Cheers for this, I'm the author - AMA! :) A big motivation in writing the book was to feature the voices of the people we often don't hear from in the Tor community (which is why there's a whole chapter on the people who run the relays).
It seems antithetical to the spirit of releasing a book about Tor and "future of privacy", and to then not only watermark each PDF, but to not explicitly state that this is the case, let alone explain why.
andirk 10 days ago [-]
And several analytics type of tracking pixels on the page as well. Not a big deal nor likely controllable by the author.
Zuiii 8 days ago [-]
I initially read this as there being tracking pixels in the PDF. I'm hate that I have to ask this, but are tracking pixels a thing in the PDF format? (Execluding embedded js, ofc)
Can PDFs be crafted such that they would ping remote servers when opened in most PDF viewers?
ametrau 9 days ago [-]
It's the mit press who's publishing it no? I very highly doubt the author has access to tracking decisions made by the org putting the work out.
giancarlostoro 10 days ago [-]
Watermark? In the original link the thread is based on, there is no watermarks, its probably something the publisher that sells is just happens to do.
matthberg 9 days ago [-]
I agree it seems a bit scummy, yet likely unavoidable for the author due to the way MIT Press distributes things.
It's thankfully licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0, which allows for converting the content to other formats (given attribution and non-commercial use, same license, etc etc) [0]. I'd reckon that making a de-fingerprinted version and redistributing it as an epub, md, or pdf again would be allowed, then.
As for getting a clean copy to work from, using Tor would be quite fitting. I plan to convert the version I downloaded to epub for ereader use, maybe downloading it a couple times over different routes and combining to see if that has any impact on the fingerprinting. I'll comment with a download if I get to that and feel it's of a quality worth sharing.
What are your thoughts on the integrity of the network against state actors?
susan_segfault 10 days ago [-]
There's a lot in the book about this - it depends what you mean. Tor has a lot of social and technical design elements that try as best they can to minimise this risk. It would be pretty hard for intelligence services to compromise the Tor organisation in ways that meant they were deploying malicious code, for example. Plus, the way it's grown over the years has also given them some protections.
In terms of deanonymising people through surveillance (for example, by spying on the whole Internet and tracing you through the Tor network), Tor explicitly doesn't protect you against this. The decision was made early on - they switched all the high-security design elements to 'off' to make the network faster. They calculated that a hyper-secure network that was so slow no-one used it was less secure - i.e. made less privacy exist in the real world - than one that was less secure but used by millions, because that would give you a huge crowd of people to hide in. This gets really complicated - because you also want lots of different kinds of people using the network, so they can't tell if you're a drug dealer, an activist, a spy etc. just because you're using Tor.
Individual bits of major intelligence organisations can probably deanonymise you at some times, and not at others. The real question is if they can do so in a way that's dangerous to you in a sustained way, and if it's actually useful for them to do this. Usually, it's easier to do this through simpler mechanisms (bribing your friends, putting a camera in your bedroom, figuring out who you are etc.) than compromising the Tor network. Some security services absolutely will be researching and developing ways to deanonymise larrge numbers of Tor users at a given time - but in general, the budget for this is going to be quite high on a per-user basis (so you'd have to be a prime target for it to be worth it), and a lot of the complexity of the Internet geography makes this quite hard itself.
Ultimately, for any given high value target, there are usually easier ways to get them than through breaking Tor. In almost every case, a person will make a basic OPSEC error long before mass-scale traffic analysis gets them.
generalizations 10 days ago [-]
The scenario that I understand is more plausible, is when state level actors might control some large fraction of tor nodes. Not that they have visibility into the entire internet (not ruling that out, though). The rule of thumb I've heard is that if you're a sufficiently valuable target, best assume Tor is compromised.
belorn 9 days ago [-]
Controlling a large fraction of tor nodes is possible, but there is a large cost associated with it. Tor has a reputation system when it comes to nodes, and in order to gain a large fraction of tor nodes you need to continuously have a presence for a long period of time. Having such long term presence also risk gaining visibility and become detected, and require good and consistent secops. As the network expands this also mean the attacker need to expand in equal rate.
It is a assumed vulnerability of the network. The biggest question is if any state actor would consider it economical to do it compared to alternative methods. Personally I suspect that it is actually cheaper to have visibility into the entire internet, since that method bring value beyond tor and you do not need major secops to pull it off.
generalizations 9 days ago [-]
Wouldn't the long term cost of doing that be amortized over all the potential targets it would help provide information on? Seems like it would be a valuable capability to maintain in the long term. Hundreds or even thousands of tor nodes would likely be a minor fraction of the budget of whichever state actor cared about doing that.
jazzyjackson 9 days ago [-]
"don't become an enemy of the state" is my go-to security posture
llmblockchain 7 days ago [-]
"don't become an enemy of any state" which is a little trickier.
geraldhh 9 days ago [-]
same, though there are ppl that become so by chance or occupation
barbariangrunge 8 days ago [-]
What about whistleblowers?
generalizations 9 days ago [-]
I mean, the upstream question we're discussing is whether tor is appropriate if your threat model includes state actors.
CommitSyn 9 days ago [-]
If you have a suspected target and you can shape traffic on the internet (state actor) there's a much easier way to gain access to the websites visited by your target than by controlling a large number of nodes. It's still noisy, but doesn't generate any scary warnings in tor browser (unless you look at the logs, or pay attention to your connected nodes like with the Onion Circuit GUI in Whonix).
Use a DoS attack against nodes, like the 2-3 years ongoing attack which has lately progressed to a 100% CPU usage DoS against any targeted node. You still have to control a decent number of nodes, but you simply DoS (or DDoS, much noisier) the nodes that your target is connecting to. Once you have them connected to your guard, relay, and exit nodes, you continue the DoS on other nodes until you get the data you need - shorter time is better. I believe this method is being used currently, as I read a post from someone about it recently and noticed something similar happening when I started paying attention to nodes, although it seems it may have stopped for now.
