And on a more cheerful note, I heard that Jake and Roger gave a really excellent talk about Tor at this year's CCC. And the CCC people have thoughtfully put it online! If you didn't see it, you might want to check it out. The talking begins at around 15:16, and the introduction is well worth watching too.
I'm also going to spend a while looking at the other presentations too. Right now the one at the top of the page is an ECC talk by Daniel Bernstein and Tanja Lange; I'm looking forward to having a little time to watch it, and a bunch of others I see there.
Happy new year, everyone!
update (1/1/15): "State of the Onion" is available for download now. You can find torrent and direct links in various formats on C3TV website.
Hi! Nick here.
I ought to post my own responses to that Andy Greenberg article, too. (Especially since most everybody else around here is at 31c3 right now, or sick with the flu, or both.)
When I saw the coverage of the hidden services study that was presented at CCC today, I was reminded of the media fallout from that old study from the 1990s that "proved" that a ridiculously high fraction of the internet was pornography...by looking at Usenet*, and by counting newsgroups and bytes. (You might remember it; it was the basis of the delightful TIME Magazine "Cyberporn" cover.)
The 1990s researcher wasn't lying outright, but he and the press *were* conflating one question: "What fraction of Usenet groups are 'alt.sex' or 'alt.binaries' (file posting) groups" with two others: "What fraction of internet traffic is porn?" and "What fraction of internet-user hours are spent on porn?"
These are quite different things.
The presentation today focused on data about hidden service types and usage. Predictably, given the results from Biryukov, Pustogarov, Thill, and Weinmann, the researcher found that hidden services related to child abuse are only a small fraction of the total number of hidden service addresses on the network. And because of the way that hidden services work, traffic does not go through hidden service directories, but instead through rendezvous points (randomly chosen Tor nodes): so no relay that knows the hidden service's address will learn the actual amount of traffic transmitted. But, as previously documented, abusive services represent a disproportionate fraction of usage... if you're measuring usage with hidden service directory requests.
Why might that be?
First, some background. Basically, a Tor client makes a hidden service directory request the first time it visits a hidden service that it has not been to in a while. (If you spend hours at one hidden service, you make about 1 hidden service directory request. But if you spend 1 second each at 100 hidden services, you make about 100 requests.) Therefore, obsessive users who visit many sites in a session account for many more of the requests that this study measures than users who visit a smaller number of sites with equal frequency.
There are other confounding factors as well. Due to bugs in older Tor implementations, a hidden service that is unreliable (or completely unavailable) will get many, many more hidden service directory requests than a reliable one. So if any abuse sites are unusually unreliable, we'd expect their users to create a disproportionately large number of hidden service directory requests.
Also, a very large number of hidden service directory requests are probably not made by humans! See bug 13287: We don't know what's up with that. Could this be caused by some kind of anti-abuse organization running an automated scanning tool?
In any case, a methodology that looks primarily at hidden service directory requests will over-rate services that are frequently accessed from a Tor client that hasn't been there recently, and under-rate services that are used via tor2web, and so on. It also depends a lot on how hidden services are configured, how frequently Tor hidden service directories go up and down, and what times of day they change introduction points in comparison to what time of day their users tend to be awake.
The greater the number of distinct hidden services a person visits, and the less reliable those sites are, the more hidden service directory requests they will trigger.
Suppose 10 people use hidden services to look at conspiracy theories, 100 people use hidden services to buy Cuban cigars, and 1000 people use it for online chat.
But suppose that the average cigar purchaser visits only one or two sites to make purchases, and the average chat user joins one or two networks, whereas the average conspiracy theorist needs to visit several dozen forums and wikis.
Suppose also that the average Cuban cigar purchaser makes about two purchases a month, the average chat user logs in once a day, and the average conspiracy theorist spends 3 hours a day crawling the hidden web.
And suppose that conspiracy theory websites come and go frequently, whereas cigar sites and chat networks are more stable.
In this analysis, even though there are far more people buying cigars, users who use it for obsessive behavior that spans multiple unreliable hidden services will be far overrepresented in the count of hidden service directory requests than users who use it for activities done less frequently and across fewer services. So any comparison of hidden service directory request counts will say more about the behavioral differences of different types of users than about their relative numbers, or the amount of traffic they generated.
