The Tor network is documented to be blocked in several countries. Analyzing and circumventing these blocks typically requires detailed packet traces or access to machines inside censoring countries. Both, however, are not always easy to acquire:
- Network traces are problematic for two reasons. First, they are difficult to obtain since they require the cooperation of users within censoring countries. Second, they are hard to anonymize and must not fall into wrong hands. Derived information, such as flow diagrams, is typically safe to publish but frequently lacks important information.
- The alternative to network traces is to gain access to machines inside the censoring regime. This approach turns out to be difficult as well; mostly due to the lack of volunteers who could provide machines or the lack of VPS providers and open SOCKS proxies.
These problems show that there is a strong need for a lightweight tool which can assist in analyzing censorship events. This tool should be run by censored users and perform several tests to gain a rough understanding of how and if Tor could be blocked in the respective network. The results of these tests should make it back to the Tor project and would be used to improve circumvention technology such as obfsproxy and to document censorship.
We created a technical report which discusses the design requirements for such a censorship analysis tool. We list the desired features, discuss how they can be implemented and we give a rough overview of the software design. After all, this technical report should serve as basis for the development and deployment of the censorship analysis tool.
In January I did Tor talks for the Dutch regional police, the Dutch national police, and the Belgian national police. Jake and I also did a brief inspirational talk at Bits of Freedom, as well as the closing keynote for the Dutch National Cyber Security Centre's yearly conference.
You may recall that one of my side hobbies lately has been teaching law enforcement about Tor — see my previous entries about teaching the FBI about Tor in 2012 and visiting the Stuttgart detectives in 2008 back when we were discussing data retention in Germany. Before this blog started I also did several Tor talks for the US DoJ, and even one for the Norwegian Kripos.
Now is a good time to talk to the Dutch police, first because they're still smarting from the DigiNotar disaster in 2011, but second because of their 2012 ambitions to legalize breaking into foreign computers when they aren't sure what country they're in. (I say legalize because they already did it!)
Below are some discussion points that made an impression on me.
- I started the trip with a talk to about 80 people from the Dutch regional police. Apparently each regional police group has basically one cybercrime person, and pretty much all of them came to learn about Tor. These are the people who advise their police groups about how to handle Tor cases, so they're exactly the ones who need to know about services like ExoneraTor. (Afterwards, one of the national police thanked me heartily for teaching the regional police about Tor, since it makes *his* job easier.)
- One issue that came up repeatedly during the talks: what if a bad guy runs a Tor exit relay to provide plausible deniability when somebody shows up as his door? My first thought is that anybody who runs a Tor exit relay in order to attract *less* attention from the police is crazy: if you want to be ignored, you should use a botnet or whatever to do your bad things, nobody will learn that it's you, end of story. Until we educate every law enforcement person on the planet about Tor, there will always be people who raid every IP address on their suspect list without ever knowing what Tor is. The second point they found interesting was that Tor relays never write any traffic to disk; so if your suspect has bad stuff on his hard drive and says it was because of the Tor relay, he's lying. Of course, disk encryption complicates the situation (which is why, counterintuitively, we recommend *not* using disk encryption on your exit).
- Did you know that the Dutch police have their own internal anonymity network? They started out using a secret subnet ("nobody knows that it's the Dutch police, until somebody figures out that it is"). Apparently now they do smarter things like grabbing addresses from Dutch ISPs so they can blend in better. But that's still not perfect: if they borrow an IP address for 36 hours, then that's a 36-hour window where if you can recognize any of the traffic as Dutch police, you can link the rest of the traffic to them too. I hear their new generation of client-side software has an option for using Tor; I wonder if that means the Tor Browser Bundle, or just tunnelling the traffic through Tor naked? More details here and here. (Two points for transparency and open standards!)
- When we met with the US DEA earlier in January, many people there said they use Tor for their job. Most people in the Dutch national police meeting said they used it often. On the other hand, most people in the Dutch regional police meeting said they certainly did not use it, "because that would be inappropriate." We have some more educating left to do.