I'm sure there are many vulnerability chains being exploited in tor. Here's an interesting tidbit from the Snowden leaks, which most people took that screenshot of "tor stinks :(" to mean it's safe. At least with JavaScript completely disabled, right?
> Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.
> According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for Javascript. This vulnerability exists in Firefox 11.0 – 16.0.2, as well as Firefox 10.0 ESR – the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but NSA were confident that they would be able to find a replacement Firefox exploit that worked against version 17.0 ESR.
The Quantum system
> To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.
> In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.
> They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.
> The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".
It's quite clear to me the US (and the other major Western players) are preparing for a large-scale war and know a great deal of spies are already living in the country. Warrantless wiretaps for any connections outside of the USA, and mandatory KYC for any cloud providers (VPS etc) within the US. In other words, the surveillance dragnet is now operating at a complete and full scale. Privacy is dead. If you would like to be an activist or give valid criticisms of the government, just know that your devices are likely going to be hacked and your communications decrypted. Airgapped computers may for now be safe with a faraday cage and components stripped out. Mesh networks like Briar are only useful as long as your phone is secure.
I assume that TOR is vulnerable to the 51% attack? If so I would imagine that state actors have the ability to spin up a million containers each hosting a node and easily take control (or at least be able to start tracing connection from entry to exit node).
However Im sure this would be immediately obvious (unless they have been slowly doing this since the begining of TOR)
bombcar 10 days ago [-]
IIRC there is at least one known case where a moderately major criminal was let go rather than the government disclosing how they got the evidence on him. The assumption has been that they had a way of compromising TOR that they didn't want to reveal.
generalizations 10 days ago [-]
One implication of that - make sure there's no available means of parallel construction, and it's ok if they catch you in some way they don't want to reveal. As long as you're not valuable enough, that is.
bombcar 10 days ago [-]
That's the real bar for any security, really - make it so it's not worth the while of people who could defeat it.
Because eventually, no matter what you do, if you're up against a nation state, they'll just make you dead.
10 days ago [-]
tarruda 10 days ago [-]
One thing I'm curious about Tor: What are the incentives for running a node?
If there are no monetary incentives, then how does it achieves decentralization? Also, what stops a malicious actor with enough resources (a government) from controlling a big portion of the network?
susan_segfault 10 days ago [-]
(with the understanding that I'm only speaking for what I found, not for the Tor project or the relay community)
Most of the people I spoke to saw themselves as providing a service - they wanted to help do something to bring a particular kind of future Internet about and found it rewarding to be a part of that. A number of them found the act of running a relay interesting and fun in itself - something they could get better at. Plus, membership of the relay community itself (especially now) is a kind of shared experience of community - and that's attractive to people in itself.
In terms of malicious actors, Tor does a lot to avoid this, from hunting down bad relays actively, monitoring the network as best as it can, continuously developing the algorithms which select routes through the network, and other mechanisms, like forcing relays to operate for a while before they get trusted with a lot of connections.
janandonly 9 days ago [-]
> from hunting down bad relays actively
If there is a mechanism to block , let’s say, CSAM, then the same mechanism can be used to block dissident political speech, no?
DisgracePlacard 9 days ago [-]
AFAIK there is no mechanism for content blocking. The "bad relays" are relays that deanonymize, store,
delay, or in any other way hamper user's traffic.
LordDragonfang 10 days ago [-]
People can do things altruistically - there doesn't always need to be a bitcoin-style monetary incentive. Lots of people run exit nodes because they believe in privacy and freedom of information.
That said, you're absolutely right about large entities being able to control a large number of nodes, which is why a great number of nodes are controlled by governments trying to do so and also prevent foreign adversaries from being able to.
tredre3 10 days ago [-]
> Lots of people run exit nodes because they believe in privacy and freedom of information.
I used to do that. But I've ultimately decided that the prospect of fighting accusations of abuse or crimes committed through my network wasn't that enticing. Proponents will try to downplay the risks by using vague ideological nonsense like "don't worry, an IP doesn't legally represent a person ;)" which, even if true, won't prevent a rather unpleasant ordeal.
Running a relay is likely fairly low-risk and still a good thing for the network, though.
Dunedan 10 days ago [-]
> People can do things altruistically - there doesn't always need to be a bitcoin-style monetary incentive.
For a few years Oniontip [1] allowed tipping Tor relay operators with Bitcoin. In my opinion that was a quite nice combination of technologies, as it allowed to anonymously tip operators of a service providing anonymity on the internet.
Bit coin is not anonymous. It is literally a ledger of every transaction ever made. Monero is what you want if you value anonymity.
LordDragonfang 10 days ago [-]
I mean, bitcoin is a lot more anonymous if you host your own wallet and don't cash out through an exchange (or don't cash out at all) - you're just a number. That's definitely not the modal use case today (where its primary use is as a vehicle for ~~gambling~~financial speculation denominated in dollars), but was a lot more common 10 years ago when that project was created.
llm_trw 9 days ago [-]
Or you just use a crypto currency with anonymity build in.
LordDragonfang 9 days ago [-]
Sure, but that was probably pretty hard to do ten years ago when this was being developed, because, y'know, Monero didn't exist yet (or had only existed for a few months and had no users)
Also, bitcoin actually was more private back then, because KYC rules were much more lax.
6LLvveMx2koXfwn 10 days ago [-]
There are no incentives for running a Tor node except altruism and the perhaps nebulous claim that by doing so you will be making the network better.
There is nothing stopping a state actor controlling a large percentage of nodes thus increasing the likelihood that your anonymous communications are nothing of the sort.
