Silk Road forums
Discussion => Security => Topic started by: kmfkewm on September 21, 2013, 08:46 am
-
added to front page of Tor site
Update: it may be that Tor can't protect you against NSA's large-scale Internet surveillance, and it may be that no deployed anonymous communication tool can. We're also working on educational materials to explain the issues. Stay tuned!
-
I don't know how he is perceived in his native America but, to me, Edward Snowden is a hero!
-
Well that doesn't sound good.
I'm assuming this has something to do with speculation around that QUICK ANT?
-
That is a surprising admission, coming from them. I guess they can't pussyfoot around the issue anymore.
So, other than writing materials to better explain how fucked we are, are they planning ways to improve Tor? I don't mean decreasing the number of entry guards and increasing the rotation period. Entry guards don't really matter anymore if you are an American, because the NSA is likely tapping many points between you and every entry guard.
Do we need to scrap Tor and put the efforts of the privacy/anonymity community behind a completely different system?
Where do we go from here?
-
Do we need to scrap Tor and put the efforts of the privacy/anonymity community behind a completely different system?
Yes.
where do we go from here
Mixnet + PIR
-
added to front page of Tor site
Update: it may be that Tor can't protect you against NSA's large-scale Internet surveillance, and it may be that no deployed anonymous communication tool can. We're also working on educational materials to explain the issues. Stay tuned!
Well all the signs have been pointing in that direction, time for completely new system, the Tor life support machine just had the plug pulled :(
-
Guys this has been in the "issues" and changelog documentation for ages, at least implicitly. It's saying something though when they come out and state it explicitly.
Why are you saying to scrap TOR and start from scratch?? The problem with PUBLIC networks such as tor is that ANYONE can access them. The most secure model could be one that relies on requiring PHYSICAL access. But this doesn't seem at all realistic now does it? We got to stick with the interwebs for now.
-
Broadly speaking, don't most known Tor deanonymization attacks affect users who visit clearnet sites rather than hidden services?
-
no
-
So how will we all go about this, In my opinion we should all change from tor before the shit hits the fan.
KMF can you tell us a bit more about mixnet + PIR? Thank you.
This just got very hazardous.
-
Guys this has been in the "issues" and changelog documentation for ages, at least implicitly. It's saying something though when they come out and state it explicitly.
Why are you saying to scrap TOR and start from scratch?? The problem with PUBLIC networks such as tor is that ANYONE can access them. The most secure model could be one that relies on requiring PHYSICAL access. But this doesn't seem at all realistic now does it? We got to stick with the interwebs for now.
that is not the problem with networks like Tor, at all. The more people who use an anonymity network, the better it is. Physical anonymous communication sounds, well, not feasible at all for a large group of people around the entire world to do? Not very anonymous probably, depending on how it is implemented? We saying scrap Tor and start from scratch because Tor model is fucked. I2P model is fucked. VPN model is fucked. Proxy model is fucked. These were always toy technologies to begin with. The real anonymity has always been in the mix network designs. When they made these low latency solutions they said "high latency is not really that user friendly, but it assumes a super strong attacker. Let's try to make it user friendly by assuming a vastly weaker attacker, and hope that there are no super strong attackers". There was a super strong attacker, it was NSA. And GCHQ. And other SIGINT agencies. And they shared intelligence with police, which was a surprise to many including myself. And they networked together into essentially international massive intelligence cooperatives, Australia + UK + Canada + USA SIGINT = tremendously powerful attacker, the type of attacker that the mix networks hoped to protect from but way way past what Tor was ever meant to protect from, way way past what I2P or proxy or VPN was ever meant to protect from. Not only that, but research into these technologies ended up showing over time that they were not even as good against the weaker attackers they set out to protect from as they hoped to be at first. And that research is just stacking up paper after paper. They aimed to add user friendlyness to anonymity by making these technologies, and the cost was to protect from a much weaker attacker than the mix networks. But they under estimated the strength of the attackers in reality and they under estimated how much their designs would weaken the anonymity properties of their networks against the weaker attackers they aimed to protect from. The end result is that their networks are not safe to trust your life to, because not only are there big powerful attackers in reality who they thought they didn't need to protect from because they thought they didn't exist, but the weaker attackers they tried to protect from who they knew existed turned out to be able to do a lot more against their networks than they originally thought they would be able to do. It is a double whammy combo punch and the result is these technologies are KO'ed. Time to bring in the heavy weight boxers, and those are the mix networks, the PIR based solutions, the DC-net based solutions, the covert channel based solutions, etc. Not the low latency proxy with some fancy encryption and padding solutions.
-
Guys this has been in the "issues" and changelog documentation for ages, at least implicitly. It's saying something though when they come out and state it explicitly.
Why are you saying to scrap TOR and start from scratch?? The problem with PUBLIC networks such as tor is that ANYONE can access them. The most secure model could be one that relies on requiring PHYSICAL access. But this doesn't seem at all realistic now does it? We got to stick with the interwebs for now.
that is not the problem with networks like Tor, at all. The more people who use an anonymity network, the better it is. Physical anonymous communication sounds, well, not feasible at all for a large group of people around the entire world to do? Not very anonymous probably, depending on how it is implemented? We saying scrap Tor and start from scratch because Tor model is fucked. I2P model is fucked. VPN model is fucked. Proxy model is fucked. These were always toy technologies to begin with. The real anonymity has always been in the mix network designs. When they made these low latency solutions they said "high latency is not really that user friendly, but it assumes a super strong attacker. Let's try to make it user friendly by assuming a vastly weaker attacker, and hope that there are no super strong attackers". There was a super strong attacker, it was NSA. And GCHQ. And other SIGINT agencies. And they shared intelligence with police, which was a surprise to many including myself. And they networked together into essentially international massive intelligence cooperatives, Australia + UK + Canada + USA SIGINT = tremendously powerful attacker, the type of attacker that the mix networks hoped to protect from but way way past what Tor was ever meant to protect from, way way past what I2P or proxy or VPN was ever meant to protect from. Not only that, but research into these technologies ended up showing over time that they were not even as good against the weaker attackers they set out to protect from as they hoped to be at first. And that research is just stacking up paper after paper. They aimed to add user friendlyness to anonymity by making these technologies, and the cost was to protect from a much weaker attacker than the mix networks. But they under estimated the strength of the attackers in reality and they under estimated how much their designs would weaken the anonymity properties of their networks against the weaker attackers they aimed to protect from. The end result is that their networks are not safe to trust your life to, because not only are there big powerful attackers in reality who they thought they didn't need to protect from because they thought they didn't exist, but the weaker attackers they tried to protect from who they knew existed turned out to be able to do a lot more against their networks than they originally thought they would be able to do. It is a double whammy combo punch and the result is these technologies are KO'ed. Time to bring in the heavy weight boxers, and those are the mix networks, the PIR based solutions, the DC-net based solutions, the covert channel based solutions, etc. Not the low latency proxy with some fancy encryption and padding solutions.
