Re: Tor Project 2008 Tax Return Now Online

2010-08-17 Thread Jacob Appelbaum
On 08/16/2010 10:49 PM, Mike Perry wrote:
> Thus spake Anon Mus (my.green.lant...@googlemail.com):
> 
> You know too much, Mr. Anon Mus. The Adversary has been alerted.
> Prepare to be silenced (if we're lucky).
> 

Oh Mike - How could you divulge our secret information like that?
Couldn't you just resist the prideful temptation to troll the troll?

We're changing the secret Tor handshake. You're out of the club.

Don't try to "NEWNYM" your way back in buster!

Betrayed by Mr. Perry again,
Jake
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/


Re: Tor Project 2008 Tax Return Now Online

2010-08-17 Thread Julie C
On Mon, Aug 16, 2010 at 10:31 PM, Gregory Maxwell wrote:

>
> This is neither fair nor reasonable.
>
> When Wikimedia broke into the top _10_ most popular sites, with
> something like 100 million unique viewers in a month the annual income
> was comparable to the tor project. It only broke 1m in fundraising at
> the very end of 2007. It takes time to scale up an organization so
> that it is able to spend large amounts of money in an efficient and
> responsible way.
>
> The Free Software Foundation 2008 990 reflects 1m in income and the
> FSF has been around for 25 years and supports many initiatives.
>
> Mozilla Foundation's 2008 990 reflects 1.2m in income (this isn't the
> whole story, Mozilla's finances are greatly complicated).
>
>
Wow. This is news to me, which I probably should have reviewed before my
post, to get more perspective. Thanks for offering it up, Gregory.

However, I see that there is a fundamental, relevant difference here between
the Tor Project and Wikimedia, FSF, and Mozilla Foundation. Who needs them?
What is their value to the institutions who have money? Governments, law
enforcement, military, enterprises, media, and others. I would speculate the
Tor Project (and you) probably thinks of itself as similar to these 3 other
organizations. But why not think of themselves as much more than them?
That's my controversial point here.

They are much more than a homeless shelter too, for example. They are much
more than a friggin database, and yet what was MySQL bringing in before it
sold for $1B to Sun about 3 years ago? Tor is much more than an operating
system, and yet how much has IBM and Oracle and others poured into Linux
over the years?

I apologize for hurting feelings on this point. But this issue is much more
important than that as well. I have listened to and followed Roger and
Andrew and Nick and others over the years, enough to know they are all top
quality guys.

But from an organizational, big picture view, I think it is clearly time for
them to bring in some evangelical fundraisers to move the Project forward.
There is a great base to build on. There is a great story to tell. But think
about it this way - how far is the Project going to go, how successful will
it be, with the inspirational leaders spending most of their time fixing
bugs, doing commits, living in the code, and such.

Also if you are challenging me to speak up, well here I am, and here I will
continue to be. Personally I am also looking at what part of the Tor
software I can work on myself as part of my upcoming thesis term at school
...

--
Julie C.
ju...@h-ck.ca
GPG key 06D32144 available at http://keys.gnupg.net


Re: Tor Project 2008 Tax Return Now Online

2010-08-17 Thread Robert Ransom
On Tue, 17 Aug 2010 09:05:27 -0700
Julie C  wrote:

> But from an organizational, big picture view, I think it is clearly time for
> them to bring in some evangelical fundraisers to move the Project forward.
> There is a great base to build on. There is a great story to tell. But think
> about it this way - how far is the Project going to go, how successful will
> it be, with the inspirational leaders spending most of their time fixing
> bugs, doing commits, living in the code, and such.

What do you expect the Tor Project to do with zillions of dollars?
Using donated funds to operate more relays, bridges, and exit nodes
won't help much -- Tor nodes need to be dispersed among as many
different operators and ISPs as possible.  Using donated funds to
improve the Tor software is a good thing, but there is a limit to how
much money can be thrown at that -- Tor developers must be competent
programmers, and must understand the Tor software and protocol well.

Also, remember that Tor's opponents would put much more effort into
blocking Tor if it were heavily promoted in the Western media.  (China
and Iran are not Tor's only opponents -- here in the US, misguided
politicians want to criminalize operating a Tor relay (see S. 436
).)


> Also if you are challenging me to speak up, well here I am, and here I will
> continue to be. Personally I am also looking at what part of the Tor
> software I can work on myself as part of my upcoming thesis term at school
> ...

What are you studying?  Perhaps we can help you find a way to work on
Tor.


Robert Ransom




Re: Tor Project 2008 Tax Return Now Online

2010-08-17 Thread Robert Ransom
On Tue, 17 Aug 2010 12:09:29 -0700
Robert Ransom  wrote:

> Also, remember that Tor's opponents would put much more effort into
> blocking Tor if it were heavily promoted in the Western media.  (China
> and Iran are not Tor's only opponents -- here in the US, misguided
> politicians want to criminalize operating a Tor relay (see S. 436
> ).)

Oops -- I just re-read the bill, and it's somewhat less broad than I
thought when I first saw it.  It still seems to criminalize running a
Tor relay with a directory mirror, or running a Tor relay without full
logging, or running a Tor relay at all if you also run a web server or
provide an Internet mail-like service.


Robert Ransom




Re: Tor Project 2008 Tax Return Now Online

2010-08-17 Thread Julie C
On Tue, Aug 17, 2010 at 12:09 PM, Robert Ransom wrote:
>
>
> What do you expect the Tor Project to do with zillions of dollars?
> Using donated funds to operate more relays, bridges, and exit nodes
> won't help much -- Tor nodes need to be dispersed among as many
> different operators and ISPs as possible.  Using donated funds to
> improve the Tor software is a good thing, but there is a limit to how
> much money can be thrown at that -- Tor developers must be competent
> programmers, and must understand the Tor software and protocol well.
>
> Also, remember that Tor's opponents would put much more effort into
> blocking Tor if it were heavily promoted in the Western media.  (China
> and Iran are not Tor's only opponents -- here in the US, misguided
> politicians want to criminalize operating a Tor relay (see S. 436
> ).)
>
>
>
Hmm. I think I will add you to my list of "holding back the Tor Project from
thinking bigger" people. But to clarify, this is not zillions of dollars,
and I am not suggesting the Project itself deploy any relays, servers or
bridges. Others like Amazon.com, Google, etc need to be convinced to do it.

--
Julie C.
ju...@h-ck.ca

GPG key 06D32144 available at http://keys.gnupg.net


Re: TLS NPN (Next Protocol Negotiation)

2010-08-17 Thread Mike Perry
Thus spake Seth David Schoen (sch...@eff.org):

> Much of the debate centers around the idea that NPN will make it
> harder for network operators to know what protocols users are using
> over TLS and hence to block particular protocols while permitting
> others.  One of the proponents (Adam Langley, who has been doing a
> lot of other fantastic work on making TLS better and more ubiquitous)
> mentioned the idea that Tor is an intended use case for this
> behavior, although there hasn't been any other explicit discussion
> of this.

It does seem like something we would try to use, but only if it were
deployed widely enough so that we weren't the only ones using it.

> I'm tempted to reply pointing out that _all_ uses of TLS represent
> at least potential support for a threat model in which a network
> operator is the adversary whom users are trying to defend against.
> So there's not much conceptually new about having TLS reduce network
> operators' control over traffic, although some of the people in
> the discussion seem to feel there is a qualitative difference
> between, say, keyword filtering and protocol filtering.

The point I would make is that it's very likely that most services
will continue to operate on their traditional tcp ports, regardless of
NPN. 

Administrators hoping to be able to block protocols by a TLS
fingerprint seem to be barking up the wrong tree. Anyone wishing to
subvert their controls will use a custom TLS/stunnel bridge on an
acceptable port as defined by their policy. I think this indicates
that you are right.

The more effective way I have seen to do these sorts of controls is by
policy enforcement on the software that the machines themselves can
run, rather than on the network.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Tor Project 2008 Tax Return Now Online

2010-08-17 Thread Paul Syverson
On Tue, Aug 17, 2010 at 09:05:27AM -0700, Julie C wrote:
> On Mon, Aug 16, 2010 at 10:31 PM, Gregory Maxwell wrote:
> 
> >
> > This is neither fair nor reasonable.
> >
> > When Wikimedia broke into the top _10_ most popular sites, with
> > something like 100 million unique viewers in a month the annual income
> > was comparable to the tor project. It only broke 1m in fundraising at
> > the very end of 2007. It takes time to scale up an organization so
> > that it is able to spend large amounts of money in an efficient and
> > responsible way.
> >
> > The Free Software Foundation 2008 990 reflects 1m in income and the
> > FSF has been around for 25 years and supports many initiatives.
> >
> > Mozilla Foundation's 2008 990 reflects 1.2m in income (this isn't the
> > whole story, Mozilla's finances are greatly complicated).
> >
> >
> Wow. This is news to me, which I probably should have reviewed before my
> post, to get more perspective. Thanks for offering it up, Gregory.
> 
> However, I see that there is a fundamental, relevant difference here between
> the Tor Project and Wikimedia, FSF, and Mozilla Foundation. Who needs them?
> What is their value to the institutions who have money? Governments, law
> enforcement, military, enterprises, media, and others. I would speculate the
> Tor Project (and you) probably thinks of itself as similar to these 3 other
> organizations. But why not think of themselves as much more than them?
> That's my controversial point here.
> 
> They are much more than a homeless shelter too, for example. They are much
> more than a friggin database, and yet what was MySQL bringing in before it
> sold for $1B to Sun about 3 years ago? Tor is much more than an operating
> system, and yet how much has IBM and Oracle and others poured into Linux
> over the years?

Since you're (rightly) not worried about stepping on some toes, I'll
do likewise: You have given at least part of a response about FSF
since from both a code and a community/culture standpoint there
probably would not be a linux without them. And firefox serves as a
platform (from testing through to deployment) for lots of security
ideas that would not be where they are without Mozilla. Also, it is
much easier for IBM and Oracle to understand the RoI in linux than for
such players, qua corporate position, to see the RoI in Tor, but even
that still occurred over years of footdragging, hedging bets, etc.

> 
> I apologize for hurting feelings on this point. But this issue is much more
> important than that as well. I have listened to and followed Roger and
> Andrew and Nick and others over the years, enough to know they are all top
> quality guys.
> 
> But from an organizational, big picture view, I think it is clearly time for
> them to bring in some evangelical fundraisers to move the Project forward.
> There is a great base to build on. There is a great story to tell. But think
> about it this way - how far is the Project going to go, how successful will
> it be, with the inspirational leaders spending most of their time fixing
> bugs, doing commits, living in the code, and such.

I have been evangelizing versions of onion routing including Tor to
VCs etc. since before we started calling this version Tor. My
experience is that if they want to put serious money in (or sometimes
not even), they want to be able to generate revenue from that in a
short period of time, perhaps a few years. Similarly for other sources
of funding even if they aren't expecting direct immediate financial
return but are not paying for prototypes, research, and improvements
to what's there now; although the story changes somewhat in each
case. They may not be looking for financial return, but they have
unrealistic expectations about what would happen if they abruptly
threw lots of money at someone or added fifty percent to the
infrastructure at once. When you describe ways that things could
improve with an investment in the 50K USD to a million range, they
become less interested. They actually seem to prefer to hear promises
to roll out whatever random stuff from someone who would be happy to
get an instant ginormous influx of cash or adopt their plans to put a
thousand new nodes up from their corporate network.

There are little ways in which big entities are funding Tor or working
on collaborating. And it would be good for that to expand and
improve. Also, if someone (or better, several distinct someones) were
to double Tor's funding over two years, that would be great, but my
guess is that if anyone were to throw a tenfold jump in funding at the
Tor Project, Inc. all at once right now, the result would be
profoundly disappointing and frustrating for both the Tor Project and
the funder. And probably damaging to the Tor Project in the long
run. Similar comments if some one entity wanted to contribute, e.g.,
300 fast nodes to the network at once (except add that there would be a
swift major reduction in security).  I am pleased that when I
brought Roger

Tor nodes with identical names.

2010-08-17 Thread Matthew


If one goes to, for example, http://torstatus.blutmagie.de/ one can see 
many nodes, all called "Unnamed".  How can such nodes be specifically 
referred to if one is using StrictExitNodes =1?


Thanks.


Re: Tor nodes with identical names.

2010-08-17 Thread Flamsmark
On 17 August 2010 17:47, Matthew  wrote:

> How can... nodes be specifically referred to...?
>

Refer to the nodes by their unique fingerprints.


Re: TLS NPN (Next Protocol Negotiation)

2010-08-17 Thread Gregory Maxwell
On Tue, Aug 17, 2010 at 2:08 AM, Seth David Schoen  wrote:
[snip]
> I'm tempted to reply pointing out that _all_ uses of TLS represent
> at least potential support for a threat model in which a network
> operator is the adversary whom users are trying to defend against.
> So there's not much conceptually new about having TLS reduce network
> operators' control over traffic, although some of the people in
> the discussion seem to feel there is a qualitative difference
> between, say, keyword filtering and protocol filtering.

s/network operator/someone with access to the network/

A protocol which places the service type outside of the crypto isn't
_only_ vulnerable to the formal operators of the network it's just
simply vulnerable.  If you can trust that people with access to the
network are trustworthy then why are you using TLS at all?

If the IETF wishes to make the protocol subject to control by network
operators then they should incorporate an explicit cryptographically
secured backdoor (i.e. something similar to key escrow). This would be
bad from a privacy and security perspective, but because it would be
explicit it would still be arguably superior to INTENTIONALLY MAKING
THE PROTOCOL IMPLICITLY VULNERABLE NOT ONLY TO THE PEOPLE YOU ARE
EXPECTED TO TRUST BUT TO THE ENTIRE WORLD. ahem.

I feel better now.


$keyid of my server

2010-08-17 Thread Orionjur Tor-admin
Where can I find it for pointing out "MyFamily" in /etc/torrc ?
I find only my node fingerprint.


Re: $keyid of my server

2010-08-17 Thread Andrew Lewman
On Wed, 18 Aug 2010 01:20:25 +
Orionjur Tor-admin  wrote:

> Where can I find it for pointing out "MyFamily" in /etc/torrc ?
> I find only my node fingerprint.

That's your keyid, or look for the log message on start:
[notice] Your Tor server's identity key fingerprint is

Or here,
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#Iwanttorunmorethanonerelay

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B
+1-781-352-0568

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
skype:  lewmanator
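
Added example, not part of the thread or of the Tor Project's code: a Python helper that covers both answers above (refer to same-named nodes by fingerprint, and use the fingerprint as the `$keyid` for `MyFamily`). The function names, the sample lines and their fingerprints are constructed, and the space-grouped fingerprint layout in the log line is an assumption about how this era of Tor printed it.

```python
import re
from collections import defaultdict

LOG_MARK = "identity key fingerprint is"

# Constructed sample inputs; the fingerprints are made up, not real relays.
SAMPLES = [
    "Aug 18 01:20:25.000 [notice] Your Tor server's identity key "
    "fingerprint is 'Unnamed 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'",
    "Unnamed 89ABCDEF0123456789ABCDEF0123456789ABCDEF\n",  # fingerprint-file style
    "relayone $fedcba9876543210fedcba9876543210fedcba98",
]


def normalize_fingerprint(text):
    """Return '$' + 40 uppercase hex digits, or raise ValueError."""
    fp = re.sub(r"\s+", "", text).lstrip("$").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("not a 160-bit hex fingerprint: %r" % text)
    return "$" + fp


def parse_identity(line):
    """Parse 'nickname fingerprint' from a log line or fingerprint-style line."""
    if LOG_MARK in line:
        line = line.split(LOG_MARK, 1)[1]
    line = line.strip().strip("'\"")
    nickname, _, rest = line.partition(" ")
    return nickname, normalize_fingerprint(rest)


def shared_nicknames(identities):
    """Nicknames (such as 'Unnamed') that map to more than one fingerprint."""
    by_name = defaultdict(set)
    for nickname, fp in identities:
        by_name[nickname].add(fp)
    return {n: sorted(fps) for n, fps in by_name.items() if len(fps) > 1}


def myfamily_line(fingerprints):
    """Relay-side torrc line listing the operator's relays by $keyid."""
    return "MyFamily " + ",".join(sorted(set(fingerprints)))


def exit_nodes_lines(fingerprints):
    """Client-side torrc lines pinning exits by fingerprint, not nickname.
    StrictExitNodes is the option name used in the thread."""
    return ["ExitNodes " + ",".join(sorted(set(fingerprints))),
            "StrictExitNodes 1"]


if __name__ == "__main__":
    ids = [parse_identity(s) for s in SAMPLES]
    for name, fps in shared_nicknames(ids).items():
        print("nickname %r is ambiguous: %s" % (name, ", ".join(fps)))
    print(myfamily_line(fp for _, fp in ids))
    print("\n".join(exit_nodes_lines([ids[1][1]])))
```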


Re: Tor Project 2008 Tax Return Now Online

2010-08-17 Thread Andrew Lewman
On Mon, 16 Aug 2010 20:32:13 -0700
Julie C  wrote:

First off, your enthusiasm and questioning our decisions is great and
encouraged.  Will you help us?

> The larger threat that I see is the Tor Project is absolutely ...
> dare I say it? ... PATHETIC AT MARKETING ITSELF.

Yes, this is by design.  For years we've been a boring R&D organization
working away in relative obscurity.  Only in the past year have we been
forced into the public spotlight.  First was the growing number of
Chinese citizens that found Tor circumvented the GFW just fine, and
protected their privacy when doing so.  Second was the Iranian protests
in June 2009.  We now answer the press questions, appear on tv/radio
shows, panels, and other Internet media.  There's an internal debate
over how much publicity is good versus harmful.  

We've learned that keeping a relatively low profile continues to let us
work on the R&D, rather than writing policy papers and dealing with
bureaucracy.  Many other organizations are great at doing the latter
two. We're happy to subcontract from the latter types of organizations,
which lets us focus on R&D.

> Something has been bugging me the last couple days about the bigger
> picture of the funding issue that came to light with the cryptome
> posting a couple days ago. It became clearer to me today as I was
> driving through my neighbourhood (yes, I am a Canadian) - only
> $500,000 in funding for all of 2008 for the Tor Project?!

Yes, 2 years ago that was more money than we could handle.  It's taken
6-8 months to ramp up to handle more funding and to get everyone
productive.  This includes finding the right people, passing audits,
managing the workload, and getting infrastructure assembled so people
can do their jobs.  

Conversely, think of all we've been able to accomplish with that
$500k.  

> Sorry, Roger and Andrew, but as talented as you are, I think you have
> to make it a priority to get some professional fundraisers on board.
> Anonymity, privacy, free speech, and stuff are absolutely more
> important than a few thousand homeless people in my home town.
> Somebody is not getting the message out, and all of the volunteers
> who believe in these bread and butter moral and ethical issues
> deserve more.

As Paul mentioned later in this thread, we did.  Karen is awesome and
currently handling the fundraising, policy meetings, grant writing, and
marketing for us.  However, she's one person, she could use help.

> Think bigger, please! Who is holding the project back from not
> thinking bigger? Why isn't the UN sending you $50M a year? 

We are self-limiting.  Too much growth, too fast, will kill us.
Bigger isn't always better.  We are a cash and project-based business.
By design, we take on slightly more than we can handle.  Think of a
startup versus a Fortune 50 company.  Like all startups, there is much
more to do than people to do it. That's fine, as it forces us to focus
on what's important.  We don't have an endowment to smooth out the
funding roller coaster.  All of our contracts can be cancelled at any
point in time. We either deliver or die.  

R&D work is much different than writing policy statements, legal
opinions, and producing documentaries.  So far, the UN, IGF, and parts
of various governments don't understand what we say nor what we do.  I'm
happy to keep talking to them and work on something that works for both
organizations.  Education and training seems to be the common ground
where we speak the same language.

We've recently started attracting potential sponsors that want us to
stand up for anonymity in general.  Starting to counter the
surveillance by design mentality of the general populace is a different
focus for us.  Frankly, the EFF and ACLU may be better at this than us,
nevertheless discussions continue. 

> enterprises need your software. All law enforcement needs your
> software. All governments need your software. All journalists, all
> bankers, accountants, lawyers, researchers - everyone who needs to
> have at least some of their communications off the record.

I agree.  We're working with a surprising number of people in those
categories.  However, the vast majority of the world doesn't understand
how the Internet works, never mind how Tor can help them.  Education is
a big deal which takes time and understanding.  

I can't tell you how many times I've explained to victims of domestic
violence, child abuse, or human rights activists that organizing over
some social networking site is a horrible idea. There are many, many
good things that come out of social networking sites, but too many of
them are careless with private information or not clear in what is
collected, how it is collected, and how it is shared. This fact comes
back to bite people or groups in unexpected ways. In many cases, people
have lost their jobs, been arrested, or put their families and extended
networks at risk because of something on a social network site. 

I don't want people to use Tor becaus