Scoundreller 10 days ago [-]
But warring state actors competing with each other on that offers me some protection.
ykonstant 9 days ago [-]
Assuming they compete. If I were a state entity with a vested interest to compromise tor, I would cooperate with peers to that end, enemies or not. It is in every state's interest to have protocols in place for conditional cooperation with hostile states. At the agency or team level, these protocols can be quite effective.
After all, the field agents probably meet once or twice a year at some math/CS conference in France anyway.
anon012012 9 days ago [-]
And this is why governmental privacy is unethical... All should be open to peer review. For the people, and for the world.
ykonstant 9 days ago [-]
I don't see how this would help. Such protocols may not even be written down, but rather implicitly passed from mentors to mentees in security agencies. I am all for government transparency, but no amount of transparency will reveal that a cluster in Utah is in direct link with a cluster in St. Petersburg is in direct link with a cluster in Kiyv to provide unmasking services to their administrators.
These administrators can then launder the information to their respective agencies by means of any number of play-pretend activities you can write up for the transparency committee. The agency doesn't even need to (officially) know.
ghthor 10 days ago [-]
You can connect through a locally running node, which reduces latency to some degree.
spookie 10 days ago [-]
Aren't there ways to filter out untrusted nodes?
(Edit: I say this, but in reality I also think it's pretty safe to assume most are government controlled)
Scoundreller 10 days ago [-]
> What are the incentives for running a node?
It costs my ISP resources but I pay a flat rate. That would have value to me.
eddd-ddde 9 days ago [-]
Don't most ISPs have a bandwidth cap?
xandrius 9 days ago [-]
Not in EU.
chii 9 days ago [-]
if enough customers of the ISP do this, they will no longer charge a flat rate. It's just that some people manage to consume resources that other customers don't atm.
Scoundreller 9 days ago [-]
My ISP situation is olipolistic (and perhaps a colluding duopoly once you distill it down enough).
I’m confident it’s not an efficient market and they’re charging what the market can bare, not a tight markup over their actual costs.
bauruine 10 days ago [-]
There are no incentives. I'm pretty sure the vast majority does it for altruistic reasons. At least all those I've met. Many run relays with spare resources they pay for anyway. Others rent a cheap VPS to run a relay. $10 gives you a surprisingly large amount of bandwidth if you avoid the cloud like the plague.
Governments have other possibilities. Why should they run a relay if they can force the ISP to mirror the traffic of all relays to them?
rank0 9 days ago [-]
Can you expand on that last bit? I don’t understand how this compromises the entire network or any individual user. The ISPs only have layer 3 data in plaintext. We can perform timing/throughput analysis attacks against individuals, but not the entire network. These operations are VERY expensive/difficult.
bauruine 9 days ago [-]
Not an expert at all but from my understanding a traffic correlation attack doesn't require someone to run the relay he just needs to see what traffic enters and leaves it. So the German BND for example can just go to Hetzner (15% Tor traffic) and ask them to mirror the traffic of all relays to them. They don't have to run any relays themselves.
Alt227 has a point but the Tor network is centered around a handful countries where traffic is cheap and there aren't that many huge IXs and Tier 1 ISPs where much of the traffic flows through.
I'm not saying that this is done but it's IMHO more likely than state actors running thousands of relays.
rank0 9 days ago [-]
I think we have the same understanding. I read this as
“a state actor has the physical capabilities/resources to perform an attack that determines Alice was speaking to Bob.”
I totally agree. Im just pointing out that we still have layer 5 encryption to protect the contents of our messages. Also at that point, if you’re so important they would just grab a warrant and raid your home.
alt227 10 days ago [-]
Governments dont have authority outside of their borders. They cannot force foreign ISP to give over the same information. Therefore they could only mirror nodes on IP addresses issued to companies in their country.
throwaway48476 9 days ago [-]
Governments will just get other governments to let them tap their fiber.
alt227 9 days ago [-]
Right, like China and Russia are going to let USA tap their fibre?
throwaway48476 9 days ago [-]
Conveniently, tor nodes are blocked by the Chinese and Russian governments.
alt227 8 days ago [-]
Your post was 'Governments will just get other governments to let them tap their fiber.'
You have, conveniently, moved your point back to tor when I pointed out the folly of your statement.
throwaway48476 8 days ago [-]
The discussion is about tor. If you look at the countries where tor nodes are hosted fiber tapping is a relevant attack vector.
alt227 3 days ago [-]
And I was pointing out that governments need to be on particularly friendly terms to achieve this, which doesnt make it a universal attack vector.
By running a node you maintain tor you might use yourself. If tor goes away, you won't be able to use it.
mmcdermott 10 days ago [-]
Couldn't running an exit node be a cover for other activity? One that provides a reasonable doubt as to whether it was the operator or some other actor who did something unsavory from an IP address?
schoen 9 days ago [-]
I thought there was a classic statement from the Tor developers that you shouldn't do this, but the closest that I found on the site is the part about not running an exit node from home (as it might make law enforcement more interested in seizing your home computer).
also seems to imply that it might be useful to run a node to provide cover for your own traffic (though not an exit node in your home), but that it isn't known for sure how useful that is.
I think the core argument against your suggestion is (1) having your devices more likely to be seized is just plain harmful to you; (2) if you're personally doing something that law enforcement cares about, having your devices more likely to be seized increases you risk that they could discover that by seizing those devices; and (3) there may be traffic analysis techniques that law enforcement could use to distinguish between your own traffic and your exit traffic, like trying to correlate inbound Tor circuit activity with exit traffic, and attributing the traffic to you if it couldn't be matched up with an inbound circuit.
throwaway48476 9 days ago [-]
This is a bad idea because the police will break down your door based on IP.