Well said kmf, perhaps you could create a thread and tell people about it and perhaps add a basic how to. I have a very uneasy feeling that tor is about to be compromised, The fact that the tor website has posted that on their homepage now has taken the element of surprise away from the NSA, as If they could break the encryption or exploit tor easily enough, then I bet they would not let people know until they were breaking down the doors of some HVT's.
Now that that surpise has been taken away from them, the logical thing to do is strike as fast as possible. I am getting very uneasy about it all now.
SW
-
...There was a super strong attacker, it was NSA. And GCHQ. And other SIGINT agencies. And they shared intelligence with police, which was a surprise to many including myself. And they networked together into essentially international massive intelligence cooperatives, Australia + UK + Canada + USA SIGINT = tremendously powerful attacker, the type of attacker that the mix networks hoped to protect from but way way past what Tor was ever meant to protect from, way way past what I2P or proxy or VPN was ever meant to protect from...
kmfkewm, two things immediately spring up: how do the people who implement the anonymity networks for accessing our dear sites, such as SR, set up an (essentially, and correct me if I'm wrong) brand-new network using this mixnet and PIR?
And two, how do the end users such as ourselves, go about using these technologies to access our dear sites (SR, etc.)? Keeping in mind that the vast majority of people, myself included, are not tech-savvy like you and astor. This will be a hell of a challenge.
How long will such a hypothetical changeover take? To say I'm worried is a vast understatement.
goblin
-
I am still supremely confident in my anonymity practices.
I use a super powerful antenna to pick up a free WiFi signal from half a mile away. I log onto this signal with a Linux computer bought with cash that is not used for anything else but SR. I then open a VPN connection from a VPN company in a country that disallows keeping log records. I then open up Tor. And THEN I log onto SR.
They can know the DSN and it won't matter because it is the DSN of the VPN. They can find out the VPN network and it won't matter because there are no logs. They can know my actual physical address of the underlying initial internet access and it won't matter as it is half a mile away from me and not mine. They can hack into my computer and try to determine some identifying information from in it but it won't matter because the computer is clean and was paid for in cash. There is no way to identify me technology wise.
Look if all you use is Tor then they MIGHT be able to use massive amounts of resources representing billions and billions of dollars of several of the biggest countries in the world to find out a real IP for you but that is why you use LAYERS of security and not just one. We are talking about how it might be possible with massive amounts of resources to break this one layer, but add a couple more layers and see what happens. Even if it is technically possible it is just not practically possible.
-
Oh also. If any vendor here does get arrested and the investigation originated from your identity being revealed then your lawyer can most definitely assume the NSA was involved (they tip off FBI or DEA) and if he can get someone to admit it then your whole fucking case is getting thrown out. Of course finding this out will be expensive and your lawyer will have to be good since it was in the news the NSA coaches the DEA on how to lie about their involvement.
-
You have to consider that Tor was compromised at its inception. Look who invented it. ;)
That said, now consider in total the sort of LEO efforts that have occurred since Tor's inception. Kind of tells you who and what LEO is concentrating their efforts on.
You can't think that the Patriot Act was the start of NSA snooping on... everything.
-
To preface.. kmfkewm has obviously spent much more time thinking about this than I have. He's basically been saying exactly this for quite some time, and he's correct. Tor, or any "let's do really clever routing and encryption and padding to make it hard to figure out what's going on" method of low-latency anonymity, doesn't stand up to an adversary who can see a large portion of Internet traffic.
And so everyone understands what low-latency is: The web is low latency. FTP, IRC and chat are low latency. Streaming video is low-latency. You open a browser, make a connection, wait x many seconds, and you make a connection to a site and get your content. You open a chat client, type something, and it makes a connection to a server (or to me) and I see your message.
High latency networks (like mixnets, Freenet to some degree) don't provide instant gratification. You request a resource (a message, a copy of a static website, whatever), and that message gets bounced around for a while, and the content works its way back to you. Maybe in a minute, maybe in a day. Maybe in 30 seconds. But the key here is that it's not establishing a *connection* between two points (you and your server/destination) and grabbing the content. It's you, sending a message, waiting for a response. Email is high-latency. Usenet is high-latency. Downloading a video, then watching it is high-latency.
When you're talking about an adversary the size of NSA, they're always going to be able to see enough network traffic to follow *connections* around the Internet. High-latency Mix/etc networks separate the connection from the actual conversation. This lets them chop the conversation up into pieces, toss it in with other pieces of other people's conversations, and keep an adversary from saying "Aha! That specific request is from X! He's sending a message to Y!"
No technology is going to keep NSA from seeing that *your IP* is making connections and participating in an anonymity network. Nor is it going to keep someone that size from seeing what servers you're connecting to. Or seeing who else is connecting to the same server, and possibly correlating that traffic.
But it can provide massively better protection against those agencies identifying what you're doing. In some perfect, "everybody uses a perfect high-latency anonymity technology" world, NSA can still see that you're using anonymity technologies. Just not what you're doing. Maybe you're sending an message. Or participating in a group chat. Or downloading a catalog of products from a vendor and sending a message to transmit an order.
However, we're not just one missing piece of technology away from that happening this week. kmfkewm's project to build a PIR/etc system is fantastic. But even if he finishes it tomorrow, and it's ready for production, and he stands one up on the Internet, what you have is a single PIR server, sitting on the Internet, able to securely route messages from Client A to Client B, with nobody else able to see what they're doing. But they'll still be able to see all the clients connecting to the server. They can't know what they're doing, but they'll know they're using that server.
One single perfect PIR server doesn't fix the problem. It's a key part of the equation, but it's nowhere near the whole equation. Sure, it's cryptographically awesome, but from a practical anonymity perspective, if there's just one single server sitting on the Internet, doing amazing crypto stuff, it's really not that much better than a hidden webserver just routing PGP messages between users. If someone seizes that server, and backdoors it, they're going to be able to see that Client A sent something encrypted to Client B, and because of their NSA-level view of the world, they probably will know who Client A & B are. Not what they said, but everything else about their conversation.
A hundred isolated PIR servers, acting as little individual islands of communication, still basically have the same problem. They have to be able to communicate with each other, forming a meshed network of mixing and content delivery, that actually decentralize the network.
Freenet solves a number of these problems, but ends up having huge problems of its own unless you're only talking to a limited group of people you already know. Namely, NSA can stand up a thousand other Freenet nodes and figure out who is sending what request for what content.
kmfkewm, I'd love to know where you see those technologies evolving, and how you see the world working after the actual implementation of PIR/etc technologies. Is every user node routing traffic for others? Or are they connecting to central servers? Do PIR storage servers talk to each other, or are they islands?
And everyone who said "We need an easy way to do that" is hitting the nail perfectly on the head. Even if the world's best anonymity network is built, if only two people are using it, then it's still not anonymous. You need more widespread adoption to get the true benefit from mix technologies. Basically, I have to have enough "other" traffic to mix my traffic with with before I can hide in that traffic.
