The Tor Network Saal 1 Links to video: CCC-TV: http://media.ccc.de/browse/congress/2013/30C3_-_5423_-_en_-_saal_1_-_201312272030_-_the_tor_network_-_jacob_-_arma.html Youtube: https://www.youtube.com/watch?v=CJNxbpbHA-I (easier for transcription because it reacts to left/arrows for rwd/fwd) You can also use shift-tab at amara. At least in the old editor. Amara Link: http://www.amara.org/de/videos/ogSRd61FX656/en/627819/ ------------------------------------------------------------------------------------------------------------- Jacob Appelbaum: So, thanks very much to the guy who brought me a Mate. I learned his name is Alexander. It's never a good idea to take drugs from strangers, so I introduced myself before I drank it - thank you. First I wanted to say that following up after Glenn Greenwald is a great honor and a really difficult thing to do, that's a really tough act to follow, and he's pretty much one of, I think, our heroes. So, it's really great to be able to share the stage with him, even for just a brief moment. And I wanted to do something a little unconventional when we started and Roger agreed. Which is that we want people who have questions - since I suspect some things happened this year that arouse a lot of questions in people - we'd like you to write those questions down, pass them to an Angel or to just bring them to the front of the stage as soon as possible during the talk, so that we can answer as many of your questions as is possible. This is a lot of stuff that happened, there's a lot of confusion, and we wanna make sure that people feel like we are actually answering those questions in a useful way. And if you wanna do that, it'd be great, and otherwise, we're gonna try to have the second half of our talk be mostly space for questioning. So with that, here is Roger. Roger Dingledine: Okay, so, a lot of things have happened over this past year, and we're gonna try and cover as many of them as we can. Here's a great quote from either NSA or GCHQ, I'm actually not sure which one it is. But we're gonna start a little bit earlier in the process than this and work our way up to that. So, we're in a war, or rather, conflict of perception here. There are a lot - I mean, you saw Glenn's talk earlier - there are a lot of large media organisations out there that are trying to present Tor in lots of different ways, and we all here understand the value that Tor provides to the world, but there are a growing number of people around the world who are learning about Tor not from our website, or from seeing one of these talks or from learning it from somebody who uses it and teaches them how to use it. But they read the Time Magazine or Economist or whatever the mainstream newspapers are, and part of our challenge is how do we help you, and help the rest of the world do outreach and education, so that people can understand what Tor is for and how it works and what sorts of people actually use it. So, for example, GCHQ has been given instructions to try to kill Tor by, I mean, who knows, maybe they thought of it on their own, maybe we can imagine some nearby governments asked them to do it. And part of the challenge... they say "we have to kill it because of child porn". And it turns out that we actually do know that some people around the world are using Tor for child porn. For example, we have talked to a lot of federal agencies who use Tor to fetch child porn. [subdued laughter] I talked to people in the FBI who use Tor every day to safely reach the websites that they want to investigate. The most crazy example of this is actually the Internet Watch Foundation. How many people here have heard of the Internet Watch Foundation? I see a very small number of hands. They are the censorship wing of the British government. They are the sort of quasi-government organisation who is tasked with coming up with the blacklist for the internet for England. And, we got e-mail from them a few years ago, saying - not what you'd expect, you'd expect "Hey, can you please shut this thing down, can you turn it off, it's a big hassle for us." - the question they asked me was: "How can we make Tor faster?" [laughter, claps] It turns out that they need Tor, because people report URLs to them, they need to fetch them somehow. It turns out that when you go the URL with the allegedly bad stuff on it and you're coming from the Internet Watch Foundation's IP-address, they give you kittens. [laughter] Who would have known? [laughter, applause] So it turns out that these censors need an anonymity system in order to censor their internet. [laughter] Fun times. So another challenge here: at the same point, one of my side hobbies is teaching law enforcement how the internet works, and how security works and how Tor works. So, yeah, their job does suck, but it's actually not our fault that their job sucks. There are a lot of different challenges to successfully being a good, honest law enforcement person these days. So, for example, I went to Amsterdam and Brussels in January of this past year to try to teach various law enforcement groups. And I ended up having a four-hour debate with the Dutch regional police, and then another four-hour debate with a Belgian cybercrime unit and then another four-hour debate with the Dutch national police. And, there are a lot of good-meaning smart people in each of these organisations, but they end up, as a group, doing sometimes quite bad things. So part of our challenge is: how do we teach them that Tor is not the enemy for them? And there are a couple of stories that I've been trying to refine using on them. One of them they always pull out, the "But what about child porn? What about bad people? What about some creep using Tor to do bad things?". And one of the arguments that I tried on them was, “Okay, so on the one hand we have a girl in Syria who is alive right now because of Tor. Because her family