It might be a good idea in a prosecution to raise reasonable doubt. Few people are willing to play punching bag for the police to find out. Also the general technical skill of the average cop and prosecutor is quite low.
dustfinger 10 days ago [-]
I have no significant knowledge of how TOR works, so I might be off the mark here. Perhaps one incentive is that by running your own node, you can utilize it as an entry or exit node for your own activities over TOR. By controlling either the entry or the exit node, you know that a bad actor does not control both of the nodes involved in your own usage. Just a thought. Maybe this strategy is flawed somehow. Please chime in and correct me if you see a flaw in this strategy.
electroly 10 days ago [-]
Nothing at all stops that, and there's scarce incentive for independent node operators. Indeed, it is commonly surmised that many node operators have a hidden incentive: they're explicitly trying to control enough nodes to deanonymize traffic because they are law enforcement agencies.
cess11 9 days ago [-]
You learn a lot, make friends and enemies, and get privileged access to a node.
It's also a bit like picking up trash when you're out for a walk, it's just a nice and proper thing to do to make society a better place to live in.
It seems, at the beginning of the 90s there were a lot of expectations in regard to DC-nets, considered to be a way better alternative to remailers of the time [1]. At least that's my impression after reading Tim May's FAQ (The Cyphernomicon) [2]. Any progress on this front?
This is a question I always find really interesting. There are still a lot of alternative systems circulating - often in the mid-latency space - which aim to solve design issues of Tor. Someone releases something intended to be a Tor killer every few years, but they rarely last. Tor still remains the only anonymity solution currently operating at global scale without depositing all your trust in e.g. a VPN provider, partly due to network effects (the installed size of the user base is its own protection, so any competitor system is going to perform worse at the outset regardless), the relative lack of tolerance for anything but the lowest possible latency, highest possible usability system for almost all users, and Tor's lasting success in establishing itself culturally as a global brand that can appeal differently to very different user groups. Tor's devs have also been very good at modularising and standardising the tech so it's been great at getting itself incorporated at the ground level of other technologies - and upcoming changes are only going to make that more the case. I do think that there's a good chance for other systems and models to take off that make different design decisions, but they would have a lot of economic, technical, and cultural barriers to circumvent. Not all of them are to do with the theoretical security of the system - for example, DC-net designs were always traditionally quite vulnerable to Denial of Service attacks via collision, and some of the best attacks against anonymity systems can use 'higher security' properties against them. There's a discussion of some of this in Chapters 4, 5, and 6 of the book if it's of interest - also a huge amount written about this by scholars in PETS, WEIS, and other conferences (and blogs, papers, textbooks etc. in cryptospace).
photochemsyn 9 days ago [-]
I don't think much of this writing style. What's the tor attack surface? Are all the tor boxes on the internet backdoored by the NSA? Is tor a honeypot or is tor not a honeypot?
As far as I can tell tor was designed by spooks to allow remote agents operating in foreign countries a means to communicate with headquarters without being traced. It was never designed to allow two entities to communicate anonymously. The metadata always gets exposed, doesn't it?
Using tor also violates the hide in plain view principle, which all real spooks adhere to religiously.
throwaway48476 9 days ago [-]
There was a guy in a dorm who thought he was anonymous using tor on the schools website. They caught him because it turns out he was the only one using tor. In some ways it is a honeypot.
LinuxBender 8 days ago [-]
He should have run tor from a VPS node and then created a SSH socks tunnel to reach it. It's common to see SSH sessions and large packets flowing through it could easily be SFTP. Even if someone should suspect anything it's still plausible deniability.
Capricorn2481 9 days ago [-]
Which story is this? I've heard a few famous stories of people getting caught using Tor, but none that were like this.
Yeah, that's the one I meant. It would've been fine if he was the only one using Tor, but:
- Guerilla mail let the FBI know it was being accessed with Tor (or they saw it in the email header)
- You have to login to use Harvard wifi with your student account, which means they could see who was using Tor.
If anything, Harvard wifi is the honeypot.
etc-hosts 8 days ago [-]
I think the takeaway from this is you can hide your origin from a web server, but if you use an uncommon pathway to the server, your traffic sticks out.
My memory of this case is that Harvard was able to easily determine who had recently used tor, possibly through netflow logs.
Same sort of thing used to happen with Signal traffic to their servers in AWS. I've been in countries where Signal does not work at all because the local government blocked Signal traffic after lobbying from companies that profit from expensive SMS charges.
I've read privacy activists stress that it's great that e2e encryption exists, but that intelligence agencies are mostly interested in the metadata (who you communicate with, how you communicate with them).
Capricorn2481 7 days ago [-]
Completely
Bu9818 8 days ago [-]
The take away of that story is: don't post a message from Tor that gives out the network that you're entering Tor from.
> Wealth and power, the complicity of institutions, governments and communities that ignore the rights of children and disbelieve and disempower them—all of these provide far better privacy protections for child sex abusers than the Tor relay network ever could.
Either the technology is good enough to make people anonymous despite their lack of wealth, power, complicity of institutions, or it's not. It can't be a weak technology only in the context of the biggest problem with Tor.
> Some pointed out that it was bizarre for Tor to condemn neo-Nazis using its network when it had been largely silent on the documented issues of child abuse... much of the negative reaction to the activist turn in Tor was motivated by a reactionary queasiness towards feminism.
Well yeah, that is bizarre. You're making it sound like, if we understood the tribe of college and graybeard libertarians better, compared to better-known, run-of-the-mill progressives and "intersectionality," then we can forgive how "bizarre" this sounds.
