News Orgs & Activists: Onionize Your Sites Against Censorship

Remember: only HTTPS provides end-to-end encryption in web browser context.
Tor provides tor-to-tor encryption. Ask researchers to explain you the difference.

Hurrah! Hurrah! Hurrah!

Three thousand thanks to everyone involved in this drive! It is something I have hoped to see for some time and I hope it will be great success.

One (nonpartisan) news site which is often read by US Congress staffers (and lobbyists!) is thehill.com, which currently does not even have https but which really needs to offer an onion. I suspect The Hill would be happy to trial an onion if you approach them, and it will certainly be interesting to see how the surveillance hawks react.

I have also, at some risk to myself from unhappy Feds, urged activists groups for years to strengthen their cybersecurity. Until a year or so ago, too many did not want to believe that companies exist which target activists for large corporations, but as major news organizations become more willing to publicize such incidents as Big Soda hiring malware-as-a-service companies to target soda tax activists in MX (and very possibly also in USA), I hope and believe that a sea change is occurring in terms of how activists judge the likelihood that they will be subjected to targeted malware attacks, illegal searches, various kinds of federal harassment, etc.

Also, a shout-out to ProPublica for awesome journalism (their incisive statistical critique of COMPAS is just now getting more attention!) and for being an early adopter of the onion! More stories on the dangers of algorithmic governance, abuses of Big Data, and psuedoscientifically
"validated" [sic] "objective" judgements by neural network or whatever. Please keep trying to explain over and over why no defense lawyer can cross examine the typical machine learning algorithm, and why that's a huge problem for future victims of the US "Justice" [sic] system.

This is a very important and welcome campaign and I wish it every success. I urge other Tor users to take any opportunity to try to urge reporters they encounter to ask their editors to consider implementing an onion.

One other urgently needed area where I think onions can play an invaluable role is in open-source software repositories. As you know, Tor Project and Debian Project began offering onion mirrors for the Debian repositories back in 2016 (and have also collaborated on reproducible builds and other critically important security-enhancing initiatives), and as you know, there have been some problems reported with the onion mirrors for Debian, but I urge Tor and Debian to work to fix those not to axe the collaboration! We know from several NSA documents leaked by Snowden that NSA (and other such) routinely target software downloads of legitimate software security patches by specific users, inserting malware "on the fly", sometimes even going so far as to "sign" the modified software with stolen credentials. Onions can make it much harder for such agencies to target individuals, and if they try to bork the computers of all Debian users (for example) they are much more likely to get caught, even to find that their malware has been capture, reverse engineered, and published, possibly with credible attribution to themselves. Therefore, onions not only increase the security of fetching security patches but can potentially cause the bad guys to reconsider the wisdom (from their point of view) of relying so heavily on state-sponsored malware to spy or worse.

You probably do not need me to suggest specific open source software repositories; the ones with the most software and the ones which are most used are obvious candidates. Don't neglect sites which specialize in STEM (Science Tech Engineering Math) software because we know from reputable security firms and other credible sources (e.g other Snowden leaked documents) that scientists are routinely targeted, and their dangers they face from state-sponsored attackers is clearly rapidly increasing in an age when fundamental science (climate science to name just one) is under intense political/legal attack by powerful enemies.

Also update https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor

you are laughing at us : posts are heavily censored on your own blog , this one (TorBlog https://blog.torproject.org ... onion address ???)
> We want a free and open internet for all, so let’s onionize and build it.
< ' We ' without yourself & the tor team/support_ers ???
the comments are not published : it is censored at 90 % !

I'd like to make a suggestion for a possible future brainstorming session at an NYC Tor meetup:

It is not inappropriate for brainstorming sessions to be more ambitious than codefests, and in that spirit:

When we think about how USG or another government might try to coerce a backdoor into Tor and other software which uses strong cryptography, we usually think of USG serving an NSL letter with an eternal gag order and a threat of indefinite imprisonment in a coffin-sized "black site" prison cell. But USG or another government could also try to coerce hardware providers into putting a backdoor into hardware, which could be difficult to defend against by technical means available to Tor Project devs, since "bare hardware" trumps even a "hardened" OS such as Tails. Is there anything we can do, technically and/or socially, to make it harder for a government to get away with coercing a chip maker in this way?