-
Our Governments in the 'free world' have run trampled all over our human rights, shat on our privacy and ignored or broken our very own statutes, constitutions and basic fundamental laws.
Tor may well be vulnerable or even compromised but as I understand it despite misrepresentation from Governments and main stream media encryption still has them fucked, it protects you when used for important things like ........ the address's where the orders are going to 8).
more info in pretty plain english for us non-tech heads here http://publicaddress.net/onpoint/the-gift-that-keeps-on-making-me-barf/
I think on a grand scale it will be consumers and voters who help swing the tide against America and Co's world wide surveillance wet dream.
With the 'back doors' and insecurity's installed into things like microsoft, i-phones, androids, face-book etc etc etc these company's could lose MILLIONS of customers . USA cloud storage companies and start ups have just been killed by their own spook's and spys.
Other country's are looking to re-route internet traffic so it stays away from usa servers where it all gets collected and 'analyzed'.
So vote with your wallets and internet habits as a matter of course.
use encryption when it counts and have that program on a usb.
A modem stick as opposed to a phone jack seems logical.
And a virtual machine seems a good idea.
Most customers on SR are just buying small personal amounts and that in itself is a positive safety aspect for them.
Sellers are probably safer than selling drugs in the traditional manner
Just my opinion on this peaceful revolution :)
-
wow, the amount of FUD being slung around is incredible. for those not in the know this is the fundamental problem with tor or any low latency network; when you make a connection your computer sends a packet out and sooner than later the server you are connecting to receives it. This make it vulnerable to a correlation attack if an opponent like the NSA can see the entire network (particularly the entry node and the server you are connecting to), encrypted or not. Even through tors clever 3-hop proxy design (where each hop knows the previous hop and the next one but no more) keeps anyone with a partial view of the network from seeing whats happening if you have a birds eye view you can be fairly sure who is connecting to what. NOW b4 u all get paranoid, this is what keeps the NSA from knowing FOR SURE, its called ENCRYPTION and it prevents a passive observer from seeing what you are sending and who you are sending to.
NOW what is getting everyone all in a ruff over the security of tor are the recent revelation that the NSA MIGHT JUST HAVE COMPROMISED THE ENCRYPTION STANDARD THAT TOR RELIES UPON AND POSSIBLY EVERY ENCRYPTION STANDARD THERE IS. Very intelligent people are working on this at the moment but these things take time. AS IT STANDS CRYPTO MATH IS IMPOSSIBLE TO DECRYPT WITHOUT HAVING THE KEY EVEN WITH A MILLION BILLION SUPERCOMPUTERS, but the implementation of the math is where the NSA may have attacked, and has attacked before as revealed by the Snowden intel.
There however is another form of network, its called HIGH LATENTCY. As was described earlier in this thread, you send a request and it gets bounced around the network until it gets back to you. LATENTCY = TIME, so this type of network CANNOT BE USED FOR COMMERCE. The reason high latentcy is considered more secure is that it makes it impossible to do a timing correlation attack as every node takes it sweet fucking time. Also these networks typically provide PLAUSABLE DENIABILITY. That is everyone acts as a relay so its all but impossible to say any one node "requested" or sent information to or from another node.
This is where TOR needs to change. Timing attacks would mean diddly fucking squat if everyone acted as a relay (i2p's main strong point). Also this stupid fucking botnet bullshit TOR is suffering from could not happen if everyone acted as a relay, in fact it would make the network substantially stronger.
But then if NSA has compromised crypto then all is lost. But until then TOR needs to change from its leecher model and move towards a bittorrent/freenet/i2p/everyfuckingdecentsecurenetwork "give as much as you take" model. This can easily be achieved by following in freenets footsteps and make it hard to use the network without being logged in for x number of hours, this will train people to leave tor running. Another way would be to offer a "TOR on a router" package so people dont have to leave their computers running all the time.
my 2c.
-
I don't know how he is perceived in his native America but, to me, Edward Snowden is a hero!
He's the greatest hero of our generation.
-
Tor is useless if your adversary can basically watch the entire internet. I guess we'll eventually need to branch off from the global internet like that South American country (Brazil?) is doing. Packet radio anyone? lolol
I doubt the NSA is going to start deanonymizing SR users any time soon, but this does underscore the need for PGPing EVERYTHING and using a hardened live OS such as TAILS so that there is no record of your activities even if they you are found.
Any data that needs to be stored permanently should be encrypted via a dedicated box that is NEVER connected to the internet. If you are hiding something big, you may want to use a laptop so that it can be taken with you and not left behind to be exploited, bugged, keylogged, etc.
-
I am still supremely confident in my anonymity practices.
I use a super powerful antenna to pick up a free WiFi signal from half a mile away. I log onto this signal with a Linux computer bought with cash that is not used for anything else but SR. I then open a VPN connection from a VPN company in a country that disallows keeping log records. I then open up Tor. And THEN I log onto SR.
They can know the DSN and it won't matter because it is the DSN of the VPN. They can find out the VPN network and it won't matter because there are no logs. They can know my actual physical address of the underlying initial internet access and it won't matter as it is half a mile away from me and not mine. They can hack into my computer and try to determine some identifying information from in it but it won't matter because the computer is clean and was paid for in cash. There is no way to identify me technology wise.
Look if all you use is Tor then they MIGHT be able to use massive amounts of resources representing billions and billions of dollars of several of the biggest countries in the world to find out a real IP for you but that is why you use LAYERS of security and not just one. We are talking about how it might be possible with massive amounts of resources to break this one layer, but add a couple more layers and see what happens. Even if it is technically possible it is just not practically possible.
If you are in USA your traffic to your VPN goes through the same monitored IX's as everybody else, and after they locate the WiFi access point they can pinpoint you with directional antennas.
-
High latency networks (like mixnets, Freenet to some degree) don't provide instant gratification. You request a resource (a message, a copy of a static website, whatever), and that message gets bounced around for a while, and the content works its way back to you. Maybe in a minute, maybe in a day. Maybe in 30 seconds. But the key here is that it's not establishing a *connection* between two points (you and your server/destination) and grabbing the content. It's you, sending a message, waiting for a response. Email is high-latency. Usenet is high-latency. Downloading a video, then watching it is high-latency.
How long traffic mixes for is less important than how much other traffic it mixes with. If a message is delayed for two weeks but nobody else mixes traffic on that node, it might as well have been mixed for two seconds. If your traffic is mixed for two seconds but ten thousand other people sent traffic over that node, then it would be just the same as mixing for two weeks with ten thousand other people sending traffic over the node. So the more heavily used a mixnet is the faster it can go while still providing the same level of anonymity. Another technique is called alpha mixing, which is where the messages themselves have user defined time delays per hop. Old mixnets had various other strategies where the user was not in control of their own latency but it was decided by the individual mix nodes. Alpha mixing allows us to lower latency a little bit as well, provided not everybody does. Some people routing high latency traffic over the mixnet gives an anonymity benefit to everybody using the mixnet, including the people routing lower latency traffic over it. This isn't to say that you can use it with no time delays and be fine, but there are techniques to shave some latency away while still keeping anonymity intact.