I don't think that stuff matters. The commentary from the operators makes the whole effort look insincere. I don't think that relay operator actually cares that much about Turkish dissidents or whatever. That operator is definitely interested in being dramatic and provocative. That's how most libertarian ideas sound. They could align in some ways with social justice, but its failure in the marketplace of ideas is as simple as insincerity + drama.
susan_segfault 10 days ago [-]
Those are fair points. I would argue that it's not the tech that's weak, but that the protection that powerful people get from institutions, local networks, status in their communities etc. often give them so much access to practical power that they essentially don't need anonymity - because these institutions protect them.
In terms of condemning particular use cases (or deciding not to), I'm more trying to represent a particular argument that some people make about Tor (and lots of other technologies) - i.e. that the tech itself shouldn't carry explicit values/politics, those should all be down to the users. The argument is particularly strongly made by some privacy advocates as they see things like Tor becoming the foundations of a new Internet - and hence needing the broadest possible base of support. There's obviously a lot of good arguments against this philosophy, but I figured I should try to represent the different ways people think about Tor in as good faith as possible.
Obviously sometimes when people argue that they just have an issue with feminist values - sometimes it is definitely disingenuous. But I think there was a wider moment in the Tor community - in which a lot of people were concerned about the transition to a much more professional NGO, more strongly aligned with liberal, 'digital democracy' visions of US geopolitics, and away from a more chaotic and anarchic coalition. While I think there was a clear need for Tor to change and this was as much about its place amid wider changes in the landscape of digital rights, US tech, and hacker politics as anything else, it does give us a way (I think) of understanding the conflicts and choices that might emerge in Tor and other privacy enhancing infrastructures in the future.
llm_trw 10 days ago [-]
>Obviously sometimes when people argue that they just have an issue with feminist values - sometimes it is definitely disingenuous. But I think there was a wider moment in the Tor community - in which a lot of people were concerned about the transition to a much more professional NGO, more strongly aligned with liberal, 'digital democracy' visions of US geopolitics, and away from a more chaotic and anarchic coalition. While I think there was a clear need for Tor to change and this was as much about its place amid wider changes in the landscape of digital rights, US tech, and hacker politics as anything else, it does give us a way (I think) of understanding the conflicts and choices that might emerge in Tor and other privacy enhancing infrastructures in the future.
Yes, you need to be a toxic slug or you will be eaten.
I was around for the transition and it was anything but clean. The only reason why tor didn't implode like women who code recently did is that it has a clear core product which the old developers kept chugging along despite the best efforts of the new 'professionals'.
doctorpangloss 10 days ago [-]
> because these institutions protect them.
All I am saying is that you could replace your antagonists in that line with "journalists" and you'd be like, "no wait, that's not true," and you'd be as wrong about journalists as anyone else.
Either there are some powerful institutions protecting journalists too, OR Tor is powerful enough to protect journalists. If it's not good enough for journalists, why bother? If it's good enough for journalists, listen, it's also good enough for criminals.
Anyway, some journalists are themselves powerful people! Maggie Haberman, John Carreyrou and Ronan Farrow are powerful people, and they don't need anonymity. There are powerless criminals too, I'm sure, who need anonymity to engage in criminal conduct without getting caught. You could live on an island with a Starlink Internet connection, literally divorced from institutions and communities, and you could engage in anonymous criminal activity with Tor, it would be your only way of doing that. It would be practicable and realistic. Where we really disagree is: I think the average person already lives in a metaphorical island, this isn't a fringe opinion, and thus no matter what they are doing, Tor is providing them not with anonymity - they are already anonymous in almost all ways that matter, already nobody cares what the average person is up to - Tor is providing them protection from law enforcement.
> chaotic and anarchic coalition
Those high drama characters were the only ones foolish enough to run exit nodes or relays. I am confident this is true but I have not investigated: not a single professional NGO employee or grant recipient, living in New York or Los Angeles, under the age of 40, is personally running a Tor exit node.
Those professionals are absolutely correct in their assessment that they would receive a much harsher punishment for so much as breathing on the third rail criminal activity on Tor compared to their colleagues who engage in some civil disobedience on highways here or there. And without exit nodes or relays, there's no Tor.
susan_segfault 10 days ago [-]
I would absolutely agree that there's journalists who get significant power and protection from their proximity to major institutions and centres of power. Tor is useful for protecting journalists in situations where they don't have access to that kind of protection. I would agree as you say that's also the case for people that it protects who want to commit really awful forms of harm (who might not have access to this kind of protection). But I'd argue that - in most cases - the majority of really serious and widespread forms of harm are able to exist because of their proximity to different kinds and systems of power. That's not always the case - and these systems of power can compete with one another - but I think it generally holds.
And given that the vast majority of online crime of all kinds isn't anonymous but goes entirely un-enforced against by law enforcement, I would argue that Tor's efforts to distribute power online make relatively little impact on the kinds of crime and harm we see online compared to a lot of other infrastructures built on top of the Internet. I've generally found the more I do this kind of research, the less convinced I am by technical fixes to major social problems - I don't think Tor is a 'fix' to the problem of power, but I think it opens up the battleground a bit for more different (and possibly more hopeful) kinds of future Internet to be built and asserted, that look less like the locked down and centralised versions we're being pitched just now. But I take your points and appreciate you engaging with the arguments in the book.
Actually the relay community is pretty diverse - they have some colourful characters but actually a lot of them are just IT professionals, activists, and people working for libraries or universities. They have come up with some ways (which I talk about in the book) of making them much less likely to get hassle for running an exit - and generally most exit relay operators proceed just fine.
doctorpangloss 6 days ago [-]
> Actually the relay community is pretty diverse - they have some colourful characters but actually a lot of them are just IT professionals, activists, and people working for libraries or universities.
Unless the son or daughter of an important politician, journalist or rich person, there are no pedigreed Ivy League people under 40 running exit nodes. No chance. There are tons of them working for NGOs. I am just trying to distill the cultural divide that people are really complaining about.
