five minutes to speak

by phobos | February 13, 2011

I was asked to give a five minute speech to open a panel in front of a number of policy makers and advisors in Washington, DC in the past few weeks. The discussion was under Chatham House Rule. A number of people have encouraged me to publish the speech notes as a blog post; it is as follows.

Here I am, a technologist in a room full of policy people. I'll stick
to what I know and try not to put anyone to sleep in the next five
minutes.

Technology is agnostic; who uses it and how they use it matters. Roads,
cars, phones, email, websites are all technologies used for good and bad.
In the 1930s, the feds and police warned of mass chaos if the interstate
highway system was built in the US. The ability for criminals to quickly
transit between cities was of grave concern. Crime would spread faster,
further, and this would hasten the breakdown of the very fabric of the
American society, community. Time has shown the benefits vastly outweighed
the costs. This same principle has been shown to be true of the internet
and computer technology. Sure, we may have new kinds of crime with botnets,
zombies, phishing, but do we really? Lying, impersonation, and tricking
someone into doing your work are the same crimes they have been for the
past few millennia. It's just that the substrate that is used has changed.
What are some of the largest companies in the world? GE, IBM, Apple,
Microsoft, Google. What one should or should not do is policy and law,
what one can actually do or not do is technology.

Circumvention, anonymity, and privacy tools used in a free world can be
a minor annoyance, i.e. wikileaks used wikis, ssl, email, and yes, tor,
but in the end, it's an annoyance. We don't have people in the streets
rioting trying to overthrow our govt. Wikipedia uses the same technology
in wikis, ssl, and email. Everyone loves Wikipedia and considers it a net positive.

The same circumvention, anonymity, and privacy tools are deadly to
repressive regimes. The free flow of information and education are of
great concern to a regime trying to control the horizontal and vertical
of every day life. The tactics a regime can use are legal, technical,
and physical. The regime can switch between tactics, generally
depending upon what's economical and most effective.

Roughly 1 billion people are online in some way. Berkman did a study
that found roughly 2% of that billion know what a proxy is, or even that
technology exists to circumvent internet censorship. 98% of the world
accepts that facebook, google, cnn, and the bbc, are blocked and doesn't
try to find ways around it. This doesn't even broach the topic of online
privacy relating to commercial entities nor law enforcement and
intelligence agencies trying to learn the who, what, where, and how of your Internet activities.

Arguing about which proxy technology should get all of the funding and
attention is silly. The budgets and adversaries vastly outweigh the
funding and research into proxies. It's not a zero-sum game, and
the different technologies take very different approaches to success;
freegate/ultrasurf, vpns, psiphon, and web proxies play a game of cat
and mouse with ip addresses and sometimes encryption; tor uses the
strategy of R&D and protecting one's anonymity and privacy first, the
secondary effects of this are well-suited to circumvention too. Tor,
freegate, psiphon, and vpns sum up to roughly $50m in funding from the US govt
of the past few years. Only a very small fraction of that total has made it to actual technology. Compare that to the billions spent on snakeoil
black box technology by the DoD and intelligence agencies preparing for
a cyberwar arms race, much like the nuclear arms race, to deter other
nations from attacking us.

I talked to a member of a terrorist organization in Vietnam. He's been
stalked, harassed, and had everything confiscated multiple times by his
government. You know his organization as Deutsche Welle. He's a
reporter. He had no idea how his plans, documents, and contacts were
being discovered and used against him. His ability to understand the
differences between Tor, JAP, and Freegate was like asking which tires
are best for gravel, snow, or tarmac. The question he didn't even know
to ask is, "What are safe and secure computing and online practices?"
To use my analogy, "What car do I want for those tires? The answer is
a rally car." I spent 4 hours going over how the internet works,
how to think about adversaries online, what is ssl, what it means, what
are phishing, viruses, botnets, and state-sponsored malware. By the
end of the 4th hour, he understood how tor is different than a simple
vpn or proxy server, and when to use tor and when it isn't needed. 3.5h
of that discussion was basic operational, computer, and online security
and safe practices.

So where does this leave us? It leaves us with a mix of education,
technology, and many, many unanswered questions. This is a young field
overall. As the censorship providers and technologies get better, so
will those circumvention technologies. Educating users about internet
safety, risks, and making the tools vastly easier and safer to use
should be a goal.

Tor published a "10 things to think about circumvention tools" paper to
try to distill what we've learned over the past 10 years of doing this.
In a few of these areas, tor is not the best choice, for now.