When you're talking about an adversary the size of NSA, they're always going to be able to see enough network traffic to follow *connections* around the Internet. High-latency Mix/etc networks separate the connection from the actual conversation. This lets them chop the conversation up into pieces, toss it in with other pieces of other people's conversations, and keep an adversary from saying "Aha! That specific request is from X! He's sending a message to Y!"
The issue is that, because the NSA can watch most of the links between nodes on any given network, they can indeed follow the packets around. Low latency networks do not mix traffic, they get packets and forward them on as they come. If the attacker watches Alice send a packet to a server and then Bob sends a packet to the same server, he knows that the first packet out of the server belongs to Alice and the second packet out belongs to Bob. So he can follow their traffic around easily. In a mix network, Alice and Bob send their packet to the server as before, but the mix network holds them long enough that it can randomize their output order before sending them on. Now the first packet out has a 50% chance of belonging to Alice and a 50% chance of belonging to Bob. Throw in some randomly generated dummy packets between mixes, and it becomes even harder for the attacker to tell what is going on.
No technology is going to keep NSA from seeing that *your IP* is making connections and participating in an anonymity network. Nor is it going to keep someone that size from seeing what servers you're connecting to. Or seeing who else is connecting to the same server, and possibly correlating that traffic.
There are covert channel technologies that could make it harder for them to tell, something sort of like bridges on steroids could be made, but it is going to be really hard to protect from a global external attacker anyway. There are systems for Alice and Bob to talk with an extremely low probability of their act of communication being identified, even by an attacker who watches the links of the entire internet. But I think these techniques would work better for a spy to funnel information back to his home country than they would work for bridges to an anonymity network.
But it can provide massively better protection against those agencies identifying what you're doing. In some perfect, "everybody uses a perfect high-latency anonymity technology" world, NSA can still see that you're using anonymity technologies. Just not what you're doing. Maybe you're sending an message. Or participating in a group chat. Or downloading a catalog of products from a vendor and sending a message to transmit an order.
Pretty much.
However, we're not just one missing piece of technology away from that happening this week. kmfkewm's project to build a PIR/etc system is fantastic. But even if he finishes it tomorrow, and it's ready for production, and he stands one up on the Internet, what you have is a single PIR server, sitting on the Internet, able to securely route messages from Client A to Client B, with nobody else able to see what they're doing. But they'll still be able to see all the clients connecting to the server. They can't know what they're doing, but they'll know they're using that server.
A single mix is only good to protect from external attackers anyway. If the mix is bad it can link communicating parties. But a single good mix on a messages path can buy it significant anonymity. With CPIR (which PSS seems to be a type of) it doesn't matter if the server is bad. It is essentially cryptographic anonymity, nobody can tell the messages you download unless they can solve a hard math problem. Also, people would connect to the server via Tor anyway, so nobody who cannot break Tor can tell they are connecting to the server. But hopefully a network of volunteer nodes springs up pretty quickly.
One single perfect PIR server doesn't fix the problem. It's a key part of the equation, but it's nowhere near the whole equation. Sure, it's cryptographically awesome, but from a practical anonymity perspective, if there's just one single server sitting on the Internet, doing amazing crypto stuff, it's really not that much better than a hidden webserver just routing PGP messages between users. If someone seizes that server, and backdoors it, they're going to be able to see that Client A sent something encrypted to Client B, and because of their NSA-level view of the world, they probably will know who Client A & B are. Not what they said, but everything else about their conversation.
Well, one of the reasons it is better is because if a server routes GPG messages between users, it knows who is talking to who, and unless the users connect to it with Tor it can easily tell which IP address belongs to which person. With single PIR server the server cannot tell who communicates with who and it cannot link messages to IP addresses. No, even if somebody seizes the server they cannot tell anything. PSS assumes a malicious server the entire time. Unless they can solve a hard math problem, having the server buys them next to nothing. On the other hand if they seize a single mix it is game over because the owner of a mix can follow traffic through their own mix. A mix network needs at least two nodes operated by different individuals to protect from internal attackers, although a single mix can protect from external attackers like the NSA, unless they take the mix over.
A hundred isolated PIR servers, acting as little individual islands of communication, still basically have the same problem. They have to be able to communicate with each other, forming a meshed network of mixing and content delivery, that actually decentralize the network.
Certainly they need to form a mesh network. A hundred isolated PIR servers wouldn't work very well.
kmfkewm, I'd love to know where you see those technologies evolving, and how you see the world working after the actual implementation of PIR/etc technologies. Is every user node routing traffic for others? Or are they connecting to central servers? Do PIR storage servers talk to each other, or are they islands?
I see things evolving past the point of browser based applications in many ways, and toward custom security oriented software packages for specific goals. The anonymity of a mix network is actually hurt if it is too big, pretty much the opposite of Tor. The theoretically ideal mix network would consist of one node, from a traffic analysis perspective (or two nodes if you want protection from internal attackers), but in practice it needs more nodes to ensure the two people running nodes don't turn to the darkside etc. The more concentrated traffic is over the mix nodes the better, and the more mix nodes there are the less concentrated traffic over them is. If all users are mix nodes, traffic wont be mixing with much other traffic at any given hop.
I envison a mesh network of maybe 50 or so nodes, each node being a mix and a PIR server, with messages being distributed through the servers with everybody gets everything PIR or something. The shittiest part of this system is the fact that all PIR servers need to have the same database, and that means they need to share all messages they get with each other similar to how BitMessage shares all messages with all users of the system. It would be much nicer if we could have messages segmented and spread across the network to different nodes, instead of a single database mirrored over each node. Doing it this way is kind of crappy, because for one it wastes probably hundreds of terabytes of storage space that will be dedicated to the same mirror, for two it opens up the risk of DDoS attacks since sending a packet to a single node echos it to all nodes, etc. And it is hard to keep good content that is accessed a lot, because the protocol itself prevents anybody from knowing what is being accessed and what is not. So this is not ideal, but I cannot think of a better system that doesn't introduce traffic analysis vulnerabilities. Certainly we can not have different messages tied to different PIR servers, or else Alice could cause Bob to access the various servers in a pattern that she can then identify. Bob could have a single server associated with his pseudonym where all messages to him are sent, but then his anonymity set size immediately falls to the users using that node, and what happens when that node is taken down? If it is malicious it doesn't matter because of PIR, but if it is taken down he needs to go to a new server, this will introduce traffic analysis vulnerabilities as well. So I cannot think of a way to do it other than a mirrored database over all the servers, but what to do about the risk of DDoS , plus it is a fucking shame to waste so many terabytes of space mirroring the same thing over and over again. The biggest win from mirroring the database instead of having it on a single server is that the bandwidth load of clients downloading messages will be distributed, but in reality a single CPIR server is no more insecure than 100 CPIR servers. It doesn't matter if your CPIR server is compromised or not.