In conclusion, let's spend a minute talking about freedom and philosophy. Any system that provides security on the Internet will inevitably see some use by bad people that we'd rather not help at all. After all, cars are used for getaways, and window shades conceal all kinds of criminality. The only way to make a privacy tool that nobody abuses is to make it so weak that people aren't willing to touch it, or so unusable that nobody can figure it out.
Up till now, many of the early adopters for Tor hidden services have been folks for whom the risk/effort calculations have been quite extreme, since--as I'd certainly acknowledge--the system isn't terribly usable for the average person as it stands. Roger noted earlier that hidden services amount to less than 2% of our total traffic today. Given their privacy potential, I think that's not even close to enough. We've got to work over the next year or more to develop hidden services to the point where their positive impact is felt by the average netizen, whether they're publishing a personal blog for their friends, using a novel communications protocol more secure than email, or reading a news article based on information that a journalist received through an anonymous submission system. Otherwise, they'll remain a target for every kind of speculation, and every misunderstanding about them will lead people to conclude the worst about privacy online. Come lend a hand?
(Also, no offense to Andy on this: he is a fine tech reporter and apparently a fine person. And no offense to Dr. Owen, who explained his results a lot more carefully than they have been re-explained elsewhere. Now please forgive me, I'm off to write some more software and get some sleep. Please direct all media inquiries to the email of "press at torproject dot org".)
* Usenet was sort of like Twitter, only you could write paragraphs on it. ;)
Hi, Nick here.
Roger's at 31c3, so I'll post his statement about that article you might have seen:
Tor hidden service traffic, which Dr. Gareth Owen discussed in his talk this afternooon, is only 1.5% of all Tor traffic. Tor gets about 2 million users per day total.
The researcher ran a set of Tor relays for a six month period, and recorded how many times somebody attempted to look up a hidden service (this lookup is one of the steps in visiting a hidden service). Then at the end of that period, he scanned the hidden services he'd learned about, to find out what sort of content was on them.
Dr. Owen's data shows that there's a lot of churn in hidden services, so nearly all of the sites were gone by the time he did these scans. His graphs only show data about the sites that were still up many months later: so his data could either show a lot of people visiting abuse-related hidden services, or it could simply show that abuse-related hidden services are more long-lived than others. We can't tell from the data.
Without knowing how many sites disappeared before he got around to looking at them, it's impossible to know what percentage of fetches went to abuse sites.
There are important uses for hidden services, such as when human rights activists use them to access Facebook or to blog anonymously. These uses for hidden services are new and have great potential.
PS: Law enforcement agencies use Tor to stay anonymous while they catch bad guys. Law enforcement agencies use and run hidden services, too.
More info to follow.
Welcome to the fifty-first issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.
Stem 1.3 is out
“After months down in the engine room”, Damian Johnson announced version 1.3 of Stem, the Tor controller library written in Python. Among the many improvements in this release, Damian singled out the new set of controller methods for working with hidden services, as well as the 40% increase in descriptor parsing speed.
Please see the changelog for full details of all the new features.
The team of researchers working on the collection of hidden service statistics asked relay operators for help by enabling these statistics on their relays in the coming days and weeks. They included a step-by-step tutorial for enabling this feature, which has recently been merged into Tor’s main branch.
Building on Andrea Shepard’s recently-merged work on global cell scheduling, Nick Mathewson announced that the KIST socket management algorithm proposed earlier this year to reduce congestion in the Tor network is now “somewhat implemented” for Linux. You can follow the testing and reviews on the associated ticket.
Nick also asked for feedback on the proposal to increase the interval at which Tor relays report their bandwidth usage statistics from fifteen minutes to four hours : “Will this break anything you know about?”
Moritz Bartl invited Tor relay operators to a meet-up at the upcoming Chaos Communication Congress in Hamburg: “We will do quick presentations on recent and future activities around Torservers.net, talk about events relevant to the Tor relay community, and what lies ahead.”
Thanks to Thomas White for keeping the community updated following a brief period of suspicious activity around his exit relays and Onionoo application mirrors!