was able to communicate safely and the Syrian military didn’t break in and murder all of them." "On the other hand, we have a girl in America who is getting hassled by some creep on the internet who is stalking her over Tor." So the question is, how do we balance, how do we value these things? How do we assign a value to the girl in Syria and how do we assign a value to the girl in America so that we can decide which one of these is more important? And actually the answer is, you don’t get to make that choice, that’s not the right question to ask. Because if we take Tor away from the girl in Syria, she’s going to die. If we take Tor away from the creep in America, he’s got a lot of other options for how he can be a creep and start stalking people. So if you’re a bad person, for various definitions of bad person, and you’re willing to break laws or go around social norms, you’ve got a lot of other options besides what Tor provides. Whereas there are very few tools out there like Tor for honest, I'd like to say law-abiding, but let's go with civilization-abiding citizens out there. Jacob Appelbaum: And it’s important to understand that this hypothetical thing is actually also true for certain values. So at our Tor developer meeting that we had in Munich recently, that Syrian woman came to us, and thanked us for Tor. She said, I’m from a city called Homs. You might have heard about it, it’s not a city anymore. I used Tor. My family used Tor. We were able to keep ourselves safe on the internet thanks to Tor. So I wanted to come here to Munich to tell you this. Thank you for the work that you’re doing. And for people who - this was their first dev meeting - they were completely blown away to meet this person. - 'Wow, the stuff that we're working on, it really does matter, there are real people behind it.' And, I think, we were all really touched by it, and all of us know someone who has been on the receiving end of people being jerks on the internet. So this is a real thing where there are real people involved, and it's really important to understand that if you remove the option for that woman in Syria - or you here in Germany, now that we know what Edward Snowden has told the world - those bad guys, those jerks, for different values of that, they always have options. But very rarely do all of us have options that will actually keep us safe. And Tor is certainly not the only one, but right now, and we hope in this talk you'll see that we're making the right tradeoff by working on Tor. [Roger Dingledine] One of the other talks that I give to them, one of the other stories that I give to them, one of the big questions they always ask me is: "But what about terrorists? Aren't you helping terrorists?" And we, we can and we should talk about "What do you mean by terrorists?" because in China they have a very different definition of terrorists and in Ghaza they have a very different definition of terrorists, and in America, they are always thinking of a small number of people in some Middle-Eastern country who are trying to blow up buildings or something - [Jacob Appelbaum] Mohamed Badguy, I think is his name. [Roger Dingledine] Yes, that - [Jacob Appelbaum] In the NSA slides. [Roger Dingledine] Yes. So, scenario one: I want to build a tool that works for millions of people, it will work for the next year, and I can tell you how it works, so you can help me evaluate it. That's Tor's problem. Scenario two: I want to build a tool that will work for the next two weeks, it will work for 20 people and I'm not going to tell you about it. There are so many more ways of solving scenario two than solving scenario one. The bad guys for all sorts of definitions, the bad guys have a lot more options on how they can keep safe. They don't have to scale, it doesn't have to last forever, they don't want peer review, they don't want anybody to even know that it's happening. So the challenge that Tor has is that we wanna build something that works for everybody and that everybody can analyze and learn about. That's a much harder problem, there are far fewer ways of solving that. So, the terrorists, they got a lot of options. That sucks. We need to build tools that can keep the rest of the world save. [Jacob Appelbaum] And it's important, really, to try to have some good rethorical arguments, I think. I mean, we sort of put a few facts up here. One interesting point to mention is that people who really don't want anonymity to exist in a practical sense, maybe not even in a theoretical, human rights sense either, but definitely in a practical sense, they're not really having honest conversations about it. For example, this DOJ study, the Department of Justice in the United States, they actually started to do a study where they classified traffic leaving Tor exit nodes. Which is interesting - that they were basically probably wiretapping an exit node to do that study, I wonder how they went about that - but nonetheless, they came up with the number of three percent of the traffic being bad and then they aborted the study because they received many DMCA takedown notices. [laughter] [Roger Dingledine] Yes, they - [Jacob Appelbaum] Apparently even the DMCA is a problem to finding out answers. [unintelligible] [Roger Dingledine, interrupts] They asked a university to run the Tor exit for them and they were just starting out doing their study, and then the university started getting DMCA takedowns and said: "Well, we have to stop, the lawyers told us to stop!", and the Department of Justice said: "We're the Department of Justice, keep doing it.", and then they turned it off. [laughter] So, not sure how the balance of power goes there, but the initial results they were looking towards were about three percent of the traffic coming out of that Tor exit node was bad, but I haven't figured out what they mean by "bad". But I'll take it if it's three percent. [Jacob