Tor Exit Nodes in Libraries – Pilot (torproject.org)
215 points by briansmith on July 30, 2015 | hide | past | favorite | 58 comments



If you think the Tor project is working on an important problem, consider running a relay. It's inexpensive, easy to administer, no hassle (if not an exit) and I think the scale is such that a couple thousand additional relays would make a noticeable difference to the network.

You can even have it on AWS where it will get automatic updates with almost no effort: https://cloud.torproject.org/

If you want to run it on OS X: https://tor.stackexchange.com/questions/6567/how-do-i-manual...

I think it's pretty cool that you can help enable people to safely bypass censorship/surveillance from across the world.


> You can even have it AWS where it will get automatic updates with almost no effort: https://cloud.torproject.org/

I guess you didn't click on your own link....

> As of May 8, 2015, the Tor Cloud project has been discontinued.


Wow yeah - you're right, I haven't checked in on mine in a while and assumed it was good (just pasted the link).

Thanks for pointing that out.


> no hassle (if not an exit)

Not 100% true, your server's IP will be banned alongside the IPs of exit nodes. It seems a lot of blacklists don't bother to make the distinction.

https://www.reddit.com/r/TOR/comments/2abne1/hulu_blocked_af...

https://trac.torproject.org/projects/tor/wiki/org/doc/ListOf...


Good point - I did notice this with Hulu, but haven't seen it elsewhere.


I've been running a relay at home for most of this year. The only site I've had issues accessing is Apple's shitty support forums. No big loss.


My sibling comment points out that Tor Cloud is discontinued anyway, but I have some concerns about running a relay on a cloud provider. If a lot of people do this, it seems like it could pose a risk to Tor users' anonymity.

Tor works by bouncing traffic across a few nodes. In an ideal case, these nodes are run by different people in different countries, so even if a vulnerability in a server or legal action exposes the traffic across a single relay, the other nodes are not accessible to the attacker and the users' anonymity is maintained.

If a large number of people start running nodes on cloud services, then this centralizes the nodes under the control of Amazon or whatever cloud provider. Even if you trust Amazon (there are many use cases where you shouldn't) a vulnerability in their cloud services could expose data from ALL of the nodes running on their cloud. I haven't done any specific analysis on this, but my guess is that if 5% of the nodes in the Tor relay system had their data completely exposed, the nodes would include all the nodes along routes for a significant number of users. Combine this with traffic analysis and other attacks, and even more users could be de-anonymized.

I'm by no means an expert on Tor, so I can't say with confidence whether or not this is a concern. Perhaps someone with more knowledge will weigh in.


One interesting thing I read recently is that, when building a circuit, Tor actively avoids picking more than one relay sharing a common attack vector.

Basically, it will not pick more than one relay with the same family id, router or /16 subnet.

Your point is still valid, since AWS and other big web hosts like OVH obviously have a lot of /16 subnets and distinct router addresses, but it's good to see this was anticipated by the design.
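The relay-selection rule the comment above describes, worked through as an added example (this is illustrative code, not Tor's own path-selection implementation). The relay descriptors are constructed for the demo; the rule enforced is the one named in the comment: no two hops in one /16, and no two hops that declare each other as family. Tor only honours a family declaration when it is mutual, and the example does the same, so a one-sided claim does not exclude anyone.

```python
import ipaddress
import random

# Constructed relay descriptors (not real relays): fingerprint, IPv4 address,
# and the fingerprints the relay lists in its MyFamily declaration.
RELAYS = [
    {"fp": "A1", "ip": "198.51.100.10",  "family": {"A2"}},
    {"fp": "A2", "ip": "203.0.113.7",    "family": {"A1"}},  # mutual family with A1
    {"fp": "B1", "ip": "198.51.100.200", "family": set()},   # same /16 as A1
    {"fp": "C1", "ip": "192.0.2.33",     "family": set()},
    {"fp": "D1", "ip": "192.0.2.150",    "family": {"E1"}},  # one-sided: E1 does not list D1
    {"fp": "E1", "ip": "198.18.0.5",     "family": set()},
]


def slash16(ip: str) -> ipaddress.IPv4Network:
    """The /16 containing `ip`; relays in one /16 are treated as co-located."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def same_family(a: dict, b: dict) -> bool:
    """True only when both relays declare each other. One-sided claims are
    ignored, otherwise a relay could push strangers out of circuits."""
    return b["fp"] in a["family"] and a["fp"] in b["family"]


def conflicts(candidate: dict, chosen: list) -> bool:
    """Would adding `candidate` put two hops under one /16 or one family?"""
    return any(
        c["fp"] == candidate["fp"]
        or slash16(c["ip"]) == slash16(candidate["ip"])
        or same_family(c, candidate)
        for c in chosen
    )


def build_circuit(relays, hops=3, seed=None):
    """Pick `hops` relays with pairwise-distinct /16s and no shared family.
    Raises ValueError when the pool cannot satisfy the rule."""
    rng = random.Random(seed)
    pool = list(relays)
    rng.shuffle(pool)
    chosen = []
    for r in pool:
        if not conflicts(r, chosen):
            chosen.append(r)
            if len(chosen) == hops:
                return chosen
    raise ValueError("not enough independent relays for a %d-hop circuit" % hops)


def violations(circuit) -> int:
    """Hop pairs sharing a /16 or a mutual family; 0 means the rule held."""
    return sum(
        1
        for i in range(len(circuit))
        for j in range(i + 1, len(circuit))
        if slash16(circuit[i]["ip"]) == slash16(circuit[j]["ip"])
        or same_family(circuit[i], circuit[j])
    )
```

With this pool a 3-hop circuit is always possible, but asking for five hops fails: only four relays are mutually independent (A2, B1, one of C1/D1, E1), which is exactly the situation the comment above worries about when many relays share a hosting provider's address space.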


Yeah, that's super interesting.

To be fair, I suspect there is already a similar problem simply due to economics: running a relay costs money, so the vast majority of relays are running in the first world, which correlates well with countries that have extradition treaties with the US, for example.


The node constructs the path it uses. As concentration in one area becomes a concern, those nodes can be identified as Amazon based on IP so clients know not to use more than 1 or 2 nodes there.


If you want to run a tor exit node, you can improve the security by subscribing to a rigorous hygiene process that provides accountability of your security upkeep.

* System Hardening

* Log Monitoring

* Intrusion Prevention

* Write processes

* Perimeter Control

A compromised tor exit node is no good because all it takes is switching on NetFlow and all those sensitive packets are captured.

http://motherboard.vice.com/read/how-the-nsa-or-anyone-else-...


> safely bypass surveillance from across the world

Is this true, for a global passive adversary? If all of the nodes which route your link go through a friendly IC that shares ToR traffic patterns, I'm pretty sure traffic analysis can disclose where you are browsing or which hidden service you are visiting (or at least where it's hosted).

Does anyone know more about how a ToR link is chosen, whether you can control it, and what some alternatives might be?


From https://svn.torproject.org/svn/projects/design-paper/tor-des...:

    A global passive adversary is the most commonly
    assumed threat when analyzing theoretical anonymity
    designs. But like all practical low-latency systems,
    Tor does not protect against such a strong adversary.


Since the global passive adversary is now a reality (NSA) it seems like Tor is broken by design.


Not everyone is hiding from the NSA.


So ToR is like a shitty free VPN? Who can one be hiding from that a cheap VPN to a jurisdiction of your choice won't solve much better?


No, it's not. It's also not written ToR. I recommend you venture over to their website and start reading the documentation.


Thanks for the correction, I'm not sure why I decided to upper case the R :)

To clarify what I think you meant to refer me to, the Tor client actually chooses the three nodes in the path of a circuit, doesn't use two nodes on the same subnet, nor ones the network classifies as belonging to the same "family" (although I'm having trouble determining what this means in practice).

Given that there is a hard limit of three nodes in a route, I still have trouble thinking of an adversary that Tor protects you against that a VPN to a jurisdiction of your choosing doesn't, and a VPN is significantly faster...


It's extremely difficult to do (even for the NSA as the leaks mostly showed). Tor is by far the best option that exists today.


The NSA isn't really global, though. For example, if enough ToR traffic were routed via Asia or South America, I imagine they would not be able to perform much traffic analysis on it.


The NSA is very much global and according to the Snowden leaks tapped into a large number of major internet exchanges and sea cables, including the largest internet exchange of the world (Germany, DECIX[2]) as well as the largest exchange in Asia (Hong Kong, HKIX[3]) and South America (Brazil, BRIX[4]) respectively.

From what we know the NSA has global coverage with google-style indexing[1] since at least 2012, possibly earlier.

[1] https://firstlook.org/theintercept/2014/08/25/icreach-nsa-ci...

[2] http://www.ip-watch.org/2015/04/24/largest-internet-exchange...

[3] http://www.scmp.com/news/hong-kong/article/1269773/hong-kong...

[4] http://www.newyorker.com/news/news-desk/what-the-n-s-a-wants...

[5] http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret...

[6] https://docs.google.com/spreadsheets/d/1x6aYnGmbQKzZGLUkWC4m...


Thanks for finding all of those sources. That is indeed a vast network of intercepts, however it's not necessarily "global" in the sense that they monitor all communication. If one could choose their Tor link to include enough paths not likely to be monitored by colluding parties, then one could be more certain they are not facing a "global adversary" in the sense that the Tor site means.


however it's not necessarily "global" in the sense that they monitor all communication.

It is very much global in the sense that they monitor all communication.

How about actually reading some of the sources that you were just provided with?


Not literally all communication in the global sense that Tor refers to. For a trivial example, the wifi signal between my computer and my router is not monitored.

Your references seem to talk about major exchanges all over the globe. Practically speaking, because a Tor client can choose the routers for the link it creates, it could choose three routers behind a single major exchange that is monitored (e.g. in Asia or South America), and hence remain anonymous, because the connections between those routers are not monitored.


because the connections between those routers are not monitored

A correlation attack[1] doesn't care about the intermediate routers. It only requires packet dumps from the entry and the exit node. Both of which, with very high probability, route through networks that are monitored by the NSA.

[1] https://blog.torproject.org/blog/traffic-correlation-using-n...
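The end-to-end correlation attack the comment above points to, as an added example (not code from the Tor Project or the linked post). The observer sees only the client-to-guard link and the exit-to-destination link, never the intermediate relays, bins transferred volume over time on each side, and matches each entry-side flow to the exit-side flow with the highest correlation. All traffic here is constructed: Bernoulli packet arrivals with random sizes, and a fixed latency plus jitter on the exit side.

```python
import random


def make_flow(rng, seconds=60, rate=0.4, burst=12):
    """Constructed client flow: (timestamp, bytes) pairs at 100 ms resolution."""
    pkts = []
    for t in range(seconds * 10):
        if rng.random() < rate:
            pkts.append((t / 10.0, rng.randint(1, burst) * 512))
    return pkts


def delay_and_jitter(flow, rng, base=0.25, jitter=0.05):
    """What the exit side sees: the same bytes, shifted by path latency and
    jitter. Volume per window is what leaks; per-packet size is not used."""
    return [(t + base + rng.uniform(0, jitter), n) for t, n in flow]


def bin_volume(flow, window=1.0, horizon=62.0):
    """Bytes per `window` seconds, as a fixed-length vector."""
    bins = [0] * int(horizon / window)
    for t, n in flow:
        idx = int(t / window)
        if idx < len(bins):
            bins[idx] += n
    return bins


def pearson(x, y):
    """Pearson correlation; 0.0 when either side is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / ((sxx * syy) ** 0.5) if sxx and syy else 0.0


def correlate(entry_flows, exit_flows):
    """{entry_index: exit_index} chosen by best binned-volume correlation."""
    e = [bin_volume(f) for f in entry_flows]
    x = [bin_volume(f) for f in exit_flows]
    return {i: max(range(len(x)), key=lambda j: pearson(e[i], x[j]))
            for i in range(len(e))}


def demo(n_clients=8, seed=1):
    """Return (correctly matched flows, total flows) for a constructed batch."""
    rng = random.Random(seed)
    entries = [make_flow(rng) for _ in range(n_clients)]
    order = list(range(n_clients))
    rng.shuffle(order)                      # exit side sees flows in unknown order
    exits = [delay_and_jitter(entries[i], rng) for i in order]
    guess = correlate(entries, exits)
    truth = {order[j]: j for j in range(n_clients)}
    correct = sum(1 for i in guess if guess[i] == truth[i])
    return correct, n_clients
```

Nothing in the middle of the path is consulted; the attack only needs both ends, which is why the number or location of intermediate relays does not help against it.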


Good point. I wonder how useful that is in practice with the amount of traffic going through the Tor network. It seems to me that the more people use it, the harder it would be to get accurate correlations. That said, I wouldn't be surprised if some clever math can do so more accurately than has been published.


Your client constructs the whole path. You can take whatever route you desire.


Will running a relay decrease the chances of my guard nodes fingerprinting me (because of other people's injected traffic)? Or maybe the relay traffic is completely different and detectable from the normal Tor usage traffic?


I'm speculating, but I'd suspect that your traffic connects and initially passes through your guard node while traffic passing through your relay is probably going to other nodes in the network (since guard nodes are used for initial connections and as a relay you're already the middle node).

In this case it wouldn't help conceal anything extra from your guard node.

For those who don't know, guard nodes are the nodes you initially connect to. In Tor once established, your first hop is always to the same node - this is because it's assumed some nodes are bad actors and if the first node is randomly selected each time your chance of eventually connecting to a node trying to collect information is high and partial compromise isn't much better than fully compromised.

By selecting and using one guard node for your initial connection it's either a bad actor or not, but if it isn't then you're good to go from then on.

When you run a relay if your relay is fast, stable and online for a while (60 days I think) the Tor network will automatically turn your relay into a guard.
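The reasoning in the comment above about why a fixed guard beats a fresh random entry for every circuit, worked through as an added example (illustrative code, not Tor's). With a fraction f of relays hostile, it compares the chance that at least one of n circuits has a hostile entry, and the chance that some circuit has a hostile entry and exit at once (the pairing a correlation attack needs), with and without a pinned guard, and checks the closed forms against a Monte Carlo run. The relay count, f and n are assumed values for the demo.

```python
import random


def p_hostile_entry(f: float, n: int, fixed_guard: bool) -> float:
    """P[at least one of n circuits starts at a hostile relay]."""
    return f if fixed_guard else 1 - (1 - f) ** n


def p_both_ends_hostile(f: float, n: int, fixed_guard: bool) -> float:
    """P[some circuit has a hostile entry AND a hostile exit]. With a pinned
    guard the bad-guard event happens once (prob f); only exits then vary."""
    return f * (1 - (1 - f) ** n) if fixed_guard else 1 - (1 - f * f) ** n


def simulate(f: float, n: int, fixed_guard: bool, trials=4000, relays=1000, seed=0):
    """Monte Carlo check of the formulas. Relays are indices 0..relays-1 and
    the first int(f*relays) are hostile. Returns (P[any hostile entry],
    P[any both-ends-hostile circuit]) as observed frequencies."""
    rng = random.Random(seed)
    hostile = int(f * relays)
    any_entry = any_both = 0
    for _ in range(trials):
        guard = rng.randrange(relays)           # chosen once per client
        hit_entry = hit_both = False
        for _ in range(n):
            entry = guard if fixed_guard else rng.randrange(relays)
            exit_ = rng.randrange(relays - 1)
            if exit_ >= entry:                  # exit is never the entry relay
                exit_ += 1
            if entry < hostile:
                hit_entry = True
                if exit_ < hostile:
                    hit_both = True
        any_entry += hit_entry
        any_both += hit_both
    return any_entry / trials, any_both / trials
```

With f = 0.1 and n = 50 circuits, random entries give a hostile entry almost surely (about 0.99) and a both-ends exposure of roughly 0.4; a pinned guard caps both at about 0.1. The cost is the one the comment names: if the guard is hostile, it stays hostile for every circuit.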


What sort of legal protections does USA have for people running a Tor node?


Generally speaking, running a relay node is considered to be fairly safe and hassle-free.

Running an exit node is more of a hassle, you'll usually be receiving a lot of DMCA notices and a lot of ISPs won't permit running exit nodes from their network.

There has been at least one case outside of the US where an exit node operator was prosecuted and found guilty of aiding in distributing child porn [1].

[1]: https://www.techdirt.com/articles/20140701/18013327753/tor-n...


It's probably legal, but it hasn't yet been tested in courts: https://www.torproject.org/eff/tor-legal-faq.html.en


What sort of legal protections does Canada have for people running a Tor node?


A relay which is not an exit is practically zero risk. The design of the Tor system means you'll be receiving an encrypted packet from one source, unwrapping one layer of encryption, and passing it on to the next relay in the chain, with no knowledge of the original source, final destination, or true packet contents.
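The one-layer unwrapping the comment above describes, as an added example (a structural illustration, not Tor's protocol or code). The client wraps the message once per hop, innermost layer first; each relay holds a key shared with the client, strips exactly one layer, and learns only who handed it the cell and where to send the remainder. Stdlib only: a SHA-256 counter-mode keystream stands in for the real per-hop ciphers, so it is not secure and is here only to make the layering visible. Keys, hop names, the destination and the payload are constructed.

```python
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter). Symmetric, so the
    same call encrypts and decrypts. NOT secure; demo stand-in only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(path, keys, dest, payload: bytes) -> bytes:
    """Client side. The exit's layer is built first so the first relay peels
    the outermost one. Each layer names only the next hop; everything past it
    is opaque ciphertext for that relay."""
    next_hops = path[1:] + [dest]
    onion = payload
    for hop, nxt in reversed(list(zip(path, next_hops))):
        layer = {"next": nxt, "final": hop == path[-1], "data": onion.hex()}
        onion = keystream_xor(keys[hop], json.dumps(layer).encode())
    return onion


def unwrap_one(key: bytes, onion: bytes):
    """Relay side: strip exactly one layer. Returns (next_hop, is_final, inner).
    With the wrong key the result is garbage and JSON parsing fails."""
    layer = json.loads(keystream_xor(key, onion))
    return layer["next"], layer["final"], bytes.fromhex(layer["data"])


def run_circuit(client, path, keys, dest, payload: bytes):
    """Simulate the forward direction and record what each relay could see."""
    onion = wrap(path, keys, dest, payload)
    views = {}
    prev = client
    for hop in path:
        nxt, final, inner = unwrap_one(keys[hop], onion)
        views[hop] = {"from": prev, "to": nxt, "sees_plaintext": final,
                      "bytes_seen": inner}
        prev, onion = hop, inner
    # the exit forwards `onion`, now plaintext, to `nxt` (the destination)
    return nxt, onion, views


# Constructed circuit: per-hop keys the client negotiated (fixed bytes here).
KEYS = {"relay-A": b"k-guard", "relay-B": b"k-middle", "relay-C": b"k-exit"}
PATH = ["relay-A", "relay-B", "relay-C"]


def demo():
    return run_circuit("client", PATH, KEYS, "example.org:443", b"GET / HTTP/1.1\r\n")
```

In the recorded views the guard sees the client and relay-B, the middle relay sees relay-A and relay-C and cannot read the bytes it forwards, and only the exit sees the destination and the plaintext, which is the asymmetry behind the comment's point that a non-exit relay carries little risk.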


If you know a librarian who might be interested in participating in the future, consider encouraging him or her to fill out this questionnaire:

https://libraryfreedomproject.org/questionnaire/


I wonder how many DMCA requests they will get and if the administrative overhead with it will kill the Pilot.


From http://www.ala.org/advocacy/copyright/dmca/guidance:

Section 404 of the DMCA updates section 108 of the Copyright Act to allow libraries and archives to take advantage of digital technologies when engaging in specified preservation activities. The amendment to subsection 108(a)(3) is intended to ease the burden on libraries and archives of the current law's requirement that a notice of copyright be included on copies that are reproduced under section 108. Under this amendment, such notice would be required only where the particular copy that is reproduced by the library or archive itself bears a notice. The amendment to subsection 108(b) permits a library or archive to make up to three copies or phonorecords, rather than just one, for purposes of preservation and security or for deposit for research use in another library or archives, and permits such copies or phonorecords to be made in digital as well as analog formats. The amendment provides that any such copy in a digital format must not be otherwise distributed in that format and must not be available to the public outside the premises of the library or archives.


That isn't immunity to frivolous DMCA notices or the ability to ignore DMCA notices.

By serving as an exit node, they are able to take it off premises.

> The amendment provides that any such copy in a digital format must not be otherwise distributed in that format and must not be available to the public outside the premises of the library or archives.


Yeah, that's a specific example they point out in the guidelines.

But there's another section that also applies to higher ed institutions which remits all damages and criminal charges if they prove they had no knowledge of it (actively) going on. That's the provision they'll probably hide under.

edit: I should clarify, most DMCA complaints are from third parties who get paid from the settlements. Eliminating the financial incentive to pursue legal action pretty much eliminates the threat of prosecution.


Does that exemption hold true the second or third time they get hit with a legal notice about the same issue and their Tor exit node?


Or notices from law enforcement, in the event that their exit node is used to commit a crime.


Well they likely already get some since they have quite a few people using their wifi.


While they're not an exit node, none.


https://pando.com/2014/07/16/tor-spooks/

  In 2006, Tor research was funded through a no-bid
  federal contract awarded to Dingledine’s consulting
  company, Moria Labs. And starting in 2007, the Pentagon
  cash came directly through the Tor Project itself —
  thanks to the fact that Team Tor finally left EFF and
  registered its own independent 501(c)(3) non-profit.

  How dependent was — and is — Tor on support from
  federal government agencies like the Pentagon?

  In 2007, it appears that all of Tor’s funding came from
  the federal government via two grants. A quarter million
  came from the International Broadcasting Bureau (IBB), a
  CIA spinoff that now operates under the Broadcasting Board
  of Governors. IBB runs Voice of America and Radio Marti, a
  propaganda outfit aimed at subverting Cuba’s communist
  regime. The CIA supposedly cut IBB financing in the 1970s
  after its ties to Cold War propaganda arms like Radio Free
  Europe were exposed.

  The second chunk of cash — just under $100,000 — came
  from Internews, an NGO aimed at funding and training
  dissident and activists abroad. Tor’s subsequent tax
  filings show that grants from Internews were in fact
  conduits for “pass through” grants from the US State
  Department.


All this is public information, repeated many many times by the Tor developers themselves. It's on the "financial reports" section of torproject.org. Go and check it out.

It's good to be critical of things especially where security is concerned, but if the code is open, the protocol is open, the development is open, I don't see how it matters if it was a US Navy project?

(Pando's articles usually lack substance)


https://www.torproject.org/about/sponsors.html.en

The NSA fully-funded and wrote SELinux, too. So what?


I am naive on this topic.

Sincere question: don't these facts call the utility of SELinux and Tor into question?

If the answer is "because math", well... I don't speak math. Being illiterate in this manner, I must depend on the reputations of the parties involved (and the reputations of the parties that report who was involved!).

So... Can a person who does not trust the NSA trust products they paid for?


> Can a person who does not trust the NSA trust products they paid for?

Remember a couple of things:

* The NSA relies on SELinux as a part of their internal computer security system. (However, as the NSA document leaks reveal, even the best system fails when poorly configured!)

* Both SELinux and Tor are open source software, developed in the open. It's not unthinkable that there's a problem with the design of the software of either project, but the commit history and mailing lists of both projects are available for public perusal and audit.

* Well regarded security researchers have looked at both Tor and SELinux and declared them to be reasonably well designed systems that do what they say on the tin.

Anyway. If the NSA involvement really squicks you out, there's always either Grsecurity and PaX [0] or AppArmor [1]. Grsecurity is primarily developed by Brad Spengler. PaX is developed by an anonymous cabal known as PaX Team. [2] AppArmor has been developed by Canonical (the Ubuntu guys) since ~2009.

[0] https://en.wikipedia.org/wiki/Grsecurity

[1] https://en.wikipedia.org/wiki/AppArmor

[2] AIUI, it is the PaX Team's refusal to identify themselves that prevents Grsecurity and PaX from ever being merged into mainline Linux.


> The NSA relies on SELinux as a part of their internal computer security system.

And DISA STIGs (e.g., for RHEL) require SELinux to be enabled and enforcing.


Man, those STIGs are both a blessing and a curse for defense contractors.

A blessing, 'cause if your system is configured as per the STIG, there's not a damn thing the auditors can say when they roll through.

A curse for many folks deploying a Linux system, 'cause if your particular variant of Linux doesn't have a STIG, -regardless of how similar it is to one that does- IME there's next to nothing you can do to get an auditor to approve the hardening work you've done.


Slightly off-topic here, but flipping through this[1] Abstract Algebra textbook(2009), I found it amusing that the author thanks NSA for support among others :D.

[1] http://www.amazon.com/Algebra-Chapter-Graduate-Studies-Mathe...


You can definitely trust the sensational value in finding out that any project advocating freedom and data security would be exploited by a government.

That's what I do, it's not perfect but I love reading source code and figuring out how things work so I know others, much smarter than me, love that too.

The public cases of the US government going after Tor, for example, have all read like external attacks on the protocol design flaws to build a larger case.

I would be more suspicious over placing exit nodes in libraries because I assume they're state owned in the US. Don't know since I'm not from there though. I just think it's sort of ironic because the attacks that have been performed all required possession of exit nodes.


> I would be more suspicious over placing exit nodes in libraries...

Librarians are more often rabidly pro-privacy and pro-anonymity than not. They're often very well read, well educated, and know their history.

> I just think it's sort of ironic because the attacks that have been performed all required possession of exit nodes.

Unless you have information that I do not (if you do, please link to it) control of a single exit node gives you no more power than your ISP already has over you. What attacks were you thinking of? Keep in mind that Tor explicitly does not protect against:

* An adversary that can listen to the communication between a large number of nodes in the Tor network and targeted Tor users. (Similarly, Tor cannot protect against a malicious adversary who controls a very large number (1/3? 51%? I can't remember) of the nodes in the Tor network.)

* Tampering with or recording of the data that leaves or is returned by a Tor exit node. (Again, this is an attack that anyone between you and your communication partner can launch, whether you're using Tor or not.)


>Librarians are more often rabidly pro-privacy and pro-anonymity than not. They're often very well read, well educated, and know their history.

Few librarians are involved in network operations at the library though. I'm just speaking from my experience here in Sweden but that stuff is usually handled by a local IT department or outsourced to a company.

So the danger would be in having a federal oversight on network operations of libraries. I do not believe we have that in Sweden at least. Probably the US government allows libraries to manage themselves on that front too.

>Unless you have information that I do not (if you do, please link to it) control of a single exit node gives you no more power than your ISP already has over you. What attacks were you thinking of? Keep in mind that Tor explicitly does not protect against:

Exit nodes, as in plural.

So hypothetically if the federal government did manage network operations for libraries in the US, and the Tor network was successful in onboarding many libraries in this project, that could mean massive control of Tor exit nodes.


I don't think they're state-owned, but they depend on community and county (and maybe state and Federal) sources for funding. Depending on the community politics, libraries could face funding cuts for running exit nodes.

If the library staff are at all bureaucrat-savvy, they can probably obfuscate the activity. I hope so. I think this is a very good idea.


I think he means state-owned in the sense that the IC can easily watch the traffic going to and leaving the exit node, and with many exit nodes leveraging this into a passive attack on the network.

If this is true, if ToR is to stick to a goal of establishing truly anonymous browsing, ToR needs to establish links through a diverse number of jurisdictions.


That is interesting. Yes, many states have a "schools and libraries" WAN which public and private EDU-related facilities participate in. Said network is surely monitored by commercial network appliances. (BlueCoat et al.)

I haven't heard of them being monitored in more competent ways, but the opportunity is surely there.


Don't take this the wrong way, but... this is hardly news. From top of the Tor Project's "Who uses Tor?" page:

"Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the Naval Research Laboratory.[0] It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications." [1]

The article you link to quotes one of the original TOR authors, but fails to link to his words. They're here. [2]

Even if Tor hadn't originally been built by the NRO, spooks would still be using it for their "open source" intelligence gathering: it is effective, well-built software that protects against the threats that it claims to protect against.

That Pando Daily article attempts to claim that the fact that NSA captures Tor traffic makes Tor a danger. The leaked NSA slides from which that fact comes also reveal that NSA captures and stores (for a long time) all encrypted traffic that they cannot decrypt. [3] This means that connecting to a non-USian site using SSL/TLS makes you just as much a target as Tor usage. :)

I get that people freak out about government funding of this project or that project, but there are a few things to keep in mind here:

1) Tor is open source and is developed in the open. [4]

2) Respected cypherpunks and cryptographers have periodically evaluated the project and declared it to be effective and high quality.

3) A weakening of Tor or the Tor Network reduces its value for intelligence gathering and covert law enforcement operations.

I welcome your questions and/or comments. :)

[0] That phrase links to http://www.onion-router.net/

[1] https://www.torproject.org/about/torusers.html.en

[2] https://lists.torproject.org/pipermail/tor-talk/2011-March/0... (Notice that this is an official Tor Project mailing list archive, and that the message is still visible. :) ) Extended discussion is available here: http://www.cryptome.org/0003/tor-spy.htm

[3] Other NSA slides reveal that the NSA can't actually break Tor. They have to rely on endpoint compromise or improper configuration of hidden services to unmask Tor users.

[4] https://gitweb.torproject.org/tor.git/



