[tor-talk] Iran cracks down on web dissident technology

2011-03-20 Thread Eugen Leitl

http://www.telegraph.co.uk/news/worldnews/middleeast/iran/8388484/Iran-cracks-down-on-web-dissident-technology.html

Iran cracks down on web dissident technology

Iranian security authorities have launched a new crackdown on dissidents
online by blocking US government-backed technology that allows them to speak
out safely.

Tor took off in Iran after the disputed 2009 election Photo: AFP/GETTY

By Christopher Williams, Technology Correspondent 7:00AM GMT 18 Mar 2011

Internet freedom activists believe the regime in Tehran has implemented
highly sophisticated internet surveillance technology and that an information
“arms race” is now inevitable.

The crackdown targeted Tor, a free piece of software that allows anyone to
connect to the internet via a global private network that hides computer IP
addresses, which could be used by authorities to identify and locate
dissidents. It also encrypts the contents of users' internet communications,
making eavesdropping on emails, Facebook, Twitter and other applications more
difficult.

On average, around 250,000 computers worldwide are connected to the Tor
network at any time, making it the leading anti-surveillance technology
online.

But in mid-January, as revolutionary fervour swept the Middle East, the
number of computers connected to the Tor network via one major Iranian
broadband provider collapsed almost overnight from more than 11,000 to zero.

Investigations by the Tor Project, the not-for-profit company that runs the
system, have since revealed that, crucially, other encrypted traffic such as
internet banking was still flowing. It meant Iranian authorities had for the
first time found a way to identify and block only Tor connections, and
therefore a way to potentially identify dissidents.

“What they did was vastly upgrade their capability,” said Andrew Lewman,
executive director of the Tor Project.

The technology responsible for the new threat was Deep Packet Inspection
(DPI), a type of high-end network equipment that uses ultra-fast microchips
to read and classify internet traffic in transit. The Iranian authorities
used DPI to detect the highly specific parameters Tor uses to establish an
encrypted connection.

“From an engineering perspective this is fantastic,” said Mr Lewman of his
adversaries' efforts.

He added that the Tor Project had known it could be attacked in this way “for
years”, but had chosen not to take pre-emptive measures because “we’re trying
to have an arms race really slowly”. In the last few weeks developers have
redesigned the software so that its traffic looks just like any other when it
sets up an encrypted connection, and Iranian user numbers are now back to
normal.

It is unknown who supplied Iran with the DPI technology, but few technology
manufacturers build equipment capable of reading and classifying internet
traffic at the necessary scale and speed. Last year, Nokia-Siemens faced a
European Parliament hearing after it admitted selling a mass communications
“monitoring centre” to an Iranian mobile network.

“Who knows, maybe they just got someone to configure it for them,” Mr Lewman
speculated.

Whoever the supplier, the temporary block on Tor does show that Iran is now
more advanced than even China and its Great Firewall in terms of the
technology it uses to suppress dissent online, said Mr Lewman. The regime has
rapidly caught up with its critics since the unrest following the 2009
election, when the number of Tor users rocketed from approximately 1,200 to
2,800 in a matter of days as many Iranians first began to use social networks
to organise protests.  The value of “internet freedom” technologies to US
foreign policy has not gone unnoticed in Washington: the Tor Project’s arms
race with Iranian authorities is funded in part by grants from both the
Department of Defense and the State Department.
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-20 Thread Joe Btfsplk

On 3/20/2011 5:08 PM, Eugen Leitl wrote:
> http://www.telegraph.co.uk/news/worldnews/middleeast/iran/8388484/Iran-cracks-down-on-web-dissident-technology.html
>
> Iran cracks down on web dissident technology...
>
> ...  The value of “internet freedom” technologies to US
> foreign policy has not gone unnoticed in Washington: the Tor Project’s arms
> race with Iranian authorities is _funded in part by grants from both the
> Department of Defense and the State Department_.

You've GOT to be kidding.  Tell me that's a mistake.  Tor Project,
dedicated to privacy & anonymity, takes $ from DoD & Sam?  While the US
spies on its citizens, unconstitutionally?  That's rich.
Honestly, this enlightenment will make me reconsider ever using Tor for 
anything I don't want sent directly to DC.  It's like trusting car 
magazines' reviews that get their advertising $ from car manufacturers.  
There is no way the fed is going to give $ to any "privacy" organization 
w/o wanting something (cough, back door) in return.  Every ISP has been 
forced into violating users' privacy.  Why would Tor project, after 
taking $ from Sam, be any different?  OK users, go ahead & stick your 
head in the sand.


EVEN if it's not true, for me, Tor project has lost a good deal of its 
credibility through its associations.  Of course, no government would 
ever lie & neither would a company (AT&T, Ford, Google, R.J. Reynolds...).



Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-20 Thread Edward Langenback

Joe Btfsplk wrote:
> On 3/20/2011 5:08 PM, Eugen Leitl wrote:
>> http://www.telegraph.co.uk/news/worldnews/middleeast/iran/8388484/Iran-cracks-down-on-web-dissident-technology.html
>>
>> Iran cracks down on web dissident technology...
>>
>> ...  The value of “internet freedom” technologies to US
>> foreign policy has not gone unnoticed in Washington: the Tor Project’s arms
>> race with Iranian authorities is_funded in part by grants from both the
>> Department of Defense and the State Department_.
> You've GOT to be kidding.  Tell me that's a mistake.  Tor Project, 
> dedicated to privacy & anonymity, takes $ from DoD & Sam?  While the US 
> spies on its citizens, unconstitutionally?  That's rich.
> Honestly, this enlightenment will make me reconsider ever using Tor for 
> anything I don't want sent directly to DC.  It's like trusting car 
> magazines' reviews that get their advertising $ from car manufacturers.  
> There is no way the fed is going to give $ to any "privacy" organization 
> w/o wanting something (cough, back door) in return.  Every ISP has been 
> forced into violating users' privacy.  Why would Tor project, after 
> taking $ from Sam, be any different?  OK users, go ahead & stick your 
> head in the sand.
> 
> EVEN if it's not true, for me, Tor project has lost a good deal of its 
> credibility through its associations.  Of course, no government would 
> ever lie & neither would a company (AT&T, Ford, Google, R.J. Reynolds...).

If I'm not mistaken, not only has TOR had at least some government /
DOD funding from the start, the original project was started by the
military.

- --

Check out my Youtube channel: http://youtube.com/tinfoilchefdotcom
Follow me on Twitter: http://twitter.com/tinfoilchef


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-20 Thread Aplin, Justin M

On 3/20/2011 11:04 PM, Edward Langenback wrote:
> Joe Btfsplk wrote:
>> On 3/20/2011 5:08 PM, Eugen Leitl wrote:
>> You've GOT to be kidding.  Tell me that's a mistake.  Tor Project,
>> dedicated to privacy & anonymity, takes $ from DoD & Sam?  While the US
>> spies on its citizens, unconstitutionally?  That's rich.
>> Honestly, this enlightenment will make me reconsider ever using Tor for
>> anything I don't want sent directly to DC.  It's like trusting car
>> magazines' reviews that get their advertising $ from car manufacturers.
>> There is no way the fed is going to give $ to any "privacy" organization
>> w/o wanting something (cough, back door) in return.  Every ISP has been
>> forced into violating users' privacy.  Why would Tor project, after
>> taking $ from Sam, be any different?  OK users, go ahead & stick your
>> head in the sand.
>>
>> EVEN if it's not true, for me, Tor project has lost a good deal of its
>> credibility through its associations.  Of course, no government would
>> ever lie & neither would a company (AT&T, Ford, Google, R.J. Reynolds...).
>
> If I'm not mistaken, not only has TOR had at least some government /
> DOD funding from the start, the original project was started by the
> military.