If you can think of a better way to manage inter-CPIR server communications etc please let me know.
And everyone who said "We need an easy way to do that" is hitting the nail perfectly on the head. Even if the world's best anonymity network is built, if only two people are using it, then it's still not anonymous. You need more widespread adoption to get the true benefit from mix technologies. Basically, I have to have enough "other" traffic to mix my traffic with with before I can hide in that traffic.
Yeah one of the hardest issues will be bootstrapping an anonymity set to start with. I will probably suggest people run it sending dummy traffic, but not using it for anything, until it has at least a thousand members.
-
NOW b4 u all get paranoid, this is what keeps the NSA from knowing FOR SURE, its called ENCRYPTION and it prevents a passive observer from seeing what you are sending and who you are sending to.
In some cases it can prevent them from seeing what you are sending, but it cannot prevent them from seeing who you are sending it to. And in many cases knowing who you are sending something to is enough for them to determine what you are sending. If NSA is correlating my traffic right now, they can see I sent a message of a certain size to SR forum. Quick timing and stream size analysis will allow them to determine this is the message I sent, despite the fact that it was encrypted all the way to the server.
NOW what is getting everyone all in a ruff over the security of tor are the recent revelation that the NSA MIGHT JUST HAVE COMPROMISED THE ENCRYPTION STANDARD THAT TOR RELIES UPON AND POSSIBLY EVERY ENCRYPTION STANDARD THERE IS. Very intelligent people are working on this at the moment but these things take time. AS IT STANDS CRYPTO MATH IS IMPOSSIBLE TO DECRYPT WITHOUT HAVING THE KEY EVEN WITH A MILLION BILLION SUPERCOMPUTERS, but the implementation of the math is where the NSA may have attacked, and has attacked before as revealed by the Snowden intel.
We are not by any means only worried about the NSA cracking 1,024 bit DH and RSA. We are also worried about traffic analysis, and hacking of Tor relays to aide in traffic analysis. Also, some people now think the NSA can crack 1,024 bit DH and RSA without the key.
There however is another form of network, its called HIGH LATENTCY. As was described earlier in this thread, you send a request and it gets bounced around the network until it gets back to you. LATENTCY = TIME, so this type of network CANNOT BE USED FOR COMMERCE. The reason high latentcy is considered more secure is that it makes it impossible to do a timing correlation attack as every node takes it sweet fucking time. Also these networks typically provide PLAUSABLE DENIABILITY. That is everyone acts as a relay so its all but impossible to say any one node "requested" or sent information to or from another node.
Freenet is the only network I am aware of that provides plausible deniability. It is kind of mid-latency. Mix networks do prevent timing correlation attacks, but they also prevent a hell of a lot of other attacks. Also, I see no reason why they cannot be used for commerce. Do you really need to get updates every two seconds? Or can you wait an hour or two after someone makes a post before you can see it? Do you need your posts to be visible right after you hit post, or can you wait and hour or two for people to see it? Even adding an hour or two of delay between messages being posted and messages being available will give the possibility of having exponentially more anonymity than Tor has.
This is where TOR needs to change. Timing attacks would mean diddly fucking squat if everyone acted as a relay (i2p's main strong point). Also this stupid fucking botnet bullshit TOR is suffering from could not happen if everyone acted as a relay, in fact it would make the network substantially stronger.
Wrong, timing attacks still work against I2P, especially in the face of a global external attacker. At best I2P might be able to (I bet it can) add plausible deniability from timing attacks if the attacker is only internal at the target (IE: the clients entry node, not the clients ISP). If everybody was a relay and the botnet was as well, the owner of the botnet would have broken Tor anonymity entirely. They have 5,000,000 nodes, there are like 500,000 legitimate Tor users a day.
But then if NSA has compromised crypto then all is lost. But until then TOR needs to change from its leecher model and move towards a bittorrent/freenet/i2p/everyfuckingdecentsecurenetwork "give as much as you take" model. This can easily be achieved by following in freenets footsteps and make it hard to use the network without being logged in for x number of hours, this will train people to leave tor running. Another way would be to offer a "TOR on a router" package so people dont have to leave their computers running all the time.
my 2c.
If Tor had the same model as I2P this Botnet would have totally deanonymized everybody.
-
Freenet is the only network I am aware of that provides plausible deniability. It is kind of mid-latency. Mix networks do prevent timing correlation attacks, but they also prevent a hell of a lot of other attacks. Also, I see no reason why they cannot be used for commerce. Do you really need to get updates every two seconds? Or can you wait an hour or two after someone makes a post before you can see it? Do you need your posts to be visible right after you hit post, or can you wait and hour or two for people to see it? Even adding an hour or two of delay between messages being posted and messages being available will give the possibility of having exponentially more anonymity than Tor has.
An hour? People get pissed when it takes more than 15 seconds to load a page.
If Tor had the same model as I2P this Botnet would have totally deanonymized everybody.
That might be true for tor and i2p, but its not true for freenet. I believe this isnt due to the high latency or the fact that they are just relays, but the fact the network is designed to relay data randomly and automatically (for data redundancy), therefore even if an attacker had a full view of the network they wouldnt be able to tell who requested what. The problem with tor/i2p is everything is on a command basis, so its trivial to say "well this server received a request for this data and this node sent a request for something within x timeframe therefore there is a high probably they are linked". I suppose this is the problem with low latency systems, it always comes down to resources otherwise the relays could just send junk data all day and it would be impossible for an attacker to tell what is real.
edit: wait, you are saying that all it would take is for the botnet owner to set all his zombies to run as relays to deanonymize TOR?
-
Freenet is the only network I am aware of that provides plausible deniability. It is kind of mid-latency. Mix networks do prevent timing correlation attacks, but they also prevent a hell of a lot of other attacks. Also, I see no reason why they cannot be used for commerce. Do you really need to get updates every two seconds? Or can you wait an hour or two after someone makes a post before you can see it? Do you need your posts to be visible right after you hit post, or can you wait and hour or two for people to see it? Even adding an hour or two of delay between messages being posted and messages being available will give the possibility of having exponentially more anonymity than Tor has.
An hour? People get pissed when it takes more than 15 seconds to load a page.
People gonna be even more pissed when feds kick their doors down.
That might be true for tor and i2p, but its not true for freenet. I believe this isnt due to the high latency or the fact that they are just relays, but the fact the network is designed to relay data randomly and automatically (for data redundancy), therefore even if an attacker had a full view of the network they wouldnt be able to tell who requested what.
Freenet would be more resistant to it but maybe not immune. I am not Freenet expert, but I think many attacks against Freenet require a local external attacker (IE: the users ISP) in order to easily get around plausible deniability. Freenet is the most resistant of all the current networks to anonymity attacks. Even I2P seems like it would be more resistant than Tor, because I2P has some plausible deniability except in the face of an external attacker as well. If you are the ISP of the target, you can see all traffic into them and out of them. If you are not the ISP, you cannot tell for certain if traffic from them is being forwarded through them or if it originates from them, even if you are all nodes connected to them you cannot really be certain of this without an external position. Tor is actually pretty weak to internal attackers in this regard, due to the fact that clients are not relays.