- One regional Dutch police woman told us that they know how to check if it's a Tor exit IP, but sometimes they do the raid anyway "to discourage people from helping Tor." I later told that statement to one of the national police, and he was shocked, said that was illegal, and said he'd look into it. Alas, I'm not optimistic that anything will come of it: giving investigators discretion about how to act can be both good and bad.
- It took me a few hours to get the regional police comfortable enough to discuss, but by the end they were answering each other's questions — which is one of my main goals, since I won't be there later to answer them. The best example was one detective who stood up and explained that in his opinion they are focusing way too much on Tor ("because we can't break it"), while at the same time there are many other crimes they *can* fight, like criminals using file sharing networks, and they're ignoring those. Certainly Tor gets a lot of publicity (last year a Dutch TV show stirred up a media fear frenzy about Tor that resulted in a Dutch Parliament member calling to ban it), but according to this detective there's a lot more crime elsewhere. My response: "Did everybody hear that?" It works best when police hear statements like this from their peers rather than from me.
- Here's an argument based on discussions with Karen Reilly for responding about child porn and banning Tor. A lot of people think that it's about trading off the good for the bad. On the one hand, you have a girl in Syria who is alive right now because of Tor. On the other hand, you have a girl in America who is harmed by some jerk and the jerk uses Tor. So, how do you balance these two? How do you decide which one is more important, or more 'valuable' to the world? The answer is that it's the wrong question to ask: you aren't actually going to save the girl in America by getting rid of Tor. Whereas getting rid of Tor *would* harm the girl in Syria (along with a wide variety of people and groups around the world).
- The day after I did the talk to the regional police, I did a short talk at Bits of Freedom, an EFF-like digital rights nonprofit in Amsterdam. They held a "Boffel" for many of their supporters to show up and socialize. It was a really great crowd — these are smart people who care. It was like a tiny CCC congress. And now that I've been clearly complimentary to them, you'll be able to properly interpret my next statement: many of the Dutch police would have fit in just fine at the Boffel. People came up to me at the NCSC conference days later and said "I liked your talk!" and I genuinely couldn't tell if they meant my talk at the regional police or my talk at Bits of Freedom. There were some exceptions, sure, but most of the Dutch police I talked to have somehow managed to not get ground down by their job and lose track of the civil liberties angle. I wonder what their trick is.
- Rejo Zenger (from BoF) and two others are working to create a Dutch organization to run fast Tor exit relays, to gather donations and centrally handle abuse complaints — like Zwiebelfreunde in Germany, Nos Oignons in France, DFRI in Sweden, and NoiseTor in the US. That's great! Please help them out however you can.
- At the NCSC conference, Jake and I did an open Q&A session on the first day, and did the closing keynote (slides) on the second day. Both talks went very well (imagine what would happen if Jake and I practiced any of our talks together before giving them! :). We now have invites to come to all sorts of CERTs around the world; the woman managing the conference is moving to Europol shortly and wants us to come talk there; and one of the heads of NCSC wants us to come back and help the Netherlands with their general direction and strategy. We should try to connect them to local Dutch Tor advocates as much as we can, since after all we have software to write.
- I'm afraid I missed most of the other talks at the conference (and I missed the alternate conference entirely), but I did see Peter Zinn's well-choreographed talk about what the Dutch national police should be focusing on. His conclusion was that the Netherlands should focus on being the "safest country in the world wrt cybercrime by 2017". I had to restrain myself from yelling out the word externalities! during his talk: if their plan is to convince cybercriminals to go elsewhere, and then the neighboring countries like Belgium become cyber-hives-of-scum-and-villainy, that's not going to end well for anybody.
