On 5/2/19, Herbert Karl Mathé mail@hkmathe.de wrote:
I strongly believe certain issues need be brought up into conscious, and into presence: into discussion, actually.
Therefore appreciating this as it might fit too well into context
Keeping things below surface, or trying so, has too often proven to be a very bad idea as these will come up sooner or later anyway, then with much higher magnitude. Even worse, trust is then destroyed.
As said before, the category of Anti Sybil Web of Trust Projects needs considered, and could even cover such speculative subjects.
It's not about analysing the meta of one node or one operator, even if a true positive hit, in general the yield is approximately zero percent of any overlay network's nodes, it's about stepping back and agnostically analysing them all.
Go investigate and collate all the possible meta informations...
Node location, payment, OS, ISP, uptimes, anon / nym / PGP / GovID, workplace, politic, blogs, whatever else you can imagine, including incorporating what's already in the consensus, contact, MyFamily, nickname, both real world and virtual infos, operator to operator p2p Web of Trust...
No node has to supply any infos.
Put it all in a db and give users tools to select node sets.
Some users might select State's, or State's workers or even Statist's nodes, over say anon nodes, as maybe they feel they have to play by some "rules" that anon nodes don't. Others might reject operators that post stupid pics on Facebook. Or all Ubuntu relays. Or nodes that engage in free speech they don't like, some in Tor Project would love that selector, lol.
It doesn't matter, it's a meta project, with it you can accept or reject on whatever whim you wish by node fingerprints in your client.
And if the Sybil WoT project ends up discovering some interesting potential threats classes among the entire node set, you win. Until then, you are potentially missing all of that, and are not raising Sybil's costs of doing business by forcing them to expend much resource into playing real world Web of Trust against users who might select to use various positive-meta-ranking and or WoT structures. Right now Sybil's cost is only a little hosting.
If not, you can still report bad exits and other actual technical node and traffic mangling to tor-relays and or bad-relays, at least until someone DHT's or otherwise distributes tor away from the more centralized DA design.
Note that Tor's architecture does not protect much against Global Passive Adversary of NSA style fiber Vampires, that threat does not require Sybil nodes, nor do they have to be Global or Govt, even Tier-N backbones can tap, analyse, and do nefarious things like and with that, including sell, give, and partner it all away. Though they can and do run Sybil nodes to help inject, manipulate, block, see, etc traffic, nodes, and clients.
On flip perspective, maybe you really don't want to develop WoT's and such, simply because enabling creeping featureism of it all can lead to exclusivity and control whereby valuable anon diversity is selected away from and purged. That would be very bad.
Either way, other than the usual design, protocol, code, and "Lawfare" exploit space, and the coming Quantum Compute adversary, Sybil and Vampire are likely todays biggest remaining threats to overlay networks.
None of todays networks seem to be trying to do anything to stop Sybil, and only a few networks put Vampire as any sort of priority [1]. While Vampire may perhaps be solved with some technical measures, Sybil may require some sort sort of human based measures.
[1] Curiously, cryptocurrencies do employ Anti-Sybil in various proofs of work (adversary cost raising), and can help defund Vampires.
On Thu, May 02, 2019 at 04:01:52PM -0400, grarpamp wrote:
On 5/2/19, Herbert Karl Mathé mail@hkmathe.de wrote:
I strongly believe certain issues need be brought up into conscious, and into presence: into discussion, actually.
Therefore appreciating this as it might fit too well into context
Keeping things below surface, or trying so, has too often proven to be a very bad idea as these will come up sooner or later anyway, then with much higher magnitude. Even worse, trust is then destroyed.
As said before, the category of Anti Sybil Web of Trust Projects needs considered, and could even cover such speculative subjects.
It's not about analysing the meta of one node or one operator, even if a true positive hit, in general the yield is approximately zero percent of any overlay network's nodes, it's about stepping back and agnostically analysing them all.
Go investigate and collate all the possible meta informations...
Node location, payment, OS, ISP, uptimes, anon / nym / PGP / GovID, workplace, politic, blogs, whatever else you can imagine, including incorporating what's already in the consensus, contact, MyFamily, nickname, both real world and virtual infos, operator to operator p2p Web of Trust...
Note that we created a research system for gathering such data, reasoning about the trust implications, and applying it to routing decisions. we wrote a paper on it that we presented at PETS 2015. "20,000 In League Under the Sea: Anonymous Communication, Trust, MLATs,and Undersea Cables" https://www.petsymposium.org/2015/papers/04_Jaggard.pdf
I don't know that anyone has done much with this since, but I hope that's helpful information.
aloha, Paul
No node has to supply any infos.
Put it all in a db and give users tools to select node sets.
Some users might select State's, or State's workers or even Statist's nodes, over say anon nodes, as maybe they feel they have to play by some "rules" that anon nodes don't. Others might reject operators that post stupid pics on Facebook. Or all Ubuntu relays. Or nodes that engage in free speech they don't like, some in Tor Project would love that selector, lol.
It doesn't matter, it's a meta project, with it you can accept or reject on whatever whim you wish by node fingerprints in your client.
