[tor-talk] Bridge Communities?

Alex M (Coyo) coyo at darkdna.net
Sat Apr 13 04:36:56 UTC 2013


On 04/12/2013 10:37 PM, adrelanos wrote:
> Hi Alex,
>
> these are interesting thoughts. I wrote something related a while ago.
>
> Tor: lobbies vs lobbies - Who will prevail?:
> https://lists.torproject.org/pipermail/tor-talk/2012-August/025109.html
>
> Alex M (Coyo):
>> Is Tor ever going to include support for isolated, independent bridge
>> relay communities that can host their own bridge directory authorities
>> without relying on the centralized tor directory hosted by Peter
>> Palfrader, Jacob Appelbaum and associates?
> Good idea in general. (Although I don't share your reasons for it.)

What reasons would you have, then?

>> From lurking here on the mailing lists and other places, Jacob and other
>> core Tor staff and advocates generally seem to have a worryingly
>> optimistic attitude toward the possibility of coordinated Tor
>> censorship, crackdowns, network manipulation and attack, coordinated
>> government raids upon Tor directory servers,
> I am interested, where did they say so?

I am too tired and physically ill with an upper-respiratory infection to 
dig through mailing list archives at the moment.

If it is important that I shoulder the burden of proof, remind me later 
when I'm not coughing up blood.

>> or even assassinations
>> against Jacob Appelbaum and other core staff and volunteers involved in
>> the Tor project.
> Why assassinations? I've heard that some mafia style groups have a better
> method than violence. They catch a child after school, make up some
> "Your parents told me to catch you today, I am your Uncle Sam." story,
> aren't violent or threatening at all and go into some Disney land copy,
> bring back the child afterwards. Not sure if that happens in reality,
> but I am sure that works better than violence.

I do not understand how "taking a child to a theme park" relates in any 
way to Jacob Appelbaum being tagged and bagged.

May I ask for a clarification here?

>
> Other than that, it seems obvious to me that killing people isn't
> as effective as turning them around. Why wouldn't they rather use violence
> to force them to put a backdoor into next Tor version?

That isn't quite as trivial as you make it sound, and really, it's 
unnecessary.

It is a general consensus that the united states federal government has 
full access to the directory authorities and majority of guard nodes and 
exit nodes within the united states.

It is a general consensus that the Tor network provides only illusory 
anonymity to any user hostile to united states military supremacy.

The Tor network is a historical toy created by the united states 
military, and is just as possessed and controlled by the united states 
military as it has been from day one.

>
> As far as I know no Tor developer has been harassed for Tor yet. (Please
> tell me if I am wrong.) Jacob has been harassed like in a totalitarian
> state because of his connections to wikileaks. I also wonder how Jacob
> could stay so calm after all what happened to him, not being already a
> broken man. I admire the Tor developers for doing their work in such a
> dangerous country (US), knowing about waterboarding and that stuff.
>
>> Is it really so difficult to conceive of situations that involve violent
>> raids against the datacenters hosting Tor directory servers and their
>> mirrors, attacks, possibly physically violent, involving full military
>> force against Jacob Appelbaum and other critical developers, staff,
>> volunteers and advocates?
> If that happens, that would be the worst case. I think without Tor
> servers in the US and without the Tor developers, there is more Tor
> network, since most Tor servers are in the US. Most other Tor servers
> are in countries which the US can pressure as well. When the US decides
> to take down Tor, it's pretty much over anyway.

My point exactly.

>> You really think the governments of the industrialized "first world"
>> countries won't stoop that low?
> Maybe they don't have to. When I understood Jacob in his speeches right,
> he doesn't believe that Tor does defeat the NSA. Why should they break
> Tor if it's an open book to them already anyway?

Tor is not designed (in its current form) to even attempt to contest NSA 
control and manipulation.

>> One day, they will accuse Jacob and the other core developers of being
>> domestic terrorists or whatever as an excuse to fire upon native
>> citizens on domestic soil.
>>
>> They will do it, one day.
> Only in case they can't easily break Tor already anyway.

Tor is already broken.

Services like The Hidden Wiki, Silk Road, and other high-profile hidden 
services are obviously honeypots and sting operations, since those 
hidden services would have been raided immediately and their admins 
arrested without a court hearing or judicial oversight of any kind. Do 
not pass Go, do not collect 200 worthless united states dollars, go 
directly to Guantanamo Bay (or whatever the current replacement is).

>> This is why providing relatively trivial means to deploy one's own
>> bridge communities with many pluggable transports in order to prepare
>> for that inevitability.
> I don't see how that helps after hosting Tor servers has been made
> illegal in US and most other countries.

Since when does the law matter?

>> The Bitcoin core developers and advocates will also be assassinated or
>> eliminated militarily as well. It is inevitable.
>> You really think our governments won't stoop that low? They are little
>> more than pan-handling bums attempting to justify their jobs at the
>> taxpayer's expense, and feel entitled to our money.
>> Not only that, but they have the sheer unabashed chutzpa to presume they
>> are legitimate in their entitlement, and have full authority to use our
>> own taxpayer money against us, to enforce unjust laws, to inflict
>> injustice against their own citizenry.
>>
>> If they have absolutely no compunction about shoving CISPA or SOPA down
>> our throats, feel no remorse for warrantless wiretapping and unlawful
>> deep packet inspection, or forcing internet service providers into
>> spying on their own paying customers,
> Agreed.
>
>> what makes you think they won't
>> slay Jacob Appelbaum where he stands?
> Answered above already.

In other words, Jacob Appelbaum is a united states military shill and 
collaborator?