Appelbaum] Jake dislikes the term 'war' when talking about the internet. The BBC has articles on their website on using Tor + Silk Road to buy drugs. We don't do that - even though Bitcoin is amazing, it's not anonymous. BBC has a 'man-bite-dog'-approach, they run with everything which looks a bit interesting. We dont wan tthat: we want for every person to have the right and possiblity to express themselves. When the BBC ran a story about Tor, everyone was thankful, then they posted another article on Tor+Silk Road. That has a serious problem, the war on drugs becomes intertwined with the war on Tor. Agent who showed 'massive drop ' in Tor traffic after Silk Road shut down, was with US govt. Such publicty always leads to drop, not necessarily directly connected. Then they checked the data, see graph, and saw almost no drop. Can you guess where the drop the agent talks about occurred? It didn't go down by 50%. Agent waswrong. Qrrow where it would have dropped according to agent. Here's a graph of the overall network growth over the past three years. Multiple relays added after Snowden revelations. The Dark Web (or other scary names) is media trying to produce as many articles as they can. Definitions range from 'every webpage that Google can't index' (so every govt database, etc), '98% of pages are in dark web', 'only way to access dark web is through Tor'. These statements together sell many articles, people are shocked. REality is that it's not actually the case. People here know this: these stories are clickbait'. Few hands go up about Tor hidden se (lost connection for a minute) These things also bring out much negative attention. The Freedom Hosting was relentlessly attacked, because the topics the other sites have pull on peoples' hearts in a big way. First issue of WikiLeaks was really hard on many people. The news also picks up on that in negative ways. You could call that a cultural conflict. I heard from a DEA person who was involved in Farmer's Market takedown. Old drug webiste, Tor was not involved. DEA wanted to take it down. They sent a letter to take it down, [...] People used hushmail. Year or two later people discovered Tor. SIx months later there were all these newspaper articles about how Tor hidden services are broken. They were using PayPal directly. Story is 'don 't use Hushmail'. Don't use lawful interception-compliant or backdoored services, such as Hushmail, especially if you traffic drugs. As a result, we have seen some pretty crazy stuff happen. In this case, this year we saw one of the most intersting exploits we have seen deployed againts a broad scale of users. Not sure who was behind it. Claimed by an FBI agent, IP space may be NSA-owned. Exploit in Firefox. Traditionally, if you don't use Tor, they go to your house and install gear or intercept your connection. They find out who you are, target you, serve you an exploit. Here, they had taken over a Tor hidden service and explited old versions of Tor browser. Not used as fresh zero-day. When the FBI did this, they give this exploit to other regimes as well. They would like to be able to be more up to speed with Firefox. HOwever, there is still desynchronisation. They have probably hired some people from this community - fuck you- and have them write their exploits. Now we're looking into Chrome, which has a differen t and sometimes more secure architecture. We're hoping to work on using Chrome, anyone want to help? Please do. Diversity of funding - a lot of funding comes from governmetns. There are ten things we want to work on, if you want to fund one of those ten, you can focus our interests. Government funding helps to do many cool things. people can be payed to work on Tor, on the other hand governments can influence our priorities. We will not put backdoors in Tor. People have approached us to put backdoors in Tor. It is a serious committment to not do this. We fix everything as soon as we find out that something is wrong. There are people who have tried to have us change that committment. When we say we are non-profit, they are dumbfounded. US DoJ person approached, Congress has given us right to backdoor everything, you have to make a backdoor so that we can use our rights to surveil everybody. You abuse the righst you have been given by our country. Then they said they are nonprofit and the conversation bascially ended. Part of what they need to do: continue to make safe tools. Everyone wants to help for anti-censorship, noone wants to pay for better anonimyt. People are often dependent on the anonimity Tor allows. There is a tradeoff with a lot of our founders, they don't like us as much when we say really outrageaous thiings. We want funders who want the same things as you and us: if you know someone, please approach us. It's easy to say we should not be political. It's also crazy to say so, because the idea of haveing free speech and freedom of information is a very political idea. Especillay after the summer of Snowden, we realize almost no tools can resist NSA/GCHQ. They can't get all Tor users, we made it very expensive for them to do mass surveillance. Please note that the solution is not partisan: all people are equally good or bad. The common good of every one having these rights protected is an important thing to build and to have. That is the best kind of political solution we can have. We however need [...] We need everyone in the same network, diversity of users. From a technical perspective, so that they can keep each other safe. We all get better when the others are involved. Having Jake talk to LE is not the most effective way. Lawyer said "Never miss a chance to shut the fuck up". Therefore we instruct everybody: corporations, civil righst groups, LE. We need you to be involved and share the word in your co [...] We're pretty good in fighting back against policies and legal changes. If ISPs hate exit relays, it