And if the Sybil WoT project ends up discovering some interesting potential threats classes among the entire node set, you win. Until then, you are potentially missing all of that, and are not raising Sybil's costs of doing business by forcing them to expend much resource into playing real world Web of Trust against users who might select to use various positive-meta-ranking and or WoT structures. Right now Sybil's cost is only a little hosting.
If not, you can still report bad exits and other actual technical node and traffic mangling to tor-relays and or bad-relays, at least until someone DHT's or otherwise distributes tor away from the more centralized DA design.
Note that Tor's architecture does not protect much against Global Passive Adversary of NSA style fiber Vampires, that threat does not require Sybil nodes, nor do they have to be Global or Govt, even Tier-N backbones can tap, analyse, and do nefarious things like and with that, including sell, give, and partner it all away. Though they can and do run Sybil nodes to help inject, manipulate, block, see, etc traffic, nodes, and clients.
On flip perspective, maybe you really don't want to develop WoT's and such, simply because enabling creeping featureism of it all can lead to exclusivity and control whereby valuable anon diversity is selected away from and purged. That would be very bad.
Either way, other than the usual design, protocol, code, and "Lawfare" exploit space, and the coming Quantum Compute adversary, Sybil and Vampire are likely todays biggest remaining threats to overlay networks.
None of todays networks seem to be trying to do anything to stop Sybil, and only a few networks put Vampire as any sort of priority [1]. While Vampire may perhaps be solved with some technical measures, Sybil may require some sort sort of human based measures.
[1] Curiously, cryptocurrencies do employ Anti-Sybil in various proofs of work (adversary cost raising), and can help defund Vampires. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi All,
On 02/05/2019 21:15, Paul Syverson wrote:
On Thu, May 02, 2019 at 04:01:52PM -0400, grarpamp wrote:
Node location, payment, OS, ISP, uptimes, anon / nym / PGP / GovID, workplace, politic, blogs, whatever else you can imagine, including incorporating what's already in the consensus, contact, MyFamily, nickname, both real world and virtual infos, operator to operator p2p Web of Trust...
Note that we created a research system for gathering such data, reasoning about the trust implications, and applying it to routing decisions. we wrote a paper on it that we presented at PETS 2015. "20,000 In League Under the Sea: Anonymous Communication, Trust, MLATs,and Undersea Cables" https://www.petsymposium.org/2015/papers/04_Jaggard.pdf
This reminds me of the Contact Info Sharing Specification.
There are details on the specification at:
https://github.com/nusenu/ContactInfo-Information-Sharing-Specification
You can also automatically generate the Contact Info string using this tool (I've not checked this out yet):
https://torcontactinfogenerator.netlify.com/
Currently Tor Metrics doesn't do anything with this data (except archive it) because not that many relay operators are using it, but if more operators were sharing the information using this specification then it would help Metrics understand the network better, and help with research projects that want to better understand the network to improve path selection too.
I've just set the Contact Info on my two relays to conform to this specification (might take an hour or two to show up on Relay Search).
Just checking now, only 70 relays use this specification, which is approx 1% of the running relays. If we can get this up to 4-5% then Tor Metrics may look more closely at this.
Thanks, Iain.
On 5/2/19, grarpamp grarpamp@gmail.com wrote:
Node location, payment, OS, ISP, uptimes, anon / nym / PGP / GovID, workplace, politic, blogs, whatever else you can imagine, including incorporating what's already in the consensus, contact, MyFamily, nickname, both real world and virtual infos, operator to operator p2p Web of Trust...
Syverson writes:
Note that we created a research system for gathering such data, reasoning about the trust implications, and applying it to routing decisions. we wrote a paper on it that we presented at PETS 2015. "20,000 In League Under the Sea: Anonymous Communication, Trust, MLATs,and Undersea Cables" https://www.petsymposium.org/2015/papers/04_Jaggard.pdf
Its mentioned modularity is a nice feature wherein here any number of module author groups could collate data in their areas of interest / knowledge into modules that then get plugged into the node selection framework.
Usually on the lists people often seek to avoid or stay with certain countries, so that leads to a "jurisdiction / MLAT" module. There could be "seabed fiber owner operator" module. A human-to-human operator WoT module. Many more you can think up.
Tor currently offers perhaps only three, they are in essence the default modules... - random selection and exit policy - bandwidth / consensus weights - DA decisions
Keep the defaults, or go with community assemblings, or choose whichever modules you want and any specific configuration each provides, add them into the node selection engine under any relative weighting you choose, point the engine at the controller, or otherwise load it into the overlay daemon.
It would not be difficult to conceive how such framework could be extended for use with many of the node based overlay networks.
Is it wise to override the defaults of any such network? Perhaps until there are networks strongly or completely resistant to Sybil, Vampires, and any other classes of attacks... there may be cases and conditions where it is, and many where it isn't... one size might not fit all.
There would probably be some interest out there in developing a list of all potential modules. And even coding and datafeeding the more popular ones, say the "Human WoT", as a proof of concept exploration.
Note Bittorrent "Here's a bunch of random nodes, good luck"... for which many communities collate and maintain published lists of known or suspect nodes to block (MAFIAA networks, LEA, etc) by plugging them into clients, resolvers, and packet filters, in an effort to reduce risk of Sybil beyond the defaults.
tor-relays@lists.torproject.org
-
grarpamp -
Iain Learmonth -
Paul Syverson