This is well-known, publicly-available, and frankly, *old* information. 
Of course, Tor is an open-source project, so you're welcome to peruse
the source for any backdoors and compile it for yourself, just to be sure.


~Justin Aplin



Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-20 Thread Ali-Reza Anghaie
I find it curious that ~credibility~ of tor is being called into
question by some. The source is readily available, the libraries it
compiles against are readily available, the change logs, code control
records, etc. are all readily available. Certain contributors to tor
have come under fire from various Governments and private
institutions. For bloody sin sake EVERYTHING has had Uncle Sam
involved in some variable way at this point. Linux, GCC, sendmail,
bind, etc. etc.

FUD is an energy stealer and if you can afford that energy loss then
at least put it to good use auditing and tracking down bugs or any
backdoors you suppose. -Ali


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-20 Thread Paul Syverson
On Sun, Mar 20, 2011 at 10:04:45PM -0500, Edward Langenback wrote:
> Joe Btfsplk wrote:
> > On 3/20/2011 5:08 PM, Eugen Leitl wrote:
> >> http://www.telegraph.co.uk/news/worldnews/middleeast/iran/8388484/Iran-cracks-down-on-web-dissident-technology.html
> >>
> >> Iran cracks down on web dissident technology...
> >>
> >> ...  The value of “internet freedom” technologies to US
> >> foreign policy has not gone unnoticed in Washington: the Tor Project’s arms
> >> race with Iranian authorities is _funded in part by grants from both the
> >> Department of Defense and the State Department_.
> > You've GOT to be kidding.  Tell me that's a mistake.  Tor Project, 
> > dedicated to privacy & anonymity, takes $ from DoD & Sam?  While the US 
> > spies on its citizens, unconstitutionally?  That's rich.
> > Honestly, this enlightenment will make me reconsider ever using Tor for 
> > anything I don't want sent directly to DC.  It's like trusting car 
> > magazines' reviews that get their advertising $ from car manufacturers.  
> > There is no way the fed is going to give $ to any "privacy" organization 
> > w/o wanting something (cough, back door) in return.  Every ISP has been 
> > forced into violating users' privacy.  Why would Tor project, after 
> > taking $ from Sam, be any different?  OK users, go ahead & stick your 
> > head in the sand.
> > 
> > EVEN if it's not true, for me, Tor project has lost a good deal of its 
> > credibility through its associations.  Of course, no government would 
> > ever lie & neither would a company (AT&T, Ford, Google, R.J. Reynolds...).
> 
> If I'm not mistaken, not only has TOR had at least some government /
> DOD funding from the start, the original project was started by the
> military.
> 

People seem to need a periodic refresher on this.
I will just state the long public and published facts.
Interpret them as you like. You can read more details at
http://www.onion-router.net/History.html
but here's a quick summary:

I invented onion routing at NRL with David Goldschlag and Mike Reed in
1995-96 as a US Naval Research Laboratory project with initial funding
from ONR. All of us were NRL employees at the time. Our first deployed
system was in 1996 and source code for that system was distributed
later that year. (Code was entirely US government work by US
government employees, so not subject to copyright.)

As part of a later NRL project, I created the version of onion routing
that became known as Tor along with Roger Dingledine and Nick
Mathewson starting in 2002. I have been an NRL employee throughout all
this.  Roger and Nick were contractors working on my project. NRL
projects funded by ONR and DARPA were the only funding they had to
work on Tor until 2004. The first publicly deployed Tor network was in
2003, which was also when the source code was made available and
publicly licensed under the MIT license.  The first funding Roger and
Nick got to work on Tor that was other than as part of an NRL project
was from the EFF starting in 2004.

Tor got funding from a variety of sources after that, including several
U.S. government projects, both before and since becoming a US 501 (c)(3)
nonprofit. You can find a summary at
https://torproject.org/about/sponsors.html.en

HTH,
Paul


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread alex-tor
On Sun, Mar 20, 2011 at 11:15:27PM -0400, Aplin, Justin M wrote:
> welcome to peruse the source for any backdoors and compile it for
> yourself, just to be sure.

But make sure that you've compiled your compiler yourself with a
compiler that you trust.

http://cm.bell-labs.com/who/ken/trust.html

*SCNR*




Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Joe Btfsplk
1st, thanks for the refresher, Paul.  I'll bet most users didn't know 
Tor was started by the NRL.  Unfortunately, for many, that won't ease 
their minds much.


I don't have the knowledge & skills to check Tor's source code & bet 
well > 90% of users don't either.
I know (knew) my comments on Tor being funded (or started) by any Fed 
organization would not be well received.  Neither were the handful of 
people w/ inside knowledge after 9-11 attacks, shouting there was no 
justification in attacking Iraq.  They were shouted down & quickly 
labeled as unpatriotic.  Even today, surveys show a significant percent 
of people still believe Iraq was responsible for 9-11 attacks.  "Don't 
confuse me w/ facts - I've already made up my mind."


Again, WHY would Sam develop or fund technology that would make it 
possible for * their enemies *  to communicate anonymously and 
privately, possibly allowing them to plot against him, with ABSOLUTELY 
no way to decipher that communication?


It's a serious question.  Please save the "check the source code 
yourself" comments.  Open source code means literally nothing.  Did it 
mean anything when Iraq cracked down on Tor users?  Researchers often 
show that.  What makes this project different than other govt funded 
projects?  (This seems like the, "It'll never happen here / to us" 
mentality).


It * IS * happening to us in pretty much every aspect of citizens' 
privacy.  That's no secret.  What makes Tor any different?   If one govt 
can figure out how to identify Tor traffic, so can others.  Above ALL 
else, govts NEVER reveal the full extent of their intelligence 
capability.  That would be foolish.


I've never known Sam to get involved in, or fund something - especially 
like this - * w/o wanting something in return.*  Ever.  WHETHER or not 
they make known, to anyone, what they want or intend to do.  It's been 
shown for over 50 - 60 yrs (probably much longer) that even people in 
charge of entire govt projects (or govt funded ones), often don't know 
the  *full* extent of what's being done w/ the research, technology, 
info, etc.  If you want to ignore history, go ahead.




On 3/20/2011 11:46 PM, Paul Syverson wrote:

On Sun, Mar 20, 2011 at 10:04:45PM -0500, Edward Langenback wrote:


Joe Btfsplk wrote:

On 3/20/2011 5:08 PM, Eugen Leitl wrote:

http://www.telegraph.co.uk/news/worldnews/middleeast/iran/8388484/Iran-cracks-down-on-web-dissident-technology.html

Iran cracks down on web dissident technology...

...  The value of “internet freedom” technologies to US
foreign policy has not gone unnoticed in Washington: the Tor Project’s arms
race with Iranian authorities is _funded in part by grants from both the
Department of Defense and the State Department_.

You've GOT to be kidding.  Tell me that's a mistake.  Tor Project,
dedicated to privacy & anonymity, takes $ from DoD & Sam?  While the US
spies on its citizens, unconstitutionally?  That's rich.
Honestly, this enlightenment will make me reconsider ever using Tor for
anything I don't want sent directly to DC.  It's like trusting car
magazines' reviews that get their advertising $ from car manufacturers.
There is no way the fed is going to give $ to any "privacy" organization
w/o wanting something (cough, back door) in return.  Every ISP has been
forced into violating users' privacy.  Why would Tor project, after
taking $ from Sam, be any different?  OK users, go ahead & stick your
head in the sand.

EVEN if it's not true, for me, Tor project has lost a good deal of its
credibility through its associations.  Of course, no government would
ever lie & neither would a company (AT&T, Ford, Google, R.J. Reynolds...).

If I'm not mistaken, not only has TOR had at least some government /
DOD funding from the start, the original project was started by the
military.