The problem with tor/i2p is everything is on a command basis, so its trivial to say "well this server received a request for this data and this node sent a request for something within x timeframe therefore there is a high probably they are linked". I suppose this is the problem with low latency systems, it always comes down to resources otherwise the relays could just send junk data all day and it would be impossible for an attacker to tell what is real.
Constant rate cover traffic is a technique that can provide perfect anonymity in low latency. But it requires too much bandwidth to be feasible. It pretty much has the same anonymity as a DC-net.
edit: wait, you are saying that all it would take is for the botnet owner to set all his zombies to run as relays to deanonymize TOR?
Well, if the botnet owner had all his nodes are relays he could easily deanonymize Tor 100% instantly. But he cannot get all of his nodes to be relays because nodes are screened by directory authority servers that have mechanisms in place to protect from botnet flood attacks. Unlike I2P and unlike Freenet.
-
Were still talking about an attacker only having to add an extra 4000-8000 relays to pwn tor....thats easily within reach of a script kiddy much less the nsa, the only question is why havent they already done it?
my faith in tor has just dropped tremendously. we need a secure low latentcy network, whats that mix thing you are working on?
-
^Mixnets are effective against timing correlation attacks because they are nowhere near real time. Problem is, no one wants high latency communication, and that's one of the biggest limiting factors of networks such as Freenet.
I think kmf makes a good point though. Would you rather wait an hour to refresh a page, or have your door busted in by the feds?
-
^Mixnets are effective against timing correlation attacks because they are nowhere near real time. Problem is, no one wants high latency communication, and that's one of the biggest limiting factors of networks such as Freenet.
I think kmf makes a good point though. Would you rather wait an hour to refresh a page, or have your door busted in by the feds?
Neither.
-
They changed the front page:
It's an open question how much protection Tor (or any other existing anonymous communications tool) provides against the NSA's large-scale Internet surveillance. On its own, Tor can't protect against attacks against vulnerabilities on your computer or its software; Tor is not the only tool you need to be secure on the internet.
Anyways, nobody can really know what capabilities the NSA have. We're talking an agency with $50b per year in funding with 30,000 cryptographers and top mathematicians in their employ. Worst yet, they have partnered with the "5 eyes alliance" consisting of every top crypto engineer, mathematician and hacking teams in Canada, UK, Australia, and New Zealand. That's 5 fucking intel agencies all sharing resources and exploit tools/surveillance. Basically, hundreds of thousands of engineers, mathematicians and corrupt hackers all cooperating to try and pwn the entire internet from corner to corner. This is what Snowden was leaking. It's not about USA or NSA. It's about the whole fucking world being spied on by these assholes who successfully rid themselves of any oversight.
Canada:
http://www.windsorstar.com/news/Former+CSIS+watchdog+boss+Porter+arrested+fraud/8442587/story.html
http://thetyee.ca/Blogs/TheHook/Federal-Politics/2012/08/09/Axing-CSIS-Inspector-a-Loss/
Australia:
http://www.abc.net.au/news/2013-04-04/civil-liberties-groups-upset-by-asis-request-for-more-powers/4609968
New Zealand:
http://beforeitsnews.com/spies-and-intelligence/2013/07/nzsis-has-special-protocol-for-spying-on-journalists-2445094.html
http://arstechnica.com/tech-policy/2013/08/new-zealand-appears-to-have-used-nsa-spy-network-to-target-kim-dotcom/
http://rt.com/news/new-zealand-pass-spy-law-777/
http://tvnz.co.nz/national-news/new-zealand-part-nsa-surveillance-report-5524544
Uk:
http://www.independent.co.uk/news/uk/home-news/gchq-spying-programme-spy-watchdog-is-understaffed-and-totally-ineffective-8708231.html
Besides rioting to pressure our states to dismantle this 1984 network, you could in the meantime go on youtube and look for "The Grugq - OPSEC: Because Jail is for wuftpd" and watch it. If you're wondering who he is, he's the guy who brokers exploits on the open market to this same 5 eyes alliance. He recommends:
Don't do this near where you live or work.
Don't talk about your security setup, or anything about yourself.
Use a hardware firewall to enforce Tor, prevent unauth outgoing connections
If I were selling I'd be inclined to follow his advice. His hardware firewall is here https://github.com/grugq/portal
Or buy another hardware firewall and configure it yourself to block everything but Tor like pfsense.org or m0n0.ch
That at least will make them expend resources to get you, which probably won't happen but who knows anymore. At least you will be left out of the easy dragnet
-
You guys are talking what is THEORETICALLY possible and I think it is more worthwhile to talk about what is PRACTICAL. Might the NSA be able uncloak a Tor user putting it's entire resources to the task? Well it looks like we are concluding yes, but there are many things to consider. Look at how many Tor users there are. If I need massive amount of resources just to identify one data stream and there are millions well then there are some practical issues there. Much more importantly we aren't shit to the NSA. We may be the devil to the DEA but the NSA is tasked with much much more important priorities. We are talking spys, nuclear proliferation, geopolitics, revolutions and civil wars, going after war criminals, industrial espionage to the tune of billions of dollars, national security, protecting world wide US electronic infrastructure, offensive operations against adversaries, spying on politicians communications, spying on encrypted communications of nations (that takes tremendous resources), and on and on and on. Small time drug sellers are so far down the line that we are almost insignificant. Hell even within the scope of the worldwide drug trade we are as a whole still just one small tiny ant amongst billions of ants. When the NSA does task some of it's resources to drugs it is more likely to focus on massive violent DTOs with a worlwide reach who are undermining governments, not a bunch of old hippy men mailing small quantities of drugs to college kids from some dark corner of the internet. And you haven't even touched on the legal limitations of the NSA. Yes I understand that with the recent revelations talking of limitations may be naively humorous, but technically the NSA by law is not allowed to spy on Americans. We have seen that they do but with all the attention they are getting I'm sure they are reigning things in at least just a little bit. Not too mention even if they continue as usual and their spying led to your arrest you could get your whole case thrown out. And with all lawyers now being aware of the past/current illegal relationship between the NSA and DEA this is something more likely for defense attorneys to explore now.
Anyways this thread has been about what is theoretically possible under ideal conditions assuming that we are the prime target and not all of that may be true or practical.
-
...There was a super strong attacker, it was NSA. And GCHQ. And other SIGINT agencies. And they shared intelligence with police, which was a surprise to many including myself. And they networked together into essentially international massive intelligence cooperatives, Australia + UK + Canada + USA SIGINT = tremendously powerful attacker, the type of attacker that the mix networks hoped to protect from but way way past what Tor was ever meant to protect from, way way past what I2P or proxy or VPN was ever meant to protect from...
kmfkewm, two things immediately spring up: how do the people who implement the anonymity networks for accessing our dear sites, such as SR, set up an (essentially, and correct me if I'm wrong) brand-new network using this mixnet and PIR?