>> They will. They will, mark my words.
>>
>> And when that happens, we must be ready. Jacob's legacy needs to live
>> on. Christian Fromme, Roger Dingledine, Nick Mathewson, Andrea Shepard,
>> Dr. Paul Syverson..., their legacy must live on, regardless of whether
>> the government shoves them against a cinderblock wall and shoots them
>> dead where they stand.
> As far as I understand, Dr. Paul Syverson works for Naval Research
> Laboratory and can be told to stop working on Tor and work for something
> else instead.
>
> The others, already covered that above.

Why does this not surprise me?

>> We must prepare for this inevitability. We need more pluggable
>> transports, we need to break up the Tor relay network into distinct
>> domains, we must make the tor relay network far more resilient to
>> coordinated attacks, we need to decentralize the directory authorities
>> and mitigate the horrifying damage in the event of directory authority
>> compromise, and the subjugation and subversion of directory authorities,
>> hidden services, user privacy and the physical safety of relay operators.
> I value pluggable transports in general, but I don't see how they help
> against the attack you are describing. Pluggable transports help
> obfuscating connections from Tor users to Tor bridges. Bridges alone
> won't create a Tor network. Who hosts relays and exit relays once Tor
> developers are in prison, Tor servers get raided and/or illegal?

Just because the Tor network is worthless and merely an interesting toy 
in its current form does not mean it cannot lead to the development of 
networks that actually promote Internet liberty and privacy rather than 
being a united states military plaything and elaborate honeypot.

What exists now does not determine what exists in the future.

>> We need far more stringent entry and exit guard node policies, more
>> flexible and informative relay server statistics and circuit routing
>> control.
> A nice to have, but I don't think it defeats your threat model.

No, only a complete redesign of Tor and a new security and network model 
will make Tor relevant to Internet privacy.

>> We need bridge relay communities with independent bridge directory
>> authorities that can be run by semi-isolated communities, including
>> bridge communities within other overlay networks such as private
>> OpenVPN, CJDNS or AnoNet networks. As it is, if the Tor client cannot
>> connect to the centralized high-value targets controlled by the Tor
>> project team, Tor is absolutely worthless and useless.
>>
>> This must change. Tor should be usable by independent relay communities,
>> specifically bridge relay communities with 100% use of obfuscation
>> protocols or even clandestine communications methods.
>>
>> For those who forgot, 'clandestine' means no one can even determine any
>> communication is occurring, while 'covert' means that enemies can
>> determine that communications are occurring, but not the content, and
>> not necessarily the specifics as to who is communicating with whom.
>>
>> Some people term it 'covert communication' where heavy use of
>> steganography and obfuscation is used to hide traffic from detection and
>> interception, but goes further than that, and makes traffic itself
>> plausibly deniable, not just the content of or parties to a particular
>> instance of communication.
>>
>> Tor needs to evolve very rapidly and become impossible to detect,
>> manipulate, intercept or interfere with, or it is going to very rapidly
>> become irrelevant and useless.
> How do you propose to obfuscate connections between relays and (exit)
> relays? The list of them is public, that's the basic Tor design.
> Therefore a state can take them easily down as soon as they made them
> illegal.

The solution is to not publicize relay servers.

You break up the entire tor relay network into relatively isolated relay 
domains, and manually peer domain router relays.

Domain router relays onion route tor circuits from within relays within 
the relay domain. All tor relay traffic is obfuscated, not just tor 
bridge relays. In other words, ALL tor relays behave as bridge relays 
and heavily obfuscate traffic to thwart interception and detection.

>
> I don't think Tor can ever defeat your threat model. Tor is built around
> the idea, that there are free countries where Tor is legal. If there are
> no countries left where Tor is legal, Tor will surely cease to exist.
>
> One important step to detect if developers have been threatened are
> Deterministic builds. (Which would allow third parties to check if
> downloads the Tor Project is providing actually match the source code
> the Tor Project claims to have used for compilation, or if they were
> forced to include a backdoor while keeping the extra source secret or if
> the build machine has been compromised.)
> https://trac.torproject.org/projects/tor/ticket/3688

The solution to that is to maintain mirrored repositories and provide 
nightly snapshot builds yourself using Jenkins or something on your own 
privately-hosted Gitorious instance and host the binaries repositories 
for your bridge community (or in my model, your relay domain).

>> Don't say I didn't warn you.
> In conclusion, the threat model you are making up isn't unrealistic.
> However, Tor can't defeat it by design. Friend to Friend networks such
> as RetroShare could defeat it, in theory, all that's missing in
> RetroShare are pluggable transports to obfuscate traffic to friends.

The problem with RetroShare is that every time your IP changes, you are 
forced to manually renegotiate manual peering.

You think normal average users are going to have time for that?

Aint nobody got time fo dat.

Now, if RetroShare had a sophisticated DHT + PEX method for automated 
repeering with identities you have already permitted without 
compromising your RetroShare IP:port to malicious observers, that would 
make it a lot more practical and usable.

If RetroShare could be used over another overlay network such as GNUnet, 
CJDNS or Tor (once completely redesigned to eject NSA and Navy control 
from the network consensus and directory authorities), you would not 
really need to provide an elaborate automated repeering mechanism, but 
the RetroShare core developers are extremely hostile to the concept of 
tunneling RetroShare TLS links over an overlay.

General consensus is that RetroShare is nice, until one single 
friend-of-a-friend is careless and permits a law enforcement or military 
raid to reveal the existence of the F2F network, and from there, it's 
"like shooting fish in a barrel."