becomes harder to run one. We're doing ok in that respect. Third one we have not focused on as much as we could. Growing number of places are just rejecting Tor users. Wikipedia, Skype. Microsoft hangs up on you if you want to Skype, because of blacklist from some company, they blakclist Tor exit relays. We need help learning how to teach all these companies to not judge users on their IP adresses. When a company does not want to give you location anonimity, maybe there's a reason for that. OFten they don't have metrics for not having location data. In a few cases it's better that Tor is blocked, because they don't allow anonymous logins when Tor is allowed. We need to show that it is the best thing right now. We need people to help us understand the overlap between the Tor community and their community (especially Wikipedia). If Iḿ not abusive on Wikipedia, I should be able to login anonymously. Especially since the only way to anonymously use wikipedia is through Tor. The last point is this one (graph). People started yelling 'IPO'. Aparrently, some person signed up his entire botnet. It's good to know scalability measures work. We had to make some changes. Using elliptic curves as really helped to lower work on the relasy. If this had been a real attacker against the Tor network, it probably would have been fatal. Microsoft has the power to remove the things they think are malicious. Tor clients on these bots are often still installed. Botnet happening in same time as Snowden revelations makes it hard to assess the impact of these revelations on Tor use. Bots connecting are a really serious threat to the Tor network. It would make it significantly harder to damage the Tor network if more people were involved. When talking of funding for better anonimity, how much do you need? If you're wiilling to fund it, it wuold be great if you could match what government funders bring to the table. Or as much money as you have, both are great. If it ends up on the 2 million USD we have no money for extras. We have to build all sorts of tools that are not directly related to Tor. It's not enough to have Tor, hyou need tools to work with Tor. We haven't really experimented with that. The NSA and GCHQ have decided that they don't like anonimity and want to eradicate it. A few exceptions. I will talk about this on monday. On the Tor side, Quick Ant is a [...]. It is recording data about TLS sessions, pulled from a larger pile that is called FLYINGPIG. That program is kind of scary, but not too much. Quantum INsert is a scary man on the side attack. FOXACID is a targeted attack, sort of awatering hole attack. When you use Tor they make your server redirect to their malicious code and hit you. It took them eight months to hit one Tor user. That's great. It really takes much effort to hit one person, they need that person to be caught. Quantom Cookie is a program to retrieve other browser connections to find out concurrent browser activity. Then they would insert other things the browser would request to see what other activity you have. Solution is HTTPS EVerywhere, whihc also allows session isolation. On the other hand, not every website allows TLS. The thing that makes it interseting is that they do it at internet scale. You would imaginge that not routing through Five Eyes countries makes you safer. On the other hand, in the Five Eyes countries you have some protections. The key point to take home is that every single person here has the same problems if they're not useing Tor. The story here is they look at Tor traffic coming out of Tor relays they don't know who it is. On the one hand, they need borad attacks (not targeted). DNI sent out a press release that they are never attacking US citizens. {...]James Platter is an asshole (:) ) I talked to an NSA person a couple of weeks ago ... You have to attack all non-Americans/ No, only if they are the person who we are attacking. I wish we had 90000 Tor nodes, that would be incredible. When the NSA ran tor notdes, that was about a dozen. They can watch your Tor relays, which is as good as having their own relay. We should not be worried they're runnning relays. It's a concern, but the bigger concern is that they're watching the whole internet. The problem is not so much are they running relays but how many normal relays can they watch. A large adversary like the NSA: a third? Half/ We don't know. Who here uses a VPN or some kind of VPN service [about 1/4]? This is a big problem, the hide-my-ass problem. They basically promote their service for revolution in Egupt, but turn around when aimed at the UK. We need to build decentralized systems In some cases we know that VPN proxies have data retion for 10-15 year, that 's bad news. The news on VPNs is not in your favor. What happens with this stuff? It could be that the silk road fellow used VPN. It could also be that the NSA has tracked him in some other way. Parallel construction is a really serious problem, if we could expand Tor network, we would make it significantly harder to do that. We live in a world were intelligence services and LE are merging together. That is a sierious problem for Tor. NSA is doing bad stuff, why should that affect FBI? They said they told the FBI. Do they anonymously tip the FBI? Is there a third party anonymous whistleblower? From the FBI point of view, thats basically the same. We are able to adress some questions. Summaries: We want to improve hidden services. We want to make them strong, especially improve performance. The more mainstream they become, the more use we will be seeing. It should be esay to use them. The most important things for cypherpunks to understand. If you like, use Bitcoin. If you want to give us lots of BItocins, do not get dsicouraged. In Noisy Square, there is now a talk on helping Tor. We need you to teach other poeple on why Tor is important. Thank you [no time for Q/A left]