Another nightmare scenario, all too plausible in some parts of the world, involves "security authorities" with coercive access to the "command center" ("Head End System") of an "urban smart grid" to send commands to a specific smart meter which degrades or even shuts off the power to a particular household which the authorities wish to target. For example, power variations could perhaps be used to confirm that someone whom a sophisticated intelligence agency already knows is currently using Tor (because they saw recent connections to a Directory Authority) is the particular Tor user who is viewing particular content at the other end of a particular Tor circuit the spooks are watching. Or the cyberwarriors might wish to damage or destroy a targeted PC while it is in use. It is clear that many, even most, governments are eager to do such things, differing only in how they define "objectionable" on-line activity.

In some countries, a single command center controls the power grid of numerous cities, possibly even cities in different countries. It is widely agreed that the Russian government has cyberattacked the Ukraine power grid, shutting much of it down on at least two occasions. It may alarm US citizens to learn that Mosenergo, the Moscow power utility, uses a grid build by Landis+Gyr, as do numerous US cities. So the Russian government hardly need exert itself to obtain manuals and the actual gear which should be useful for developing cyberattacks on the US grid. Apparently in recognition of the increasing danger of such cyberstrikes, the Pentagon just announced it will retaliate with nuclear weapons against any attack on "critical infrastructure", which the DHS says includes power grids.

Snowden leaks suggest that GCHQ is very proud of a "computer network action" (cyberwar action) which appears to involve PLC (power line carrier) communications, in which commands are sent over a power line to suitable gear, which apparently can be used to obtain cryptographic keys. Because some smart grids apparently use PLC communications to send data from individual meters up to command center and to send commands down to the meters, this scheme may involve obtaining keys needed for GCHQ to take control of a power grid.

But could US or RU coerce makers of laptop and smart phone batteries to quietly introduce PLC (power line carrier) communication modules which could potentially enable "security authorities" with coercive access to "smart grid" "command centers" (such as the Landis+Gyr command center in Kansas City, MO) to take control of batteries as they are being charged in a "targeted" household? Or to coerce makers of UPS (uninterruptible power supply) gear to include modules which can act on PLC commands to behave abnormally, damaging phones and other electronic equipment in a targeted household?

In the US, "red" elements of the US federal government have recently been caught demanding lists of all households in certain "blue" cities which happen to be occupied by families with Hispanic surnames. Using their coercive access to utility records, it would then be very easy for them to add to these lists the unique machine ID of the smart meter which the utility has installed in each targeted household. (Malicious shutoff commands would be addressed by this unique machine ID.) This suggests that the future of genocide might begin with a government forcing "smart utilities" to selectively shut off power, water, and POTS/mobile phone service to a targeted ethnic group, or members of an oppositional political party.

IMO we should be thinking about how we can possibly try to prevent such horrid scenarios from ever being realized. It seems pretty clear that some governments have the intent, so we must try to ensure that they lack the capacity.

Is it possible that in future, OONI volunteers might be provided with suitable software which could possibly detect that suspicious PLC commands are being sent over a household power line? This might provide early warnings that some government is preparing for an attack on targeted individuals, or even a genocide against some targeted group of citizens.

These should be of interest to anyone concerned about USG dragnet surveillance:

https://www.washingtonpost.com/news/posteverything/wp/2018/01/25/how-to…
How to fight mass surveillance even though Congress just reauthorized it
What the battle looks like after Section 702's reauthorization
Bruce Schneier
25 Jan 2018

http://thehill.com/policy/cybersecurity/370709-wyden-blasts-fbi-chief-o…
Wyden blasts FBI chief over encryption remarks
Morgan Chalfant
25 Jan 2018

could someone answer at these noob questions ?
- is 501(3) a public or a private organization ?
- are the users under the u.s jurisdiction when they run/surf on Tor/onions ?
- are we a 'virtual' justification for your exemption ?
- if we are virtual american citizen ; what is the reason why we are not protected by the same laws than yourself ?
- if we are anonymous citizens which do not need to be 'registered' but do profit of your labor, time, money why are you working for us ?
- does the 501 status allow you to be outside of the trouble of a normal life, to not be concerned ?
thx.