A great example of this is the Stanford student who won that journalism award, who was the son of a very important New York reporter. No chance a "normal" student would have gotten away with the campaign against the admins that he did, and yet, he gets the award! I mean bless his heart, but when talking about the most laudable aspect of Tor - protecting journalists - there's a complicated story there too, with bitter rivalries and dramas, that really characterize the "hair on fire" problem for most journalists.
ezbie 10 days ago [-]
[flagged]
ktbwrestler 10 days ago [-]
I don't think VPNs are the future of privacy in this context since whatever VPN tool you use or the service provider where you host your concentrator will always have to answer to a subpoena, right?
Zuiii 8 days ago [-]
I'd also add that VPNs require payment so you basically have to trust them not to link your payment details or use impractical payment methods (e.g. mailing cash) and even then, that too can have issues.
Tor, in contrast, Just Works and is always available (Brave browser).
joshlemer 8 days ago [-]
Well, there's always crypto.
ezbie 8 days ago [-]
Unless you're living a North Korea or Iran, I think there's no reason why the average Joe needs anything more than a VPN.
There's a use case for Tor and the likes, but in my mind 99.5% of the people who think they need it are criminals or extremists.
rnd0 8 days ago [-]
No offense meant, but that seems to be a bit of an extremist and borderline authoritarian posistion itself. "You don't need privacy if you have nothing to hide" right?
Rendered at 11:28:45 GMT+0000 (Coordinated Universal Time) with Vercel.
Why are the PDFs individually watermarked?
It seems antithetical to the spirit of releasing a book about Tor and "future of privacy", and to then not only watermark each PDF, but to not explicitly state that this is the case, let alone explain why.
Can PDFs be crafted such that they would ping remote servers when opened in most PDF viewers?
It's thankfully licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0, which allows for converting the content to other formats (given attribution and non-commercial use, same license, etc etc) [0]. I'd reckon that making a de-fingerprinted version and redistributing it as an epub, md, or pdf again would be allowed, then.
As for getting a clean copy to work from, using Tor would be quite fitting. I plan to convert the version I downloaded to epub for ereader use, maybe downloading it a couple times over different routes and combining to see if that has any impact on the fingerprinting. I'll comment with a download if I get to that and feel it's of a quality worth sharing.
0: https://creativecommons.org/licenses/by-nc-nd/4.0/deed.en#re...
In terms of deanonymising people through surveillance (for example, by spying on the whole Internet and tracing you through the Tor network), Tor explicitly doesn't protect you against this. The decision was made early on - they switched all the high-security design elements to 'off' to make the network faster. They calculated that a hyper-secure network that was so slow no-one used it was less secure - i.e. made less privacy exist in the real world - than one that was less secure but used by millions, because that would give you a huge crowd of people to hide in. This gets really complicated - because you also want lots of different kinds of people using the network, so they can't tell if you're a drug dealer, an activist, a spy etc. just because you're using Tor.
Individual bits of major intelligence organisations can probably deanonymise you at some times, and not at others. The real question is if they can do so in a way that's dangerous to you in a sustained way, and if it's actually useful for them to do this. Usually, it's easier to do this through simpler mechanisms (bribing your friends, putting a camera in your bedroom, figuring out who you are etc.) than compromising the Tor network. Some security services absolutely will be researching and developing ways to deanonymise larrge numbers of Tor users at a given time - but in general, the budget for this is going to be quite high on a per-user basis (so you'd have to be a prime target for it to be worth it), and a lot of the complexity of the Internet geography makes this quite hard itself.
Ultimately, for any given high value target, there are usually easier ways to get them than through breaking Tor. In almost every case, a person will make a basic OPSEC error long before mass-scale traffic analysis gets them.
It is a assumed vulnerability of the network. The biggest question is if any state actor would consider it economical to do it compared to alternative methods. Personally I suspect that it is actually cheaper to have visibility into the entire internet, since that method bring value beyond tor and you do not need major secops to pull it off.
Use a DoS attack against nodes, like the 2-3 years ongoing attack which has lately progressed to a 100% CPU usage DoS against any targeted node. You still have to control a decent number of nodes, but you simply DoS (or DDoS, much noisier) the nodes that your target is connecting to. Once you have them connected to your guard, relay, and exit nodes, you continue the DoS on other nodes until you get the data you need - shorter time is better. I believe this method is being used currently, as I read a post from someone about it recently and noticed something similar happening when I started paying attention to nodes, although it seems it may have stopped for now.
I'm sure there are many vulnerability chains being exploited in tor. Here's an interesting tidbit from the Snowden leaks, which most people took that screenshot of "tor stinks :(" to mean it's safe. At least with JavaScript completely disabled, right?
> Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.
> According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for Javascript. This vulnerability exists in Firefox 11.0 – 16.0.2, as well as Firefox 10.0 ESR – the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but NSA were confident that they would be able to find a replacement Firefox exploit that worked against version 17.0 ESR. The Quantum system
> To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.
> In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.
> They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.
> The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".
From https://www.theguardian.com/world/2013/oct/04/tor-attacks-ns...
Let's not forget about the NSA backdooring internet backbone routers and slurping data from undersea cables https://en.m.wikipedia.org/wiki/ANT_catalog
It's quite clear to me the US (and the other major Western players) are preparing for a large-scale war and know a great deal of spies are already living in the country. Warrantless wiretaps for any connections outside of the USA, and mandatory KYC for any cloud providers (VPS etc) within the US. In other words, the surveillance dragnet is now operating at a complete and full scale. Privacy is dead. If you would like to be an activist or give valid criticisms of the government, just know that your devices are likely going to be hacked and your communications decrypted. Airgapped computers may for now be safe with a faraday cage and components stripped out. Mesh networks like Briar are only useful as long as your phone is secure.