And two, how do the end users such as ourselves, go about using these technologies to access our dear sites (SR, etc.)? Keeping in mind that the vast majority of people, myself included, are not tech-savvy like you and astor. This will be a hell of a challenge.
How long will such a hypothetical changeover take? To say I'm worried is a vast understatement.
goblin
Goblin the only thing you bring to this place is your excellent gobbles. Now get on your knees and gobble my pork sword.
-
Goblin the only thing you bring to this place is your excellent gobbles. Now get on your knees and gobble my pork sword.
What the fuck does that even *mean*?
-
subbing
-
You guys are talking what is THEORETICALLY possible and I think it is more worthwhile to talk about what is PRACTICAL. Might the NSA be able uncloak a Tor user putting it's entire resources to the task? Well it looks like we are concluding yes, but there are many things to consider. Look at how many Tor users there are. If I need massive amount of resources just to identify one data stream and there are millions well then there are some practical issues there. Much more importantly we aren't shit to the NSA. We may be the devil to the DEA but the NSA is tasked with much much more important priorities. We are talking spys, nuclear proliferation, geopolitics, revolutions and civil wars, going after war criminals, industrial espionage to the tune of billions of dollars, national security, protecting world wide US electronic infrastructure, offensive operations against adversaries, spying on politicians communications, spying on encrypted communications of nations (that takes tremendous resources), and on and on and on. Small time drug sellers are so far down the line that we are almost insignificant. Hell even within the scope of the worldwide drug trade we are as a whole still just one small tiny ant amongst billions of ants. When the NSA does task some of it's resources to drugs it is more likely to focus on massive violent DTOs with a worlwide reach who are undermining governments, not a bunch of old hippy men mailing small quantities of drugs to college kids from some dark corner of the internet. And you haven't even touched on the legal limitations of the NSA. Yes I understand that with the recent revelations talking of limitations may be naively humorous, but technically the NSA by law is not allowed to spy on Americans. We have seen that they do but with all the attention they are getting I'm sure they are reigning things in at least just a little bit. Not too mention even if they continue as usual and their spying led to your arrest you could get your whole case thrown out. And with all lawyers now being aware of the past/current illegal relationship between the NSA and DEA this is something more likely for defense attorneys to explore now.
Anyways this thread has been about what is theoretically possible under ideal conditions assuming that we are the prime target and not all of that may be true or practical.
Excellent points. It should be no surprise that Tor is fallible. There is no fully anonymous digital technology. Rather, the entire point is risk reduction and making yourself more difficult to track and catch than the majority of people. I also wonder who would the feds go after first if they busted the SR? The maintainers, the vendors, or the buyers with addresses sent in the clear?
The best part about the above post and previous posts from this author is the example of defense in depth, i.e., a layering of security precautions. Please take your security seriously and do NOT get complacent. We are all at risk and using an imperfect technology. Computers are the most insecure devices ever created. The goal is to fly under the radar and not be an easier target.
Of course, this could all be naive palavering that underestimates the digital trail we all leave behind, whether we're aware of it or not.
-
I also wonder who would the feds go after first if they busted the SR? The maintainers, the vendors, or the buyers with addresses sent in the clear?
They would go for as many people as possible at the same time (sr team, big sellers first). And then keep busting a lot of big buyers and smaller vendors the coming weeks. Happened quite often in the past in other black markets.
Small buyers should be safe.
-
Goblin the only thing you bring to this place is your excellent gobbles. Now get on your knees and gobble my pork sword.
What the fuck does that even *mean*?
Basically the only good thing she is used for is sucking penis, there I've spelled it out for your dumb trailor trash arse.
-
They want the admins first and foremost. Then they want any vendors they can get, most especially the big ones. The only buyers they would give a fuck about are the big buyers who are obviously sellers in their own right (just maybe not on SR). Everyone else is fine in my opinion. They won't take down SR though until they have multiple cases against many vendors. The only exception is if an informant is about to get his head cut off like when they prematurely took out Chao and his DarkMarket when he took and posted pictures of a journalist/informant he tied up and said he was going to torture. Then the FBI and Turkish military pulled the trigger early and took the site down. They probably do have some cases against vendors here (at least they should after 2 years) but they will wait until they hit everyone at once. It will be funny watching them try to throw RICO and conspiracy charges against any vendors they round up as if SR is a DTO and vendors are part of that DTO. It's my opinion such charges would not stick. Just like when you sell something on Ebay that doesn't make you an Ebay employee. The courts have also ruled there is no conspiracy between a buyer and a seller since they are independent of one another. But I'm sure they will try every BS charge they can.
-
^Yup, there's a reason the feds have a near perfect conviction rate. They always wait until they enough evidence to force nearly anyone to plead guilty rather than go to trial and face a near certain conviction.
That's why you see so many vendors (and staff) switching accounts every so often: to make it harder to pin down a specific individual or group to target.
-
This may be a stupid question, but if I pay for a laptop with cash and only use it at public wifi locations than would I be good to go?
-
^Change the MAC address of the wireless adapter and you're reasonably safe. If you want to be super ultra mega paranoid, add a directional antenna and drive around the nearest big city while hopping from hotspot to hotspot. They can still triangulate your position (the FCC is very good at this) if they manage to compromise your tor session, but it will be hard as fuck.
-
subbing
-
Goblin the only thing you bring to this place is your excellent gobbles. Now get on your knees and gobble my pork sword.
What the fuck does that even *mean*?
I think I could guess. I mean I tend to suffer from regular penis breath.
-
^Mixnets are effective against timing correlation attacks because they are nowhere near real time. Problem is, no one wants high latency communication, and that's one of the biggest limiting factors of networks such as Freenet.
I think kmf makes a good point though. Would you rather wait an hour to refresh a page, or have your door busted in by the feds?
The problem is partially that you are thinking in a browser oriented way. Nobody says it needs to take an hour to refresh a page. You can refresh the page in real time if you want. But what you are refreshing is what the page would have looked like exactly an hour ago if it was low latency. When you think of it in that way, and design systems in that way, it becomes less painful. Nobody is saying you need to click on a thread and then wait an hour for your browser to load it. You can click a thread and have it loaded immediately still. But the result that you see will be an hour behind the posts that people have made to it in the mean time. If someone made a post 59 minutes ago, and you click the thread, the thread loads right away still. But it doesn't have that post. When you hit refresh a minute later, it loads instantly again, and now you see the post. Doesn't seem quite as bad when you think of it that way does it?
