[tor-talk] Bridge Communities?

adrelanos adrelanos at riseup.net
Sat Apr 13 03:37:41 UTC 2013


Hi Alex,

these are interesting thoughts. I wrote something related a while ago.

Tor: lobbies vs lobbies - Who will prevail?:
https://lists.torproject.org/pipermail/tor-talk/2012-August/025109.html

Alex M (Coyo):
> Is Tor ever going to include support for isolated, independent bridge
> relay communities that can host their own bridge directory authorities
> without relying on the centralized tor directory hosted by Peter
> Palfrader, Jacob Appelbaum and associates?

Good idea in general. (Although I don't share your reasons for it.)

> From lurking here on the mailing lists and other places, Jacob and other
> core Tor staff and advocates generally seem to have a worryingly
> optimistic attitude toward the possibility of coordinated Tor
> censorship, crackdowns, network manipulation and attack, coordinated
> government raids upon Tor directory servers,

I am interested, where did they say so?

> or even assassinations
> against Jacob Appelbaum and other core staff and volunteers involved in
> the Tor project.

Why assassinations? I've heard the some mafia style groups have a better
method than violence. They catch a child after school, make up some
"Your parents told me to catch you today, I am your Uncle Sam." story,
aren't violent or threatening at all and go into some Disney land copy,
bring back the child afterwards. Not sure if that happens in reality,
but I am sure that works better than violence.

Other than that, it seems obvious to me that killing people isn't
effective as turning them around. Why wouldn't they rather use violence
to force them to put a backdoor into next Tor version?

As far I know no Tor developer has been harassed for Tor yet. (Please
tell me if I am wrong.) Jacob has been harassed like in a totalitarian
state because of his connections to wikileaks. I also wonder how Jacob
could stay so calm after all what happened to him, not being already a
broken man. I admire the Tor developers for doing their work in such a
dangerous country (US), knowing about waterbording and that stuff.

> Is it really so difficult to conceive of situations that involve violent
> raids against the datacenters hosting Tor directory servers and their
> mirrors, attacks, possibly physically violent, involving full military
> force against Jacob Appelbaum and other critical developers, staff,
> volunteers and advocates?

If that happens, that would be the worst case. I think without Tor
servers in the US and without the Tor developers, there is more Tor
network, since most Tor servers are in the US. Most other Tor servers
are in countries which the US can pressure as well. When the US decides
to take down Tor, it's pretty much over anyway.

> You really think the governments of the industralized "first world"
> countries won't stoop that low?

Maybe they don't have to. When I understood Jacob in his speeches right,
he doesn't believe that Tor does defeat the NSA. Why should they break
Tor if it's an open book already to them already anyway?

> One day, they will accuse Jacob and the other core developers of being
> domestic terrorists or whatever as an excuse to fire upon native
> citizens on domestic soil.
>
> They will do it, one day.

Only in case they can't easily break Tor already anyway.

> This is why providing relatively trivial means to deploy one's own
> bridge communities with many pluggable transports in order to prepare
> for that inevitability.

I don't see how that helps after hosting Tor servers has been made
illegal in US and most other countries.

> The Bitcoin core developers and advocates will also be assassinated or
> eliminated militarily as well. It is inevitable.

> You really think our governments won't stoop that low? They are little
> more than pan-handling bums attempting to justify their jobs at the
> taxpayer's expense, and feel entitled to our money.

> Not only that, but they have the sheer unabashed chutzpa to presume they
> are legitimate in their entitlement, and have full authority to use our
> own taxpayer money against us, to enforce unjust laws, to inflict
> injustice against their own citizenry.
>
> If they have absolutely no compunction about shoving CISPA or SOPA down
> our throats, feel no remorse for warrantless wiretapping and unlawful
> deep packet inspection, or forcing internet service providers into
> spying on their own paying customers,

Agreed.

> what makes you think they won't
> slay Jacob Appelbaum where he stands?

Answered above already.

> They will. They will, mark my words.
> 
> And when that happens, we must be ready. Jacob's legacy needs to live
> on. Christian Fromme, Roger Dingledine, Nick Mathewson, Andrea Shepard,
> Dr. Paul Syverson..., their legacy must live on, regardless of whether
> the government shoves them against a cinderblock wall and shoots them
> dead where they stand.

As far I understand, Dr. Paul Syverson works for Naval Research
Laboratory and can be told to stop working on Tor and work for something
else instead.

The others, already covered that above.

> We must prepare for this inevitability. We need more pluggable
> transports, we need to break up the Tor relay network into distinct
> domains, we must make the tor relay network far more resilient to
> coordinated attacks, we need to decentralize the directory authorities
> and mitigate the horrifying damage in the event of directory authority
> compromise, and the subjugation and subversion of directory authorities,
> hidden services, user privacy and the physical safety of relay operators.

I value pluggable transports in general, but I don't see how they help
against the attack you are describing. Pluggable transports help
obfuscating connections from Tor users to Tor bridges. Bridges alone
won't create a Tor network. Who hosts relays and exit relays once Tor
developers are in prison, Tor servers get raided and/or illegal?

> We need far more stringent entry and exit guard node policies, more
> flexible and informative relay server statistics and circuit routing
> control.

A nice to have, but I don't think it defeats your threat model.

> We need bridge relay communities with independent bridge directory
> authorities that can be run by semi-isolated communities, including
> bridge communities within other overlay networks such as private
> OpenVPN, CJDNS or AnoNet networks. As it is, if the Tor client cannot
> connect to the centralized high-value targets controlled by the Tor
> project team, Tor is absolutely worthless and useless.
> 
> This must change. Tor should be usable by independent relay communities,
> specifically bridge relay communities with 100% use of obfuscation
> protocols or even clandestine communications methods.
>
> For those who forgot, 'clandestine' means no one can even determine any
> communication is occurring, while 'covert' means that enemies can
> determine that communications are occurring, but not the content, and
> not necessarily the specifics as to who is communicating with whom.
> 
> Some people term it 'covert communication' where heavy use of
> steganography and obfuscation is used to hide traffic from detection and
> interception, but goes further than that, and makes traffic itself
> plausibly deniable, not just the content of or parties to a particular
> instance of communication.
> 
> Tor needs to evolve very rapidly and become impossible to detect,
> manipulate, intercept or interfere with, or it is going to very rapidly
> become irrelevant and useless.

How do you propose to obfuscate connections between relays and (exit)
relays? The list of them is public, that's the basic Tor design.
Therefore a state can take them easily down as soon as they made them
illegal.

I don't think Tor can ever defeat your threat model. Tor is build around
the idea, that there are free countries where Tor is legal. If there are
no countries left where Tor is legal, Tor will surely cease to exists.

One important step to detect if developers have been threatened are
Deterministic builds. (Which would allow third parties to check if
downloads The Tor Projects is providing actually match the source code
the Tor Project claims to have used for compilation, or if they where
forced to include a backdoor while keeping the extra source secret or if
the build machine has been compromised.)
https://trac.torproject.org/projects/tor/ticket/3688

> Don't say I didn't warn you.

In conclusion, the threat model you are making up isn't unrealistic.
However, Tor can't defeat it by design. Friend to Friend networks such
as RetroShare could defeat it, in theory, all that's missing in
RetroShare are pluggable transports to obfuscate traffic to friends.

Cheers,
adrelanos


More information about the tor-talk mailing list