I wish I was simply being overly paranoid.
https://www.brennancenter.org/our-work/research-reports/refo...
https://torrentfreak.com/u-s-know-your-customer-proposal-wil...
https://www.ic3.gov/Media/Y2024/PSA240425
https://www.gov.uk/government/news/new-powers-to-seize-crypt...
DoS'ing a server and correlating timeouts is a well-known but still discernible technique.
Random delays and packet data have been added to help bugger against this and timing/padding/other side-channel attacks.
At this point most servers operate multiple random timeouts + blackouts + array of mirrors/jugglers to mitigate this de-anonymization technique.
https://xkcd.com/538/
However Im sure this would be immediately obvious (unless they have been slowly doing this since the begining of TOR)
Because eventually, no matter what you do, if you're up against a nation state, they'll just make you dead.
If there are no monetary incentives, then how does it achieves decentralization? Also, what stops a malicious actor with enough resources (a government) from controlling a big portion of the network?
Most of the people I spoke to saw themselves as providing a service - they wanted to help do something to bring a particular kind of future Internet about and found it rewarding to be a part of that. A number of them found the act of running a relay interesting and fun in itself - something they could get better at. Plus, membership of the relay community itself (especially now) is a kind of shared experience of community - and that's attractive to people in itself.
In terms of malicious actors, Tor does a lot to avoid this, from hunting down bad relays actively, monitoring the network as best as it can, continuously developing the algorithms which select routes through the network, and other mechanisms, like forcing relays to operate for a while before they get trusted with a lot of connections.
If there is a mechanism to block , let’s say, CSAM, then the same mechanism can be used to block dissident political speech, no?
That said, you're absolutely right about large entities being able to control a large number of nodes, which is why a great number of nodes are controlled by governments trying to do so and also prevent foreign adversaries from being able to.
I used to do that. But I've ultimately decided that the prospect of fighting accusations of abuse or crimes committed through my network wasn't that enticing. Proponents will try to downplay the risks by using vague ideological nonsense like "don't worry, an IP doesn't legally represent a person ;)" which, even if true, won't prevent a rather unpleasant ordeal.
Running a relay is likely fairly low-risk and still a good thing for the network, though.
For a few years Oniontip [1] allowed tipping Tor relay operators with Bitcoin. In my opinion that was a quite nice combination of technologies, as it allowed to anonymously tip operators of a service providing anonymity on the internet.
[1]: https://github.com/DonnchaC/oniontip
Also, bitcoin actually was more private back then, because KYC rules were much more lax.
There is nothing stopping a state actor controlling a large percentage of nodes thus increasing the likelihood that your anonymous communications are nothing of the sort.
After all, the field agents probably meet once or twice a year at some math/CS conference in France anyway.
These administrators can then launder the information to their respective agencies by means of any number of play-pretend activities you can write up for the transparency committee. The agency doesn't even need to (officially) know.
(Edit: I say this, but in reality I also think it's pretty safe to assume most are government controlled)
It costs my ISP resources but I pay a flat rate. That would have value to me.
I’m confident it’s not an efficient market and they’re charging what the market can bare, not a tight markup over their actual costs.
Governments have other possibilities. Why should they run a relay if they can force the ISP to mirror the traffic of all relays to them?
Alt227 has a point but the Tor network is centered around a handful countries where traffic is cheap and there aren't that many huge IXs and Tier 1 ISPs where much of the traffic flows through.
I'm not saying that this is done but it's IMHO more likely than state actors running thousands of relays.
“a state actor has the physical capabilities/resources to perform an attack that determines Alice was speaking to Bob.”
I totally agree. Im just pointing out that we still have layer 5 encryption to protect the contents of our messages. Also at that point, if you’re so important they would just grab a warrant and raid your home.
You have, conveniently, moved your point back to tor when I pointed out the folly of your statement.
Here, have an example:
https://www.telegraph.co.uk/news/worldnews/asia/japan/104090...
This question
https://support.torproject.org/relay-operators/#relay-operat...
also seems to imply that it might be useful to run a node to provide cover for your own traffic (though not an exit node in your home), but that it isn't known for sure how useful that is.
I think the core argument against your suggestion is (1) having your devices more likely to be seized is just plain harmful to you; (2) if you're personally doing something that law enforcement cares about, having your devices more likely to be seized increases you risk that they could discover that by seizing those devices; and (3) there may be traffic analysis techniques that law enforcement could use to distinguish between your own traffic and your exit traffic, like trying to correlate inbound Tor circuit activity with exit traffic, and attributing the traffic to you if it couldn't be matched up with an inbound circuit.
It might be a good idea in a prosecution to raise reasonable doubt. Few people are willing to play punching bag for the police to find out. Also the general technical skill of the average cop and prosecutor is quite low.
It's also a bit like picking up trash when you're out for a walk, it's just a nice and proper thing to do to make society a better place to live in.
You are workng for the FBI.
https://support.torproject.org/#about_why-is-it-called-tor
[1]: https://en.wikipedia.org/wiki/Anonymous_remailer
[2]: https://hackmd.io/@jmsjsph/TheCyphernomicon
As far as I can tell tor was designed by spooks to allow remote agents operating in foreign countries a means to communicate with headquarters without being traced. It was never designed to allow two entities to communicate anonymously. The metadata always gets exposed, doesn't it?
Using tor also violates the hide in plain view principle, which all real spooks adhere to religiously.
- Guerilla mail let the FBI know it was being accessed with Tor (or they saw it in the email header)
- You have to login to use Harvard wifi with your student account, which means they could see who was using Tor.
If anything, Harvard wifi is the honeypot.
My memory of this case is that Harvard was able to easily determine who had recently used tor, possibly through netflow logs.
Same sort of thing used to happen with Signal traffic to their servers in AWS. I've been in countries where Signal does not work at all because the local government blocked Signal traffic after lobbying from companies that profit from expensive SMS charges.
