arrange for meetings
with e.g. the Foreign Minister
-
or with various other people involved in
the National Assembly.
-
And as a result
-
they had Article 474, which they
proposed, which was basically
-
the worst Data Retention
Law you can imagine.
-
It included video taping
-
in Internet Cafés, 6 months dragnet
surveillance, all sorts of awful stuff.
-
And they were able to, in the
course of, I would say 3..6 months,
-
this is mostly the FLOK Society,
actually.
-
They were able to organize
-
a real discussion about this.
-
And we
were able to get this proposed part
-
of the penal code completely removed.
-
At the end of November of last year…
-
early December… of this year.
-
So just about a month ago.
-
So if we really work together
across the spectrum,
-
we see, right now, in Ecuador
e.g. changing (?) away
-
by showing them that fundamentally:
the game is rigged.
-
If you choose
-
to spy on your citizens then the NSA
always wins.
-
And the NSA wants people
-
to believe that everybody is doing
the spying.
-
So one of the things
-
I explained to people in the Ecuadorian
Government and in Ecuadorian civil society
-
is that you can choose a different game.
-
You can choose not to play that game.
-
The only people that win when you
choose that game are the NSA,
-
and potentially you
– a few times.
-
But the NSA will get
-
whatever data you
have stored away.
-
If you want to be secure
-
against the dragnet surveillance, if
you want to be secure against people
-
who will break into that system you
must not have that system in existence.
-
You must choose a different paradigm.
-
And when I told this to people in Ecuador
-
and they understood the trade-offs,
and they understood that they are
-
not the best at surveilling
the whole planet.
-
They understood that they’re
-
not the best in internet security yet.
-
They realized that the game is rigged.
-
And they got rid of Article
474 from the penal code.
-
And there is no Data Retention
there in that penal code now.
-
applause
-
But I have to stress this not
because of 1 or 2 or 10 people,
-
it’s because of a broad
civil society movement.
-
Which is what we’ve also seen
-
in Germany, and in other places.
-
So this is something which you
should have a lot of hope about.
-
It’s not actually
dark everywhere.
-
We are actually making
positive steps forward.
-
Roger: So there are other tools
that we would like help with.
-
E.g. Tails is a live CD, WiNoN and
other approaches are trying
-
to add a VM to it, so that even if
you can break out of the browser,
-
there’s something else you have
to break out of, other sandboxes.
-
And there are
-
a lot of other crypto improvements that
we’re happy to talk about afterwards.
-
The Tor Browser Bundle, the new one, has
a bunch of really interesting features.
-
Deterministic Builds is
one of the coolest parts of it.
-
Where everybody here can
-
build the Tor Browser Bundle and end up
with an identical binary.
-
So that you can
-
check to see that it
really is the same one.
-
And here’s a screenshot
-
of the new one.
-
It no longer has
Vidalia in it, it’s all just a browser
-
with a Firefox extension that
has a Tor binary and starts it.
-
So we’re trying to streamline it
and make it a lot simpler and safer.
-
I’d love to chat with you afterwards about
the core Tor things that we’re up to
-
in terms of building the actual program
called Tor but also the Browser Bundle,
-
and metrics, and censorship
resistance etc.
-
And then, as a final note:
We accept Bitcoin now.
-
Which is great.
applause
-
Jacob: So all of the Bitcoin
millionaires in this community:
-
we would really encourage you to help us
get off of the US Government funding.
-
Don’t just complain, help us!
-
Mutual Aid
and Solidarity mean exactly that:
-
to put some money where
your mouth is!
-
We’d really like to do that.
-
And it’s really important to show people
that we have alternative methods
-
of funding community-based
projects.
-
So think about it
-
and you can, if you’d like, use Bitcoin.
-
Roger: Alas, right now, BitPay is
limiting you to 1000 Dollars of Bitcoin
-
per donation.
-
We’re hoping to lift
that in the next couple of days.
-
But if you would like to give us lots of
Bitcoins, please don’t get discouraged.
-
And then, as a final note: starting
right now in Noisy Square
-
is an event on how to help Tor and there
will be a lot of Tor people there,
-
and we’d love to help teach you
and answer your questions
-
and help you become part of the community.
-
We need you to teach other people
-
why Tor is important.
-
Jacob: Thank you!
-
applause
-
no time for Q&A left
-
*Subtitles created by c3subtitles.de
in the year 2016.
-
Join and help us!*