What about technology? Isn't it going to save us all? Currently,
freegate/ultrasurf, vpns, and web proxies are looking for money to fund
their growing infrastructure costs. The more users you have, the more
servers, more bandwidth, and more costs you incur. It's a quick way to
spend lots of money and get lots of users. However, becoming the ISP for
the world gets very expensive, very quickly as you scale up to hundreds
of millions of users. Look at the infrastructures of google, facebook,
yahoo, and microsoft to see the challenges that lie ahead for these tools.

Tor and "distributed tools" look to improve the research and development
and rely on the scaling of users to both provide the circumvention and
grow to become a self-sustaining ISP to the world. We have only begun
to see the power and effects of these technologies with bittorrent, jap,
skype, freenet, i2p, and tor.

Comments

February 13, 2011

"""98% of the world
accepts that facebook, google, cnn, and the bbc, are blocked and doesn't
try to find ways around it."""

I don't blame them !!!

:-)

February 15, 2011

Why didn't you talk about how the vast majority of Tor users outside of China only use it to distribute videos of little children being raped and other child porn materials?

Please provide data to back up this statement. The vast majority of Tor users outside China, and inside China, use Tor to do boring, normal stuff online. From speaking to law enforcement officers around the world, crimes through Tor pale in comparison to the general population and to botnets.

February 15, 2011

The free flow of information and education are of
great concern to a regime trying to control the horizontal and vertical
of every day life.

Meanwhile, the EU is trying again to implement mandatory internet censorship. For the children, of course. At least for now :-/

February 15, 2011

Have you seen this report? http://lugar.senate.gov/record.cfm?id=331192&

They want to support freegate and ultrasurf only.

Also, tor got 1.6million over three years, while psiphon got 2.9 million. even freegate/ultrasurf got 1.2million in a year. you need to sell more snakeoil to the govt.

also, hire some lobbyists to fight for tor, you are losing the battle in the US government to idiots with more money less morals.

Yes, at least I've read that report. I learned World Expos are still popular in many places and that they make the assumption that becoming the ISP for the world is a worthwhile goal. The last two paragraphs of my speech attempted to address this as an incomplete solution. It's a short term solution to give money to places like AT&T, Level 3, and Verizon, you're just doing it through the circumvention provider. As soon as the money stops flowing, people cannot use the tool anymore.

Distributed, or peer to peer-like tools, need funding for research and development to make their tools better. This is a longer return on investment, but it has a huge potential to be self-sustaining and vastly larger than any one infrastructure and ISP. Look at the economics of Skype and Bittorrent networks as compared to centralized models. Vastly cheaper overall, and the capacity for a more distributed and diverse userbase globally.

February 19, 2011

Can you email a copy of Tor software? Hotmail is now allowing a maximum attachment size of 25MB, and my Tor bundle is less than that, I think.

February 21, 2011

Thank you very much for posting this. Out of curiosity, could you provide some citations to support this:

"Tor, freegate, psiphon, and vpns sum up to roughly $50m in funding from the US govt
of the past few years."

I'm researching anonymity tools and I see that Tor's most recent funding report is from 2008.

You need to finish that sentence for it to make sense. The USG has provided up to $50m for censorship circumvention technology via grants and contracts. However, roughly 2% of that has gone to actual technology over the years.

All of Tor's financial reports are at https://www.torproject.org/about/financials. We publish them as filed with the IRS and Dept of Commerce.

phobos

February 24, 2011

In reply to phobos

to answer the direct question, the $50m total comes from the State Dept's own RFPs:

in 2008, $15m for circumvention technology, training, education, distribution

in 2010, $5m for mobile circumvention tech, training, education, distribution

in 2011, $30m for circumvention tech, training, education, distribution and evaluations. See http://www.state.gov/g/drl/p/127829.htm

And from http://www.newsweek.com/2010/01/25/up-against-tehran-s-firewall.html, see
Tehran's worries don't get much sympathy in Washington. In the past three years, Congress has budgeted no less than $50 million for the State Department to sponsor programs that provide unmonitored and uncensored access to the Internet for users living in closed societies.

And you can dig through grants.gov to find the State DRL programs around Internet Freedom to find the individual grants. I can't find the older State grants on their website.

March 05, 2011

I try to play a video but it says

'You need the latest version of Adobe Flash Player to view this video. Click here to download.
You see this message either because your Flash Player is outdated or because you disabled JavaScript in your browser'

I do have the latest version of Adobe Flash Player and JavaScript is enabled

and when I turn Tor off, all the videos are working

March 17, 2011

Hello, it's AKASH MAHAJAN from India. Whenever there is any problem in displaying the web page the browser reads standard India time by... Sir, I can't understand how it can be detected that I am from India.

Hey Akash,

In my experience, Tor checks the system time; see the message log. If you have maintained an Indian time zone and manipulated the clock, it wouldn't connect.

Change your time zone from control panel