[tor-project] "Capture the onion" + Tor village at next Defcon
Tom Ritter
tom at ritter.vg
Wed Jan 17 04:25:54 UTC 2018
Defcon's Call for Everything is now open, with a deadline of March 1.
https://defcon.org/html/defcon-26/dc-26-calls.html
-tom
On 5 September 2017 at 13:25, Tom Ritter <tom at ritter.vg> wrote:
> On 1 September 2017 at 17:09, Roger Dingledine <arma at mit.edu> wrote:
>> tl;dr I would like to (A) design a "capture the onion" contest to get
>> people trying to break the next-gen onion service protocol and code,
>> and run the contest at the next Defcon; (B) craft a funding proposal to
>> help us do A well; and (C) run a Tor village at the next Defcon too.
>
> I'm so glad you wrote this email. I lamented the lack of Tor exposure
> at Defcon this year, but didn't feel I was in a position to say
> anything.
>
> While I was briefly at Defcon this year, I wandered around the vendor
> area - which, if you've never been, is part vendors selling things
> like lockpicks and various hacking hardware like wifi pineapples and
> part charities and organizations like EFF, Calyx, ACLU. I had the
> overwhelming thought "Tor should be here."
>
> ---------
>
> I am completely sold on the idea of getting more representation at
> Defcon. I am not sold on the idea of a Capture the Onion contest being
> the best way to do it. Firstly, contests are a lot of work. I'm
> wondering how much attention and time developing and testing and
> reviewing it will detract from other efforts.
>
> Secondly, while I think we could be creative in finding ways to hide
> flags in a contest network, I think the number of flags that we would
> be able to hide that are 'Tor-specific' would be dwarfed by the number
> that are more general application-security or crypto-specific. Maybe
> the answer to this concern is just to brainstorm ideas for a few weeks
> and see what we come up with though.
>
> Thirdly - right now, the techniques used to perform attacks on .onions
> are public, but the code is not (AFAIK.) If we run this contest, we
> should expect this code to be published and expect to see an increase
> in the amount of relays we have to detect and block. The lack of
> public code is Security through Obscurity - obscurity doesn't provide
> protection, but it does reduce the amount of attackers you have to
> deal with. And we have to do manual work to counter each attacker.
> This isn't a terribly strong point (maybe by next summer a whole suite
> of attack tools on .onions will be published and it doesn't matter if
> two more are floating around) - but I wanted to mention it. Especially
> if we intend to keep the old-style onions limping along for multiple
> years. (Alternately this would accelerate their obsolete.)
>
> Fourthly, I am also worried about the maintenance of the contest
> infrastructure. If we can't keep it up and running, and debug
> problems, the contest will flop.
>
> Finally, I'm worried about participation. Some people will play in the
> contest, but the number of people who we reach with the contest will
> be two or three order of magnitudes smaller than the number we reach
> through efforts like a vendor table or the village. (And I think we
> should direct our efforts appropriately.)
>
> I like Part B2 - if the goal of the contest is to give a focus on
> getting the new .onion code reviewed, I think it would be more
> effective to do a Pwnium style contest/prize. Pwnium was Google's old
> contest (which ran for months) giving enhanced payouts on certain
> targets.
>
> If the goal is to get more Tor mindshare at Defcon, I think a contest
> would do that, but I'm not certain it hits the right balance of return
> on investment.
>
> ---------
>
> I love the idea of a village, especially an evening village (I'm
> imaging something like 5 to 10 or 11.) I think we should definitely
> make it more than a just 'hang out with Tor' space. I think we can
> come up with a lot of things we could do here; and we should aim to
> have both 'active' and 'passive' experiences.
>
> Active would be something like "At 6PM we're going to do an hour long
> (45min+questions) deep technical walkthrough of how the new .onion
> design works". Passive would be something like "We have sketchbooks
> and colored pencils. Are you artistic? Sketch some Tor/onion artwork
> and we'll share it on our blog!"
>
> ---------
>
> I am not sure if a Village satisfies the same purpose as a vendor
> table though. Nearly everyone at Defcon will walk through the vendor
> area once. Not everyone will go to Defcon in the evening or go to a
> village they aren't directly interested in. I think we should have
> both (and our own table, separate from Calyx/EFF), but I recognize it
> means we would effectively need twice as many people at the conference
> to staff the table and the village (since we couldn't expect the same
> people to commit to doing both.)
>
> I think we should bring a pile (a very large pile) of T-shirts to
> sell, as well as other things (which we can brainstorm.) Free
> pamphlets on how to use Tor (which I think we have) and ones on how to
> run a relay (which we can make.) I'm also imagining a special
> brand-new sticker design we can give out to relay operators who stop
> by.
>
> ---------
>
> I am completely psyched about this. I have a bunch of ideas I didn't
> put in this email (and more details/ideas about what I did mention). I
> am totally volunteering to do a lot of brainstorming, planning, and
> logistics works. I am _hopeful_ I will be able to attend next year and
> help staff everything.
>
> -tom
More information about the tor-project
mailing list