[tor-relays] How can we trust the guards?

Rana ranaventures at gmail.com
Mon Jan 2 06:28:52 UTC 2017


@Andreas
>It will not go quite unnoticed when the set of major relays changes substantially over a few months.

Tor has existed for what, 10 years? 30 new rogue relays per month (a monthly quantity designed to be proportional to the recent months' growth statistic) would go totally unnoticed and would give the attacker control of 4000 relays today. NSA certainly has the long-term planning capacity to do exactly this, and the required resources are negligible.

@Mirimir, @Andreas
> >This assumes that there is only one entity wanting to do that.
> >When there are multiple the game isn't that easy.

>Yes, that is a great Tor feature! Dueling adversaries strengthen Tor against each other.

That's wishful thinking at best. Assuming that there are enough non-colluding adversaries attacking Tor and destroying each other's efforts is futile. This is not Blockchain where hundreds of thousands of greedy selfish genes are working together for non-collusion. A practically zero-effort collusion of already fully cooperating FIVE EYE agencies (US, UK, Canada, Australia, New Zealand) is needed to sprinkle several tens of rogue relays every month all over the globe, hosted at unsuspected hosters, looking perfectly bona fide. All they need is to maintain some bandwidth and stability (why not?) and wait 70 days and - hop! - they are guards. Sprinkling middle relays is even easier. I am not even talking about the broader 14-EYE intelligence cooperation that includes 14 countries (https://en.wikipedia.org/wiki/UKUSA_Agreement#9_Eyes.2C_14_Eyes.2C_and_other_.22third_parties.22).

That US agencies are actively working to destroy anonymity of (hopefully only selected, but who knows?) Tor users is an indisputable fact. Your implicit assumption that Russia is also attacking Tor is, however, unfounded. I mentioned that they have the resources to do so. Russia has arguably MORE resources than the US because instead of paying for hacking services and infrastructure all they need to do is threaten to put the ringleaders of their internationally renowned criminal hacking gangs in jail. There is, however, ZERO evidence that they are going head to head with America doing that. They seem to be much more interested in attacking weakly protected email servers of the DNC.

@Aeris
>Having $$$$ is not enough. You can’t just send $$$$ in hardware and expect to be guard. You need to prove your worth to the network to have guard flag.
>And you also need intelligence, because your nodes must be VERY different from each other or only a few of your guards will be used (same /16 network, same country, same operator => never 2 nodes on a circuit or guard set).

Ditto

>Controlling all guards is NOT a serious problem ’til you also control other nodes (middle or exit).

Yep. Modify my previous posts and replace "guards" by "Guards and exits". Here you go.

>If you think such an attacker exists, just don’t use Tor, this is EXACTLY the threat model Tor can’t avoid and expressed in the paper.

I think I already covered the "if it exists" part. Sticking to the original (old) design doc of Tor is not a practically useful strategy. I believe that Tor has MOSTLY such strong adversaries, the others do not matter much. You do not really use Tor to protect yourself from petty hackers, do you?

I believe that what is needed is changing Tor to accommodate a lot of small relays run by a very large number of volunteers, and to push real traffic through them. The current consolidation of most of the Tor traffic in a small number of stable, high bandwidth relays was NOT anticipated by the Tor design paper and makes contamination of the majority of the network by rogue relays a very easy job indeed.

Rana