- One person in the Belgian FCCU (Federal Computer Crime Unit) suggested during a break in the discussion that maybe Belgium should block all connections from the Tor network *to* any Belgian IP space. By now there's almost no such thing as a new question for me during these talks, but I have to admit that this one took me by surprise. Eventually I produced the right answer: "The Internet community would destroy you. 'Great Firewall of Belgium'? 'Adopt a Belgian dissident'? Nobody would take you seriously again as an alleged democracy." In any case, my friend at RIPE tells me that technically, it's harder than it sounds for Belgium to do this scale of blocking.
- I got into a discussion with the Belgian police about how they don't regard their Internet filtering as "censorship". In my experience, the way it starts is some legislators decide there's something so horrible on the Internet that it justifies filtering. From there, they delegate to some quasi-governmental organization which comes up with a list (in some totally non-transparent fashion) of verboten URLs. Inevitably, the list contains more types of content than the original reason for setting up the filtering; and inevitably, there's no redress mechanism to get off the list if you shouldn't be on it. The Belgian police assured me that they only filter a small set of URLs, and that each of them is discussed and transparently decided about in a democratic fashion. And then they wouldn't tell me what's on their list.
- I met a US FBI agent and a US Secret Service agent who are "permanently" stationed with the Dutch national police. They acted just like normal Dutch police, except I guess they're paid by the United States to be Dutch police. Weird world we live in.
- In each of the three police meetings, somebody suggested an alternate model for Tor where a judge should get to decide whether a given Tor user should be deanonymized. (While in America we don't trust our judges, in Europe they really do.) Putting aside for a moment the technical fact that building in a backdoor would mean that criminals can exploit it too (this argument doesn't work on them), I tried to press on the multi-jurisdictional aspect: we have governments, militaries, and law enforcement from around the world relying on Tor. When I asked the embedded Secret Service guy if he would be ok with the Dutch police having a backdoor to Tor, he said "We like our Dutch colleagues." When I rephrased it to whether he would be ok with the Dutch police knowing what the US police are using Tor for, he paused, smiled, and tactfully said "No comment."
- Several people at the Dutch cybercrime unit quietly told me they regretted their "break into a Tor hidden service and zero it out" action: it got people upset at them, but more importantly, it *didn't work*. That is, it didn't stop any bad people from doing bad things. Apparently playing whack-a-mole like this doesn't make the criminals go away. And worse, it disrupts the police's other monitoring and infiltration operations.
- If I wanted to run a hidden service website that had a nation-state adversary, I would a) run a good solid webserver like nginx; b) run it in a VM, in a way that the VM couldn't learn its location — "no looking up its IP", but also more subtle things like "no looking up nameservers", "no looking up reachable wireless access points", etc; and then c) put that VM in a VPS running in a country that hates my adversary. That way even if somebody breaks into the webserver and breaks out of the VM, they're still faced with a frustratingly long bureaucratic step.
- I took Aaron Gibson and Pepijn Le Heux with me to the Brussels meeting, and took Pepijn again to the Dutch national police meeting. Pepijn is a great guy; I'm hoping to turn him into a Roger replica so he can act as a Dutch Tor resource and so he can help organizations like Bits of Freedom save their country.
After meeting with SOCA in London, I traveled to Istanbul to teach local and foreign journalists how to use Tor and Tails to keep themselves, their colleagues, and their sources safe online. I also met with the team behind Zero Day, a documentary about all things Internet security, to talk about Tor and the work that I do.
I met with foreign journalists on the first day and local journalists the day after. Around 30 people attended in total, and each training session lasted just over two hours. My presentation covered threats, how you can protect your communication, local data, and external data, as well as how to use the Tor Browser Bundle and Tails. I gave out USB sticks with the Tor Browser Bundle, the short user manual, and the CPJ Journalist Security Guide. PC users were also given USB sticks with Tails.
The feedback has been really positive from everyone who attended, and I have been told that those who were unable to attend have been given the material I handed out. There are some things that can be improved, however:
- Tor does not prevent somebody watching your Internet traffic from learning that you’re using Tor. In some cases, the fact that you are using Tor and encrypting emails/chat/drives can be a red flag. I am not sure how to best address this in a presentation, other than just say that yes, it can be a red flag.
