On Wed, Oct 14, 2020, 6:59 PM Karl <gmk...@gmail.com> wrote:

> On Wed, Oct 14, 2020, 6:34 PM Peter Fairbrother <pe...@tsto.co.uk> wrote:
>
>> On 14/10/2020 18:22, jim bell wrote:
>>
>> > Last year, I tried to start a discussion to implement a new anonymity
>> > router network, perhaps using the Raspberry Pi computers. I got a quote
>> > for 500 Raspberry Pi's, at $70 each. I included a few ideas, some old,
>> > some new:
>> >
>> > 1. Routers could be anywhere, but would include homes and small
>> > businesses. Anyone who has an Internet service with an adequately-large
>> > data cap. (Recently, I saw that CenturyLink had removed the data cap from
>> > some of its internet services, especially fiber.
>> > https://www.highspeedinternet.com/resources/which-internet-service-providers-have-data-caps#:~:text=CenturyLink%20has%20a%201%20TB,you'll%20enjoy%20unlimited%20data
>> > .
>> >
>> > And their data caps, where they still exist, are 1 terabyte/month,
>> > which I think would be plenty for an anonymity network.
>>
>> The problem is that a reliable cheap anonymising network for low-latency
>> traffic like web traffic is basically impossible.
>>
>> Tor is about as good as we can get. When I was designing m-o-o-t I
>> didn't include any web anonymiser for that reason.
>>
>> The problem is traffic volume and latency. If we want low-latency web
>> traffic - nowadays [1] that's less than 4 seconds - we can't include
>> fixed file sizes with realistic constraints on traffic.
>>
>> To put some BOTE numbers on that, suppose you want to provide for 1
>> million concurrent users. You have about 150 TB per month user traffic
>> to play with (500 x 1TB, ~3 hops), 150 MB per month per user, or 450 Baud.
>
> Could you explain your math here? How did 500TB/3 (am I wrong?) become
> 150MB?

Well, I see what I did wrong there now, but Peter, 1TB per user is only a 3 Mbps connection (right?). Shouldn't the bandwidth just divide by the number of hops?

>> Ouch.
>>
>> > 2. Extensive chaff. (which, of course, is an old idea, strangely
>> > it's not yet implemented in TOR)
>>
>> Like fixed file sizes - essential for anonymity - chaff and cover traffic
>> takes too much traffic, see above.
>
> I don't see how what you said above is related to whether the data is real
> or decoy. Obviously you would keep the sum of the two constant.
>
>> > 3. "Output nodes" would output only in encrypted form, so that
>> > people generally could not get in trouble for acting as an output node:
>> > Their output could be monitored, but not understood as to its content,
>> > since it would look like random data.
>>
>> That doesn't work - the users want to connect to any web server
>> somewhere. You could enforce eg TLS but even that does not hide file
>> sizes.
>
> Enforcing TLS is much more reasonable nowadays. (You could add a plugin
> to use http tricks to hide file sizes.) Not what I would focus on once it
> gets nonsimple.
>
>> > 4. I also thought of an idea that such a network should implement
>> > multiple algorithms for networking, simultaneously, limited only by
>> > people's imaginations: People frequently talk about new ideas for
>> > anonymity networks, but how might they try them out in practice? If an
>> > anonymity network is fated to have ONLY ONE routing method, then all new
>> > such methods cannot be easily developed: You'd have to physically build a
>> > new network, along with all such associated costs, for each new routing
>> > method. That's completely illogical.
>> >
>> > Should there be any limit to the number of kinds of routing done?
>> > It's all software.
>> > One advantage of this feature is that all these
>> > different routing algorithms are mixed together, such it should be harder to
>>
>> That's OK if you are doing development, but not for production - unless
>> the users decide the routing, as in eg Mixmaster. But you can't (or
>> shouldn't) use an anonymiser if you don't know whether it is going to
>> work!
>
> Seems reasonable to make this pluggable. Final use would need all users
> to look the same, and no exits have a predictable source.
>
>> > TOR is doubted for many good reasons, but if it is generally agreed
>> > that some form of anonymizing network is needed, then people should be
>> > willing to work to provide an alternative.
>
> Seems to me the smaller it is to build the more likely it is to reach
> completion and use.
>
>> I was at some of the early meetings when Roger Dingledine, Paul
>> Syverson, Lucky Green, Nick Mathewson, Len Sassaman, myself and others
>> were talking about a web anonymiser, which later became Tor.
>>
>> Other people at those meetings included many if not most of the top
>> anonymity researchers, and some of the top cryptographers, in the world
>> at that time. Tor was not conceived as it was by accident or in
>> ignorance [2], many people (including myself) thought it was about the
>> best that could be done.
>>
>> Roger's thought was that TOR would make mass surveillance difficult and
>> it would be worth doing for that reason, even though it wouldn't prevent
>> targeted attacks by major adversaries. At a set of meetings the next
>> year Roger had gotten some funding, iirc from the US Navy, and Nick had
>> started work on coding.
>>
>> I bowed out almost immediately, Len and Lucky bowed out after a while,
>> because we knew it couldn't be done securely on the user level.
>>
>> After that I pretty much lost interest, though I did keep an eye on the
>> project.
>>
>> The problem is that it's a super Zooko's triangle - you simply can't get
>> reliably anonymous, low-latency and cheap anonymous web traffic.
>>
>> You probably can't even get reliably anonymous and low-latency, at any
>> price.
>>
>> Peter Fairbrother
>>
>> [1] Acceptable low latencies vary according to use and user expectations
>> - fifteen years ago people would wait 20 seconds or more for a web page
>> to load, nowadays they lose interest at 4 seconds. Actually maybe less
>> now, that figure is several years old. And for interactive speech or
>> video latencies should be subsecond.
>>
>> [2] or with evil intent, at least from Roger and Nick.
>>
>> I don't think Paul had any evil intent either, but he was USN and is
>> therefore suspect. It's like my friend from GCHQ - we are friends and we
>> were sort-of colleagues until I retired, but it's a bit like having a
>> policeman live next door - even when you have done no wrong you are
>> always aware that he is a policeman.
>
> My gut is that evil intent is pretty rare in a group of like-minded people
> putting work in. It's more likely people are acting on differing
> information or experiences, or can't escape something difficult.
>
>> One curiosity, the .onion part of the TOR infrastructure was largely
>> driven by Paul.