This week in Tor history
A year ago this week, Tor Browser hit version 3.5, bringing with it a pioneering deterministic build system that set a new standard in software distribution security, and has since drawn interest from many other projects, including the Debian operating system. It also laid the long-obsolete Vidalia graphical controller to rest, replacing it with the faster, sleeker Tor Launcher. The privacy-preserving browser is now approaching version 4.5, and users can look forward to a security slider offering finer-grained tuning of security preferences, as well as features that restore some of Vidalia’s circuit-visualization capabilities.
This issue of Tor Weekly News has been assembled by Harmony and Karsten Loesing.
Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!
Greetings wonderful people of the world! After months down in the engine room I'm delighted to announce the 1.3.0 release of Stem.
For those who aren't familiar with it, Stem is a Python library for interacting with Tor. With it you can script against your relay, descriptor data, or even write applications similar to arm and Vidalia.
So what's new in this release?
Better Hidden Service Support
Now it's easier than ever to spin up hidden services!
Thanks to contributions from Federico Ceratto and Patrick O'Doherty we now have a set of methods specifically for working with hidden services. Check it out in our new tutorial...
Faster Descriptor Parsing
This release dramatically improves the speed at which Stem can parse decriptors. Thanks to optimizations from Nick Mathewson and Ossi Herrala we can now read descriptors 40% faster!
This is just the tip of the iceberg. For a full rundown on the myriad of improvements and fixes in this release see...
The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.
We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.
The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.
Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.
Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.
The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.
[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]
Welcome to the fiftieth issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.
Solidarity against online harassment
Following “a sustained campaign of harassment” directed at a core Tor developer over the past few months, the Tor Project published a statement in which it declared “support for her, for every member of our organization, and for every member of our community who experiences this harassment”: “In categorically condemning the urge to harass, we mean categorically: we will neither tolerate it in others, nor will we accept it among ourselves. We are dedicated to both protecting our employees and colleagues from violence, and trying to foster more positive and mindful behavior online ourselves… We are working within our community to devise ways to concretely support people who suffer from online harassment; this statement is part of that discussion. We hope it will contribute to the larger public conversation about online harassment and we encourage other organizations to sign on to it or write one of their own.”
As of this writing, there are 448 signatories to the statement, including Tor developers and community members, academics, journalists, lawyers, and many others who are lending their support to this movement in its early stages. If you want to add your name to the list, please send an email to firstname.lastname@example.org.
Tails 1.2.2 is out
The Tails team announced a pointfix release of the amnesic live operating system. The only difference between this version and the recent 1.2.1 release is that the automatic Tails Updater now expects a different certificate authority when checking for a new Tails version. As the team explained, “On January 3rd, the SSL certificate of our website hosting provider, boum.org, will expire. The new certificate will be issued by a different certificate authority […] As a consequence, versions previous to 1.2.2 won’t be able to do the next automatic upgrade to version 1.2.3 and will receive an error message from Tails Upgrader when starting Tails after January 3rd”.
This, along with a bug that prevents automatic updates from 1.2.1 to 1.2.2, means that all Tails users will need to upgrade manually: either to version 1.2.2 before January 3rd or (if for some reason that is not possible) to version 1.2.3 following its release on January 14th. Please see the team’s post for more details and download instructions.
George Kadianakis, Karsten Loesing, Aaron Johnson, and David Goulet requested feedback on the design and code they have developed for the Tor branch that will enable the collection of statistics on Tor hidden services, hoping to answer the questions “Approximately how many hidden services are there?” and “Approximately how much traffic in the Tor network is going to hidden services?”: “Our plan is that in approximately a week we will ask volunteers to run the branch. Then in a month from now we will use those stats to write a blog post about the approximate size of Tor hidden services network and the approximate traffic it’s pushing.” Please join in with your comments on the relevant ticket!
Philipp Winter announced an early version of “zoossh”, which as the name implies is a speedy parser written in Go that will help to “detect sybils and other anomalies in the Tor network” by examining Tor’s archive of network data. While it is not quite ready for use, “I wanted folks to know that I’m working on that and I’m always happy to get feedback and patches.”
Yawning Angel announced the existence of “basket”, a “stab at designing something that significantly increases Tor’s resistance to upcoming/future attacks”, combining post-quantum cryptographic primitives with “defenses against website fingerprinting (and possibly end-to-end correlation) attacks”. You can read full details of the cryptographic and other features of “basket” in Yawning’s post, which is replete with warnings against using the software at this stage: “It’s almost at the point where brave members of the general public should be aware that it exists as a potential option in the privacy toolbox… [but] seriously, unless you are a developer or researcher, you REALLY SHOULD NOT use ‘basket’.” If you are gifted or foolhardy enough to ignore Yawning’s advice and test “basket” for yourself, please let the tor-dev mailing list know what you find.
Sukhbir Singh and Arlo Breault requested feedback on an alpha version of Tor Messenger. It is an instant messaging client currently under development that intends to send all traffic over Tor, use Off-the-Record (OTR) encryption of conversations by default, work with a wide variety of chat networks, and have an easy-to-use graphical user interface localized into multiple languages.
TheCthulhu announced that his mirrors of two Tor network tools are now available over Tor hidden services. Globe can be accessed via http://globe223ezvh6bps.onion and Atlas via http://atlas777hhh7mcs7.onion. The mirrors provided by the Cthulhu run on their own instance of Onionoo, so in the event that the primary sites hosted by Tor Project are offline, both of these new mirrors should still be available for use either through the new hidden services or through regular clearnet access.
The Tails team published a signed list of SHA256 hashes for every version of Tails (and its predecessor, amnesia) that it had either built or verified at the time of release.
Vlad Tsyrklevich raised the issue of the discoverability risk posed to Tor bridges by the default setting of their ORPorts to 443 or 9001. Using data from Onionoo and internet-wide scans, Vlad found that “there are 4267 bridges, of which 1819 serve their ORPort on port 443 and 383 serve on port 9001. That’s 52% of tor bridges. There are 1926 pluggable-transports enabled bridges, 316 with ORPort 443 and 33 with ORPort 9001. That’s 18% of Tor bridges… I realized I was also discovering a fair amount of private bridges not included in the Onionoo data set.” Vlad recommended that operators be warned to change their ORPorts away from the default; Aaron Johnson suggested possible alternative solutions, and Philipp Winter remarked that while bridges on port 443 “would easily fall prey to Internet-wide scanning”, “they would still be useful for users behind captive portals” and other adversaries that restrict connections to a limited range of ports.
Alden Page announced that development will soon begin on a free-software tool to counteract “stylometry” attacks, which attempt to deanonymize the author of a piece of text based on their writing style alone. “I hope you will all agree that this poses a significant threat to the preservation of the anonymity of Tor users”, wrote Alden. “In the spirit of meeting the needs of the privacy community, I am interested in hearing what potential users might have to say about the design of such a tool.” Please see Alden’s post for further discussion of stylometry attacks and the proposed countermeasures, and feel free to respond with your comments or questions.
Tor help desk roundup
Because Tor Browser prevents users from running it as root, Kali Linux users starting Tor Browser will see an error message saying Tor should not be run as root.
In Kali, all userspace software runs as root by default. To run Tor Browser in Kali Linux, create a new user account just for using Tor Browser. Unpack Tor Browser and chown -R your whole Tor Browser directory. Run Tor Browser as your created Tor Browser user account.
This issue of Tor Weekly News has been assembled by Harmony, TheCthulhu, Matt Pagan, Arlo Breault, and Karsten Loesing.
Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!
One of our colleagues has been the target of a sustained campaign of harassment for the past several months. We have decided to publish this statement to publicly declare our support for her, for every member of our organization, and for every member of our community who experiences this harassment. She is not alone and her experience has catalyzed us to action. This statement is a start.
The Tor Project works to create ways to bypass censorship and ensure anonymity on the Internet. Our software is used by journalists, human rights defenders, members of law enforcement, diplomatic officials, and many others. We do high-profile work, and over the past years, many of us have been the targets of online harassment. The current incidents come at a time when suspicion, slander, and threats are endemic to the online world. They create an environment where the malicious feel safe and the misguided feel justified in striking out online with a thousand blows. Under such attacks, many people have suffered — especially women who speak up online. Women who work on Tor are targeted, degraded, minimized and endure serious, frightening threats.
