Re: [tor-relays] How can we trust the guards?

2017-01-10 Thread teor

> On 3 Jan 2017, at 17:38, Rana  wrote:
> 
> @teor
>> I think you are talking about a different network, which is not Tor as
>> currently designed, implemented, and deployed.
>> In particular, how do you get decent throughput, reliability, and low-
>> latency out of tens of thousands of devices?
>> This is an open research problem, which the Tor design does not solve.
> 
> Sorry for being thick-headed but
> 
> 1. I do not see the connection between the latency and the number of relays.
> However many relays there are in the pool, there always will be  3 relays
> (or so)  per circuit.

Many small relays will have higher average latency.
They are further apart, and their interconnections are poorer.

Bandwidth also affects latency:
https://en.wikipedia.org/wiki/Bandwidth-delay_product

The network overheads are also greater, which reduces capacity and
latency. (More relays means more connections and larger directory
documents.)

> 2. I also do not see the problem with throughput and latency. If the relay
> is small, it should be used in accordance with its capacity, which is
> reported in consensus. Many small relays should increase the probability of
> finding one that has spare bandwidth (my residential relay is, for example,
> idle 93% of the time despite having decent ultra-stable 153 KB/s bandwidth
> and static IP);

Perhaps it can't handle as much tor traffic as you think.

In the absence of substantial evidence to the contrary, I believe the 5
tor bandwidth authorities are measuring reliably, and your relay is not
able to reliably sustain much tor traffic.

> 3. I do not see the problem of reliability. Reliability is easily measured
> and reported. The same relay is VERY reliable - totally stable for weeks,
> yet still under-used only because it is small.

Perhaps your relay is not as reliable as you think.

> 4. I do not see why the current design of Tor prevents using more relays. I
> do not believe the current design is limited by design in the number of
> relays it can support.

This was answered in the thread: more relays means more directory
overhead.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] How can we trust the guards?

2017-01-03 Thread nusenu
>> https://github.com/ornetstats/stats/blob/master/o/main_guard_operators.txt
> 
> I do not know how to interpret this table. How many guards are there at any 
> given time?

The list includes all relays having
- the guard flag
_and_ a
- guard probability > 0%*
now, 2079 relays currently.
732 of them have no ContactInfo set (representing ~30.7% guard probability).


*(as reported by https://onionoo.torproject.org)
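
The count described in the message above can be reproduced from an Onionoo details document. This is an added example, not code from the original post or from ornetstats: the relay records are constructed, and grouping operators by their exact `contact` string is an assumption of the example.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of an Onionoo "details" document.
# Only the fields used here are included: flags, guard_probability, contact.
SAMPLE_DETAILS = json.loads("""
{"relays": [
  {"nickname": "r1", "flags": ["Guard", "Running", "Stable"],
   "guard_probability": 0.25, "contact": "op-a@example.org"},
  {"nickname": "r2", "flags": ["Guard", "Running"],
   "guard_probability": 0.25, "contact": "op-a@example.org"},
  {"nickname": "r3", "flags": ["Guard", "Running"],
   "guard_probability": 0.25},
  {"nickname": "r4", "flags": ["Guard", "Running"],
   "guard_probability": 0.125, "contact": "  "},
  {"nickname": "r5", "flags": ["Guard", "Running"],
   "guard_probability": 0.0, "contact": "op-b@example.net"},
  {"nickname": "r6", "flags": ["Exit", "Running"],
   "guard_probability": 0.0, "contact": "op-b@example.net"},
  {"nickname": "r7", "flags": ["Guard", "Running"],
   "guard_probability": 0.125, "contact": "op-c@example.com"}
]}
""")

NO_CONTACT = "(no ContactInfo)"


def guards(details):
    """Relays with the Guard flag AND a guard probability above zero."""
    return [
        r for r in details["relays"]
        if "Guard" in r.get("flags", []) and r.get("guard_probability", 0) > 0
    ]


def contact_of(relay):
    """Normalised contact string; missing or blank counts as no ContactInfo."""
    return (relay.get("contact") or "").strip() or NO_CONTACT


def no_contact_summary(details):
    """How many guards publish no ContactInfo, and their share of guard probability."""
    selected = guards(details)
    anonymous = [r for r in selected if contact_of(r) == NO_CONTACT]
    return {
        "guards": len(selected),
        "no_contact": len(anonymous),
        "no_contact_share": sum(r["guard_probability"] for r in anonymous),
    }


def operators_by_share(details):
    """(contact, relay count, summed guard probability), largest share first."""
    totals = defaultdict(lambda: [0, 0.0])
    for r in guards(details):
        entry = totals[contact_of(r)]
        entry[0] += 1
        entry[1] += r["guard_probability"]
    rows = [(name, count, share) for name, (count, share) in totals.items()]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    print(no_contact_summary(SAMPLE_DETAILS))
    for name, count, share in operators_by_share(SAMPLE_DETAILS):
        print(f"{share:6.1%}  {count:3d}  {name}")
```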





Re: [tor-relays] How can we trust the guards?

2017-01-03 Thread Andreas Krey
On Tue, 03 Jan 2017 11:34:19 +, Aeris wrote:
...
> And there is also an hardware bottleneck, because every components (mainly 
> ethernet & SD card here) are connected to the same physical USB controller 
> limited to 480Mbps for *overall* transfer (network + disk + others USB).

Which isn't that small. tor does not do disk (or 'other'), and 25MByte/s
is quite a lot - more than I can push with big iron due to traffic limits.

...
> No no, GB. 128GB is usual on server. We even begin to see 1TB RAM machine.

You mean 'this is what you usually get as a server machine',
not 'this is what tor typically uses', right?

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds 
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-relays] How can we trust the guards?

2017-01-03 Thread Aeris
> The question remains whether NOT having access to my relay makes life
> easier for people. Sometimes I guess you are right. But when all the big
> relays get overloaded, small relays could provide MORE bandwidth than large
> relays. Both your and my statements are qualitative, I would like someone
> who knows the numbers to respond.

Currently, big relays are not really overloaded.
We have 55Gbps on guards, and overall bandwidth used at only 50%.
https://metrics.torproject.org/bwhist-flags.html
https://metrics.torproject.org/bandwidth.html

> There are 850 MB unused memory on my $35 Pi relay that is used to 7% of its 
> link capacity.

On the Pi, the bottleneck is not RAM but the CPU doing crypto, because there 
is no AES-NI extension on the CPU and the CPU benchmarks very low (AES256 
30MBps max, compared to 500MBps with an i5).
And there is also a hardware bottleneck, because all components (mainly 
Ethernet & SD card here) are connected to the same physical USB controller, 
limited to 480Mbps for *overall* transfer (network + disk + other USB).

> HUNDRED GB of RAM? I believe you mean hundred MB? In this case ditto.

No no, GB. 128GB is usual on a server. We are even beginning to see 1TB RAM 
machines.

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/



Re: [tor-relays] How can we trust the guards?

2017-01-03 Thread Rana
>Any people who will use your relay on a circuit will also damn you to run such 
>small relay. This is so slow and not usable for day to day web surfing, 
>specially if you are well connected to Internet (fiber or decent ADSL).
>Personally, I have around this speed directly for my ADSL Internet connection 
>(500/80kB), and I rant each day I have to upload something…

The question remains whether NOT having access to my relay makes life easier 
for people. Sometimes I guess you are right. But when all the big relays get 
overloaded, small relays could provide MORE bandwidth than large relays. Both 
your and my statements are qualitative, I would like someone who knows the 
numbers to respond.

>Memory and TCP ports ?
>A node need to maintain thousands of circuits. This consumes a lot of memory 
>(400MB on one of my guard) and a lot of TCP sockets (14k sockets).

There are 850 MB unused memory on my $35 Pi relay that is used to 7% of its 
link capacity. Therefore the memory limitation you cited is irrelevant.

>Those parameters don’t scale very well if you have more nodes (65k TCP port 
>only, or some hundred of GB of RAM). 

HUNDRED GB of RAM? I believe you mean hundred MB? In this case ditto.

>Currently, with standard hardware, seems we can’t host more than 10 or 20× 
>more nodes than today without hitting some hardware limit.

10x more nodes than today sounds good to me. My understanding is that Tor is 
nowhere near breaking out of its 7K and moving to this limit.  Therefore, the 
spare capacity of small relays could be used.

Rana



Re: [tor-relays] How can we trust the guards?

2017-01-03 Thread Aeris
> 93% of the time despite having decent ultra-stable 153 KB/s bandwidth
> and static IP);
> The same relay is VERY reliable - totally stable for weeks,
> yet still under-used only because it is small.

Anyone who uses your relay in a circuit will also damn you for running such a 
small relay. This is so slow and not usable for day to day web surfing, 
especially if you are well connected to the Internet (fiber or decent ADSL).
Personally, I have around this speed directly for my ADSL Internet connection 
(500/80kB), and I rant each day I have to upload something…

> 4. I do not see why the current design of Tor prevents using more relays. I
> do not believe the current design is limited by design in the number of
> relays it can support.

Memory and TCP ports?
A node needs to maintain thousands of circuits. This consumes a lot of memory 
(400MB on one of my guards) and a lot of TCP sockets (14k sockets).
Those parameters don’t scale very well if you have more nodes (65k TCP ports 
only, or some hundreds of GB of RAM). Currently, with standard hardware, it 
seems we can’t host more than 10 or 20× more nodes than today without hitting 
some hardware limit.

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/



Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Rana
@teor
>I think you are talking about a different network, which is not Tor as
>currently designed, implemented, and deployed.
>In particular, how do you get decent throughput, reliability, and low-
>latency out of tens of thousands of devices?
>This is an open research problem, which the Tor design does not solve.

Sorry for being thick-headed but 

1. I do not see the connection between the latency and the number of relays.
However many relays there are in the pool, there always will be  3 relays
(or so)  per circuit.

2. I also do not see the problem with throughput and latency. If the relay
is small, it should be used in accordance with its capacity, which is
reported in consensus. Many small relays should increase the probability of
finding one that has spare bandwidth (my residential relay is, for example,
idle 93% of the time despite having decent ultra-stable 153 KB/s bandwidth
and static IP);

3. I do not see the problem of reliability. Reliability is easily measured
and reported. The same relay is VERY reliable - totally stable for weeks,
yet still under-used only because it is small.

4. I do not see why the current design of Tor prevents using more relays. I
do not believe the current design is limited by design in the number of
relays it can support.

I am sure that I am missing some deeper insights. What am I missing?




Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Mirimir


On 01/02/2017 06:08 PM, teor wrote:
> 
>> On 3 Jan 2017, at 11:46, Mirimir  wrote:
>>
>>> I believe that what is needed is changing Tor to accommodate a
>>> lot of small relays running by a very large number of volunteers,
>>> and to push real traffic through them.
>>
>> Alternately, you need lots of small relays, running (with plausible
>> deniability) on IoT devices. Mirai-style. Using covert channels (packet
>> timing etc). Tor Project would never do that, I know. But eventually, it
>> might come down to that.
> 
> I think you are talking about a different network, which is not Tor as
> currently designed, implemented, and deployed.

Yes, very different. But perhaps using onion-routing. Or mixes. Or both.

> In particular, how do you get decent throughput, reliability, and low-
> latency out of tens of thousands of devices?

I imagine that it would be entirely peer-to-peer. And that it would use
something like multipath UDP. Using covert channels, bandwidth would at
best be ~1% of raw. But Internet bandwidth and latency are increasing,
and high-definition video is everywhere, so there's lots of traffic to
modulate. HD video devices would be good routers, I think.

> This is an open research problem, which the Tor design does not solve.
> 
> T

Indeed. A few designs have been published, but nothing better has been
implemented. As far as I know, anyway.









> --
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmpp: teor at torproject dot org


Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread teor

> On 3 Jan 2017, at 11:46, Mirimir  wrote:
> 
>> I believe that what is needed is changing Tor to accommodate a
>> lot of small relays running by a very large number of volunteers,
>> and to push real traffic through them.
> 
> Alternately, you need lots of small relays, running (with plausible
> deniability) on IoT devices. Mirai-style. Using covert channels (packet
> timing etc). Tor Project would never do that, I know. But eventually, it
> might come down to that.

I think you are talking about a different network, which is not Tor as
currently designed, implemented, and deployed.

In particular, how do you get decent throughput, reliability, and low-
latency out of tens of thousands of devices?
This is an open research problem, which the Tor design does not solve.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org



Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Mirimir
On 01/01/2017 11:28 PM, Rana wrote:



> I believe that what is needed is changing Tor to accommodate a
> lot of small relays running by a very large number of volunteers,
> and to push real traffic through them.

Alternately, you need lots of small relays, running (with plausible
deniability) on IoT devices. Mirai-style. Using covert channels (packet
timing etc). Tor Project would never do that, I know. But eventually, it
might come down to that.




Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Mirimir
On 01/02/2017 06:56 AM, Aeris wrote:
>>> Tor model breaks down when facing a modest government adversary for the
>>> simple reason that having only 7000 relays total, with a minority of
>>> them carrying most of the traffic, invites cheap infiltration and
>>> takeover by state adversaries.
>>
>> Yeah, that's a problem :(
> 
> That’s a theoretical problem.
> Currently, most of the major guard operators are well known people and no 
> doubt they’re not engaged with three-letter agencies.
> 
>   
> https://github.com/ornetstats/stats/blob/master/o/main_guard_operators.txt

Good. That's what I had assumed. So a major infiltration would be hard
to hide. Those "well known people" would need to be covert operatives.
And deploying covert operatives long-term is nontrivial.

> Regards,
> 


Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Gumby TORZone
Just to play devil's advocate here - when a single hacker can control tens of
thousands of devices in a botnet - just how easy would it be for a "state"
agency to control a few hundred tor nodes? We can always assume, possibly to our
own demise, that they utilize it to some degree themselves, and leave tor alone,
mostly.

However, if memory serves me correctly (debatable some days), a couple years
ago, didn't part of Anonymous work with some of the developers at Mozilla -
where when they hit certain Silk Road onion sites they were offered a
"necessary" pervert only TBB update that allowed their "true" IP to be found -
then doxxed each one and posted the list of child porn frequenters from that?
Based on a scenario such as that - who CAN we trust? Who is actually "in the
circle of trust" - and who ain't?

Gumby
"We're from the government, and we're here to help you!"

> On January 2, 2017 at 12:44 PM Andreas Krey  wrote:
> 
> On Mon, 02 Jan 2017 08:28:52 +, Rana wrote:
> ...
> > That US agencies are actively working to destroy anonymity of (hopefully
> > only selected, but who knows?) Tor users is an undisputable fact. Your
> > implicit assumption that Russia is also attacking Tor is, however,
> > unfounded.
> 
> Now, what is the reasoning behind that?
> 
> > There is, however, ZERO evidence that they are going head to head with
> > America doing that.
> 
> Is there any evidence that America is doing this?
> (Outside the snowden leaks, o/c, because they don't cover russia.)
> 
> > I believe that what is needed is changing Tor to accommodate a lot of small
> > relays running by a very large number of volunteers, and to push real
> > traffic through them.
> 
> And where do you want to get these?
> 
> Andreas
> -- 
> "Totally trivial. Famous last words."
> From: Linus Torvalds 
> Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Andreas Krey
On Mon, 02 Jan 2017 08:28:52 +, Rana wrote:
...
> That US agencies are actively working to destroy anonymity of (hopefully only 
> selected, but who knows?) Tor users is an undisputable fact. Your implicit 
> assumption that Russia is also attacking Tor is, however, unfounded.

Now, what is the reasoning behind that?

> There is, however, ZERO evidence that they are going head to head with 
> America doing that.

Is there any evidence that America is doing this?
(Outside the snowden leaks, o/c, because they don't cover russia.)

> I believe that what is needed is changing Tor to accommodate a lot of small 
> relays running by a very large number of volunteers, and to push real traffic 
> through them.

And where do you want to get these?

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds 
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Aeris
> *any* sounds a little bit too optimistic IMO, but it reduces the risk of
> being deanonymized (always under the assumption of the threat model).

If the family name is correctly defined, Tor ensures you will only use one of 
those nodes in your circuits.

If the family name is not correctly defined, the Tor Project will try to 
contact the operator to define one:

https://lists.torproject.org/pipermail/tor-relays/2016-December/02.html

https://lists.torproject.org/pipermail/tor-relays/2016-December/011402.html

https://lists.torproject.org/pipermail/tor-relays/2016-December/011416.html
Without action, nodes may be blacklisted if suspicious. And even if not, the 
/16 restriction will apply, and 2 nodes on the same /16 will never be used.

If attacker nodes have no family name and are not in a few /16s, we are 
typically in a Sybil attack and Tor network tools might report the trouble.
https://gitweb.torproject.org/user/phw/sybilhunter.git/

https://lists.torproject.org/pipermail/tor-consensus-health/2014-November/005252.html

Sure, all those protections are not perfect. Adding new relays a few at a time 
to stay under the Sybil attack detection level, without a common pattern (IP, 
/16, node name, AS…), over a long time, to control most of the nodes, may 
remain undetected.
But currently, this seems not to be the case, at least for guards and exits, 
which are well known or documented most of the time, or at least for the 
biggest part of the consensus.

More than money, such an undetected attack requires a global organisation to 
subvert and subpoena enough people (network admin, sys admin, companies, 
hardware hosting…) to build it. It's more a planetary conspiracy theory than 
anything else.

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
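
The two path restrictions named in the message above (declared family and shared /16), written out as a check over a candidate circuit. This is an added example, not Tor's own code or code from the original post: the `Relay` record, the helper names and all relays are constructed, and only IPv4 is handled.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Relay:
    nickname: str
    fingerprint: str
    address: str                      # IPv4 address
    family: frozenset = frozenset()   # fingerprints this relay declares as family


def same_family(a, b):
    """A family link counts only when both relays declare each other."""
    return b.fingerprint in a.family and a.fingerprint in b.family


def same_slash16(a, b):
    """True when both IPv4 addresses fall inside the same /16 network."""
    net = ipaddress.ip_network(f"{a.address}/16", strict=False)
    return ipaddress.ip_address(b.address) in net


def path_conflicts(path):
    """Every pair in the path that breaks a restriction, with the reason."""
    conflicts = []
    for a, b in combinations(path, 2):
        if a.fingerprint == b.fingerprint:
            reason = "same relay"
        elif same_family(a, b):
            reason = "same family"
        elif same_slash16(a, b):
            reason = "same /16"
        else:
            continue
        conflicts.append((a.nickname, b.nickname, reason))
    return conflicts


def one_sided_declarations(relays):
    """Declarations the other relay does not return.

    These are the misconfigurations an operator would be asked to fix:
    until the declaration is mutual, the family rule does not apply and
    only the /16 rule separates the two relays.
    """
    by_fp = {r.fingerprint: r for r in relays}
    found = []
    for r in relays:
        for fp in sorted(r.family):
            other = by_fp.get(fp)
            if other is not None and r.fingerprint not in other.family:
                found.append((r.nickname, other.nickname))
    return found


def fp(char):
    """Constructed 40-character placeholder fingerprint."""
    return char * 40


# Constructed relays on documentation/benchmark address ranges.
ALPHA1 = Relay("alpha1", fp("A"), "192.0.2.10", frozenset({fp("B")}))
ALPHA2 = Relay("alpha2", fp("B"), "198.51.100.7", frozenset({fp("A")}))
BETA = Relay("beta", fp("C"), "192.0.2.200")
GAMMA = Relay("gamma", fp("D"), "203.0.113.5", frozenset({fp("E")}))
DELTA = Relay("delta", fp("E"), "198.18.5.5")
ALL_RELAYS = [ALPHA1, ALPHA2, BETA, GAMMA, DELTA]

if __name__ == "__main__":
    for path in ([ALPHA1, ALPHA2, GAMMA], [ALPHA1, BETA, GAMMA],
                 [ALPHA1, DELTA, GAMMA]):
        names = [r.nickname for r in path]
        print(names, path_conflicts(path) or "ok")
    print("one-sided:", one_sided_declarations(ALL_RELAYS))
```

The third path passes even though gamma declares delta, because delta does not declare gamma back; `one_sided_declarations` surfaces exactly that gap.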



Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Toralf Förster

On 01/02/2017 04:32 PM, Aeris wrote:
> Tor node selection for circuits will address this trouble and avoid you to use
> more than 1 of their nodes in the same circuit, preventing any anonymity
> problem.
*any* sounds a little bit too optimistic IMO, but it reduces the risk of being 
deanonymized (always under the assumption of the threat model).

-- 
Toralf
PGP: C4EACDDE 0076E94E


Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Aeris
> I do not know how to interpret this table. How many guards are there at any
> given time?

Currently, we have 2442 guards.
This number is not fixed but varies each day depending on community efforts to 
maintain stable nodes with enough bandwidth.

> Known to whom? Is there a Tor police that researches "unknown" guards? How
> do you measure "known"? How do they become "known"? Something akin to key
> signing parties? Secret meetings in Munich biergartens?

Major operators are not anonymous and are close to the Tor Project or other 
privacy-aware associations.
Among the top guard operators, I see Tor developers, EFF members, privacy-aware 
email providers, privacy-aware hosting providers, scientists, known hacktivists, 
people active on this list, VPN providers… Not at all related to three-letter 
agencies (or we must begin to fear a global conspiracy able to subpoena 
all those kinds of people/associations/companies on this planet for 
decades…).

> Conversely, if someone installs a high performance relay, during the first
> 70 days is there a secret police investigation giving the operator a clean
> bill of health or conversely marking her as a rogue?

All nodes are watched permanently by a bunch of tools:
https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays#Doyouactivelylookforbadrelays

During the 70d, bad behaviour will be detected and the associated nodes banned.
And if we don’t detect anything bad during this time, then even if those nodes 
are controlled by bad guys, we don’t care because they help the network!
Tor node selection for circuits will address this trouble and prevent you from 
using more than 1 of their nodes in the same circuit, preventing any anonymity 
problem.
The best we can do in such a case is to contact the operator to talk about the 
diversity problem and to ask them to shut down some nodes if we consider that 
he controls more of the consensus than he should.

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/



Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Rana
Known to whom? Is there a Tor police that researches "unknown" guards? How do 
you measure "known"? How do they become "known"? Something akin to key signing 
parties? Secret meetings in Munich biergartens?

Conversely, if someone installs a high performance relay, during the first 70 
days is there a secret police investigation giving the operator a clean bill of 
health or conversely marking her as a rogue?

-Original Message-
From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf Of 
Zwiebel
Sent: Monday, January 02, 2017 4:19 PM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] How can we trust the guards?

> Currently, most of the major guard operators are well known people
are you sure?

- Zwiebel, 33rd on that list


Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Rana
Sorry

-Original Message-
From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf Of 
Aeris
Sent: Monday, January 02, 2017 3:56 PM

>Currently, most of the major guard operators are well known people and no 
>doubt they’re not engaged with three-letter agencies.
>https://github.com/ornetstats/stats/blob/master/o/main_guard_operators.txt

I do not know how to interpret this table. How many guards are there at any 
given time?




Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Zwiebel
> Currently, most of the major guard operators are well known people
are you sure?

- Zwiebel, 33rd on that list


Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Aeris
> > Tor model breaks down when facing a modest government adversary for the
> > simple reason that having only 7000 relays total, with a minority of
> > them carrying most of the traffic, invites cheap infiltration and
> > takeover by state adversaries.
> 
> Yeah, that's a problem :(

That’s a theoretical problem.
Currently, most of the major guard operators are well known people and no 
doubt they’re not engaged with three-letter agencies.


https://github.com/ornetstats/stats/blob/master/o/main_guard_operators.txt

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/



Re: [tor-relays] How can we trust the guards?

2017-01-02 Thread Mirimir
On 01/02/2017 12:53 AM, Rana wrote:
> @Mirimir
>>> This is not Blockchain where hundreds of thousands of greedy selfish 
>>> genes are working together for non-collusion.  A practically zero- 
>>> effort collusion of already fully cooperating FIVE EYE agencies (US, 
>>> UK, Canada, Australia, New Zealand) is needed to sprinkle several tens 
>>> of rogue relays every month all over the globe, hosted at unsuspected 
>>> hosters, looking perfectly bona fide. All they need is maintain some 
>>> bandwidth and stability (why not?) and wait 70 days and - hop! - they 
>>> are guards.
> 
>> That seems plausible. I don't know how the community of relay operators
>> works. But I suspect that, if you're right, many known and trusted relay
>> operators must be covert operatives. While that's not impossible, it
>> would represent a huge investment.
> 
> I've been through this already, and made a calculation of the completely
> negligible - in government terms - amount required to pay for hosting
> 4000 powerful nodes that are indiscernible from honest relays and are
> scattered all over the world. A huge investment is emphatically NOT
> required for this. As to operatives, I see no reason why a single
> employee could not control 500 rogue relays from a single $1000 PC.  
> Say, spending her day revisiting 25 relays daily, doing maintenance. 
> That's assuming zero automation. With some automation software (say, 
> flagging relays that need attention, most of them don't most of the 
> time), a single employee could control the entire 7000. Where's 
> the "huge investment"?

Yes, there's no huge investment in equipment or operator time. But it's
my impression that there's a community of relay operators. Who know each
other. And I doubt that an appreciable percentage of entry guards are
run by anonymous cowards, such as myself ;)

If that's the case -- and I'd appreciate knowledgeable comment -- many
known and trusted relay operators must be covert operatives. I expect
that running a long-term covert operation isn't cheap. But upon
reflection, it would arguably not cost more than a hundred million USD
per year. So maybe so.

> Tor model breaks down when facing a modest government adversary for the
> simple reason that having only 7000 relays total, with a minority of
> them carrying most of the traffic, invites cheap infiltration and
> takeover by state adversaries.

Yeah, that's a problem :(

> Rana
> 


Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Rana
@Mirimir
>> This is not Blockchain where hundreds of thousands of greedy selfish 
>> genes are working together for non-collusion.  A practically zero- 
>> effort collusion of already fully cooperating FIVE EYE agencies (US, 
>> UK, Canada, Australia, New Zealand) is needed to sprinkle several tens 
>> of rogue relays every month all over the globe, hosted at unsuspected 
>> hosters, looking perfectly bona fide. All they need is maintain some 
>> bandwidth and stability (why not?) and wait 70 days and - hop! - they 
>> are guards.

>That seems plausible. I don't know how the community of relay operators works. 
>But I suspect that, if you're right, many known and trusted relay operators 
>must be covert operatives. While that's not impossible, it would represent a 
>huge investment.

I've been through this already, and made a calculation of the completely 
negligible - in government terms - amount required to pay for hosting 4000 
powerful nodes that are indiscernible from honest relays and are scattered all 
over the world. A huge investment is emphatically NOT required for this. As to 
operatives, I see no reason why a single employee could not control 500 rogue 
relays from a single $1000 PC.  Say, spending her day revisiting 25 relays 
daily, doing maintenance. That's assuming zero automation. With some automation 
software (say, flagging relays that need attention, most of them don't most of 
the time), a single employee could control the entire 7000. Where's  the "huge 
investment"?

Tor model breaks down when facing a modest government adversary for the simple 
reason that having only 7000 relays total, with a minority of them carrying 
most of the traffic, invites cheap infiltration and takeover by state 
adversaries.

Rana



Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Mirimir
On 01/01/2017 11:28 PM, Rana wrote:



> @Mirimir, @Andreas
>>> This assumes that there is only one entity wanting to do that.
>>> When there are multiple the game isn't that easy.
> 
>> Yes, that is a great Tor feature! Dueling adversaries strengthen
>> Tor against each other.
> 
> That's wishful thinking at best. Assuming that there are enough
> non-colluding adversaries attacking Tor and destroying each
> other's efforts is futile. 

Well, from what I've read, it does interfere with some attacks.

> This is not Blockchain where hundreds of thousands of greedy selfish
> genes are working together for non-collusion.  A practically zero-
> effort collusion of already fully cooperating FIVE EYE agencies (US,
> UK, Canada, Australia, New Zealand) is needed to sprinkle several
> tens of rogue relays every month all over the globe, hosted at
> unsuspected hosters, looking perfectly bona fide. All they need is
> maintain some bandwidth and stability (why not?) and wait 70 days
> and - hop! - they are guards.

That seems plausible. I don't know how the community of relay operators
works. But I suspect that, if you're right, many known and trusted relay
operators must be covert operatives. While that's not impossible, it
would represent a huge investment.

> Sprinkling middle relays is even easier. I am not even talking
> about the broader 14-EYE intelligence cooperation that includes 14
> countries (https://en.wikipedia.org/wiki/UKUSA_Agreement#9_Eyes.
> 2C_14_Eyes.2C_and_other_.22third_parties.22)
> 
> That US agencies are actively working to destroy anonymity of
> (hopefully only selected, but who knows?) Tor users is an
> undisputable fact. Your implicit assumption that Russia is also
> attacking Tor is, however, unfounded. I mentioned that they have
> the resources to do so. Russia has arguably MORE resources than
> the US because instead of paying for hacking services and
> infrastructure all they need to do is threaten to put the
> ringleaders of their internationally renowned criminal hacking
> gangs in jail. There is, however, ZERO evidence that they are
> going head to head with America doing that. They seem to be much
> more interested in attacking weakly protected email servers of DNC. 

Well, who knows? Maybe Russia just has better security. China too.

But whatever. I do agree that guards are a risk. They may be malicious.
And there may be other flaws that permit signaling via circuit
management. So I always use Tor via nested VPN chains. And I tend to
include Russian VPNs in the chains.




Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Rana
@Sebastian
>> On 02 Jan 2017, at 07:28, Rana  wrote:
>> I think I already covered the "if it exists" part. Sticking to the original 
>> (old) design doc of Tor is not a practically useful strategy. I believe that 
>> Tor has MOSTLY such strong adversaries, the others do not matter much. You 
>> do not really use Tor to protect yourself from petty hackers, do you?

>I think the vast majority of Tor users are doing exactly that.

Then I can't accuse you of being inconsistent or illogical. I think, however, 
that you are very wrong. Petty hackers are not even remotely interested in 
destroying your anonymity. They are interested in your money. As long as they 
can have that, you can remain perfectly anonymous as far as they are concerned.





Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Sebastian Hahn

> On 02 Jan 2017, at 07:28, Rana  wrote:
> I think I already covered the "if it exists" part. Sticking to the original 
> (old) design doc of Tor is not a practically useful strategy. I believe that 
> Tor has MOSTLY such strong adversaries, the others do not matter much. You do 
> not really use Tor to protect yourself from petty hackers, do you?

I think the vast majority of Tor users are doing exactly that.


Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Rana
@Andreas
>It will not go quite unnoticed when the set of major relays changes 
>substantially over a few months.

Tor exists for what, 10 years? 30 new rogue relays per month (monthly quantity 
designed to be proportional to the recent months growth statistic) would go 
totally unnoticed and would get the attacker to the control of 4000 relays 
today. NSA certainly has the long term planning capacity to do exactly this, 
and the required resources are negligible.

@Mirimir, @Andreas
> >This assumes that there is only one entity wanting to do that.
> >When there are multiple the game isn't that easy.

>Yes, that is a great Tor feature! Dueling adversaries strengthen Tor against 
>each other.

That's wishful thinking at best. Assuming that there are enough non-colluding 
adversaries attacking Tor and destroying each other's efforts is futile. This 
is not Blockchain where hundreds of thousands of greedy selfish genes are 
working together for non-collusion.  A practically zero-effort collusion of 
already fully cooperating FIVE EYE agencies (US, UK, Canada, Australia, New 
Zealand) is needed to sprinkle several tens of rogue relays every month all 
over the globe, hosted at unsuspected hosters, looking perfectly bona fide. All 
they need is maintain some bandwidth and stability (why not?) and wait 70 days 
and - hop! - they are guards. Sprinkling middle relays is even easier. I am not 
even talking about the broader 14-EYE intelligence cooperation that includes 14 
countries 
(https://en.wikipedia.org/wiki/UKUSA_Agreement#9_Eyes.2C_14_Eyes.2C_and_other_.22third_parties.22)

That US agencies are actively working to destroy anonymity of (hopefully only 
selected, but who knows?) Tor users is an undisputable fact. Your implicit 
assumption that Russia is also attacking Tor is, however, unfounded. I 
mentioned that they have the resources to do so. Russia has arguably MORE 
resources than the US because instead of paying for hacking services and 
infrastructure all they need to do is threaten to put the ringleaders of their 
internationally renowned criminal hacking gangs in jail. There is, however, 
ZERO evidence that they are going head to head with America doing that. They 
seem to be much more interested in attacking weakly protected email servers of 
DNC. 

@Aeris
>Having  is not enough. You can’t just send  in hardware and expect to 
>be guard. You need to prove your worth to the network to have guard flag.
>And you also need intelligence, because your nodes must be VERY different from 
>each other, or only a few of your guards will be used (same /16 network, same 
>country, same operator => never 2 nodes on a circuit or guard set).

Ditto

>Controlling all guards is NOT a serious problem ’til you also control other 
>nodes (middle or exit).

Yep. Modify my previous posts and replace "guards" by "Guards and exits". Here 
you go.

>If you think such an attacker exists, just don’t use Tor, this is EXACTLY the 
>threat model Tor can’t avoid and expressed in the paper.

I think I already covered the "if it exists" part. Sticking to the original 
(old) design doc of Tor is not a practically useful strategy. I believe that 
Tor has MOSTLY such strong adversaries, the others do not matter much. You do 
not really use Tor to protect yourself from petty hackers, do you?

I believe that what is needed is changing Tor to accommodate a lot of small 
relays run by a very large number of volunteers, and to push real traffic 
through them. The current consolidation of most of the Tor traffic in a small 
number of stable, high bandwidth relays was NOT anticipated by the Tor design 
paper and makes contamination of the majority of the network by rogue relays a 
very easy job indeed.

Rana



Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Aeris
> @Aeris
> 
> I do not see how Sybil attacks relate to my question. The adversary will
> simply set up new nodes, without messing with attacking identities of
> existing ones.

A Sybil attack is not attacking identity, but just running a bunch of relays.

> As to the rest of it, let us calculate. Assuming that the adversary wants to
> control 4000 nodes for 3 years, the 70d startup period is irrelevant and
> negligible.

But because they have guard flags, those 4000 nodes must be among the top 25% 
of nodes by bandwidth. So this assumes we have around 16k nodes currently, which 
is false.
And the current average guard bandwidth is around 40Mbps, so your attacker has 
156Gbps capacity…
And because of Tor node selection, those 4000 nodes must be on as many /16 
networks as possible.

> Assuming further that operating the relays will cost the
> adversary $20/month each, the total "investment" required would be
> 20x12x3x4000=less than $3million
> 
> That’s $1million a year to control most of the Tor nodes. You call this
> "costly"? This amount is a joke, a trifle, petty cash for any US or Russian
> government agency. FIFTY times this amount is STILL petty cash, so in case
> you think $20/month is not enough to run a relay, make it $1000 a month.

Having  is not enough. You can’t just send  in hardware and expect to 
be guard. You need to prove your worth to the network to have guard flag.
And you also need intelligence, because your nodes must be VERY different from 
each other, or only a few of your guards will be used (same /16 network, same 
country, same operator => never 2 nodes on a circuit or guard set).

> So I repeat - how is this prevented?

Re-read my first post. Tor node selection for circuit, Tor node guard flag 
assignment.
And because currently most of the guards are controlled by well known or smart 
enough people, we don’t have such an attacker.

Controlling all guards is NOT a serious problem ’til you also 
control other nodes (middle or exit).
If you think such an attacker exists, just don’t use Tor, this is EXACTLY the 
threat model Tor can’t avoid and expressed in the paper.

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/




Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Mirimir
On 01/01/2017 03:42 PM, Andreas Krey wrote:
> On Sun, 01 Jan 2017 23:54:03 +, Rana wrote:
> ...
>> I do not see how Sybil attacks relate to my question. The adversary will 
>> simply set up new nodes, without messing with attacking identities of 
>> existing ones.
> 
> It will not go quite unnoticed when the set of major relays changes
> substantially over a few months.

True. But prudent adversaries wouldn't put their trusted relays, with
guard flags, at risk by doing anything unusual with them. They would use
throwaway relays with exit flags to modulate circuit traffic, and then
detect that modulation in their guards. Such malicious exits would be
detected and banned, but the malicious guards would only be at risk when
users became aware of compromise.

That wouldn't work for onion services, however, because there are no
exits involved. Something might be doable using rendezvous relays, or
perhaps onion directories, but I'm guessing that it would be harder and
more obvious. Unfortunately, however, I don't understand the mechanism
well enough to have much of an opinion.

> ...
>> That's $1million a year to control most of the Tor nodes. You call this 
>> "costly"? This amount is a joke, a trifle, petty cash for any US or Russian 
>> government agency. FIFTY times this amount is STILL petty cash, so in case 
>> you think $20/month is not enough to run a relay, make it $1000 a month.
> 
> This assumes that there is only one entity wanting to do that.
> When there are multiple the game isn't that easy.

Yes, that is a great Tor feature! Dueling adversaries strengthen Tor
against each other.

> Andreas
> 


Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Andreas Krey
On Sun, 01 Jan 2017 23:54:03 +, Rana wrote:
...
> I do not see how Sybil attacks relate to my question. The adversary will 
> simply set up new nodes, without messing with attacking identities of 
> existing ones.

It will not go quite unnoticed when the set of major relays changes
substantially over a few months.

...
> That's $1million a year to control most of the Tor nodes. You call this 
> "costly"? This amount is a joke, a trifle, petty cash for any US or Russian 
> government agency. FIFTY times this amount is STILL petty cash, so in case 
> you think $20/month is not enough to run a relay, make it $1000 a month.

This assumes that there is only one entity wanting to do that.
When there are multiple the game isn't that easy.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds 
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Matt Traudt


On 01/01/2017 04:54 PM, Rana wrote:
> The adversary will simply set up new nodes

Which can be called a Sybil attack.

> That’s $1million a year to control most of the Tor nodes. You call this 
> "costly"? This amount is a joke, a trifle, petty cash for any US or Russian 
> government agency. FIFTY times this amount is STILL petty cash, so in case 
> you think $20/month is not enough to run a relay, make it $1000 a month.
> 
> So I repeat - how is this prevented?

I started out writing a really long reply to your initial email, but I
don't think it would have been worth hitting send.

The very short answer: it isn't prevented. My other reply went on and on
about how node selections are weighted and reminded you how nodes get
the Guard flag and how nodes must be stable, familiar, and speedy for a
significant amount of time. All to try to convince you that Tor does a
good enough job.

But none of that matters because the adversary you talk about has big $$$.

So I invite you to read section 3 of the original Tor paper[0] to see
what the goals, non-goals, and threat model originally were.

No low-latency anonymity network that I'm aware of can protect its users
from such a powerful adversary as the one you speak of. It's an open
problem. Some good papers have been coming out recently, and some hold
promise. But none of them have made it out of the paper/prototype stage
that I'm aware of.

Matt

[0]: https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf


Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Rana
@Aeris

I do not see how Sybil attacks relate to my question. The adversary will simply 
set up new nodes, without messing with attacking identities of existing ones.

As to the rest of it, let us calculate. Assuming that the adversary wants to 
control 4000 nodes for 3 years, the 70d startup period is irrelevant and 
negligible. Assuming further that operating the relays will cost the adversary 
$20/month each, the total "investment" required would be 20x12x3x4000=less than 
$3million

That’s $1million a year to control most of the Tor nodes. You call this 
"costly"? This amount is a joke, a trifle, petty cash for any US or Russian 
government agency. FIFTY times this amount is STILL petty cash, so in case you 
think $20/month is not enough to run a relay, make it $1000 a month.

So I repeat - how is this prevented?




Re: [tor-relays] How can we trust the guards?

2017-01-01 Thread Aeris
> What's the trust mechanism (if any) to ensure that the majority of guards
> are not hijacked by adversaries?

See https://blog.torproject.org/blog/lifecycle-of-a-new-relay

* You need to wait around 70d to be a fully ready guard relay consuming all 
the possible bandwidth.
* Any sybil attack will be discovered even before having the guard flag at all 
(8th day).
* And you have to provide a lot of bandwidth to the network to be in the top 
quarter of relays to have the guard flag.

So it will be difficult for an attacker to hijack enough guard nodes to be 
really dangerous.
Too costly (bandwidth), too long (70d) and too visible.

Remember too that your client uses only a few guards at a time and rotates them 
only every 4 to 8 weeks. So even if an evil guard appears, you have to wait at 
least 4 weeks to be in danger, if in danger at all (the probability is low to 
pick an evil guard at the next rotation).

And last, even if you use an evil guard node, the attacker needs to control 
another node (middle or exit) on one of your circuits to break anonymity.

So, evil guard nodes are not a big problem :)

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
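
Archive note, not part of any list message: the exposure arithmetic argued in Aeris's two messages in this thread (bandwidth-weighted guard choice, the same-/16 exclusion, slow guard rotation, and the need to hold both ends of a circuit), worked through as an added example. It is a simplified model and not Tor's path-selection code; the relay addresses, bandwidths and the `Relay`, `both_ends` and `exposed_after` names are constructed for illustration.

```python
from collections import namedtuple
from fractions import Fraction
from ipaddress import ip_address

# Constructed relay record; "evil" marks relays run by the hypothetical adversary.
Relay = namedtuple("Relay", "ip bw guard exit evil")

def slash16(ip):
    """Top 16 bits of an IPv4 address, i.e. its /16 network."""
    return int(ip_address(ip)) >> 16

def guard_share(relays):
    """Bandwidth-weighted chance that one guard pick lands on an adversary relay."""
    guards = [r for r in relays if r.guard]
    return Fraction(sum(r.bw for r in guards if r.evil), sum(r.bw for r in guards))

def both_ends(relays):
    """Exact chance that one circuit has an adversary guard AND an adversary exit.
    Model assumption: guard picked by bandwidth, then exit picked by bandwidth
    among exit relays outside the guard's /16."""
    guards = [r for r in relays if r.guard]
    g_total = sum(r.bw for r in guards)
    p = Fraction(0)
    for g in guards:
        if not g.evil:
            continue
        exits = [e for e in relays
                 if e.exit and e is not g and slash16(e.ip) != slash16(g.ip)]
        e_total = sum(e.bw for e in exits)
        if e_total:
            evil_bw = sum(e.bw for e in exits if e.evil)
            p += Fraction(g.bw, g_total) * Fraction(evil_bw, e_total)
    return p

def exposed_after(share, rotations):
    """Chance a client picked at least one adversary guard over n independent rotations."""
    return 1 - (1 - share) ** rotations

def network(adversary_ips):
    """Constructed network: 6 honest guards, 4 honest exits, 2+2 adversary relays."""
    honest = [Relay(f"10.{i}.0.1", 40, True, False, False) for i in range(1, 7)]
    honest += [Relay(f"10.{i}.0.1", 40, False, True, False) for i in range(11, 15)]
    g1, g2, e1, e2 = adversary_ips
    evil = [Relay(g1, 40, True, False, True), Relay(g2, 40, True, False, True),
            Relay(e1, 40, False, True, True), Relay(e2, 40, False, True, True)]
    return honest + evil

# Same adversary bandwidth, hosted in one /16 versus four different /16s.
CLUSTERED = network(["10.99.0.1", "10.99.0.2", "10.99.0.3", "10.99.0.4"])
SPREAD = network(["10.91.0.1", "10.92.0.1", "10.93.0.1", "10.94.0.1"])

if __name__ == "__main__":
    for name, net in (("clustered", CLUSTERED), ("spread", SPREAD)):
        share = guard_share(net)
        print(name, share, both_ends(net), exposed_after(share, 3))
```

In this constructed network the adversary holds the same guard share in both layouts, but the /16 exclusion removes every both-ends circuit when its relays share one /16, and the per-client exposure grows with each guard rotation rather than with each circuit.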