People seem to need a periodic refresher on this.
I will just state the long public and published facts.
Interpret them as you like. You can read more details at
http://www.onion-router.net/History.html
but here's a quick summary:

I invented onion routing at NRL with David Goldschlag and Mike Reed in
1995-96 as a US Naval Research Laboratory project with initial funding
from ONR. All of us were NRL employees at the time. Our first deployed
system was in 1996 and source code for that system was distributed
later that year. (Code was entirely US government work by US
government employees, so not subject to copyright.)

As part of a later NRL project, I created the version of onion routing
that became known as Tor along with Roger Dingledine and Nick
Mathewson starting in 2002. I have been an NRL employee throughout all
this.  Roger and Nick were contractors working on my project. NRL
projects funded by ONR and DARPA were the only funding they 

Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Anders Andersson
On Mon, Mar 21, 2011 at 4:32 AM, Ali-Reza Anghaie  wrote:
> I find it curious that ~credibility~ of tor is being called into
> question by some. The source is readily available, the libraries it
> compiles against are readily available, the change logs, code control
> records, etc. are all readily available. Certain contributors to tor
> have come under fire from various Governments and private
> institutions. For bloody sin sake EVERYTHING has had Uncle Sam
> involved in some variable way at this point. Linux, GCC, sendmail,
> bind, etc. etc.
>
> FUD is an energy stealer and if you can afford that energy loss then
> at least put it to good use auditing and tracking down bugs or any
> backdoors you suppose. -Ali

I think that it's more curious that someone used Tor and didn't know
that it used to be a military research project. Like the internet.

But to be honest, if you don't know anything about programming it
doesn't matter that the source code is available, how are you supposed
to check? Pay someone a ridiculous amount of money to check it for
you? And there's no way to know how many independent programmers have
validated the source code. In a scenario where the military actually
would hide something in the source, all programmers working on the
project would of course be in on it together. There are only a handful
of them.


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Anders Andersson
On Mon, Mar 21, 2011 at 1:59 PM, Joe Btfsplk  wrote:

> I've never known Sam to get involved in, or fund something - especially like
> this - * w/o wanting something in return.*  Ever.  WHETHER or not they make
> known, to anyone, what they want or intend to do.  It's been shown for over
> 50 - 60 yrs (probably much longer) that even people in charge of entire govt
> projects (or govt funded ones), often don't know the  *full* extent of
> what's being done w/ the research, technology, info, etc.  If you want to
> ignore history, go ahead.

What they have gained with the Tor project, and I'm just brainstorming
here because I'm from Sweden and don't know much about the internals
of DoD, is this:

They need a project like Tor as much as "we" do, if not more. They
need ways to communicate with spies and dissidents located all over
the world, they need a system that lets their people do this without
causing any suspicion.

With Tor, they have such a tool, and the openness of the software and
source code means that it's more thoroughly tested than they could
ever have done in secret. It is likely that they have a highly
modified version of Tor and that they are watching the Tor project
very carefully as a research project to see the strengths and
weaknesses with such a project.

Planting backdoors in software like this is pretty useless and
ineffective, because you can only use it once. As soon as you act on
information received, there is a very big chance that the backdoor
will be uncovered, Tor will lose all credibility, and no one will ever
again use it for anything that the US would seem interesting.


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Paul Syverson
On Mon, Mar 21, 2011 at 02:43:22PM +0100, Anders Andersson wrote:
> On Mon, Mar 21, 2011 at 4:32 AM, Ali-Reza Anghaie  
> wrote:
> > I find it curious that ~credibility~ of tor is being called into
> > question by some. The source is readily available, the libraries it
> > compiles against are readily available, the change logs, code control
> > records, etc. are all readily available. Certain contributors to tor
> > have come under fire from various Governments and private
> > institutions. For bloody sin sake EVERYTHING has had Uncle Sam
> > involved in some variable way at this point. Linux, GCC, sendmail,
> > bind, etc. etc.
> >
> > FUD is an energy stealer and if you can afford that energy loss then
> > at least put it to good use auditing and tracking down bugs or any
> > backdoors you suppose. -Ali
> 
> I think that it's more curious that someone used Tor and didn't know
> that it used to be a military research project. Like the internet.
> 
> But to be honest, if you don't know anything about programming it
> doesn't matter that the source code is available, how are you supposed
> to check? Pay someone a ridiculous amount of money to check it for
> you? And there's no way to know how many independent programmers have
> validated the source code. In a scenario where the military actually
> would hide something in the source, all programmers working on the
> project would of course be in on it together. There are only a handful
> of them.

This is a reasonable concern, but I think you are oversimplifying the
assurance and risk management available to those who are not tech
savvy. If they are just going to look at one or two poorly researched
articles in a
blog/credentialed-news-publication/whatever-medium-you-want that
confirm their expectations, well there's not much more you can do to
help them. Whether they trust you or not, their beliefs will not be
very well grounded.  But if they do have the interest and time (lucky
them), they don't have to be able to read the source code themselves
or pay someone (and why trust the guy you are paying to read it
anyway?, and how do you know that this is the code running on all of
the relays out there?, or the code you downloaded, and ...)
There are good answers to the latter of these for people who
are tech savvy, but how do you get trust those answers short of
a significant self-education? Here are just a few of many possible
ways.

The Tor source is available and people are encouraged to check it out,
but that's _not_ the whole story. Tor is also fairly well documented
(meaning that description of what the different parts of the source
code do is available) which encourages people to look at it more
than if it was just this pile of code goo to wade through.  And lots
of independent people _do_ look at the source code. One way you can
tell this is that they find mistakes, sometimes some fairly bad
ones. (Fortunately not too bad very often and generally fixed
quickly.) You can look at the posted history of the announced versions
https://lists.torproject.org/pipermail/tor-announce/ and see
acknowledgments of who found flaws and look them up. Lots of times
these are researchers at some reputed place. Lots of times these are
smart people with no credentials you would recognize. In either case
you could look them up and see who they are. Ask them their experience
reporting a flaw and getting it fixed and what their overall
impression of Tor is. You can do this even if you have no idea what
the flaw is that the release notes are saying they found or how the
Tor people fixed it.

There's also lots of academic researchers looking at Tor all the time
(somewhat overlapping the people looking at the source) and poking
holes in the design, the deployment etc. testing its strengths and
weaknesses, suggesting improvements, which often do get incorporated.
This is also all well documented and vetted by publication in
peer-reviewed scientific venues. It is also work done at reputed
institutions of higher learning in various countries, if you want
to base anything on that. You could contact the authors of these.
There are also people at places you've never heard of if you don't
trust people at big institutions.

If you don't know anyone you trust who is tech savvy, you could
contact your favorite computer science department by looking them up
on the web and ask around till you get directed to someone who knows
something about Tor and ask them.

Yes, maybe someone bogusly directed you to a simulated website of
Enormous State University with fake phone numbers in it, and whoever
you talk to there might inadvertently link you back to the Tor cabal
rather than getting some random professor or savvy student's opinion,
and maybe all those publication venues and researchers and
universities are in on it, and the supposedly independent researchers
who found code flaws were also in on it (or sock puppets created by
Roger to create credibility). But at some point you have to look at

Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread katmagic
On Mon, 21 Mar 2011 11:07:49 -0400
Paul Syverson  wrote:

> universities are in on it, and the supposedly independent researchers
> who found code flaws were also in on it (or sock puppets created by
> Roger to create credibility). But at some point you have to look at
> the size, diversity, and entrenchment of the conspiracy you think is

Mike Perry is the one who creates the sock puppets. See
https://trac.torproject.org/projects/tor/ticket/1967#comment:6 for
incontrovertible proof.

-- 
Please use encryption. My PGP key ID is E51DFE2C.




Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Nick Mathewson
On Mon, Mar 21, 2011 at 11:40 AM, katmagic  wrote:
> On Mon, 21 Mar 2011 11:07:49 -0400
> Paul Syverson  wrote:
>
>> universities are in on it, and the supposedly independent researchers
>> who found code flaws were also in on it (or sock puppets created by
>> Roger to create credibility). But at some point you have to look at
>> the size, diversity, and entrenchment of the conspiracy you think is
>
> Mike Perry is the one who creates the sock puppets. See
> https://trac.torproject.org/projects/tor/ticket/1967#comment:6 for
> incontrovertible proof.

Please, let's not introduce sarcasm to discussions like this.  It only
confuses people.

(For the uninitiated: Mike Perry and Ioerror are not the same person,
even if a guy says so with lots of exclamation points.)


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Martin Fick
--- On Mon, 3/21/11, Joe Btfsplk  wrote:
> It's a serious question.  Please save the "check the
> source code yourself" comments.  Open source code means
> literally nothing.

You have three choices when it comes to trusting 
something: 1) you can check yourself, 2) you can 
have someone you trust check, 3) you can trust 
an authority.

Having the source code enables option 1 and 2.  
Option 3 is pretty much useless if your concern 
is authority in the first place, no?

So like it or not, having the source code is more
useful than anything else anyone can propose.  It
is not perfect, but it is the ONLY recourse that
has even a remote chance of being useful against
trusting authority.

-Martin



  


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Klaus Layer
Joe Btfsplk  wrote on 21.03.2011:
> Again, WHY would Sam develop or fund technology that would make it 
> possible for * their enemies *  to communicate anonymously and 
> privately, possibly allowing them to plot against him, with ABSOLUTELY 
> no way to decipher that communication?
> 

Do you really think, that there is a one Sam who makes clear decisions 
regarding TOR? There is a very large organization (the US) consisting of many 
different people with many different opinions. Some of them don't like TOR, 
some thought it is an exciting research project and funded it, and others just 
don't care about it. 

Regards,

Klaus




Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Joe Btfsplk

On 3/21/2011 10:07 AM, Paul Syverson wrote:

> On Mon, Mar 21, 2011 at 02:43:22PM +0100, Anders Andersson wrote:
>> In a scenario where the military actually
>> would hide something in the source, all programmers working on the
>> project would of course be in on it together. There are only a handful
>> of them.
>
> This is a reasonable concern, but I think you are oversimplifying the
> assurance and risk management available to those who are not tech
> savvy. If they are just going to look at one or two poorly researched
> articles in a
> blog/credentialed-news-publication/whatever-medium-you-want that
> confirm their expectations, well there's not much more you can do to
> help them. Whether they trust you or not, their beliefs will not be
> very well grounded.  But if they do have the interest and time (lucky
> them), they don't have to be able to read the source code themselves
> or pay someone (and why trust the guy you are paying to read it
> anyway?, and how do you know that this is the code running on all of
> the relays out there?, or the code you downloaded, and ...)
> There are good answers to the latter of these for people who
> are tech savvy, but how do you get trust those answers short of
> a significant self-education? Here are just a few of many possible
> ways.
>
> The Tor source is available and people are encouraged to check it out,
> but that's _not_ the whole story. Tor is also fairly well documented
> (meaning that description of what the different parts of the source
> code does is available) which encourages people to look at it more
> than if it was just this pile of code goo to wade through.  And lots
> of independent people _do_ look at the source code. One way you can
> tell this is that they find mistakes, sometimes some fairly bad
> ones. (Fortunately not too bad very often and generally fixed
> quickly.) You can look at the posted history of the announced versions
> https://lists.torproject.org/pipermail/tor-announce/ and see
> acknowledgments of who found flaws and look them up. Lots of times
> these are researchers at some reputed place. Lots of times these are
> smart people with no credentials you would recognize. In either case
> you could look them up and see who they are. Ask them their experience
> reporting a flaw and getting it fixed and what their overall
> impression of Tor is. You can do this even if you have no idea what
> the flaw is that the release notes are saying they found or how the
> Tor people fixed it.
>
> There's also lots of academic researchers looking at Tor all the time
> (somewhat overlapping the people looking at the source) and poking
> holes in the design, the deployment etc. testing its strengths and
> weaknesses, suggesting improvements, which often do get incorporated.
> This is also all well documented and vetted by publication in
> peer-reviewed scientific venues. It is also work done at reputed
> institutions of higher learning in various countries, if you want
> to base anything on that. You could contact the authors of these.
> There are also people at places you've never heard of if you don't
> trust people at big institutions.
>
> If you don't know anyone you trust who is tech savvy, you could
> contact your favorite computer science department by looking them up
> on the web and ask around till you get directed to someone who knows
> something about Tor and ask them.
>
> Yes, maybe someone bogusly directed you to a simulated website of
> Enormous State University with fake phone numbers in it, and whoever
> you talk to there might inadvertently link you back to the Tor cabal
> rather than getting some random professor or savvy student's opinion,
> and maybe all those publication venues and researchers and
> universities are in on it, and the supposedly independent researchers
> who found code flaws were also in on it (or sock puppets created by
> Roger to create credibility). But at some point you have to look at
> the size, diversity, and entrenchment of the conspiracy you think is
> there. At some point there is only so much we can do to reassure
> you. (I'm talking about reassuring you that there is no
> conspiracy. That the stuff is good is a related but independent
> question that the above suggested checks should help with.)  If the
> above or some of the many other things you might do to check into it
> yourself without needing to understand the technology doesn't convince
> you, then probably you have already decided what to believe and no
> evidence is going to change that.
>
> And yes there's always things to do to improve
> transparency/trustability/usability/etc. People worth trusting
> probably have a processes to do that and a relatively independent and
> confirmable history of doing it.
>
> HTH,
> Paul



1st, a note.  I appreciate everyone's reply.  If some want to be a bit 
insulting or sarcastic, that's OK.  I'm not highly technically savvy in 
source code, but I've lived a long time & know a lot about typical modus 
operandi of many govts.   I've read all up thru Klaus Layer's post.


2nd, my reference to a TRUE back door in open source software was fairly 
tongue in che

Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Paul Syverson
On Mon, Mar 21, 2011 at 02:06:04PM -0500, Joe Btfsplk wrote:
> On 3/21/2011 10:07 AM, Paul Syverson wrote:
>> On Mon, Mar 21, 2011 at 02:43:22PM +0100, Anders Andersson wrote:
>>> In a scenario where the military actually
>>> would hide something in the source, all programmers working on the
>>> project would of course be in on it together. There are only a handful
>>> of them.
>> This is a reasonable concern, but I think you are oversimplifying the
>> assurance and risk management available to those who are not tech
>> savvy. If they are just going to look at one or two poorly researched
>> articles in a
>> blog/credentialed-news-publication/whatever-medium-you-want that
>> confirm their expectations, well there's not much more you can do to
>> help them. Whether they trust you or not, their beliefs will not be
>> very well grounded.  But if they do have the interest and time (lucky
>> them), they don't have to be able to read the source code themselves
>> or pay someone (and why trust the guy you are paying to read it
>> anyway?, and how do you know that this is the code running on all of
>> the relays out there?, or the code you downloaded, and ...)
>> There are good answers to the latter of these for people who
>> are tech savvy, but how do you get trust those answers short of
>> a significant self-education? Here are just a few of many possible
>> ways.
>>
>> The Tor source is available and people are encouraged to check it out,
>> but that's _not_ the whole story. Tor is also fairly well documented
>> (meaning that description of what the different parts of the source
>> code does is available) which encourages people to look at it more
>> than if it was just this pile of code goo to wade through.  And lots
>> of independent people _do_ look at the source code. One way you can
>> tell this is that they find mistakes, sometimes some fairly bad
>> ones. (Fortunately not too bad very often and generally fixed
>> quickly.) You can look at the posted history of the announced versions
>> https://lists.torproject.org/pipermail/tor-announce/ and see
>> acknowledgments of who found flaws and look them up. Lots of times
>> these are researchers at some reputed place. Lots of times these are
>> smart people with no credentials you would recognize. In either case
>> you could look them up and see who they are. Ask them their experience
>> reporting a flaw and getting it fixed and what their overall
>> impression of Tor is. You can do this even if you have no idea what
>> the flaw is that the release notes are saying they found or how the
>> Tor people fixed it.
>>
>> There's also lots of academic researchers looking at Tor all the time
>> (somewhat overlapping the people looking at the source) and poking
>> holes in the design, the deployment etc. testing its strengths and
>> weaknesses, suggesting improvements, which often do get incorporated.
>> This is also all well documented and vetted by publication in
>> peer-reviewed scientific venues. It is also work done at reputed
>> institutions of higher learning in various countries, if you want
>> to base anything on that. You could contact the authors of these.
>> There are also people at places you've never heard of if you don't
>> trust people at big institutions.
>>
>> If you don't know anyone you trust who is tech savvy, you could
>> contact your favorite computer science department by looking them up
>> on the web and ask around till you get directed to someone who knows
>> something about Tor and ask them.
>>
>> Yes, maybe someone bogusly directed you to a simulated website of
>> Enormous State University with fake phone numbers in it, and whoever
>> you talk to there might inadvertently link you back to the Tor cabal
>> rather than getting some random professor or savvy student's opinion,
>> and maybe all those publication venues and researchers and
>> universities are in on it, and the supposedly independent researchers
>> who found code flaws were also in on it (or sock puppets created by
>> Roger to create credibility). But at some point you have to look at
>> the size, diversity, and entrenchment of the conspiracy you think is
>> there. At some point there is only so much we can do to reassure
>> you. (I'm talking about reassuring you that there is no
>> conspiracy. That the stuff is good is a related but independent
>> question that the above suggested checks should help with.)  If the
>> above or some of the many other things you might do to check into it
>> yourself without needing to understand the technology doesn't convince
>> you, then probably you have already decided what to believe and no
>> evidence is going to change that.
>>
>> And yes there's always things to do to improve
>> transparency/trustability/usability/etc. People worth trusting
>> probably have a processes to do that and a relatively independent and
>> confirmable history of doing it.
>>
>> HTH,
>> Paul
>

Last comments for a while. (All I have time for, sorry.)  I'm just
going 

Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Joe Btfsplk

On 3/21/2011 2:39 PM, Paul Syverson wrote:

> On Mon, Mar 21, 2011 at 02:06:04PM -0500, Joe Btfsplk wrote:
> Last comments for a while. (All I have time for, sorry.)  I'm just
> going to respond to specific issues about system threats and the
> like.

I appreciate your comments & the work of all involved w/ Tor.  I read 
the papers you linked, though I've seen most of the material in various 
places.

> I will not join in the speculation about what governments do or why.

Perhaps you should, because at least one govt seems to be steering the 
boat.  Therein lies the problem (not you, specifically).  My comments & 
MAINLY questions, weren't about typical or even very sophisticated 
adversaries.  They concern WHY any govt would continue funding an 
anonymous communication project that in today's world, very real enemies 
can use against said govt, in a very real way, if the govt has no way to 
monitor it?  One should ask, "Why would they do that?"  It doesn't make 
sense unless there's more to the story.  Also, in terms of adversaries 
against something like Tor, any advanced, well funded govt dwarfs the 
most sophisticated adversaries.  Many govts have unimaginable technology 
& resources as well as legal (or not so legal) authority to demand info 
(from ISPs, etc.) that no typical adversary would.


The threat models, discussion of thwarting various attacks, safety in 
numbers, etc., are all based on assumptions like, 1) the adversaries 
don't have unlimited time, resources & $.  That assumption is out the 
window if an adversary is a large govt.
2) The adversary doesn't have access to (some) info going IN and OUT of 
a network like Tor.  Not valid for a govt.  They can get what they want 
from ISPs - and have.  The info may be encrypted going in, but they can 
see you're accessing a Tor node.  A large govt could ALSO monitor every 
single exit node (& may).


There's NO comparison between people looking at open code, universities 
or organizations doing small studies on flaws in Tor, etc., and 
capabilities of a large, advanced govt.  So please, I'm not talking 
about how many people or universities look at Tor.


Advanced govts no doubt have incredible technology regarding breaking 
encryption.  Not a typical adversary.  Since Tor was developed BY a 
govt, and since many talk about one of its greatest values is to allow 
people in "repressed" societies to communicate freely, the adversary 
those users need to be most concerned about, is probably the one MOST 
likely to breach Tor's anonymity.  I doubt most people think Tor's main 
purpose is to hide communication between two cheating spouses.


A govt helped develop Tor for SPECIFIC reasons (we probably don't know 
all of them) & still funds it.  Then for users around the world counting 
on Tor for protection from their govts, the govts would have to be 
considered as one of the main adversaries to Tor.  Either the US is 
really dumb for developing a system, perfect for enemies to use against 
them (kinda doubt that) or there's more to the story.


I don't pretend to know the answers, but know when to ask questions.  
For all I know, the US wants the enemy to use Tor for plotting, thinking 
they're anonymous, when they're not.  No one's answering my specific 
questions, possibly because if they knew them, they'd be in top level 
govt positions, sworn to secrecy.  For those doubting any of this has 
any merit, are you still waiting for them to find WMDs in Iraq?





Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Lucky Green
On 2011-03-21 16:17, Joe Btfsplk wrote:
[...]
> I don't pretend to know the answers, but know when to ask questions. 
> For all I know, the US wants the enemy to use Tor for plotting, thinking
> they're anonymous, when they're not.  No one's answering my specific
> questions, possibly because if they knew them, they'd be in top level
> govt positions, sworn to secrecy.

This thread has crossed into the unreasonable realm of conspiracy
theories akin to fears that jet aircraft dispense mind-controlling drugs
via their contrails. Let's call an end to this thread and move on to
more productive discussion about how to improve Tor for its users.

--Lucky


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Al MailingList
That's a very good point Klaus.

Joe - if you think the US Government is one big cohesive entity that funds
projects consistently from a single pool of resources and money then I would
politely suggest you may not have had much to do with them :P

Alfred

On 21 Mar 2011 16:27, "Klaus Layer"  wrote:
> Joe Btfsplk  wrote on 21.03.2011:
>> Again, WHY would Sam develop or fund technology that would make it
>> possible for * their enemies * to communicate anonymously and
>> privately, possibly allowing them to plot against him, with ABSOLUTELY
>> no way to decipher that communication?
>>
>
> Do you really think, that there is a one Sam who makes clear decisions
> regarding TOR? There is a very large organization (the US) consisting of
> many different people with many different opinions. Some of them don't like
> TOR, some thought it is an exciting research project and funded it, and
> others just don't care about it.
>
> Regards,
>
> Klaus


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Mike Perry
Thus spake Aplin, Justin M (jmap...@ufl.edu):

> On 3/20/2011 11:04 PM, Edward Langenback wrote:
> >Joe Btfsplk wrote:
> >>EVEN if it's not true, for me, Tor project has lost a good deal of its
> >>credibility through its associations.  Of course, no government would
> >>ever lie & neither would a company (AT&T, Ford, Google, R.J. Reynolds...).
> >If I'm not mistaken, not only has TOR had at least some government /
> >DOD funding from the start, the original project was started by the
> >military.
> 
> This is well-known, publicly-available, and frankly, *old* information. 
> Of course, Tor is an open-source project, so you're welcome to peruse 
> the source for any backdoors and compile it for yourself, just to be sure.

By the way, for people reading this doing advocacy in the field, this
is probably the worst justification you can give to people, even
technical people.

