On Thu, Jan 26, 2012 at 10:35:20AM +0200, Maxim Kammerer wrote:
> I see, so is that an optional feature that can be turned on by a MIX
> router operator once served by a surveillance order? It seems to me
> that it's an advantage over Tor, where relay operators can be served
> with an order and some Tor patches that they wouldn't be able to turn
> down due to the absence of a similar feature in Tor.

On Thu, Jan 26, 2012 at 06:07:39PM +0100, Moritz Bartl wrote:
> I would very much fight against authorities trying to force me into
> logging anything. There is no basis in German law for them to do so, and
> I don't see what properties they could specify to me other than "retain
> all connection data".

There is no such thing as "an order and some Tor patches that they wouldn't be able to turn down". You always have the option of stopping your relay.

If you fail to fight the request, you should shut down your relay, and then tell the world. Backdoored Tor relays will hurt the network -- and hurt the general fight to legitimize anonymous communication around the world -- more than they help it.

This was the trap that the JAP and Anon folks fell into -- and at the time their network was small enough that they basically had the choice of shutting down the network or deploying the backdoor. They reasoned that it was better to have a service that provided anonymity to some people than to have no service at all. The exact details made the decision even messier (for example, it involved the police basically threatening a university official at his house on a weekend; and the lawyers who had signed up to fight such requests were not thrilled that the backdoor was deployed without giving the lawyers enough time or warning to fight it).

Unfortunately, while "never install a backdoor; turn it off instead" is an easy heuristic to follow, it's not enough by itself to ensure Tor's anonymity. Remember that the best way to beat Tor is to observe both the traffic flow going into the Tor network and also the traffic flow leaving the Tor network, and then use statistics to realize they're correlated. So people with bad orders can just go a hop upstream from your relay, where your ISP generally cares more about its business than its users. And if you somehow have a better ISP than that, just go to *its* upstream.

The traffic confirmation attack is the best way to beat the mix cascade topology too -- and in that case there are fewer places to watch, and you know exactly which exit point to watch for a given entry point. Bad news.

But don't lose sight of the really big picture: the differences in philosophy and threat model between Tor and JonDoNym are much smaller than the differences between distributed-trust anonymity designs and a single-hop centralized proxy like hidemyass.com.

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk