Take Back the Internet with Us

by Sarah | October 28, 2019

You understand the importance of online privacy. You understand that Tor offers holistic, privacy-by-design solutions that allow you to take back the internet from the grip of surveillance, tracking, and censorship.

You may not know that the Tor Project is a nonprofit organization. Being a nonprofit means we're beholden only to our mission—to build and promote privacy technologies—and not to any entity or funder. Like the Tor network, our funding is intentionally distributed. We are supported by multiple sources--groups that believe in our mission, and, most importantly, individuals like you who stand with us in our belief that privacy is essential to exercising our human rights.

We spend the final weeks of each year asking for your help. The support we receive through our year-end campaign is essential to our success in the coming year. As more and more people become aware of the ways the internet has been co-opted into a money-making tool fueled by their personal data—our day-to-day behaviors, our personalities, our relationships, our vulnerabilities, our fears—more people are turning to Tor for solutions. In turn, the Tor team is working hard to ensure everyone can easily access our tools. This means scaling the network to accommodate increased usage, improving speed and usability, and training people who are in most need.

In addition to raising critical funds, we also try to use our campaigns as an opportunity to spread the word about Tor and offer a deeper understanding of the context surrounding our work. This year our theme is Take Back the Internet with Tor. We will focus on what the internet was intended to be—a free and open space to share information, where your personal data was not a commodity—the people fighting for those ideals, and the tools that allow us to take back the internet, one user at a time.

We also want our campaigns to be fun and interesting for everybody who cares about Tor. This year, every week of the campaign, we will offer opportunities to win prizes, like signed copies of books, artifacts from people who are working to take back the internet, and limited-edition Tor swag. Everyone who makes a donation of any size during the campaign’s first week, October 28th to November 4th, will be entered to win prizes in each and every drawing.

tor-project-take-back-the-internet-prizes-EOY-2019

Sample of prizes you’ll be entered to win:

  • Tor Swag Pack: Stickers, 2 T-Shirts, and a Hoodie (valued over $650)
  • We Have Root by Bruce Schneier, Tor Board Member
  • Tor Poster by Molly Crabapple with words by John Leavitt
  • Tor SAO Badge Board & Lanyard
  • Bitcoin Money, A Children’s Book by Michael Caras
  • Tor Picnic Blanket
  • Bitcoin2020 Tickets

We hope you will think critically about how important privacy is to you and consider donating to help us take back the internet. Give today through 31 December, and Mozilla will match your donation. Your gift will go twice as far.

Tor-donate-button

P.S. Don’t forget to make your year-end gift before November 4th so you have a chance to win one of our fantastic prizes.

Comments

Please note that the comment area below has been archived.

October 28, 2019

Permalink

While I agree with the basic idea of the internet as an open space for the exchange of ideas, I find the political position of the Tor organization contradictory to this basic idea. So I would prefer to donate to projects that have a better understanding of the concept of free speech.

What is it exactly that you think the political position of the Tor organization regarding free speech is? Could you please clarify a little bit?

Because as I see it, it's pretty clear: they create tools that help people to communicate without being censored by states or organizations.

While I'm not sure what the opinions of the creators on free speech are, it's pretty obvious that their product is pro free speech.

October 29, 2019

Permalink

Even as existential threats to Tor increase, in some ways things are looking up!

In a remarkable development which I would like to see Tor Project brag about, the BBC has just launched an onion mirror, citing mass protests around the world, in the face of government censorship. Places such as Chile, Brazil, Argentina, Ecuador, Haiti, Lebanon, Russia, Hong Kong, USA, and the UK itself have all seen enormous protests against staggering economic hardships and political oppression.

Our Deep State adversaries and our Drumpist enemies are proceeding to engage in messily public and vicious mutual destruction. Couldn't happen to a nicer bunch! :-)

Former FBI and CIA officials announce they are planning to flee to New Zealand, even as various nations build the case for war crime prosecutions in the Hague, and as DOJ is preparing to forcibly return these persons on the very rendition aircraft formerly sent to collect Snowden, Whitey Bulger, and various "high-level detainees", in order to face political charges in the US.

The further breakups of the UK, the Russian Federation, and the USA, possibilities which not long ago were regarded as outlandish, are increasingly discussed seriously in the political backrooms, and even in public by more and more members of the "Western" pundit class. Even the global Military-Surveillance Industrial Complex, including all the major "Western" "defense corporations" as well as corporation snoops (Microsoft, Google, Amazon, Facebook and all them like that) and CAAS (Cyberwar-as-a-Service) companies such as NSO Group, Gamma, Hacking Team, Cellebrite, etc., are coming under intense criticism, even by mainstream pundits.

At least two authoritarians, in the US and RU, have grossly violated the first Law of Autocratic Survival: keep the generals happy. Drump's war with the American officer class is well known; Putin's problems are evident from the transparently miserable faces of his leading generals in ludicrous state-sponsored propaganda photographs celebrating the Russian military during such events as Navy Day, and such embarrassments as several very revealing strategic technology failures, leaks from Russian spy agencies, etc. Massive protests in Chicago and Moscow have further demonstrated the fundamental weakness of both regimes.

Drump is now threatening to send the army into Chicago, San Francisco, and Baltimore. That kind of action did not work out very well for the USSR. It's one thing to invade Afghanistan (as both the USSR and the USA attempted and ultimately failed at), but quite another to send the army into your own great cities.

In China, Xi's peak of power already seems to lie in the distant past. (In some centuries, 12 months can seem like an eternity.) The Chinese government has tried to avoid following the American and Russian models of self-destruction, but it is becoming more clear every day that Xi has stumbled onto his own path to rack and ruin. Modern China, it must be emphasized, is a highly artificial twentieth century creation, and Xi cannot hide the fact that Tibet and Western China have never historically been Chinese. Far more than the UK and USA, and even more than the Russian Federation, the current boundaries of modern "China" are a hoax, and so long as technical censorship-evasion tools exist, no government can indefinitely perpetrate such dramatically counterfactual hoaxes.

Even the long overdue collapse of the absurdly anachronistic monarchies in the UK, Saudi Arabia and Thailand appears increasingly likely to happen within the next decade.

Global income inequality. Global climate change. A global mass extinction event. The rising threat of multiple regional famines and water shortages. The threat of global pandemics. Of nuclear war and omnicide. Clearly, many things have to change very quickly, if humanity is to extricate itself from a mess very much the making of the global economic and political elite. The key element to making that happen is truth. And Tor by intent and by design can and does bring truth to the People.

Truth to the People!

Let that be our rallying cry.

As a long-time Tor user (not a TP employee), I ask everyone to join me in supporting Tor by using Tor (even if you don't yet believe you "need" Tor) and by contributing some money to Tor Project, Tails Project, Debian Project, and other key NGOs which power the global online resistance.

October 30, 2019

Permalink

Some very bad news for the CAAS (cyberwar-as-a-service) industry is more good news for us!

One of the biggest corporate behemoths on the face of the planet, Facebook, is suing one of the nastiest companies in the CAAS business, NSO Group, over its malware targeting WhatsApp users:

thehill.com
WhatsApp suit says Israeli spyware maker exploited its app to target 1,400 users
Clickless exploit targeted attorneys, journalists, activists, dissidents, and others.
Dan Goodin
29 Oct 2019

Here is an op-ed by chief of Whatsapp explaining the basis for the lawsuit:

washingtonpost.com
Why WhatsApp is pushing back on NSO Group hacking
Will Cathcart
29 Oct 2019

For the technical points, see citizenlab.ca, which has published many detailed studied of how NSO Group's flagship malware, Pegasus, works, and how it is used by NSO clients to attack human rights defenders, political dissidents, environmentalists, opposition parties, lawyers, journalists, and scientists around the world.

The resources of Facebook are so deep that I predict this will force NSO Group to try to settle, rebrand, and re-emerge under a different name, hidden behind new front companies outside Israel.

The CAAS industry is worldwide, but most CAAS companies are headquartered in the US, with a strikingly disproportionate number, relative to population, located in Israel. The others are scattered about in South Africa, France, Germany, Russia, Singapore, etc. Marketing materials suggest that the Israeli companies are there in order to monetize the reputation, in authoritarian circles, of Unit 8200 for cyberwar prowess and of IDF for "tough measures", including assassination. It's absurd, but frightened governments seem to lap this stuff up.

In contrast, Singapore has in recent years tried to portray its dragnet as the "benign" version of Asian authoritarianism. Governments worried about their international reputation for brutality may be susceptible to the appeal of "dirty tricks with a human face" [sic].

It never ceases to amaze how easy it is for shysters to bamboozle frightened elites. All these CAAS companies like to brag to potential clients that they can do terrible things without detection or attribution, but in recent years they have been getting caught looking like rank amateurs, as happened last year when a news organization teamed up with Citizen Lab to catch more Israeli operatives trying to co-opt Citizen Lab itself. And yet the governments keep knocking on NSO Group's door. Amazing.

We should not forget that the notorious Italian company, Hacking Team, has apparently partnered with NSO Group. And Gamma is still around: after abuses by that company were exposed in a landmark series of stories published in Bloomberg News, Gamma was reorganized and moved from Munich to London. CAAS is so desired by so many governments that it will be difficult to truly destroy these companies. But if Facebook is serious, they do have the resources to permanently rub out NSO Group.

Facebook's real goal is no doubt to split the rapid rise of political opposition to Zuck's goal of world domination, and I doubt that Zuck actually wants to destroy the CAAS industry. More likely he wants to dominate it. Nonetheless I believe the CEOs of these companies are feeling genuine fear right now, because the suit sets an enormously significant precedent: when state-sponsored malware is discovered and traced back the contractor who provided it, the contractor just might face utter ruin if a sufficiently wealthy corporation feels it is in their own interest to take them out.

Put in other words, the threat to the CAAS industry is very real, but this presumably entails a hostile takeover by Facebook, not destruction by Facebook.

We shall see.

October 30, 2019

Permalink

[OT but important]

Among the fairly inexpensive items of computer accessories which Tor users will want to buy, if entrepreneurs dare to make them readily available, are over-the-air time signal receivers, which can be invaluable because onion services require an accurate clock, but NTP is not well secured.

The DAs, NTP, and hardware PRNGs may be the most vulnerable portions of current Tor infrastructure, and vulnerabilities in these components would not appear to be easily discovered simply by auditing source code. I believe this will be a major challenge going forward, and I hope other Tor users will join me in helping to fund more fundamental research by Tor Project in order to help us better understand the risks and to begin developing effective countermeasures.

October 30, 2019

Permalink

Remember how over the years commentators in this blog have repeatedly warned that our enemies will attack us by messing with the PRNGs (pseudorandom number generators) we use?

The following illustration would be funny if it were not so outrageous:

arstechnica.com
How a months-old AMD microcode bug destroyed my weekend [UPDATED]
AMD shipped Ryzen 3000 with a serious microcode bug in its random number generator.
0xFFFFFFFF every time is 0xDEADBEEF
Jim Salter
29 Oct 2019

While there is nothing we can do about AMD's enormously huge big fail, note that Salter details some ways we can at least try to check up on our hardware and software PRNGs.

Debian and Raspbian users can also try dieharder, among other options:

https://packages.debian.org/buster/dieharder

I hope other Tor users will join me in contributing to Debian in hope of supporting even more sophisticated test suites.

October 30, 2019

Permalink

Here is the BBC News onion for those who want to give it a try:

https://www.bbcnewsv2vjtpsuy.onion/

See also

bbc.com
BBC News launches 'dark web' Tor mirror
23 Oct 2019

> The BBC has made its international news website available via the Tor network, in a bid to thwart censorship attempts. The Tor browser is privacy-focused software used to access the dark web. The browser can obscure who is using it and what data is being accessed, which can help people avoid government surveillance and censorship.
>
> Countries including China, Iran and Vietnam are among those who have tried to block access to the BBC News website or programmes.
>
> Instead of visiting bbc.co.uk/news or bbc.com/news, users of the Tor browser can visit the new bbcnewsv2vjtpsuy.onion web address. Clicking this web address will not work in a regular web browser. The dark web copy of the BBC News website will be the international edition, as seen from outside the UK. It will include foreign language services such as BBC Arabic, BBC Persian and BBC Russian. But UK-only content and services such as BBC iPlayer will not be accessible, due to broadcast rights.

Is such a quotation and link protected by Fair Use even under the horrible CASE Act? Who knows?

Countries including China, Iran and Vietnam are among those who have tried to block access to the BBC News website or programmes.

Good job BBC, now instead of looking like someone who appreciates the concept of democracy, you'll instead look like a scheming insurgent. Because in China, Iran, Vietnam the only ones who get to use Tor are the military state, and for state purposes. Everyone else gets labelled for surveillance.

If well equipped LE all but admits it takes 4 months of surveillance to break Tor anonymity then what in the hell good is a dark web version of BBC.

> If well equipped LE

LEA (law enforcement agency)?

> all but admits it takes 4 months of surveillance to break Tor anonymity

Actually, I believe that figure came from academic researchers in a paper which was discussed in comments in this blog a few years ago.

> then what in the hell good is a dark web version of BBC.

Unfortunately trying to evade a censorship regime in many countries can carry significant risks, just as contacting a reporter carries significant risks (even in the USA).

However, in the case of China specifically, my sense is that activists inside China say that the government often "cracks down" at specific times (e.g. the yearly anniversary of Tiananmen Square massacre) but also often overlooks suspected censorship evasion. One has the impression the government is in a kind of macabre dance with Chinese citizens, in which officials sometimes attempt to appear ferocious and sometimes attempt to appear like a disapproving but indulgent uncle. This elasticity gives potentially gives citizens some room to try to learn what they can, even to express a few views outside China, without risking too much (we hope).

One worrisome feature common to the Chinese, Russian, and US domestic dragnets (to mention three of the most sophisticated and dangerous dragnets) is that these systems appear to be designed to never forget anything about what a particular citizen did. This raises the concern that something which might be legal today, or at least not regarded as highly criminal today, might be declared extremely criminal later.

However, I feel we cannot let that concern deter us from speaking out--- although we would be wise to try to use the best available anonymity tools to reduce the immediate personal risk of doing so--- because the more ordinary people dare to resist the authoritarians, the less likely it is that in a dozen years everyone everywhere will be enduring a post-Orwellian techno-authoritarian nightmare worse than anything we can even imagine today.

Not a v3 onion. Fail. Large news company deploys brand new long-term onion address out-of-date since 2017.

"The browser can obscure who is using it and what data is being accessed" Unless the onion site inside the Tor network is loading 3rd party trackers on "standard" and "safer" which are seen in NoScript's menu.

At the end of the BBC's article, they bait and switch their anti-surveillance Tor service for their voice app on pro-surveillance home-listening speakers.

Positively, their onion site doesn't appear to break under "safest".

October 30, 2019

Permalink

> several very revealing strategic technology failures

Russia's flagship SSBN, Borei, was for many years literally unarmed because Russia could not afford the missile system. But this ship finally succeeded in successfully launching an ICBM the other day. Score one for Putin, I suppose. But make no mistake, both the US and RU military are losing strength, not gaining it. The 21st century, which may well be last recorded in human history, will be China's century. And Xi is already messing it up.

October 31, 2019

Permalink

[Moderator: please allow urgent request for information]

Did Tor Project reconfigure the Tor network recently?

In particular, does Tor still attempt to send OCSP lookups through a different circuit than the connection to the destination website?

Since the introduction TB 9.00 I have noticed that my circuits almost entirely seem to combine OCSP lookups (port 80) with connections to a destination website (port 443). This cannot be good for anonymity.

Also, cloudflare seems more aggresive/hostile than normal.

Does exonerator.torproject.org handle IPv6 addresses?

November 01, 2019

Permalink

Tor is old, long in the tooth and the most powerful censorship resistance tool we have.

We need to support this initiative, 200%.

We need to work hard to 'Get Tor Known'.
We need to work hard to 'Get Tor Deployed'.

Can we call i2p a Tor cousin of sorts ?
They're born from the same privacy respecting philosophy ?

Maybe the time has come for invisible networks to take the center stage.

> Tor is old, long in the tooth and the most powerful censorship resistance tool we have.
> We need to support this initiative, 200%.
> We need to work hard to 'Get Tor Known'.
> We need to work hard to 'Get Tor Deployed'.

Totally agree! :-)

> Can we call i2p a Tor cousin of sorts ?
> They're born from the same privacy respecting philosophy ?

I believe i2p has a significantly different privacy goal from Tor. AFAIK, i2p offers a kind of anonymous file sharing network, which does not try to hide the fact that you are using i2p, but tries hard to hide who is sharing what. Tor can disguise the fact that you are using Tor to casual observers (but possibly not to deep packet inspection by ISPs and certainly not to NSA--- we know from the Snowden leaks that NSA tracks in near real time connections to the directory authorities, which are needed to join the Tor network).

Further, Tor users can anonymously (we hope) browse the "clearnet" as well as onion sites. I am not sure it would be possible or wise to try to use i2p to browse the clearnet.

Someone please correct me if I misunderstood anything!

Come to think of it, because NSA is sharing dragnet information so widely, it is likely that all well-funded intelligence agencies have access to NSA dragnet, so the first distinction mentioned above may now be somewhat moot.

Years ago, not only Tor Browser but also i2p was included in Tails, but it was dropped after some technical flaws were discovered. (These have since been fixed, I think.)

It would be useful for an expert to post here a nontechnical comparision of i2p vs. Onionshare.

November 01, 2019

Permalink

"Sovereign Internet" is now the law in Russia, but not the reality:

themoscowtimes.com
Russia’s Sovereign Internet Law Comes Into Force
The sovereign internet law allows Russia to cut itself off from the rest of the World Wide Web.
Experts say the country lacks the technology to implement the controversial legislation.
Jan Lindenau
1 Nov 2019

All the tech experts and most ordinary Russians opposed this law, but it happened anyway.

This should sound familiar to Americans.

All the tech experts and most ordinary Americans opposed the destruction of Net Neutrality, but it happened anyway. They want viable alternatives to Big Cable, but have no hope of getting them.

All the cybersecurity experts, financial services industry executives, and most ordinary Americans also oppose making strong personal encryption illegal, but that too may happen anyway.

Such flagrant flouting of the will of the People call into question the extent to which it is accurate to describe Russia or the USA as "democracies".

November 03, 2019

Permalink

> Everyone who makes a donation of any size during the campaign’s first week, October 28th to November 4th, will be entered to win prizes in each and every drawing.

Please do not forget to check your snailmail box! :-)

November 03, 2019

Permalink

Dear Sarah:

I'd like to see Tor Project write blogs posts modeled on this Tails Project post:

https://tails.boum.org/news/achievements_in_2019/index.en.html

Please note the pie graph which is a useful way to visualize how close Tor Project is to becoming primarily grassroots user funded. I fear TP is farther from this goal than Tails but I repeat we all need to know how far.

Some other posts to this blog I'd like to see:

o full explanation of how to use Electrum (cryptocurrency software included in Tails) to donate (including how to put money in your blockchain*, because no one ever explains the very first step!!!), plus the risks (Electrum recently stopped working in Tails, owing to a cyberattack I think, but now is working again, after a devastating flaw was fixed I think),

* Note that this step might require very different instructions for people who live in or outside the EU or some other legal jurisdiction,

o full explanation of how to use Tor Project help desk (including advice for those who lack email or chat accounts and cannot use telephone because of the dragnet),

o full explanation of how to make bug reports (including advice for those who lack...),

o nontechnical but reasonably thorough explanation of how to take advantage of Tor Browser sandboxing--- e.g. if we download a file while browsing, where do we put it and why does that help keep us safer?--- because even experienced Tor users such as myself don't feel confident we know how to do this correctly, because no-one ever bothered to explain, TP just assumed we all know which is not the case,

o nontechnical but reasonably thorough explanation of what kinds of "encryption backdoors" might be mandated by USG; in particular, explanation that the most likely backdoors might not be things which show up in the Tor source code itself, but rather weaken pseudorandom number generators, cripple accurate system clock (needed to use onion sites), rate limiting of the fastest exit nodes, attacks on the directory authorities, or simply designating Tor Project a "terrorist organization",

o nontechnical but reasonably thorough explanation of everywhere Tor uses strong encryption and how various kinds of "backdoors" which may be mandated by USG could affect these.

These are all posts which TP should be making (repeatedly, with the latest information) in order to help grow the user base, and to help experienced users use Tor more intelligently/safely. They are particularly appropriate at a time of year when TP is seeking grassroots user donations.

November 03, 2019

Permalink

Dear Sarah:

For months I have been trying to suggest to anyone who will listen--- i.e. no-one at all--- that OnionShare is ideal for sharing sensitive medical information safely and responsibly, and that onion sites are ideal for sensitive help lines such as sexual assault survivor lines.

There has been virtually no attention paid to medical privacy in the US media other than a terrific but brief and limited series of articles published several years ago in Pro Publica, and I think that needs to change, and I hope Tor Project will be in the forefront of the badly needed media blitz.

From time to time mainstream news media do publish articles like this

nbcnews.com
Missouri health director tracked menstrual periods of Planned Parenthood patients
The spreadsheet containing the menstrual period information was found during the course of legal discovery and was scrutinized by Planned Parenthood attorneys.
Safia Samee Ali
29 Oct 2019

but the rep29 Oct 2019orters (or their editors) never mention the fact that there is actually quite a lot Congress can do about the issue if they can muster the political will to act.

Note that poor people and military service members are the people most endangered by misuse of their medical information, and also the people whose medical information is most freely shared, often for purposes having nothing to do with providing medical care, as illustrated in the cited article.

I suggest that Tor Project liase with Planned Parenthood and other organizations to provide onion mirrors for sexual assault survivor help sites. And then, no kidding, write a very polite letter to this person

COMMANDING OFFICER
CRYPTOWARACT SIXTY SIX
FT MEADE, MD 20755-6585

citing the page

https://www.public.navy.mil/fltfor/cwg6/cwa66/Pages/default.aspx

which consists of the mission statement

> To provide trained and ready Sailors to support the collection and exploitation of targets in support of national and strategic level signals intelligence and cyberspace operational priorities.

(the unnamed partner agency who receives the SIGINT is of course NSA) followed by

> The DoD Safe Helpline number is the 24/7 Sexual Assault Crisis Intervention Response Line. If you need immediate support services, you should call the DoD Safe Helpline. If local sexual assault victim assistance is requested, please call the following numbers, in order. If none of these three are immediately available, please leave a message or contact the DoD Safe Helpline for immediate assistance.
>
> 1. CWG-6 Ft Meade Duty SAPR VA Phone: 301-602-1613
> 2. CWG-6 Ft Meade SARC: 410-227-6235
> 3. Annapolis SARC: 443-871-3679
>
> Safe Helpline 24/7: (877) 995-5247, https://www.safehelpline.org/

Note that

> This US Government system is subject to monitoring

may not be appropriate for a "Sexual Assault Crisis Intervention Response Line". An onion site would be much safer, I think. I suggest that your letter to CWA66 make this point and tell them where to find the onion(s).

November 04, 2019

Permalink

@ Tor Blog post authors:

Please read this EFF blog post about a fake Tor Browser currently targeting Russian speaking users:

https://www.eff.org/deeplinks/2019/10/phony-https-everywhere-extension-…

Please note how well the author clearly and concisely presents the most important things possibly confused/scared users need to know

(i) about the security issue

(ii) about how to obtain and verify genuine Tor Browser 9.0

I propose that all official posts in this blog should be rigorously rewritten to

(i) concisely and unambiguously present the most important information first, in terms which new Tor users who are not experienced software engineers and whose native language is possibly not English can readily understand

(ii) continue with further details of technically tricky points as appropriate

In particular, IMO the "traditional" format of the announcements of the latest TB version (the release versions, not the testing versions) appears to be written to please the USG "letter sponsors", not to inform ordinary Tor users, especially the new users we need to help get up to speed quickly in order to grow our community. That needs to change.

In general, Tails Project documentation is much better organized, and Tails Project announcements are much more useful to ordinary users than are Tor Project's pages and Tor Browser announcements. This may partially explain why Tails Project appears to be doing much better than Tor Project in transitioning to a grassroots user funded model similar to EFF and ACLU funding.

I would also like to remind Tor Project that a key goal for Tor Project should be getting a good rating from Charity Navigator, which currently cannot even attempt to rate Tor Project because of that absurd "Sponsor F" nonsense--- a holdover from the Eisenhower administration! Compare ACLU's model Charity Navigator rating and note the role played by ACLU's transparency about where funds come from and how they are used, plus ACLU's efficiency (low overhead costs).