As soon as you tell someone to audit the code themselves, you are
placing a huge burden on their shoulders that they must deal with
somehow before they can trust it, even if they don't begin to believe
you are implicitly signaling something to them that you can't say out
loud.

Roger has spent a lot of time experimenting with people's reactions to
his answers to questions like "So, is tor secure?" or "Are there
really no back doors?" and the response that invariably freaked
already uneasy people out was "The source code is available. Check for
yourself."

Whenever he told people this, invariably they assumed that he was
secretly trying to tell them that there was in fact a backdoor, and
that he was implicitly asking them to find it. He actually got the
best responses when he essentially just told people, "Sure it's
secure. Trust me, I wrote it.".

AFAIK, though, he has not extensively tested the more nuanced response
that Paul gave in his replies. But I think that if you can shorten
that down, it can work too, possibly better.

For example: "Trust the community. So many different people have
worked on, volunteered for, attacked, reviewed, and researched
tor-related topics from so many different institutions and backgrounds
that it is *the* most extensively studied and independently reviewed
anonymous communications system ever designed, let alone built. This
makes it secure."

But perhaps the average person's eyes will *still* glaze over half way
through that sentence, and you may be better off starting with Roger's
empirical favorite of "Oh, trust me, it's secure" first :)


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Ali-Reza Anghaie
On Tue, Mar 22, 2011 at 3:16 AM, Mike Perry  wrote:
> For example: "Trust the community. So many different people have
> worked on, volunteered for, attacked, reviewed, and researched
> tor-related topics from so many different institutions and backgrounds
> that it is *the* most extensively studied and independently reviewed
> anonymous communications system ever designed, let alone built. This
> makes it secure."

Alright, I can understand your argument and you and Roger are speaking
from experience.

And I like this version of a FOSSH response. Thanks for the education, -Ali


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Mike Perry
Thus spake Joe Btfsplk (joebtfs...@gmx.com):

> On 3/21/2011 2:39 PM, Paul Syverson wrote:
> >On Mon, Mar 21, 2011 at 02:06:04PM -0500, Joe Btfsplk wrote:
> >Last comments for a while. (All I have time for, sorry.)  I'm just
> >going to respond to specific issues about system threats and the
> >like.

> I don't pretend to know the answers, but know when to ask questions.  
> For all I know, the US wants the enemy to use Tor for plotting, thinking 
> they're anonymous, when they're not.  No one's answering my specific 
> questions, possibly because if they knew them, they'd be in top level 
> govt positions, sworn to secrecy.  For those doubting any of this has 
> any merit, are you still waiting for them to find WMDs in Iraq?

Despite Lucky closing the thread in response to your conspiracy theory
in favor of more productive matters, I didn't get enough sleep last night
to be productive, so I feel like trying to inject some reason into
this thread.


To distill your argument down, you've said so far:

1. Tor was/is funded by a government.

2. Governments only act out of self-interest.

3. Governments often have ulterior motives.

4. Governments have inconceivable power.

You've argued that #1, #2, and #3 together means that Tor cannot be
trusted. It appears we may have dissuaded you from this, because of
the fact that so many other individuals and entities have also had a
hand in Tor research and development.

You seem to have somewhat independently argued that #4 means that Tor
cannot be trusted against (any) large government(s). This,
unfortunately, may be true for some governments. Extremely well funded
adversaries that are able to observe large portions of the Internet
can probably break aspects of Tor and may be able to deanonymize
users. This is why the core tor program currently has a version number
of 0.2.x and comes with a warning that it is not to be used for
"strong anonymity". (Though I personally don't believe any adversary
can reliably deanonymize *all* tor users, for similar reasons as
detailed here: http://archives.seul.org/or/dev/Sep-2008/msg00016.html
but attacks on anonymity are subtle and cumulative in nature).


The goal of Tor is to balance the interests of as many different
parties as possible to provide distributed trust, and to raise the
amount of resources that any one adversary must have before it can
compromise the network. Academic research also focuses on ways to
improve the network characteristics of tor to defend against
wide-scale observation (think dummy traffic and Paul's topology
research), but so far none of these approaches has proved either
robust or lightweight enough to actually deploy.

In fact, the best known way we have right now to improve anonymity is
to support more users, and more *types* of users. See:
http://www.freehaven.net/doc/wupss04/usability.pdf
http://freehaven.net/~arma/slides-weis06.pdf

This is also why it is not the case that point 2 means that Tor is
necessarily broken just because The Tor Project has done the legwork
to show these and other groups how a robust Tor is useful for them.
The Tor Project has done this because every new entity that believes
Tor is useful makes Tor stronger and more anonymous for every other
entity.

Most of the governmental entities that like Tor either like it because
they use it (think FBI stings, investigative research, and soldiers
deployed overseas), or because they understand that a "liberation
technology" like Tor is both great PR for them, and a great tool in
diplomacy and statecraft, to deploy in countries where it is clear
that better information flows will weaken or even topple unfriendly
rulers.

These are good enough first-order benefits to discount some ulterior
bait-and-switch conspiratorial motives, I believe. Couple this with
the fact that the real serious "cybersecurity" threats come not from
tor, but from sophisticated, well funded adversaries that have their
own botnets that can leverage the same properties of the Internet
that tor leverages, regardless of tor's existence.

Once this is understood, there isn't really a whole lot of downside to
government entities encouraging a stronger Tor that these entities
don't already have to deal with in other ways (such as better
information security).

Of course, it still is concerning that any entity that can fit into
argument #4 might be able to break tor, but hey, it's still 0.2.x.
We're working on it ;).



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread John Barker

On 22/03/2011, at 1:09 PM, Mike Perry wrote:

> You seem to have somewhat independently argued that #4 means that Tor
> cannot be trusted against (any) large government(s). This,
> unfortunately, may be true for some governments. Extremely well funded
> adversaries that are able to observe large portions of the Internet
> can probably break aspects of Tor and may be able to deanonymize
> users. This is why the core tor program currently has a version number
> of 0.2.x and comes with a warning that it is not to be used for
> "strong anonymity". (Though I personally don't believe any adversary
> can reliably deanonymize *all* tor users, for similar reasons as
> detailed here: http://archives.seul.org/or/dev/Sep-2008/msg00016.html
> but attacks on anonymity are subtle and cumulative in nature).


> I present to you this anonymously authored, non-peer reviewed
> communication to do with what you will. Should anyone actually cite
> this work in a published paper, I will ask my brethren to leave their
> garbage cans unmolested for the rest of their days.


Thanks, I think I am actually going to have to reference that.


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Paul Syverson
On Mon, Mar 21, 2011 at 10:09:43PM -0700, Mike Perry wrote:
> Thus spake Joe Btfsplk (joebtfs...@gmx.com):
> 
> > On 3/21/2011 2:39 PM, Paul Syverson wrote:
> > >On Mon, Mar 21, 2011 at 02:06:04PM -0500, Joe Btfsplk wrote:
> > >Last comments for a while. (All I have time for, sorry.)  I'm just
> > >going to respond to specific issues about system threats and the
> > >like.
> 
> > I don't pretend to know the answers, but know when to ask questions.  
> > For all I know, the US wants the enemy to use Tor for plotting, thinking 
> > they're anonymous, when they're not.  No one's answering my specific 
> > questions, possibly because if they knew them, they'd be in top level 
> > govt positions, sworn to secrecy.  For those doubting any of this has 
> > any merit, are you still waiting for them to find WMDs in Iraq?
> 
> Despite Lucky closing the thread in response to your conspiracy theory
> in favor of more productive matters, I didn't get enough sleep last night
> to be productive, so I feel like trying to inject some reason into
> this thread.
> 

I think you also did a nice job of finding the Tor relevance buried
therein. I'll respond to those parts where I think I might have
something to contribute.

