Tor, the pentagon's cyberweapon

[Karl]

On Wed, Oct 14, 2020, 6:34 PM Peter Fairbrother <peter at tsto.co.uk> wrote:

> On 14/10/2020 18:22, jim bell wrote:
>
> > Last year, I tried to start a discussion to implement a new anonymity
> router network, perhaps using the Raspberry Pi computers.   I got a quote
> for 500 Raspberry Pi's, at $70 each.  I included a few ideas, some old,
> some new:
> >
> > 1.    Routers could be anywhere, but would include homes and small
> businesses.  Anyone who has an Internet service with an adequately-large
> data cap. (Recently, I saw that CenturyLink had removed the data cap from
> some of its internet services. especially fiber.
> https://www.highspeedinternet.com/resources/which-internet-service-providers-have-data-caps#:~:text=CenturyLink%20has%20a%201%20TB,you'll%20enjoy%20unlimited%20data
> .
> >
> >   And their data caps, where they still exist, are 1 terabyte/month,
> which I think would be plenty for an anonymity network.
>
> The problem is that a reliable cheap anonymising network for low-latency
> traffic like web traffic is basically impossible.
>
> Tor is about as good as we can get. When I was designing m-o-o-t I
> didn't include any web anonymiser for that reason.
>
> The problem is traffic volume and latency. If we want low-latency web
> traffic - nowadays [1] that's less than 4 seconds - we can't include
> fixed file sizes with realistic constraints on traffic.
>
> To put some BOTE numbers on that, suppose you want to provide for 1
> million concurrent users. You have about 150 TB per month user traffic
> to play with (500 x 1TB, ~3 hops), 150 MB per month per user, or 450 Baud.
>

Could you explain your math here?  How did 500TB/3 (am I wrong?) become
150MB?



> Ouch.
>
> > 2.    Extensive chaff.   (which, of course, is an old idea, strangely
> it's not yet implemented in TOR)
>
> Like fixed file sizes - essential for anonymity - chaff and covertraffic
> takes too much traffic, see above.
>

I don't see how what you said above is related to whether the data is real
or decoy.  Obviously you would keep the sum of the two constant.


> > 3.    "Output nodes" would output only in encrypted form, so that people
> generally could not get in trouble for acting as an output node:  Their
> output could be monitored, but not understood as to its content, since it
> would look like random data.
>
> That doesn't work - the users want to connect to any web server
> somewhere. You could enforce eg TLS but even that does not hide file
> sizes..
>

Enforcing TLS is much more reasonable nowadays.  (You could add a plugin to
use http tricks to hide file sizes.). Not what I would focus on once it
gets nonsimple.


> > 4.    I also thought of an idea that such a network should implement
> multiple algorithms for networking, simultaneously, limited only by
> people's imaginations:   People  frequently talk about new ideas for
> anonymity networks, but how might they try them out in practice?   If an
> anonymity network is fated to have ONLY ONE routing method, then all new
> such methods cannot be easily developed:  You'd have to physically build a
> new network, along with all such associated costs, for each new routing
> method.  That's completely illogical.
> >
> >     Should there be any limit to the number of kinds of routing done?
> It's all software.   One advantage of this feature is that all these
> different routing algorithms are mixed together, such it should be harder to
>
> That's OK if you are doing development, but not for production - unless
> the users decide the routing, as in eg Mixmaster. But you can't (or
> shouldn't) use an anonymiser if you don't know whether it is going to work!
>

Seems reasonable to make this pluggable.  Final use would need all users to
look the same, and no exits have a predictable source.


> > TOR is doubted for many good reasons, but if it is generally agreed that
> some form of anonymizing network is needed, then people should be willing
> to work to provide an alternative.
>

Seems to me the smaller it is to build the more likely it is to reach
completion and use.


>
> I was at some of the early meetings when Roger Dingledene, Paul
> Syverson, Lucky Green, Nick Matthewson, Len Sassaman, myself and others
> were talking about a web anonymiser, which later became Tor.
>
> Other people at those meetings included many if not most of the top
> anonymity researchers, and some of the top cryptographers, in the world
> at that time. Tor was not conceived as is was by accident or in
> ignorance [2], many people (including myself) thought it was about the
> best that could be done.
>
>
> Roger's thought was that TOR would make mass surveillance difficult and
> it would be worth doing for that reason, even though it wouldn't prevent
> targeted attacks by major adversaries. At a set of meetings the next
> year Roger had gotten some funding, iirc from the US Navy, and Nick had
> started work on coding.
>
> I bowed out almost immediately, Len and Lucky bowed out after a while,
> because we knew it couldn't be done securely on the user level.
>
> After that I pretty much lost interest, though I did keep an eye on the
> project.
>
>
>
>
> The problem is that it's a super Zooko's triangle - you simply can't get
> reliably anonymous, low-latency and cheap anonymous web traffic.
>
> You probably can't even get reliably anonymous and low-latency, at any
> price.
>
>
>
> Peter Fairbrother
>
>
>
> [1] Acceptable low latencies vary according to use and user expectations
> - fifteen years ago people would wait 20 seconds or more for a web page
> to load, nowadays they lose interest at 4 seconds. Actually maybe less
> now, that figure is several years old. And for interactive speech or
> video latencies should be subsecond.
>
> [2] or with evil intent, at least from Roger and Nick.
>
> I don't think Paul had any evil intent either, but he was USN and is
> therefore suspect. It's like my friend from GCHQ - we are friends and we
> were sort-of colleagues until I retired, but it's a bit like having a
> policeman live next door - even when you have done no wrong you are
> always aware that he is a policeman.
>

My gut is that evil intent is pretty rare in a group of like-minded people
putting work in.  It's more likely people are acting on differing
information or experiences, or can't escape something difficult.


>
> One curiousity, the .onion part of the TOR infrastructure was largely
> driven by Paul.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 8811 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20201014/b6fd8eed/attachment.txt>