-
I mean, is it really so critical that the above post is viewable within seconds after I make it? Would it really make for much worse of a system if it wasn't viewable for an hour? Because that is a more fair evaluation of what would happen in a mix network. It isn't so much that you clicked the link to this thread and an hour later it loaded, and then you hit refresh and wait an hour for the thread to reload. It is more like you click the link to the thread and it loads right away still, but you don't see the post I just made for an hour or so after I made it. If you really actually had to wait an hour to load the thread after clicking it, or after refreshing the page, that would be super painful and nobody would want to use the system at all. But we don't need it to be like that.
In other words, the hour delay isn't for you to view a thread, it is for the messages you make to be viewable after someone loads the thread. PIR allows for near real time *loading* of information, with very strong anonymity, but the best way to anonymize the *publishing* of information requires time delays.
To reiterate again, viewing available data can be done extremely anonymously in essentially real time, publishing data extremely anonymously requires (in practice if not theory) significant time delays ~30 minutes - 1 hour , or more. Generally speaking it is safe to assume that the longer you delay the publishing of a message, the more anonymous you can be, but this isn't strictly speaking true, because the real issue is how many other people have sent a message prior to your sent message being made available. The time delay typically will correlate with the number of other people who have sent a message prior to your time delay expiring and your sent message being made available.
I mean realistically, chances are most of the people reading this post are reading it more than an hour after I made it. If it took an hour for it to be published, you wouldn't be any the wiser. But I would have exponentially better anonymity.
-
So how is this going to become a realty then kmf?
-
I mean realistically, chances are most of the people reading this post are reading it more than an hour after I made it. If it took an hour for it to be published, you wouldn't be any the wiser. But I would have exponentially better anonymity.
We're not talking about a forum here. Obviously things like email, bbs, forums can wait. But if im selling something on a website and i have n number of items left and my customers are seeing the inventory i had an hour ago and suddenly i get a bunch of orders i cant fill? Ill have a bunch of pissed customers. Solve that one.
edit: what if i want to edit a forum post after i made it? I have to wait an hour for the changes to post? That could cause alot of confusion. Lets not forget what shakespeare taught us about the problems communication delays can cause.
-
I mean realistically, chances are most of the people reading this post are reading it more than an hour after I made it. If it took an hour for it to be published, you wouldn't be any the wiser. But I would have exponentially better anonymity.
We're not talking about a forum here. Obviously things like email, bbs, forums can wait. But if im selling something on a website and i have n number of items left and my customers are seeing the inventory i had an hour ago and suddenly i get a bunch of orders i cant fill? Ill have a bunch of pissed customers. Solve that one.
edit: what if i want to edit a forum post after i made it? I have to wait an hour for the changes to post? That could cause alot of confusion. Lets not forget what shakespeare taught us about the problems communication delays can cause.
Let's also not forget what the anonymity researchers taught us about the problems lack of communication delays can cause.
-
We're not talking about a forum here. Obviously things like email, bbs, forums can wait. But if im selling something on a website and i have n number of items left and my customers are seeing the inventory i had an hour ago and suddenly i get a bunch of orders i cant fill? Ill have a bunch of pissed customers. Solve that one.
Yep, it's a big problem, and it requires a low-latency, active connection to the sales site to do inventory management. And I'm skeptical that that's solvable long-term against an adversary with capabilities like NSA's.
Otherwise, you end up in a "first-come, first-served" model, where you accept the first n (where n = available inventory) orders that include payment and reject/refund the rest. Escrow is key here, since malicious vendors can just oversell and not refund. Things take a lot longer. You have to wait a while to see if your order was accepted. It's a definite downgrade over Amazon.
edit: what if i want to edit a forum post after i made it? I have to wait an hour for the changes to post? That could cause alot of confusion. Lets not forget what shakespeare taught us about the problems communication delays can cause.
You use versioning. I have version 1.0 of railroadbill's post, then my client sees version 1.1 available, which fixes a few typos. It could take an hour to see your edit. That does suck compared to people seeing it instantly.
It's not that anybody's arguing that low-latency isn't more user friendly and useful. It completely is. You get to take every built-for-the-clearnet technology you want and just drop it on a darknet. I think the core question is, "If mid/high latency is the only option that can preserve a suitable level of anonymity, what does that world look like?"
Personally, I wish and hope that something like Tor can evolve to the point to where it's wrapped in a magic cape of invisibility that a $30 billion dollar/yr budget can't crack. But if it can't, where does that leave folks wanting anonymous communications?
-
The news by me said that the SR website was shutdown by the FBI. Idk how close to the truth that is but clearly our way of doing things in the past is pretty fucked reguardless. I just hope this process doesn't get so complicated that I am unable to use it. It's already a chore just to learn how to use this shitty system safely as it is.
-
This was kind of what I was thinking but now that it's confirmed by the tor team it's pretty upsetting.
I really hope some miracle happens and anonymity/security is heightened back. But like someone mentioned it will probably take a long time. I'm sure the amount of people who are working with the NSA are more than 10fold of the ones who are working for the regular people.
-
Can't compete with the fact they're getting paid. $ is king
-
Can't compete with the fact they're getting paid. $ is king
We need to pay too.
e.g. Edward Snowden's lawyer came out today and said they were out of money.
http://www.youtube.com/watch?v=ExUNjX3wlCk&feature=youtu.be&t=8m15s
-
Can't compete with the fact they're getting paid. $ is king
We need to pay too.
e.g. Edward Snowden's lawyer came out today and said they were out of money.
http://www.youtube.com/watch?v=ExUNjX3wlCk&feature=youtu.be&t=8m15s
I was describing a solution to TORs problems on the "DISSENT" thread that follows this line of thought. Its just a rough idea at the moment, but if tor adopted a subscription model kind of in the way a service provider allows smaller independent shops to lease its network, then not only would TOR be funded by its users instead of its opponents it would be substantially stronger and more anonymous.
For instance a number of companies would sign on with torproject llc to sell subscriptions to the TOR network. Each person would pay $100/yr and get a pair of login credentials and a private entry guard known only to them and the provider. This would prevent end to end correlation attacks as the IP of the entry guard would not be known to the NSA. Part of this $100 would also go to creating more middle and exit nodes. Like i said this is a rough idea and it would require the community to rally around paying to use tor but this would eliminate alot of the problems we are seeing today with spammers/botnets/nsa.
-
NSA doesn't need to own any nodes to attack Tor they already pwn the links of the internet.
-
NSA doesn't need to own any nodes to attack Tor they already pwn the links of the internet.
kmf, so how close to the "red zone" are we here? I mean, how will we know when it is time to abandon ship before it is too late.
I agree with you about the NSA, So what the hell do we do though? I read your posts earlier on in this thread, but as far as SR goes, what should we do here? Surely it is better to be preventative now than sr gets fucked and everyone having to deal with it then?
-
NSA doesn't need to own any nodes to attack Tor they already pwn the links of the internet.
All 'dem line taps.
-
I don't care if this is all theoretical right now, starting development shouldn't be as big of a problem as we can make it so I'm going to go ahead and start looking for possible exploits to a PIR mixnet design
5 star post kmf, ty
also subbed for now, I'll be back to lurk this thread