> 
> To distill your argument down, you've said so far:
> 
[snip]
> 
> 4. Governments have inconceivable power.
> 
[snip]
> 
> You seem to have somewhat independently argued that #4 means that Tor
> cannot be trusted against (any) large government(s). This,
> unfortunately, may be true for some governments. Extremely well funded
> adversaries that are able to observe large portions of the Internet
> can probably break aspects of Tor and may be able to deanonymize
> users. This is why the core tor program currently has a version number
> of 0.2.x and comes with a warning that it is not to be used for
> "strong anonymity". (Though I personally don't believe any adversary
> can reliably deanonymize *all* tor users, for similar reasons as
> detailed here: http://archives.seul.org/or/dev/Sep-2008/msg00016.html
> but attacks on anonymity are subtle and cumulative in nature).
> 
> 
> The goal of Tor is to balance the interests of as many different
> parties as possible to provide distributed trust, and to raise the
> amount of resources that any one adversary must have before it can
> compromise the network. Academic research also focuses on ways to
> improve the network characteristics of tor to defend against
> wide-scale observation (think dummy traffic and Paul's topology
> research), but so far none of these approaches has proved either
> robust or lightweight enough to actually deploy.
> 
> In fact, the best known way we have right now to improve anonymity is
> to support more users, and more *types* of users. See:
> http://www.freehaven.net/doc/wupss04/usability.pdf
> http://freehaven.net/~arma/slides-weis06.pdf
> 

Distributing trust is also not just the number and diversity of users
(and relay providers) but how they are related in intentions and other
things. When going up against The Man*, you can't just assume a
uniform distribution on relays, users, and network links between those
wrt likelihood-of-being-run-by-a-hostile/resilience-to-attack/etc.
Which means numbers and even diversity isn't the whole picture. I go
into more on this in "Why I'm not an Entropist". It is also the basis
of the trust-based routing we have been working on, which is basically
how do you route if you consider the possibility that significant
portions of the network might be under the view/control of your
adversary even if the network has 1 relays.

And since I'm really going to try to resist responding any more to
this thread, Thanks Mike for your other message containing the stab at
a soundbite-sized and coherent expression of what I was trying to say
about how the non-tech-savvy could trust Tor with the best
justification to effort ratio.

> 
[snip]
> 
> Of course, it still is concerning that any entity that can fit into
> argument #4 might be able to break tor, but hey, it's still 0.2.x.
> We're working on it ;).

Right. See above.

-Paul

*My name for a nation-state/organized-crime/your-favorite-big-scary
adversary. Gratis to Nick for enthusiastically liking this name in a
partially related discussion on trust based routing models and thus
encouraging me to use it.


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Joe Btfsplk

On 3/22/2011 12:09 AM, Mike Perry wrote:

> To distill your argument down, you've said so far:
> 1. Tor was/is funded by a government.
>
> 2. Governments only act out of self-interest.
>
> 3. Governments often have ulterior motives.
>
> 4. Governments have inconceivable power.

Please, please - everyone (probably including me) is making the topic  
way more complicated than my main question.  No one's addressed the main 
question.  If there's no answer, that's fine.  Forget conspiracy 
theories.  If you have a plausible, possible explanation to one 
question, great.


Why would any govt create something their enemies can easily use against 
them, then continue funding it once they know it helps the enemy, if a 
govt has absolutely no control over it?  It's that simple.  It would 
seem a very bad idea.  Stop looking at it from a conspiracy standpoint & 
consider it as a common sense question.


Number 1 & 3 on your list are either fact or common knowledge.
# 2 - I didn't say govts ONLY act out of self interest.
# 4 is very likely for large govts - espec. for something like  
(electronically) monitoring internet traffic / email, listening to phone 
calls.  These actions are well documented in several countries.  It's 
not conspiracy - was well documented & investigated by US Congress & 
covered in documentaries.  Fact, not conspiracy.  How does that behavior 
relate to Tor?  Don't know - that's the question.



Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Joe Btfsplk

On 3/21/2011 6:38 PM, Al MailingList wrote:

> That's a very good point klaus.
>
> Joe - if you think the US Government is one big cohesive entity that
> funds projects consistently from a single pool of resources and money
> then I would politely suggest you may not have had much to do with
> them :P


Don't think that at all.  Don't believe I said anything that even
suggested that.  I'm speaking in general terms.  My comments also regard more
than one govt.  In any govt project, there could be one or dozens of 
depts involved.



Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Watson Ladd
On Tue, Mar 22, 2011 at 11:23 AM, Joe Btfsplk wrote:
> Why would any govt create something their enemies can easily use against
> them, then continue funding it once they know it helps the enemy, if a govt
> has absolutely no control over it?  It's that simple.  It would seem a very
> bad idea.  Stop looking at it from a conspiracy standpoint & consider it as
> a common sense question.

Because it helps the government as well. An anonymity network that
only the US government uses is fairly useless. One that everyone uses
is much more useful, and if your enemies use it as well that's very
good, because then they can't cut off access without undoing their own
work.

Sincerely,
Watson Ladd


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Gregory Maxwell
On Tue, Mar 22, 2011 at 11:23 AM, Joe Btfsplk wrote:
> Why would any govt create something their enemies can easily use against
> them, then continue funding it once they know it helps the enemy, if a govt
> has absolutely no control over it?  It's that simple.  It would seem a very
> bad idea.  Stop looking at it from a conspiracy standpoint & consider it as
> a common sense question.

I hesitated in responding because it's just so easy to run off an infinite
series of explanations. While any particular reason might not actually
be valid, there are enough plausible ones that your argument of
inconceivability cannot be supported.

E.g.

Because governments are not monolithic entities, because people don't have
perfect foresight, because the benefit to your interests can outweigh
the benefit against your interests, and communications technology arguably
disproportionally benefits larger groups.

Interests outweighed:  Funding something like TOR may be the most cost
effective way to achieve a particular end. In particular, a US government
only anonymity network would likely not be very useful ("I don't know who
this is, but it's a fed").  Regardless of it helping the enemy too, it
can still be a net win to support.

Not monolithic entities:  If you have an organizational unit charged with
accomplishing X they will work to accomplish X. Sometimes they may work
so hard at it that they stop another unit from accomplishing Y, even if Y was
more important to the overall mission.  This happens frequently in
all kinds of large organizations.

No perfect foresight:  It's not always obvious to everyone that some move
may turn net negative in the future. E.g. the US supporting the Taliban.
(http://en.wikipedia.org/wiki/Taliban#United_States)

Larger groups:  If just you and I want to communicate with secrecy we
can do so without something like TOR— we can send coded messages hidden
in innocuous usenet posts or Wikipedia articles. The value of a network
is related more to the square of its communicating members. If you're the
bigger party it can help you more than it helps your smaller enemies.


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Kasimir Gabert
Hi Joe,

On Tue, Mar 22, 2011 at 9:23 AM, Joe Btfsplk wrote:
>
> Please, please - everyone (probably including me) is making the topic  way
> more complicated than my main question.  No one's addressed the main
> question.  If there's no answer, that's fine.  Forget conspiracy theories.
>  If you have a plausible, possible explanation to one question, great.
>
> Why would any govt create something their enemies can easily use against
> them, then continue funding it once they know it helps the enemy, if a govt
> has absolutely no control over it?  It's that simple.  It would seem a very
> bad idea.  Stop looking at it from a conspiracy standpoint & consider it as
> a common sense question.

The US government is a very large group of individuals which extends
beyond the DoD / CIA / etc borders that I believe you may only be
considering.  For example, consider the NSF.  The NSF is a US
government agency that will fund large amounts of research which have
nearly or entirely no return to the US government directly[1]. I'm
very certain that many of the NSF projects can in fact be used by
anyone---the resulting research is published
internationally---regardless as to whether they are working in the US
government's classified world or whether they are working for US
enemies.