- We talked about a few different risks, such as having your phone tapped, your email hacked, and your home or hotel room broken into. Having solid examples and stories helps a lot.
- I introduced a lot of new technology in a short amount of time. Those who are not familiar with technology such as full disk encryption, GPG, and OTR, would benefit from a longer and more hands-on session.
- The presentation included screenshots of encrypted email, encrypted chat, and the Tor Browser Bundle. Having a few videos that illustrate how it works, what the user sees, and what the new workflow is will make it easier to understand.
- The presentation mentioned Bitlocker, FileVault, and TrueCrypt for full disk encryption, but did not go into details. I told everyone how to enable FileVault in OS X, and I should add these step-by-step instructions to the presentation.
- Tor was originally designed, implemented, and deployed as a project of the U.S. Naval Research Laboratory. We also receive funding via U.S. government organizations. I covered this briefly in my presentation, but could have spent a bit more time talking about the Tor Project, Inc and why we are qualified to talk about Internet security and online anonymity.
I asked a few people to try out Tails and let me know if something was confusing, did not work, or could be improved:
- Tails has very limited support for Apple hardware. 23 out of 30 attendees were Mac users. I tried booting Tails on my MacBook Air, but OS X was unable to find the USB stick.
- I am used to the Tor Browser and was surprised to see that check.torproject.org was not the default home page.
- Firefox will start automatically once you are connected to the Internet. Most users did not wait for the Tails website to load before entering another URL in the address bar. Users did not question if they were actually using Tor.
- One user waited for the Tails website to load, saw the green download button and then asked if he needed to upgrade to a newer version. I wonder if there is a way to let users know which version they are currently using.
- A few users seemed confused when Pidgin automatically connected to IRC. I wonder if it would be better to have that disabled by default, and instead take users through the process of setting up their own accounts.
- One user tried the email client, skipped the part where you set up the mail servers, and tried to write an email. I wonder if there is a way to improve this, as most users expect the mail client to work just like the one they are used to in their normal operating system.
- Tails uses a US keyboard layout by default. This can be confusing for anyone with a different keyboard layout. A few users mentioned that the tap-touchpad-to-click functionality did not work.
- One user pointed out that there is no logout or shutdown option available when using Tails in Windows XP mode.
- The shutdown process can look a bit scary for anyone who is not used to Linux, especially the part where it wipes the memory. A friendly splash-screen of some sort would be good.
Thanks to my wonderful hosts for providing me with a place to stay, great food, suggestions on what to see in Istanbul, and for organizing and hosting the training sessions.
In January I met with the Serious Organised Crime Agency (SOCA) in London, UK. One of the challenges when dealing with online threats (cybercrime/e-crime) is understanding which leads not to follow. My goal was to help them understand what Tor is, how it works (both from a user and a relay operator point of view), and what it can and cannot do.
I talked about the Tor software ecosystem, including ExoneraTor (the website that tells you whether a given IP address was a Tor relay), and mentioned that we list all official projects on our website. I also mentioned Roger’s trip to the FBI conference in October 2012, and talked about some of the experiences we have had teaching US-based law enforcement about Tor.
Overall, I would say the meeting went well. They learned more about Tor and the projects we are working on, and they are aware that the protections that prevent us from figuring out what Tor users are doing - and who they are - is what’s keeping all Tor users safe.
Over the weekend, I attended the Hacking against Domestic Violence event in Washington DC, sponsored by the World Bank and Second Muse. I was there to help define problem statements, think about security and privacy risks of the solutions, and to help judge the solutions crafted by the attendees. A total of 10 teams congealed over the weekend. Everyone had creative solutions to the problem statements. Generally the sheer quality of output and enthusiasm was the first thing I noticed about all of the teams and their apps. Everyone in DC focused on mobile phone compatibility, even if their solution worked on the general web itself. There are plenty of photos available from the 7 involved countries.