I've read privacy activists stress that it's great that e2e encryption exists, but that intelligence agencies are mostly interested in the metadata (who you communicate with, how you communicate with them).
Though do consider buying it if you like it!
Either the technology is good enough to make people anonymous despite their lack of wealth, power, complicity of institutions, or it's not. It can't be a weak technology only in the context of the biggest problem with Tor.
> Some pointed out that it was bizarre for Tor to condemn neo-Nazis using its network when it had been largely silent on the documented issues of child abuse... much of the negative reaction to the activist turn in Tor was motivated by a reactionary queasiness towards feminism.
Well yeah, that is bizarre. You're making it sound like, if we understood the tribe of college and graybeard libertarians better, compared to better-known, run-of-the-mill progressives and "intersectionality," then we can forgive how "bizarre" this sounds.
I don't think that stuff matters. The commentary from the operators makes the whole effort look insincere. I don't think that relay operator actually cares that much about Turkish dissidents or whatever. That operator is definitely interested in being dramatic and provocative. That's how most libertarian ideas sound. They could align in some ways with social justice, but its failure in the marketplace of ideas is as simple as insincerity + drama.
In terms of condemning particular use cases (or deciding not to), I'm more trying to represent a particular argument that some people make about Tor (and lots of other technologies) - i.e. that the tech itself shouldn't carry explicit values/politics, those should all be down to the users. The argument is particularly strongly made by some privacy advocates as they see things like Tor becoming the foundations of a new Internet - and hence needing the broadest possible base of support. There's obviously a lot of good arguments against this philosophy, but I figured I should try to represent the different ways people think about Tor in as good faith as possible.
Obviously sometimes when people argue that they just have an issue with feminist values - sometimes it is definitely disingenuous. But I think there was a wider moment in the Tor community - in which a lot of people were concerned about the transition to a much more professional NGO, more strongly aligned with liberal, 'digital democracy' visions of US geopolitics, and away from a more chaotic and anarchic coalition. While I think there was a clear need for Tor to change and this was as much about its place amid wider changes in the landscape of digital rights, US tech, and hacker politics as anything else, it does give us a way (I think) of understanding the conflicts and choices that might emerge in Tor and other privacy enhancing infrastructures in the future.
Yes, you need to be a toxic slug or you will be eaten.
I was around for the transition and it was anything but clean. The only reason why tor didn't implode like women who code recently did is that it has a clear core product which the old developers kept chugging along despite the best efforts of the new 'professionals'.
All I am saying is that you could replace your antagonists in that line with "journalists" and you'd be like, "no wait, that's not true," and you'd be as wrong about journalists as anyone else.
Either there are some powerful institutions protecting journalists too, OR Tor is powerful enough to protect journalists. If it's not good enough for journalists, why bother? If it's good enough for journalists, listen, it's also good enough for criminals.
Anyway, some journalists are themselves powerful people! Maggie Haberman, John Carreyrou and Ronan Farrow are powerful people, and they don't need anonymity. There are powerless criminals too, I'm sure, who need anonymity to engage in criminal conduct without getting caught. You could live on an island with a Starlink Internet connection, literally divorced from institutions and communities, and you could engage in anonymous criminal activity with Tor, it would be your only way of doing that. It would be practicable and realistic. Where we really disagree is: I think the average person already lives in a metaphorical island, this isn't a fringe opinion, and thus no matter what they are doing, Tor is providing them not with anonymity - they are already anonymous in almost all ways that matter, already nobody cares what the average person is up to - Tor is providing them protection from law enforcement.
> chaotic and anarchic coalition
Those high drama characters were the only ones foolish enough to run exit nodes or relays. I am confident this is true but I have not investigated: not a single professional NGO employee or grant recipient, living in New York or Los Angeles, under the age of 40, is personally running a Tor exit node.
Those professionals are absolutely correct in their assessment that they would receive a much harsher punishment for so much as breathing on the third rail criminal activity on Tor compared to their colleagues who engage in some civil disobedience on highways here or there. And without exit nodes or relays, there's no Tor.
And given that the vast majority of online crime of all kinds isn't anonymous but goes entirely un-enforced against by law enforcement, I would argue that Tor's efforts to distribute power online make relatively little impact on the kinds of crime and harm we see online compared to a lot of other infrastructures built on top of the Internet. I've generally found the more I do this kind of research, the less convinced I am by technical fixes to major social problems - I don't think Tor is a 'fix' to the problem of power, but I think it opens up the battleground a bit for more different (and possibly more hopeful) kinds of future Internet to be built and asserted, that look less like the locked down and centralised versions we're being pitched just now. But I take your points and appreciate you engaging with the arguments in the book.
Actually the relay community is pretty diverse - they have some colourful characters but actually a lot of them are just IT professionals, activists, and people working for libraries or universities. They have come up with some ways (which I talk about in the book) of making them much less likely to get hassle for running an exit - and generally most exit relay operators proceed just fine.
Unless the son or daughter of an important politician, journalist or rich person, there are no pedigreed Ivy League people under 40 running exit nodes. No chance. There are tons of them working for NGOs. I am just trying to distill the cultural divide that people are really complaining about.
A great example of this is the Stanford student who won that journalism award, who was the son of a very important New York reporter. No chance a "normal" student would have gotten away with the campaign against the admins that he did, and yet, he gets the award! I mean bless his heart, but when talking about the most laudable aspect of Tor - protecting journalists - there's a complicated story there too, with bitter rivalries and dramas, that really characterize the "hair on fire" problem for most journalists.
Tor, in contrast, Just Works and is always available (Brave browser).
There's a use case for Tor and the likes, but in my mind 99.5% of the people who think they need it are criminals or extremists.