Tor is funded in part by the NSF[2], but obviously not extensively.
The NSF is just a counter example to your claim.

I'm only discussing your use of the word ``[US] government'', but the
same idea will apply to nearly every relatively large subtree within
the US government.  Of course, if Tor was only funded from one
subtree, say the imaginary "US Monitoring Internet Communications
Agency" then you might have some reason to be concerned.

Take care,
Kasimir


[1] http://www.nsf.gov/pubs/1999/nsf99172/nsf99172.htm
[2] https://www.torproject.org/about/sponsors.html.en

-- 
Kasimir Gabert


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Joe Btfsplk


On 3/22/2011 11:38 AM, Kasimir Gabert wrote:

> Of course, if Tor was only funded from one
> subtree, say the imaginary "US Monitoring Internet Communications
> Agency" then you might have some reason to be concerned.
>
> Take care,
> Kasimir

No idea why funding from one source is an issue.  Not a requirement for 
an organization or project to do well or go south.


Some of Watson's, Gregory's & Kasimir's possible explanations are at 
least plausible.  They may not be correct, but who's to say - & they 
didn't require conspiracy.
I'm not quite as naive as some seem to think.  When I refer to
"govt(s)", I mean whichever dept(s) are involved in a specific
endeavor.  Even diff depts involved in same project may not agree.  
That's weakly related to my question.


The point about supporting the Taliban is well taken.  That's happened 
many times.  So are several others - like govts in general, making bad 
decisions.
One of my main questions was about, if Tor is * indeed * anonymous to 
govts in general, it is one of the most powerful tools for terrorist 
groups (not nations).  Now, if one wants to argue that govt agencies 
being able to communicate w/ whomever outweighs terrorist groups being 
able to communicate openly, constantly, w/o fear of intercepted info - 
how can I argue?   I'm not sure  most advanced countries are that 
stupid.  Don't know the answer, but know there's usually more than meets 
the eye.


Doesn't matter who ALL funds Tor (or any project); what matters is who 
is / can do what w/ the technology or info.  It's great lots of people 
fund it, but doesn't prove anything one way or other.
Saying that there's a possibility govtS know (or can do) more about 
intercepting ANY kind of anonymous communications than the developers, 
universities, private researchers THINK that govts know, is no more a 
conspiracy theory than the (now) fact that individuals or depts working 
on the A bomb did not know what the other depts were doing, or how it 
would all fit together.  That was for the purpose of national security.  
They would be the same w/ Tor or any other technology - protect the
national security.


To say the same thing as in WWII hasn't repeatedly happened or won't 
continue to, is naive - for Tor or anything else.  I DON'T KNOW if ANY 
govt, anywhere can intercept Tor communications.  *If*  they could, I 
know no govt(s) agencies or developers would be allowed to say so.  Like 
I said, it's a hard sell.  People are still waiting for WMDs to be found 
"over there," because that's what they were told.


Good night & have a pleasant tomorrow.


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Michael Reed

On 03/22/2011 12:08 PM, Watson Ladd wrote:

> On Tue, Mar 22, 2011 at 11:23 AM, Joe Btfsplk wrote:
>
> > Why would any govt create something their enemies can easily use against
> > them, then continue funding it once they know it helps the enemy, if a govt
> > has absolutely no control over it?  It's that simple.  It would seem a very
> > bad idea.  Stop looking at it from a conspiracy standpoint & consider it as
> > a common sense question.
>
> Because it helps the government as well. An anonymity network that
> only the US government uses is fairly useless. One that everyone uses
> is much more useful, and if your enemies use it as well that's very
> good, because then they can't cut off access without undoing their own
> work.


BINGO, we have a winner!  The original *QUESTION* posed that led to the 
invention of Onion Routing was, "Can we build a system that allows for 
bi-directional communications over the Internet where the source and 
destination cannot be determined by a mid-point?"  The *PURPOSE* was for 
DoD / Intelligence usage (open source intelligence gathering, covering 
of forward deployed assets, whatever).  Not helping dissidents in 
repressive countries.  Not assisting criminals in covering their 
electronic tracks.  Not helping bit-torrent users avoid MPAA/RIAA 
prosecution.  Not giving a 10 year old a way to bypass an anti-porn 
filter.  Of course, we knew those would be other unavoidable uses for 
the technology, but that was immaterial to the problem at hand we were 
trying to solve (and if those uses were going to give us more cover 
traffic to better hide what we wanted to use the network for, all the 
better...I once told a flag officer that much to his chagrin).  I should 
know, I was the recipient of that question from David, and Paul was 
brought into the mix a few days later after I had sketched out a basic 
(flawed) design for the original Onion Routing.


The short answer to your question of "Why would the government do this?" 
is because it is in the best interests of some parts of the government 
to have this capability...  Now enough of the conspiracy theories...


-Michael


Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-22 Thread Joe Btfsplk

On 3/22/2011 3:57 PM, Michael Reed wrote:

> BINGO, we have a winner!  The original *QUESTION* posed that led to
> the invention of Onion Routing was, "Can we build a system that allows
> for bi-directional communications over the Internet where the source
> and destination cannot be determined by a mid-point?"  The *PURPOSE*
> was for DoD / Intelligence usage (open source intelligence gathering,
> covering of forward deployed assets, whatever).  ...
> The short answer to your question of "Why would the government do
> this?" is because it is in the best interests of some parts of the
> government to have this capability...
>
> -Michael

Very interesting, Michael.  You were a part of it (or knew of it) & it 
was because govt intelligence (you are aware many - not me - call that
an oxymoron :)) wanted a system they could use for various purposes,
where the source & destination can't be determined by one of the mid points?


That does make sense.  BTW, I never said conspiracy - others did.  
Besides, many use the word or concept incorrectly.  A govt developing 
technology to use in defending the country isn't a conspiracy.  Covering 
up illegal activities, for instance, would be a conspiracy (like 
Watergate).  If some govt has figured out how to "decode" Tor traffic 
(or use it to great advantage) to thwart terrorists, that's not conspiracy.


I'm going out on a limb to say that US intelligence does not believe Tor
gives terrorists a great advantage - for whatever reason(s), or else
they'd shut it down, or at least stop funding it.  But then, we & other
countries continue supplying arms to groups in various conflicts, which
they often shoot back at us.   That said, an earlier poster's
comment about lack of foresight may apply.  It would seem that enemies
*might* benefit from it as much as govts, unless govts are capable of 
more than many think they are.  No one, except people w/ high level 
clearance (perhaps various countries) knows the full answer to that, and 
they're not talking.


They thought the A-bomb was a good idea & no other country would get the 
technology.  Huh.  I was on the fence on that one.
It *may* be much like other ideas, such as the famous introduction of 
cats to an island, where they had no natural enemies.  It almost 
destroyed the island's ecosystem.

http://edition.cnn.com/2009/WORLD/asiapcf/01/12/eco.macquarieisland/

For "what did you think might happen" sorts of things that individuals & 
govts do, I now reference them as "Introducing Cats to an Island" 
principles.  Ideas that sound good at 1st, except for forgetting to ask 
(and seriously ponder) the most important question of all, "What's the 
worst that can happen if we..."
"Hey, let's build nuclear reactors on major fault lines all over the 
world."  "Yeah, that sounds good."


Good night Mrs. Calabash, wherever you are.



Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-25 Thread grarpamp
> I have done some work myself on understanding and trying to counter
> endpoint eavesdroppers in both theory
> "More Anonymous Onion Routing Through Trust"
> www.cs.utexas.edu/~ajohnson/publications/trusted_sets-csf09.pdf
> and practice
> "AS-awareness in Tor Path Selection"
> http://www.cs.rpi.edu/~edmanm2/ccs159-edman.pdf

More things to consider when constructing paths...
http://www.freelists.org/post/torservers/Rokabear-Icelandic-Hosting-for-Tor,8