This is the status quo for a large part of the internet. We will not accept it.
We work on anonymity technology because we believe in empowering people. This empowerment is the beginning and a means, not the end of the discussion. Each person who has power to speak freely on the net also has the power to hurt and harm. Merely because one is free to say a thing does not mean that it should be tolerated or considered reasonable. Our commitment to building and promoting strong anonymity technology is absolute. We have decided that it is not enough for us to work to protect the world from snoops and censors; we must also stand up to protect one another from harassment.
It's true that we ourselves are far from perfect. Some of us have written thoughtless things about members of our own community, have judged prematurely, or conflated an idea we hated with the person holding it. Therefore, in categorically condemning the urge to harass, we mean categorically: we will neither tolerate it in others, nor will we accept it among ourselves. We are dedicated to both protecting our employees and colleagues from violence, and trying to foster more positive and mindful behavior online ourselves.
Further, we will no longer hold back out of fear or uncertainty from an opportunity to defend a member of our community online. We write tools to provide online freedom but we don't endorse online or offline abuse. Similarly, in the offline world, we support freedom of speech but we oppose the abuse and harassment of women and others. We know that online harassment is one small piece of the larger struggle that women, people of color, and others face against sexism, racism, homophobia and other bigotry.
This declaration is not the last word, but a beginning: We will not tolerate harassment of our people. We are working within our community to devise ways to concretely support people who suffer from online harassment; this statement is part of that discussion. We hope it will contribute to the larger public conversation about online harassment and we encourage other organizations to sign on to it or write one of their own.
For questions about Tor, its work, its staff, its funding, or its world view, we encourage people to directly contact us (Media contact: Kate Krauss, press @ torproject.org). We also encourage people join our community and to be a part of our discussions:
In solidarity against online harassment,
Rabbi Rob Thomas
Meredith Hoban Dunn
Isis Agora Lovecruft
Pepijn Le Heux
Tom van der Woerdt
Joseph Lorenzo Hall
Henry de Valence
Jeremy M. Harmer
Taylor R Campbell
M. C. McGrath
Esra'a Al Shafei
Camilo Galdos AkA Dedalo
Donald A. Byrd
Sonia Ballesteros Rey
Dana Lane Taylor
Jesús Cea Avión
Ken Arroyo Ohori
Jonah Silas Sheridan
Andre N Batista
Benjamin Mako Hill
Adrienne Porter Felt
Eric S Johnson
Tyler H. Meers
Niels ten Oever
David W. Deitch
Aleecia M. McDonald
David Van Horn
Sacha van Geffen
Fredrik Julie Andersson
Josh L Glenn
Christoph Maria Sommer
Michael Kennedy Brodhead
Brenno de Winter
Ricard S. Colorado
Sebastian "bastik" G.
Te Rangikaiwhiria Kemara
Koen Van Impe
Sven "DrMcCoy" Hesse
Phillip M. Pether
Joe P. Lee
Amadou Lamine Badji
Daniel C Howe
Valeria de Paiva
Alan L. Stewart
Vladimir G. Ivanovic
Ahmet A. Sabancı
José Manuel Cerqueira Esteves
Dafne Sabanes Plou
Daniel Kahn Gillmor
Jurre van Bergen
Laura S Potter-Brown
Meredith L. Patterson
Lisa D Lowe
Matthew Miller (Fedora Project)
Gabriella Biella Coleman
William J. Coldwell
George W. Maschke
Aaron Michael Johnson
Sabine "Atari-Frosch" Engelhardt
Ly Ngoc Quan Ly
Chris "The Paucie" Pauciello
Massachusetts Pirate Party
Marcel de Groot
Tansingh S. Partiman
Bryce Alexander Lynch
Lorrie Faith Cranor
Jamie D. Thomas
If you would like to be on this list of signers (please do — you don't have to be a part of Tor to sign on!), please reach us at tor-assistants @ torproject.org.