I ended up spending most of my time with the team working to develop protocols to protect survivors from surveillance. We called ourselves Team Fuerza. The full presentation is available. A volunteer recorded a video of the presentation as well. Related images and videos are uploaded to my Tor people site.
Because I was involved with a team, I volunteered to give up my voting rights on the judges panel to avoid any issues. I then ended up presenting for the team for the status update and final presentation.
Overall, it was a great two days and the team made a lot of progress in a short amount of time. A big thanks to the team (Sarah, Az, Cid, Adriana, Andrew, and Justin), SecondMuse, the World Bank, and all of the attendees for their efforts in holding a hackathon in 7 countries simultaneously.
The World Bank and Second Muse should have their final press release and announcement of the results soon.
UPDATE 2013-02-08: World Bank accounces their press release about the hackathon. Team Fuerza, won the USA hackathon!
We have some test Tor Browser Bundles available for testing! They contain Firefox 17.0.2esr which we're planning to switch to in February. Just as a reminder: these are alpha bundles. We're still testing them ourselves but we want to get them out for wider circulation so we can find out about any dealbreaker bugs before moving Firefox 17 into the stable bundles. For the more sophisticated users out there, we'd love it if you could run Wireshark with the bundles and let us know if you see anything untoward.
Alpha Tor Browser Bundles can be downloaded here:
All of the Tor packages have been updated with Tor 0.2.4.9-alpha as well.
Tor Browser Bundle (2.4.9-alpha-1)
- Update Firefox to 17.0.2esr
- Update Tor to 0.2.4.9-alpha
- Update Torbutton to 1.5.0pre-alpha
- Update NoScript to 22.214.171.124
- Update HTTPS-Everywhere to 4.0development.5
- Add Mozilla's PDF.js extension to give people the ability to read PDFs in
- Prevent TBB from trying to access the X session manager (closes: #5261)
- Firefox patch changes:
- Isolate image cache to url bar domain (closes: #5742 and #6539)
- Enable DOM storage and isolate it to url bar domain (closes: #6564)
- Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
- Misc preference changes:
- Disable DOM performance timers (dom.enable_performance) (closes: #6204)
- Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
- Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
- Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)
If you were to give a non-technical person a brief overview of the Tor network, how would you begin? And if you had a picture or diagram to assist you, how would that look like?
We're looking for better visualizations of the Tor network as introductory material. Most people already know EFF's visualizations from Tor's Overview page. Recently, an Italian hack meeting came up with a fun picture of how to imagine a Tor circuit. A discussion among Tor developers brought up an ugly, but potentially useful analogy with road traffic.
Want to help make these visualizations better or suggest your own? Prettier drawings that we can actually show to the world are as useful as content-wise improvements what to add or leave out from these visualizations. Simply leave your ideas or links in the comments. Thanks!
Please help us test new experimental bundles that have flash proxy and pyobfsproxy enabled by default.
Flash proxy is a transport that uses proxies running in web browsers as access points into Tor. pyobfsproxy is a Python implementation of the obfsproxy modular transport that makes network traffic look unlike normal Tor traffic. Both of these technologies make it harder to block access to Tor. If you previously used the obfsproxy bundle, please upgrade to this bundle, which in addition to flash proxy has new obfsproxy bridges.
Flash proxy works differently than other pluggable transports, and you need to take extra steps to make it work. In particular, you will probably need to configure port forwarding in order to receive connections from browser proxies. There are instructions and hints on how to do that at this page: flash proxy howto.
These bundles contain fresh obfs2 bridge addresses, which may work for you if the bridges in the obfsproxy bundle are blocked. The bundles also includes an experimental obfs3 bridge—obfs3 is a new protocol designed to be harder to identify than the previous obfs2. If even these new bridges become blocked, you can find your own obfs2 bridges.
There are other ways you can help beyond testing the bundles. One is to run a bridge with pyobfsproxy. Another is to put the flash proxy badge on your web site or blog, or add it to your Wikipedia profile. If you want your browser to continue to be a proxy after a switch to an opt-in model, click the “Yes” button on the options page.