[HN Gopher] Tor: From the Dark Web to the Future of Privacy
___________________________________________________________________
Tor: From the Dark Web to the Future of Privacy
Author : bauruine
Score : 93 points
Date : 2024-04-25 07:07 UTC (15 hours ago)
(HTM) web link (direct.mit.edu)
(TXT) w3m dump (direct.mit.edu)
| susan_segfault wrote:
| Cheers for this, I'm the author - AMA! :) A big motivation in
| writing the book was to feature the voices of the people we often
| don't hear from in the Tor community (which is why there's a
| whole chapter on the people who run the relays).
| datadrivenangel wrote:
| What are your thoughts on the integrity of the network against
| state actors?
| alt227 wrote:
| I assume that TOR is vulnerable to the 51% attack? If so I
| would imagine that state actors have the ability to spin up a
| million containers each hosting a node and easily take
| control (or at least be able to start tracing connection from
| entry to exit node).
|
| However I'm sure this would be immediately obvious (unless
| they have been slowly doing this since the beginning of TOR)
| bombcar wrote:
| IIRC there is at least one known case where a moderately
| major criminal was let go rather than the government
| disclosing how they got the evidence on him. The assumption
| has been that they had a way of compromising TOR that they
| didn't want to reveal.
| generalizations wrote:
| One implication of that - make sure there's no available
| means of parallel construction, and it's ok if they catch
| you in some way they don't want to reveal. As long as
| you're not valuable enough, that is.
| bombcar wrote:
| That's the real bar for any security, really - make it so
| it's not worth the while of people who could defeat it.
|
| Because eventually, no matter what you do, if you're up
| against a nation state, they'll just make you dead.
| susan_segfault wrote:
| There's a lot in the book about this - it depends what you
| mean. Tor has a lot of social and technical design elements
| that try as best they can to minimise this risk. It would be
| pretty hard for intelligence services to compromise the Tor
| organisation in ways that meant they were deploying malicious
| code, for example. Plus, the way it's grown over the years
| has also given them some protections.
|
| In terms of deanonymising people through surveillance (for
| example, by spying on the whole Internet and tracing you
| through the Tor network), Tor explicitly doesn't protect you
| against this. The decision was made early on - they switched
| all the high-security design elements to 'off' to make the
| network faster. They calculated that a hyper-secure network
| that was so slow no-one used it was less secure - i.e. made
| less privacy exist in the real world - than one that was less
| secure but used by millions, because that would give you a
| huge crowd of people to hide in. This gets really complicated
| - because you also want lots of different kinds of people
| using the network, so they can't tell if you're a drug
| dealer, an activist, a spy etc. just because you're using
| Tor.
|
| Individual bits of major intelligence organisations can
| probably deanonymise you at some times, and not at others.
| The real question is if they can do so in a way that's
| dangerous to you in a sustained way, and if it's actually
| useful for them to do this. Usually, it's easier to do this
| through simpler mechanisms (bribing your friends, putting a
| camera in your bedroom, figuring out who you are etc.) than
| compromising the Tor network. Some security services
| absolutely will be researching and developing ways to
| deanonymise large numbers of Tor users at a given time - but
| in general, the budget for this is going to be quite high on
| a per-user basis (so you'd have to be a prime target for it
| to be worth it), and a lot of the complexity of the Internet
| geography makes this quite hard itself.
|
| Ultimately, for any given high value target, there are
| usually easier ways to get them than through breaking Tor. In
| almost every case, a person will make a basic OPSEC error
| long before mass-scale traffic analysis gets them.
| htrp wrote:
| The rubber hose cryptography xkcd comes to mind
|
| https://xkcd.com/538/
| generalizations wrote:
| The scenario that I understand is more plausible, is when
| state level actors might control some large fraction of tor
| nodes. Not that they have visibility into the entire
| internet (not ruling that out, though). The rule of thumb
| I've heard is that if you're a sufficiently valuable
| target, best assume Tor is compromised.
| susan_segfault wrote:
| Also - it's completely free open access, but you can also buy a
| copy here if you like spending money:
| https://mitpress.mit.edu/9780262548182/tor/
| Algemarin wrote:
| > it's completely free open access
|
| Why are the PDFs individually watermarked?
|
| It seems antithetical to the spirit of releasing a book about
| Tor and "future of privacy", and to then not only watermark
| each PDF, but to not explicitly state that this is the case,
| let alone explain why.
| tarruda wrote:
| One thing I'm curious about Tor: What are the incentives for
| running a node?
|
| If there are no monetary incentives, then how does it achieve
| decentralization? Also, what stops a malicious actor with enough
| resources (a government) from controlling a big portion of the
| network?
| LordDragonfang wrote:
| People can do things altruistically - there doesn't always need
| to be a bitcoin-style monetary incentive. Lots of people run
| exit nodes because they believe in privacy and freedom of
| information.
|
| That said, you're absolutely right about large entities being
| able to control a large number of nodes, which is why a great
| number of nodes are controlled by governments trying to do so
| and also prevent foreign adversaries from being able to.
| tredre3 wrote:
| > Lots of people run exit nodes because they believe in
| privacy and freedom of information.
|
| I used to do that. But I've ultimately decided that the
| prospect of fighting accusations of abuse or crimes committed
| through my network wasn't that enticing. Proponents will try
| to downplay the risks by using vague ideological nonsense
| like "don't worry, an IP doesn't legally represent a person
| ;)" which, even if true, won't prevent a rather unpleasant
| ordeal.
|
| Running a relay is likely fairly low-risk and still a good
| thing for the network, though.
| Dunedan wrote:
| > People can do things altruistically - there doesn't always
| need to be a bitcoin-style monetary incentive.
|
| For a few years Oniontip [1] allowed tipping Tor relay
| operators with Bitcoin. In my opinion that was a quite nice
| combination of technologies, as it allowed to anonymously tip
| operators of a service providing anonymity on the internet.
|
| [1]: https://github.com/DonnchaC/oniontip
| llm_trw wrote:
| Bitcoin is not anonymous. It is literally a ledger of
| every transaction ever made. Monero is what you want if you
| value anonymity.
| LordDragonfang wrote:
| I mean, bitcoin is a lot more anonymous if you host your
| own wallet and don't cash out through an exchange (or
| don't cash out at all) - you're just a number. That's
| definitely not the modal use case today (where its
| primary use is as a vehicle for ~~gambling~~financial
| speculation denominated in dollars), but was a lot more
| common 10 years ago when that project was created.
| 6LLvveMx2koXfwn wrote:
| There are no incentives for running a Tor node except altruism
| and the perhaps nebulous claim that by doing so you will be
| making the network better.
|
| There is nothing stopping a state actor controlling a large
| percentage of nodes thus increasing the likelihood that your
| anonymous communications are nothing of the sort.
| Scoundreller wrote:
| But warring state actors competing with each other on that
| offers me some protection.
| spookie wrote:
| Aren't there ways to filter out untrusted nodes?
|
| (Edit: I say this, but in reality I also think it's pretty
| safe to assume most are government controlled)
| ghthor wrote:
| You can connect through a locally running node, which reduces
| latency to some degree.
| petre wrote:
| > What are the incentives for running a node?
|
| You are working for the FBI.
| Scoundreller wrote:
| > What are the incentives for running a node?
|
| It costs my ISP resources but I pay a flat rate. That would
| have value to me.
| electroly wrote:
| Nothing at all stops that, and there's scarce incentive for
| independent node operators. Indeed, it is commonly surmised
| that many node operators have a hidden incentive: they're
| explicitly trying to control enough nodes to deanonymize
| traffic because they are law enforcement agencies.
| susan_segfault wrote:
| (with the understanding that I'm only speaking for what I
| found, not for the Tor project or the relay community)
|
| Most of the people I spoke to saw themselves as providing a
| service - they wanted to help do something to bring a
| particular kind of future Internet about and found it rewarding
| to be a part of that. A number of them found the act of running
| a relay interesting and fun in itself - something they could
| get better at. Plus, membership of the relay community itself
| (especially now) is a kind of shared experience of community -
| and that's attractive to people in itself.
|
| In terms of malicious actors, Tor does a lot to avoid this,
| from hunting down bad relays actively, monitoring the network
| as best as it can, continuously developing the algorithms which
| select routes through the network, and other mechanisms, like
| forcing relays to operate for a while before they get trusted
| with a lot of connections.
| bauruine wrote:
| There are no incentives. I'm pretty sure the vast majority does
| it for altruistic reasons. At least all those I've met. Many
| run relays with spare resources they pay for anyway. Others
| rent a cheap VPS to run a relay. $10 gives you a surprisingly
| large amount of bandwidth if you avoid the cloud like the
| plague.
|
| Governments have other possibilities. Why should they run a
| relay if they can force the ISP to mirror the traffic of all
| relays to them?
| alt227 wrote:
| Governments don't have authority outside of their borders.
| They cannot force foreign ISP to give over the same
| information. Therefore they could only mirror nodes on IP
| addresses issued to companies in their country.
| dustfinger wrote:
| I have no significant knowledge of how TOR works, so I might be
| off the mark here. Perhaps one incentive is that by running
| your own node, you can utilize it as an entry or exit node for
| your own activities over TOR. By controlling either the entry
| or the exit node, you know that a bad actor does not control
| both of the nodes involved in your own usage. Just a thought.
| Maybe this strategy is flawed somehow. Please chime in and
| correct me if you see a flaw in this strategy.
| mmcdermott wrote:
| Couldn't running an exit node be a cover for other activity?
| One that provides a reasonable doubt as to whether it was the
| operator or some other actor who did something unsavory from an
| IP address?
| doctorpangloss wrote:
| > Wealth and power, the complicity of institutions, governments
| and communities that ignore the rights of children and disbelieve
| and disempower them--all of these provide far better privacy
| protections for child sex abusers than the Tor relay network ever
| could.
|
| Either the technology is good enough to make people anonymous
| despite their lack of wealth, power, complicity of institutions,
| or it's not. It can't be a weak technology only in the context of
| the biggest problem with Tor.
|
| > Some pointed out that it was bizarre for Tor to condemn neo-
| Nazis using its network when it had been largely silent on the
| documented issues of child abuse... much of the negative reaction
| to the activist turn in Tor was motivated by a reactionary
| queasiness towards feminism.
|
| Well yeah, that is bizarre. You're making it sound like, if we
| understood the tribe of college and graybeard libertarians
| better, compared to better-known, run-of-the-mill progressives
| and "intersectionality," then we can forgive how "bizarre" this
| sounds.
|
| I don't think that stuff matters. The commentary from the
| operators makes the whole effort look insincere. I don't think
| that relay operator _actually_ cares that much about Turkish
| dissidents or whatever. That operator is definitely interested in
| being dramatic and provocative. That's how most libertarian
| ideas sound. They could align in some ways with social justice,
| but its failure in the marketplace of ideas is as simple as
| insincerity + drama.
| susan_segfault wrote:
| Those are fair points. I would argue that it's not the tech
| that's weak, but that the protection that powerful people get
| from institutions, local networks, status in their communities
| etc. often give them so much access to practical power that
| they essentially don't need anonymity - because these
| institutions protect them.
|
| In terms of condemning particular use cases (or deciding not
| to), I'm more trying to represent a particular argument that
| some people make about Tor (and lots of other technologies) -
| i.e. that the tech itself shouldn't carry explicit
| values/politics, those should all be down to the users. The
| argument is particularly strongly made by some privacy
| advocates as they see things like Tor becoming the foundations
| of a new Internet - and hence needing the broadest possible
| base of support. There's obviously a lot of good arguments
| against this philosophy, but I figured I should try to
| represent the different ways people think about Tor in as good
| faith as possible.
|
| Obviously sometimes when people argue that they just have an
| issue with feminist values - sometimes it is definitely
| disingenuous. But I think there was a wider moment in the Tor
| community - in which a lot of people were concerned about the
| transition to a much more professional NGO, more strongly
| aligned with liberal, 'digital democracy' visions of US
| geopolitics, and away from a more chaotic and anarchic
| coalition. While I think there was a clear need for Tor to
| change and this was as much about its place amid wider changes
| in the landscape of digital rights, US tech, and hacker
| politics as anything else, it does give us a way (I think) of
| understanding the conflicts and choices that might emerge in
| Tor and other privacy enhancing infrastructures in the future.
| doctorpangloss wrote:
| > because these institutions protect them.
|
| All I am saying is that you could replace your antagonists in
| that line with "journalists" and you'd be like, "no wait,
| that's not true," and you'd be as wrong about journalists as
| anyone else.
|
| Either there are some powerful institutions protecting
| journalists too, OR Tor _is_ powerful enough to protect
| journalists. If it's not good enough for journalists, why
| bother? If it's good enough for journalists, listen, it's
| also good enough for criminals.
|
| Anyway, some journalists are themselves powerful people!
| Maggie Haberman, John Carreyrou and Ronan Farrow are powerful
| people, and they don't need anonymity. There are powerless
| criminals too, I'm sure, who need anonymity to engage in
| criminal conduct without getting caught. You could live on an
| island with a Starlink Internet connection, literally
| divorced from institutions and communities, and you could
| engage in anonymous criminal activity with Tor, it would be
| your only way of doing that. It would be practicable and
| realistic. Where we really disagree is: I think the average
| person already lives in a metaphorical island, this isn't a
| fringe opinion, and thus no matter what they are doing, Tor
| is providing them not with anonymity - they are already
| anonymous in almost all ways that matter, already nobody
| cares what the average person is up to - Tor is providing
| them protection from law enforcement.
|
| > chaotic and anarchic coalition
|
| Those high drama characters were the only ones foolish enough
| to run exit nodes or relays. I am confident this is true but
| I have not investigated: not a single professional NGO
| employee or grant recipient, living in New York or Los
| Angeles, under the age of 40, is personally running a Tor
| exit node.
|
| Those professionals are absolutely correct in their
| assessment that they would receive a much harsher punishment
| for so much as breathing on the third rail criminal activity
| on Tor compared to their colleagues who engage in some civil
| disobedience on highways here or there. And without exit
| nodes or relays, there's no Tor.
| susan_segfault wrote:
| I would absolutely agree that there's journalists who get
| significant power and protection from their proximity to
| major institutions and centres of power. Tor is useful for
| protecting journalists in situations where they don't have
| access to that kind of protection. I would agree as you say
| that's also the case for people that it protects who want
| to commit really awful forms of harm (who might not have
| access to this kind of protection). But I'd argue that - in
| most cases - the majority of really serious and widespread
| forms of harm are able to exist because of their proximity
| to different kinds and systems of power. That's not always
| the case - and these systems of power can compete with one
| another - but I think it generally holds.
|
| And given that the vast majority of online crime of all
| kinds isn't anonymous but goes entirely un-enforced against
| by law enforcement, I would argue that Tor's efforts to
| distribute power online make relatively little impact on
| the kinds of crime and harm we see online compared to a lot
| of other infrastructures built on top of the Internet. I've
| generally found the more I do this kind of research, the
| less convinced I am by technical fixes to major social
| problems - I don't think Tor is a 'fix' to the problem of
| power, but I think it opens up the battleground a bit for
| more different (and possibly more hopeful) kinds of future
| Internet to be built and asserted, that look less like the
| locked down and centralised versions we're being pitched
| just now. But I take your points and appreciate you
| engaging with the arguments in the book.
|
| Actually the relay community is pretty diverse - they have
| some colourful characters but actually a lot of them are
| just IT professionals, activists, and people working for
| libraries or universities. They have come up with some ways
| (which I talk about in the book) of making them much less
| likely to get hassle for running an exit - and generally
| most exit relay operators proceed just fine.
| llm_trw wrote:
| >Obviously sometimes when people argue that they just have an
| issue with feminist values - sometimes it is definitely
| disingenuous. But I think there was a wider moment in the Tor
| community - in which a lot of people were concerned about the
| transition to a much more professional NGO, more strongly
| aligned with liberal, 'digital democracy' visions of US
| geopolitics, and away from a more chaotic and anarchic
| coalition. While I think there was a clear need for Tor to
| change and this was as much about its place amid wider
| changes in the landscape of digital rights, US tech, and
| hacker politics as anything else, it does give us a way (I
| think) of understanding the conflicts and choices that might
| emerge in Tor and other privacy enhancing infrastructures in
| the future.
|
| Yes, you need to be a toxic slug or you will be eaten.
|
| I was around for the transition and it was anything but
| clean. The only reason why tor didn't implode like women who
| code recently did is that it has a clear core product which
| the old developers kept chugging along despite the best
| efforts of the new 'professionals'.
| aendruk wrote:
| There's an "epubviewer" but no EPUB?
| susan_segfault wrote:
| Fully open access PDF version free here:
| https://direct.mit.edu/books/oa-monograph/5761/TorFrom-the-D...
|
| Though do consider buying it if you like it!
| crtasm wrote:
| Is there an EPUB for sale somewhere?
| susan_segfault wrote:
| Aye absolutely - some links here:
| https://www.penguinrandomhouse.com/books/744367/tor-by-
| ben-c...
| hhfghf wrote:
| It seems, at the beginning of the 90s there were a lot of
| expectations in regard to DC-nets, considered to be a way better
| alternative to remailers of the time [1]. At least that's my
| impression after reading Tim May's FAQ (The Cyphernomicon) [2].
| Any progress on this front?
|
| [1]: https://en.wikipedia.org/wiki/Anonymous_remailer
|
| [2]: https://hackmd.io/@jmsjsph/TheCyphernomicon
| susan_segfault wrote:
| This is a question I always find really interesting. There are
| still a lot of alternative systems circulating - often in the
| mid-latency space - which aim to solve design issues of Tor.
| Someone releases something intended to be a Tor killer every
| few years, but they rarely last. Tor still remains the only
| anonymity solution currently operating at global scale without
| depositing all your trust in e.g. a VPN provider, partly due to
| network effects (the installed size of the user base is its own
| protection, so any competitor system is going to perform worse
| at the outset regardless), the relative lack of tolerance for
| anything but the lowest possible latency, highest possible
| usability system for almost all users, and Tor's lasting
| success in establishing itself culturally as a global brand
| that can appeal differently to very different user groups.
| Tor's devs have also been very good at modularising and
| standardising the tech so it's been great at getting itself
| incorporated at the ground level of other technologies - and
| upcoming changes are only going to make that more the case. I
| do think that there's a good chance for other systems and
| models to take off that make different design decisions, but
| they would have a lot of economic, technical, and cultural
| barriers to circumvent. Not all of them are to do with the
| theoretical security of the system - for example, DC-net
| designs were always traditionally quite vulnerable to Denial of
| Service attacks via collision, and some of the best attacks
| against anonymity systems can use 'higher security' properties
| against them. There's a discussion of some of this in Chapters
| 4, 5, and 6 of the book if it's of interest - also a huge
| amount written about this by scholars in PETS, WEIS, and other
| conferences (and blogs, papers, textbooks etc. in cryptospace).
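
The collision weakness of DC-nets mentioned in the reply above, as an added example (not from the thread or the book): a toy single-round DC-net in Python where pairwise pads cancel under XOR, and a truncated hash tag lets receivers tell a clean slot from a collided one. Slot size, tag length and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from itertools import combinations
from typing import Optional

SLOT = 32  # bytes broadcast per participant per round (assumed for the demo)
TAG = 8    # truncated SHA-256 tag appended by a sender (assumed for the demo)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_pads(n: int) -> dict:
    """One fresh secret pad per pair of participants, used for one round only."""
    return {pair: secrets.token_bytes(SLOT) for pair in combinations(range(n), 2)}


def frame(msg: bytes) -> bytes:
    """Zero-pad the message to the slot and append an integrity tag."""
    body = msg.ljust(SLOT - TAG, b"\x00")
    if len(body) != SLOT - TAG:
        raise ValueError("message too long for slot")
    return body + hashlib.sha256(body).digest()[:TAG]


def broadcast(i: int, n: int, pads: dict, msg: Optional[bytes]) -> bytes:
    """What participant i publishes: its message (or zeros) XOR every pad it shares.

    Each pad is held by exactly two participants, so an observer who sees a
    single broadcast learns nothing about whether i sent anything.
    """
    out = frame(msg) if msg is not None else bytes(SLOT)
    for j in range(n):
        if j != i:
            out = xor(out, pads[(min(i, j), max(i, j))])
    return out


def run_round(n: int, senders: dict) -> tuple:
    """Combine all broadcasts; every pad appears twice and cancels out.

    Returns (status, body) where status is 'idle', 'ok' or 'collision'.
    """
    pads = make_pads(n)
    combined = bytes(SLOT)
    for i in range(n):
        combined = xor(combined, broadcast(i, n, pads, senders.get(i)))
    if combined == bytes(SLOT):
        return "idle", b""
    body, tag = combined[:-TAG], combined[-TAG:]
    ok = hashlib.sha256(body).digest()[:TAG] == tag
    return ("ok" if ok else "collision"), body.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed inputs: five participants, one sender, then two senders.
    print(run_round(5, {2: b"hello"}))
    print(run_round(5, {1: b"alpha", 3: b"bravo"}))
```

The tag only detects that a slot was garbled; because the pads hide who transmitted, it cannot say which participant caused the collision, which is why the availability problem is a design-level one.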
| paravirtualized wrote:
| PSA: It's Tor not TOR.
|
| https://support.torproject.org/#about_why-is-it-called-tor
___________________________________________________________________
(page generated 2024-04-25 23:00 UTC)