[tor-talk] New paper : Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries

Joe Btfsplk joebtfsplk at gmx.com
Thu Oct 17 00:42:41 UTC 2013 

On 10/16/2013 4:50 PM, Roger Dingledine wrote:
> On Sun, Sep 01, 2013 at 10:10:56PM -0400, Roger Dingledine wrote:
>>
>> Yep. They're part of the Tor research community. I have plans for writing
>> a blog post about the paper, to explain what it means, what it doesn't
>> mean, what we should do about it, and what research questions remain
>> open.
> Here it is:
>
> https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
>
> --Roger
I read the paper - good job. Some of it will be over the heads of some, 
but that's unavoidable unless make it 10+ pages, in newbie language, 
then few would read it all, so...
I'm not bashing Tor here, so leave your pitchforks in the barn. Just 
asking questions, making observations that may / may not have an answer 
or even be useful.

One thing jumps out, Tor doesn't know for sure who's running Guard or 
exit nodes - & can't unless they start doing (regular, repeated) 
extensive personal interviews, background checks, giving polygraph 
tests, injecting sodium pentathol  to those wanting to run nodes.  I 
guess more so for Guards.

Since apparently now LEAs from (some) countries are teaming up, sharing 
info, etc., seems possible the problem of LEAs (or any adversaries) 
running a higher % of nodes could get worse, not better.  If adversary 
nodes as a % of all nodes doesn't increase (new good guy nodes keeps up 
w/ increase of adversarial ones), then overall risk hasn't changed.  But 
how can Tor (or any group) determine the risk if they have no reasonably 
reliable way to determine the REAL intention / identity of node 
operators (spies infiltrating Tor Network)?

Governments, crooks have proven themselves VERY resourceful over 
decades, or 100's of yrs.  The U.S., let alone other industrialized 
nations partnering together, has a lot more manpower, resources & money 
than Tor Project.  I don't think we can out spend "them," for setting up 
nodes.  How many full / part time programmers or "idea people" does Tor 
have (as good as they are) VS. one agency of one industrialized nation?

Is there any way - in the future, that Tor could run a much larger % of 
nodes or at least, instead of constantly trying to figure how to "beat / 
drastically improve the odds" that an adversary won't accidentally 
control the entry / exit nodes on circuits?  Perhaps a noble, but losing 
game, if gov'ts band together & decide Tor, or the entire internet, IS 
worth serious monitoring.  Perhaps reasonable anonymity on a world wide 
party line is too ambitious? (Those that don't know what a "telephone 
party line" was, can "Startpage it."  [stop saying "Google it"] :)

What about somehow getting a better handle on who actually runs the 
nodes?  With its current policies & design, Tor is in a very tough 
position to "ensure quality" (anonymity).  Tor isn't supposed to see any 
real data on the network - for one, so they can't be forced to give 
anything up (again, noble), but that prevents some (a lot of?) 
capability for quality control.  No company would / could handle its own 
security that way.  It's a Catch 22 situation for Tor, because of legal 
threats that many gov'ts impose, that many corporations don't face.  And 
if they had some REALLY secret stuff to send abroad, they'd fly it in 
their own jet.

What about a COMPLETELY different approach, rather than trying to 
develop methods to "beat the odds," *ad infinitum,* against what COULD 
become an ever increasingly larger PERCENTAGE of gov't / adversary run 
nodes?  Surely, it'd be worthwhile to look way down the road & see where 
Gov'ts / LEAs may be going w/ this & whether they can be "bested," by 
following the same course that Tor is on (even with improvements along 
the way)?  I have no idea - I'm just saying, sometimes the only way 
businesses, technologies, gov'ts survive & thrive is to completely 
change course.   For all of history, gov'ts have gone to GREAT lengths 
to spy on citizens & adversaries & have often done pretty well at it.

Well liked corporations can often be as secretive as they want - they're 
"protecting corporate data & assets."  Tor is looked at in part (*by 
gov'ts & LEAs*), as a tool for terrorists, criminals - of all sorts.  
They couldn't care less if honest people, whistle blowers swim near 
schools of criminals & terrorists, whether some will get caught in the 
same net.  Maybe, like Corporations that get away w/ figurative murder, 
Tor Project should start contributing heavily to key political figures, 
to ensure they'll "be left alone?"  :D

You laugh, but that's exactly why big business, who by current STATUTES, 
break JUST AS MANY OR MORE laws, as Gov'ts / LEAs *ASSUME* that Tor 
users do?   Big Business is left alone & entities like Tor are on the 
hit list.

More information about the tor-talk mailing list