The Tor Social Contract

by alison | August 10, 2016

At The Tor Project, we make tools that help promote and protect the essential human rights of people everywhere. We have a set of guiding principles that make that possible, but for a long time, those principles were more or less unspoken. In order to ensure that project members build a Tor that reflects the commitment to our ideals, we've taken a cue from our friends at Debian and written the Tor Social Contract -- the set of principles that show who we are and why we make Tor.

Our social contract is a set of behaviors and goals: not just the promised results we want for our community, but the ways we seek to achieve them. We want to grow Tor by supporting and advancing these guidelines in the time we are working on Tor, while taking care not to undermine them in the rest of our time.

The principles can also be used to help recognize when people's actions or intents are hurting Tor. Some of these principles are established norms, things we've been doing every day for a long time, while others are more aspirational -- but all of them are values we want to live in public, and we hope they will make our future choices easier and more open. This social contract is one of several documents that define our community standards, so if you're looking for things that aren't here (e.g. something that might be in a code of conduct), bear in mind that they might exist in a different document.

Social goals can be complex. If there is ever tension in the application of the following principles, we will always strive to place highest priority on the safety and freedom of any who would use the fruits of our endeavors. The social contract can also help us work through such tensions -- for example, there are times when we might have a need to use tools that are not completely open (contradicting point 2) but opening them would undermine our users' safety (contradicting point 6). Using such a tool should be weighed against how much it's needed to make our technologies usable (point 1). And if we do use such a tool, we must be honest about its capabilities and limits (point 5).

Tor is not just software, but a labor of love produced by an international community of people devoted to human rights. This social contract is a promise from our internal community to the rest of the world, affirming our commitment to our beliefs. We are excited to present it to you.

1. We advance human rights by creating and deploying usable anonymity and privacy technologies.

We believe that privacy, the free exchange of ideas, and access to information are essential to free societies. Through our community standards and the code we write, we provide tools that help all people protect and advance these rights.

2. Open and transparent research and tools are key to our success.

We are committed to transparency; therefore, everything we release is open and our development happens in the open. Whenever feasible, we will continue to make our source code, binaries, and claims about them open to independent verification. In the extremely rare cases where open development would undermine the security of our users, we will be especially vigilant in our peer review by project members.

3. Our tools are free to access, use, adapt, and distribute.

The more diverse our users, the less is implied about any person by simply being a Tor user. This diversity is a fundamental goal and we aim to create tools and services anyone can access and use. Someone's ability to pay for these tools or services should not be a determining factor in their ability to access and use them. Moreover, we do not restrict access to our tools unless access is superseded by our intent to make users more secure.

We expect the code and research we publish will be reviewed and improved by many different people, and that is only possible if everyone has the ability to use, copy, modify, and redistribute this information. We also design, build, and deploy our tools without collecting identifiable information about our users.

4. We make Tor and related technologies ubiquitous through advocacy and education.

We are not just people who build software, but ambassadors for online freedom. We want everybody in the world to understand that their human rights -- particularly their rights to free speech, freedom to access information, and privacy -- can be preserved when they use the Internet. We teach people how and why to use Tor and we are always working to make our tools both more secure and more usable, which is why we use our own tools and listen to user feedback. Our vision of a more free society will not be accomplished simply behind a computer screen, and so in addition to writing good code, we also prioritize community outreach and advocacy.

5. We are honest about the capabilities and limits of Tor and related technologies.

We never intentionally mislead our users nor misrepresent the capabilities of the tools, nor the potential risks associated with using them. Every user should be free to make an informed decision about whether they should use a particular tool and how they should use it. We are responsible for accurately reporting the state of our software, and we work diligently to keep our community informed through our various communication channels.

6. We will never intentionally harm our users.

We take seriously the trust our users have placed in us. Not only will we always do our best to write good code, but it is imperative that we resist any pressure from adversaries who want to harm our users. We will never implement front doors or back doors into our projects. In our commitment to transparency, we are honest when we make errors, and we communicate with our users about our plans to improve.

Comments

Please note that the comment area below has been archived.

August 10, 2016


"We are honest about the capabilities and limits of Tor and related technologies."

A+ it's fantastic to see this in the social contract!!

I look forward to it being implemented.

Your snark isn't very useful. Mostly because it's misplaced.

In actual fact and practice, that contract statement is a reflection of long-standing insistence on accuracy by Tor folks about what Tor can and cannot do.

This fits into the overall umbrella of teaching opsec, and how to use Tor safely. It's always been a big part of the project.

A better way to put your statement, without the snark, but constructively, might be "I want to go beyond that, helping find new ways to educate users about how to safely use Tor and related technologies."

Tor folks rarely say much about Tor exit node risks. Actually, Tor cannot help domestic abuse victims. It's better to use a portable browser on a USB in a "private" or "incognito" window.

We have a warning about exit node risks on the download page (see d.), and we added more explanations in the upcoming Tor Browser user manual.

I would be happy to see more user studies and help from UX experts on how best to explain these risks to users, but I don't think it's accurate to say that we don't talk about them.

I must admit I fail to understand why you think Tor cannot help victims of domestic abuse. Tor Browser is a portable application and can be used from a USB stick.

August 16, 2016

In reply to lunar


If I read between the lines on the bottom of the page, I should use HTTPS. What are the consequences of HTTP? Does the average Tor user understand the difference between HTTP and HTTPS? Meaning server side daemons listening in on requests for HTTP?

You imply that you shouldn't use HTTP.

Domestic abuse victim uses Tor thinking it's a panacea.

Is man-in-the-middled.

Maybe have personal details or even dirty pictures stolen?

Seems traumatic to experience.

The price of using people as disposable shields for cover traffic.

- "What are the consequences of HTTP?"

The EFF answers this here: https://www.eff.org/pages/tor-and-https, showing the effect of introducing HTTPS, even before introducing Tor, on what eavesdroppers can see.

- "Does the average Tor user understand the difference between HTTP and HTTPS?"

Sadly, the average internet user still doesn't understand the need for HTTPS. Most just think it's about a padlock symbol for when you log into something like online banking. Many won't know how to check a certificate. Few understand the role of root certificate authorities.

- "Meaning server side daemons listening in on requests for HTTP?"

This shows you aren't on top of what HTTPS does for you yet. Of course server side daemons listen for HTTP and HTTPS requests, otherwise how does the website server know which webpage to serve you? The difference is that only the server side daemons can know the contents of HTTPS traffic addressed to them. That's in the EFF explainer above.

- "Domestic abuse victim uses Tor thinking it's a panacea."

A sad but possible outcome, yes. But would you suppose a domestic abuse victim is then safer from further abuse if they use conventional means, or do nothing?

Good technology comes with manuals. Anyone who uses technology without reading the manuals risks their own ruin. I read recently a comment from a security researcher who wrote that most consumers just want a magical box to plug into their computer and then the computer is perfectly safe to use. What these consumers don't think about is this: if someone offers or sells you some black box and tells you "this will make all your internet browsing safe", how can you tell that's true (because of the sheer technical difficulty)?

It's not just Tor that has this problem of how it can be used safely, requiring actual research by the user. I read that safe houses for abused women in the US have strict rules about 'no cell 'phones!'. Sometimes the abuser has connections to LEAs, and carrying in a cell 'phone switched on can give away the safe house location. I doubt they give up running safe houses because of naive visitors hiding cell 'phones in their pockets, because "surely this can't do any harm?"

Meanwhile, Tor does hide the actual IP of the safe house for IRC and e-mail.
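The reply above points to the EFF explainer for what an eavesdropper sees with and without HTTPS. As an added example (not code from the Tor Project or from any commenter), the script below models that difference directly: it parses a constructed plaintext HTTP request the way a passive on-path observer (ISP, home router, exit relay) would, and then parses a constructed TLS ClientHello, which is the only unencrypted part of an HTTPS connection the observer gets to read. The sample request, the host name `example.org` and the minimal ClientHello builder are all assumptions made for the example; the builder emits just enough of the RFC 5246 / RFC 6066 layout to carry a server_name extension, not a full handshake.

```python
"""Added example, not from the Tor blog or its commenters: models what a
passive on-path observer can read from an HTTP request versus from the TLS
ClientHello that starts an HTTPS session. All traffic below is constructed."""
import struct

# Constructed sample of a plaintext request (not captured traffic).
SAMPLE_HTTP = (b"POST /messages?to=shelter HTTP/1.1\r\n"
               b"Host: example.org\r\n"
               b"Cookie: session=abc123\r\n"
               b"Content-Length: 8\r\n\r\n"
               b"help=yes")


def eavesdrop_http(raw: bytes) -> dict:
    """What an observer recovers from plaintext HTTP: everything."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"host": headers.get("host"), "method": method, "path": target,
            "cookie": headers.get("cookie"), "body": body.decode("utf-8", "replace")}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying a server_name (SNI)
    extension. The random and the cipher list are stand-in values."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def eavesdrop_tls(record: bytes) -> dict:
    """What an observer recovers from the ClientHello: only the SNI host name.
    Path, headers, cookies and body are sent later, under the session keys."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    host = None
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0x0000:   # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            host = record[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return {"host": host, "method": None, "path": None, "cookie": None, "body": None}


if __name__ == "__main__":
    print("HTTP :", eavesdrop_http(SAMPLE_HTTP))
    print("HTTPS:", eavesdrop_tls(build_client_hello("example.org")))
```

Running it side by side makes the commenter's point concrete: with HTTP the observer gets the path, the cookie and the form body; with HTTPS the same observer gets the host name and nothing else. Tor, unlike HTTPS alone, also hides from the local network which host name is being contacted, which is the part of the threat model the later "wrong threat model" reply is about.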

August 19, 2016

In reply to lunar


Usage and UX feedback:

1) When not using the tor-browser for a long time, it will display a _Firefox_ warning, asking the user if it should clean all its settings. Responding positively results in an unusable tor-browser.

2) Installation: The tor-browser is very easy to install but verifying its integrity is not documented for non-tech users.

Fixed(?) Issue:
3) I saw a user not understanding that the tor-browser needed to be updated despite having its homepage display a huge arrow asking the user to update it.
Unity(Ubuntu) also had too much pinned application, making the computer look messy. This probably didn't help the user notice the difference.
Nowadays the tor-browser is supposed to auto-update itself, so it's probably considered as fixed.
I wonder if the auto-update also works when the tor-browser is several updates behind.
It probably does work.

4) A user misunderstood the direction of the tor circuit, wondering why the "exit IP" never changed. This could either be due to the fact that "This browser" And "Internet" text weren't present when the user first looked at it, and the user kept remembering the direction wrongly even after having such text, or to the fact that end users don't tend to read such text at all.

"John Doe 2QevpZ4AGQ".

Thanks for this feedback!

Re 1) Does this still happen with an up-to-date Tor Browser? We had this issue (or a strikingly similar one?) in the past (https://bugs.torproject.org/16441) but that got solved a while ago.

Re 2) How do you think we should improve https://www.torproject.org/docs/verifying-signatures.html.en?

Re 3) Yes, the auto-updater works in this case as well. A user won't get an incremental update then but the full one.

Re 4) We had this discussion in the past (see: https://bugs.torproject.org/15979. We still think the design we implemented is better than reversing the order. That said I guess we can do things to make it even more clear to users how to parse the information (Maybe https://bugs.torproject.org/16665 could help here).

"had better know" is not a good answer given that users have to download Tor Browser at least once from somewhere getting it manually installed. Yes, the updater takes care of this once Tor Browser is running.

August 30, 2016

In reply to lunar


> more user studies and help from UX experts

Yes, because users learn as much about complex technology as their background knowledge allows, but then eventually "just dive into" using complex technology.

> August 15th, 2016 lunar said: how best to explain these risks to users

Historically, contextual interactive alerts and help provide better "hand holding", but I'm convinced that coding and maintaining is significant additional workload.

"Tor folks rarely say much about Tor exit node risks. Actually, Tor cannot help domestic abuse victims. It's better to use a portable browser on a USB in a "private" or "incognito" window."

I think this is a good example of having the wrong threat model. You're only thinking of traces left on the used PC itself. Your solution does not stop the local broadband router nor your ISP logging what websites were visited, and if the abuser has access to that, well, Game Over. HTTPS does not stop this logging completely either. Tor does.

We've had a similar argument before here: "Using Tor flags you for monitoring by FVEYs, so I'm just going to stick to using MS Windows with Internet Explorer and blend in with the crowd. It's safer!"

August 10, 2016


"We are honest"

No human in the history of human civilization has ever been 100% completely honest.

Please don't lie to us like this. We're only humans after all.

Wait, what? Did you understand what you read? Do you understand what you wrote?

"We are honest ..." is a goal of the social contract, not some claim of fact. Even so, when you ask "please don't lie to us like this", you demand honesty as fact. Yet when someone writes, "we are being honest" (or rather "we strive to be honest" as I think Alison meant in the contract), you object that this must be a lie!

Well, with that kind of tautological skepticism, we might as well all go home!

No, read the numbered items as the social contract goals they are, not claims of fact, then all becomes clear.

Isn't that a favorite saying in certain Russian agencies?

The question of whether or not individual humans are invariably truthful is irrelevant to whether or not an NGO is sufficiently transparent.

I am concerned that TP has not given any official statement on the scandal surrounding the hiring and firing of CIA agent Chasteen, and I am concerned by some other curious omissions or consistent careful phrasing which seems to suggest that TP has documentary evidence of being attacked by USG spooks for dragnet or targeted attacks on users. But I don't agree that Tor is useless or that you can't trust anything TP says in this blog, if that's what your brief comment was intended to suggest.

You can search for potential attacks on Tor from the inside by USG spooks: our code is public, you can attest that the software we ship is built from the released source code via reproducible builds, and the design is discussed in the open and publicly available.

I acknowledge it does require expertise to analyze all these documents and code, but they are available, concrete evidence. That spooks from many different countries are trying to attack Tor without interfering directly with the Tor Project, this should be taken for granted.

Regarding Chasteen, lawyers got involved. I hope the recently appointed board will be able to release more information to the public—now that some is out anyway—but having to deal with a lawsuit would really not be in Tor Project's best interests.

August 17, 2016

In reply to lunar


> You can search for potential attacks on Tor from the inside by USG spooks: our code is public, you can attest that the software we ship is built from the released source code via reproducible builds, the design is discussed in the open...

That is all true, and good stuff, but in truth only an expert coder can independently audit code. Very few Tor users qualify, so we must rely on trusted third parties.

> I hope the recently appointed board will be able to release more information to the public—now that some is out anyway—but having to deal with a lawsuit would really not be in Tor Project's best interests.

Agree with all that.

One reason why I am so frustrated by the Chasteen scandal is that some of us explicitly warned TP to be ready for USIC to psychologically profile key employees and try to exploit "soft spots" to insert a mole, which is exactly what seems to have happened in the Chasteen case. Furthermore, we tried to warn TP that the Project needed to become much more politically savvy. I quickly add that Shari appears to have made *enormous* progress in fixing these and other deficiencies, which I applaud.

But everyone should recognize that CIA appears to have artfully exploited US workplace law to ensure that even if their mole were exposed (thank you, Jacob, for raising suspicions!), maximal damage to TP would ensue. Because if TP tells users what it knows, it gets sued. And if you don't, users are upset that you are hiding something.... possibly something more awful than what we suspect so far. Revelations from the HBGary Federal leaks, and some of the Snowden leaks, all showed very clearly that identifying and exploiting psychological and organizational weaknesses plays a big role in FVEY "disruption" campaigns, and there is every reason to believe this is still the case.

So I hope that even if Shari concludes she cannot speak up about what TP knows about how the Chasteen fiasco came about, she will do everything possible (within the bounds of legality and reason) to ensure that TP becomes a much harder target for USIC infiltrators and manipulators. And I hope she will at least assure us that all Chasteen-written code has been rigorously extirpated or audited.

Also, thanks lunar, and please keep up all your good work on Tor!

From the "leaked" IRC logs it seemed fairly clear how Chasteen got hired and that there were failures in timely communication among the core project members and that he never wrote any code.
As far as writing code, the NSA and/or KGB and/or you! can submit patches under pseudonym "cypherpunks" anytime and have them accepted. The questions would be how much review actually goes on and does anyone on the newly hired staff have ability to check in code without review?

August 10, 2016


... reading that is nice ... using tor, i met few problems when i post on a blog or mailing-list like the lack of free e-mail address (of course, i do not write mine) ... so i take one here, one in another place ... could tor propose a list of temporary fake e-mail addresses like a "generic address"? it could be like a tolerant agreement and provide a level of anonymity with tor posting on a blog e.g.

August 10, 2016


Glad to see this information posted. I am curious about Tor developers who speak to law enforcement about Tor. I seem to recall reading, I believe from a blog post here some time ago, that developers inform law enforcement about weaknesses that Tor does not protect well against. I am fine with Tor devs talking to law enforcement about Tor, but why not inform the community at large about the specific weaknesses you point law enforcement to? Why not provide everyone with whatever specifics you tell law enforcement? That would be really beneficial to anyone concerned about the personal security of their own system. I know the Tor project website lists weaknesses of Tor and anonymity issues in general. I just would like to see the same level of details provided to everyone that Tor devs provide to law enforcement in the spirit of being open and in not harming users. Maybe you do, but I have never seen any details provided about talks Tor devs give to law enforcement.

If only you could link to the blog post you meant, and point out the part where the extra specific weaknesses were conveyed, then we could be sure that you aren't just supposing it.

Could that blog post be any of these?

"Trip report: Tor trainings for the Dutch and Belgian police" of 5 Feb 2013. https://blog.torproject.org/blog/trip-report-tor-trainings-dutch-and-be…

"Meeting With SOCA in London" of 4 Feb 2013.
https://blog.torproject.org/blog/meeting-soca-london

"Trip report, October FBI conference" of 16 Dec 2012.*
https://blog.torproject.org/blog/trip-report-october-fbi-conference

"A visit to NCFTA" of 14 Jul 2009.
https://blog.torproject.org/blog/visit-ncfta

"Talking to German police in Stuttgart" of 26 Mar 2008.
https://blog.torproject.org/blog/talking-german-police-stuttgart

I couldn't find any admission to giving extra or specific information to LE in those. You write:

"I seem to recall reading ... that developers inform law enforcement about weaknesses that Tor does not protect well against."

but then write:

"... why not inform the community at large about the specific weaknesses you point law enforcement to?"

Where does 'specific' come from? Can you list these from that blog post? Or is everything in those blog posts equally available to all Tor users after all?

* I like this bit:
Roger Dingledine: "At the end of the conference, one of the FBI agents took me aside and asked "surely you have *some* sort of way of tracking your users?" When I pointed at various of his FBI colleagues in the room who had told me they use Tor every day for their work, and asked if he'd be comfortable if we had a way of tracing *them*, I think he got it." Sounds like Roger won't give specific helpers to LE after all?

I had the same thoughts -- thanks for saving me the trouble of finding those links!

I am rather upset with Roger over his role (yes?) in hiring D. Chasteen, but to his credit, he has never tried to hide his youthful indiscretion: working one summer for a few months as a summer intern at NSA. Given the extent to which USIC's tentacles have infiltrated every corner of US academia (Roger's natural haunt), I don't consider this awkward line in his resume quite as disturbing as some might. But it does add to my concern about the Chasteen fiasco, and about TP or close associates of Tor people accepting grants from DARPA. It all adds up to multiple ties to the dark side of the USG, and that worries many Tor users.

If I mention names, the censor will never pass this post, but I repeat my appeal to an un-named associate to explain the status and motivations of her DARPA funded research on stylometric deanonymization attacks. It seems to me that it would be very easy to code something which helps to obscure personal stylometric features. Not enough to fix the problem, but enough to get a ball rolling in a helpful direction. The hypothetical application I have in mind (the associate probably knows what I am talking about) would unfortunately need to access a lot of memory, but so does selfrando, eh?

I read through the chat log on Pastebin when it came to light: http://pastebin.com/wpamqkw8. (Search that link in Startpage and use its proxy service, because Pastebin blocks Tor.)

At the end, I was satisfied it was just a blunder: RD didn't ask, and DC didn't say - until after the employment contract was offered, at which point the chat log ensued. It was DC who revealed his former employment.*

Note two things in the log:

1. Jacob Appelbaum states he is logging the channel at the end ("00:38 < ioerror> ok, i am logging this channel now"). I haven't seen any claims that these lines have been added to the pastebin version, instead I think there's a general suspicion that as JA logged the channel, he's the one who posted it to pastebin, and that was in response to his dismissal from Tor project and other hacker collectives. I suppose it also served the

2. Meanwhile, mrphs really had a hard time learning what just happened. Now that chat log was from 10 Nov 2014, and its disclosure was late June this year. I was worried that would cause more distress, but mrphs is still with the Tor Project, having posted on 3 Aug on this blog. If mrphs is satisfied, can we be satisfied too?

Some other things.

I saw Paul Syverson posting to the Tor Project devlist with his e-mail address from the .mil domain. You know who Paul Syverson is, right?

I guess to best defend against something, one has to research how one would best attack, otherwise one probably has the wrong defence. Of course someone's going to research stylometric deanonymization attacks. Meanwhile, I think Isis Lovecruft has been looking at the defence side recently.

So long as there's better thinking than "384kB should be enough for anybody."

I think one has to keep a cool head over these things and get to their proper context.

* Yes, I'm aware of the "but you can never really leave" concept, but I think it's more to do with keeping classified classified.

> Given the extent to which USIC's tentacles have infiltrated every corner of US academia (Roger's natural haunt),

and Edward Snowden worked for an NSA contractor!!

Ironic: another website which blocks Tor using cloudflare:

https://policy.m4bl.org/platform/

Can TP contact them and let them know why Tor is perfect for BLM supporters?

Not so ironic: fbi.gov blocks Tor using cloudflare, which owns the https cert you see if you try to connect to FBI (because they publish public data which is highly relevant to BLM issues, as not even James Comey can easily deny).

Wonder what would happen if TP suggested that fbi.gov should be more Tor friendly? Would they even bother to reply?

So you can easily see nsi/xxx friends. What's the trouble? Don't visit it; there is nothing unique on the web, just go to another site.
If you must, then try to search for an addon which scans the reply for the clown's signature and reconnects. Eventually it will drill the hole and connect.
It would be better for society to make replicas of interesting/unique sites blocking Tor access and publish them on the onion web.
Btw, does anybody have an (official) onion mirror site for torproject.org/dist?

Problem re: would FBI want TP able to trace FBI agents? It isn't a level playing field - TP people are in USA, subject to US law, largely funded by USGov, and the time delay factor.

(Paranoid scenario) FBI could sponsor exploit development under NDA and/or use NSL to prevent revealing of an exploit, or develop it under contract with a private for-profit corporation, not subject to FOIA, but having same staff as TP (similar to Tor Solutions Corp). Then use exploit for a few months before it got "reported" by developers or found by external people.
(Speculation: Carnegie Mellon FBI TBB sting.)

Maybe the Tor Social Contract prevents such scenarios. Anyway my guess is, like the Lavabit guy, TP staff wouldn't stand for it regardless of legal pressure.

The verifiable design and open source coding of Tor is to not allow anyone to trace anyone else. I quoted Roger to show that he was getting the FBI agent to confirm that the FBI would not use Tor for their own investigations if they knew it had a backdoor, so the speculation that Roger was giving LEAs extra help with tracing is somewhat absurd.

Still, James Comey, FBI Director, seems to believe in the possibility of either secret backdoors in open source code or turnkey backdoors that can never be hijacked by someone else. Some people here seem to believe they might already exist.

The real risk of tracing comes from exploiting design flaws and coding errors, and for avoiding that we need much review and testing. The Carnegie Mellon affair was such a thing, read: https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users.

Two Tor developers have already moved to Europe. One sped up her move to escape the possibility of being served a NSL by the FBI. She has a canary on her website. It's due for renewal in four days time. (Someone remind her, she forgot to renew for two months last time!)

> She has a canary on her website. It's due for renewal in four days time. (Someone remind her, she forgot to renew for two months last time!)

Canaries are not without weaknesses and are certainly painful to maintain, but TP is one organization which really really really needs to maintain one (and never forget to renew it).

Unless of course the problem is that TP is already being served with a flurry of NSLs accompanied by gag orders.

Someone should be careful they are contacting the real Isis: unknown actors (FBI mebbe?) have targeted her with a cryptophishing attack (create a PGP/GPG key purporting to be hers with same short identifier as her genuine key):

http://www.theregister.co.uk/2016/08/17/pgp_admins_kill_short_keys_now_…
PGP admins: Kill short keys now, or Alice will become Chuck
Someone's impersonating the likes of Linus Torvalds with attacks via keyservers
Richard Chirgwin
17 Aug 2016

> The issue of short PGP IDs is back on the agenda, with unknown scammers spoofing identities like Linus Torvalds and Tor core developer Isis Agora Lovecruft. Short keys are just what the name describes: instead of someone passing their whole PGP key to someone else to get a message going, people would memorise the last eight hex characters of their full fingerprint. Hence, as explained back in March by Debian dev Gunner Wolf, Alice might give Bob the short key ID (Wolf's is C1DB 921F), and Bob would search a key repository to find Alice's full fingerprint. The problem: we've known for about five years that short keys are prone to collisions; and in 2012, the Evil32 project published a 32-bit colliding key for the whole PGP Web of Trust.
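The quoted article explains that an 8-hex "short key ID" is just the low-order 32 bits of a key's fingerprint, and that 32 bits is far too little to name a key uniquely. As an added example (not code from The Register, the Tor Project or any commenter), the script below shows both halves of that point: a keyserver-style lookup over a constructed keyring in which two keys share the same short ID, so a lookup by short ID is ambiguous while the full 40-hex fingerprint is not, plus the birthday bound that quantifies how quickly random IDs of a given width collide. The keyring entries, the e-mail addresses and the function names are assumptions made for the example; no real keys are represented.

```python
"""Added example, not from the article, The Register, or the commenters: why
an 8-hex "short key ID" is an unsafe way to name a PGP key, and what a
verifier should insist on instead. The keyring below is constructed sample
data, not real keys."""
import math

HEX = set("0123456789abcdefABCDEF")

# Constructed keyring: the first two fingerprints share their last 8 hex digits,
# i.e. the same 32-bit short key ID (a v4 key ID is the low-order bits of the
# fingerprint). Nothing here corresponds to a real key.
SAMPLE_KEYRING = {
    "11112222333344445555666677778888DEADBEEF": "alice@example.org",
    "AAAABBBBCCCCDDDDEEEEFFFF00009999DEADBEEF": "chuck@example.net",
    "0123456789ABCDEF0123456789ABCDEF01234567": "bob@example.org",
}


def normalize(ident: str) -> str:
    """Strip spaces and an optional 0x prefix; reject anything non-hex."""
    h = ident.replace(" ", "")
    if h[:2].lower() == "0x":
        h = h[2:]
    if not h or any(c not in HEX for c in h):
        raise ValueError("key identifier is not hexadecimal")
    return h.upper()


def classify_key_identifier(ident: str) -> str:
    """8 hex = 32-bit short ID, 16 hex = 64-bit long ID, 40 hex = v4 fingerprint."""
    n = len(normalize(ident))
    return {8: "short-id-32bit", 16: "long-id-64bit",
            40: "fingerprint-160bit"}.get(n, "unknown")


def lookup(ident: str) -> list:
    """Keyserver-style lookup: every key whose fingerprint ends in ident matches."""
    h = normalize(ident)
    return [uid for fp, uid in SAMPLE_KEYRING.items() if fp.endswith(h)]


def safe_to_pin(ident: str) -> bool:
    """Verifier rule: trust only a full fingerprint that matches exactly one key."""
    return (classify_key_identifier(ident) == "fingerprint-160bit"
            and len(lookup(ident)) == 1)


def collision_probability(n_keys: int, bits: int) -> float:
    """Birthday bound: P(at least two of n_keys random bit-wide IDs collide)."""
    return 1.0 - math.exp(-n_keys * (n_keys - 1) / (2.0 * 2 ** bits))


if __name__ == "__main__":
    print("short ID lookup  :", lookup("DEADBEEF"))              # two keys: ambiguous
    print("pin by short ID  :", safe_to_pin("DEADBEEF"))         # False
    print("pin by fingerprint:",
          safe_to_pin("1111 2222 3333 4444 5555 6666 7777 8888 DEAD BEEF"))  # True
    print("P(collision), 65536 keys @32 bits :", collision_probability(65536, 32))
    print("P(collision), 1e6 keys @160 bits  :", collision_probability(1_000_000, 160))
```

The birthday figure is the general form of the article's "prone to collisions" remark: with only 65,536 keys on a server, the chance that some pair shares a 32-bit ID is already about 39%, whereas a million keys at 160 bits give a probability that rounds to zero. That is why a verifier should compare the full fingerprint the author published and refuse to act on a short or long ID alone.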

> develop it under contract with a private for-profit corporation, not subject to FOIA, but having same staff as TP (similar to Tor Solutions Corp)

As you probably are aware, TP has a rather murky legal structure and obscured legal status. Tor Project, Tor Foundation, "the company"... If I correctly understood something Roger once wrote in this blog, he cannot figure it out any more than we users can, which is worrisome.

I hope Shari is trying to find ways to restructure TP to avoid murkiness and to transform TP into a user-supported NGO, preferably one incorporated under the laws of a country which is not ruled by some USG puppet government. Moving TP outside the USA would probably mean that many key employees would also have to move, which is, I admit, a lot to ask of hard working TP employees whose family and friends mostly live in the USA.

TP (like a lot of groups) wish to be sponsored by or from a great organization like a foundation, unknown enterprises, private funds, donations etc. Legally, life & taxes are more easily managed. it sounds like they wish today to be in a real universal status and not like a dirty hidden trash tramp lol ... is it a serious world ?

So, the explanation to the claim about TP's "rather murky legal structure and obscured legal status" is "like a dirty hidden trash tramp"? I find myself none the wiser from that. Any better explanations?

"(Paranoid scenario) FBI could sponsor exploit development under NDA and/or use NSL to prevent revealing of an exploit, or develop it under contract with a private for-profit corporation, not subject to FOIA, but having same staff as TP (similar to Tor Solutions Corp). Then use exploit for a few months before it got "reported" by developers or found by external people.
(Speculation: Carnegie Mellon FBI TBB sting.)"

So, how does this work? Thinking this through: the exploit code can't be inside the Tor software itself, because:
- if it was published inside the open source code, that might give the game away and/or breach the NDA, right?
- if it was hidden inside the binaries, they would mismatch with the source code via reproducible builds.

So, the exploit would have to be in a separate project (like the CMU FBI TBB sting, as you cite).

What is then to stop another TP coder (or even the same one!) from modifying the Tor source code to counter the exploit right away, just saying openly "but this exploit could hypothetically exist, and this is good design!"?

Would this strategy of foot-dragging be enough to render the NDA impotent?

August 10, 2016


Very good. I am an online security expert that uses and recommends TOR all the time. I for one appreciate your candor and genuine interest in the security of the Internet.

August 11, 2016


Hi, for a few hours I have been getting a message when I start Tor that FF is outdated.
Why?
The newest Tor is in use...
Greetings from Germany

Me too, try Help > Troubleshooting Information > Give Tor Browser a tune up > Refresh Tor Browser and re-install; useful.

Same here. Message "Your Firefox is out of date. Please download a fresh copy." On Tor Browser 6.0.3. But it is the latest version, so I assume it is a bug.

August 11, 2016


I believe point 2 could, and should, be worded more strongly towards software freedom.

First it states:

"[...] everything we release is open [...]"

next:

"Whenever feasible, we will continue to make our source code [...] open to independent verification."

Saying "Whenever feasible" with regards to open independent verification implies that it might not always be possible to do so. If an independent entity cannot verify the source code, it is not open. This contradicts the first statement.

Tor and a group of volunteers run software that actively monitors the network to find malicious nodes (e.g. exit nodes mangling traffic or harvesting onion services). Releasing their source code would offer an easy way for attackers to avoid detection. This would most likely harm our users (contradicting point 6).

We added the “whenever feasible” so no one would accuse us of keeping this monitoring software to ourselves when it's currently the most sensible thing to do. Hope that explains.

August 13, 2016

In reply to lunar


But isn't this called "security by obscurity" and isn't it one of those concepts in Engineering/Science and IT that's mostly frowned upon?

It's indeed suboptimal. In the meantime, making such a tradeoff allows us to catch malicious relays which try to spy on Tor users.

If you take the example of relays harvesting onion services, this is a problem that will be solved for good after the implementation and deployment of the new design (prop224). In some cases, these are also tradeoffs that help to make the situation slightly better while more general solutions are in the making.

August 14, 2016

In reply to lunar


"Catch malicious relays which tries to spy on Tor users":

In the weeks before the latest batch of suspicious relays was removed, while using Tails on a laptop, I noticed anomalies which seemed to be related to what turned out to be a vulnerability which could affect onion services.

More recently when using Tails to connect to a bridge (my ISP seems to block Tor using some kind of crude censorship) I have repeatedly noticed in Onion Circuits a specific line which appears to correspond to an entry node (with a nickname consisting of many zeros but with no IP address or other information), but which never completes any circuits. Any idea what that might be? According to blutmagie, there is a node with a nickname consisting of all zeros but that seems to be different from what I am seeing.

Tails, not regular Tor Browser, but Tails is an allied project, so TP should probably help Tails users understand worrisome observations, yes?

August 14, 2016

In reply to lunar


Has anyone else connecting to slate.com and salon.com while using Tor Browser (or the TB version in current Tails) noticed a change in behavior in recent weeks? One seems to have downgraded its https which results in TB failing to establish an encrypted connection from the exit node.

August 16, 2016

In reply to lunar


This is the definition of security through obscurity. It would not be difficult for someone to obtain the source of that software. I would not be surprised if it is already in the hands of our adversaries. Meanwhile, they and only they have it and can abuse it, while the greater Tor community cannot read it to improve upon it due to the secretive nature.

I've contributed to the Tor community and am a regular on the IRC channels. I don't believe it would be particularly hard for me to get my hands on that software, as a volunteer. If I were malicious, I could very easily provide that source to someone who would use it for evil. I have been thinking of working toward that position, although I have no plans to do something evil of course! But the fact that it's possible only because of the closed-source nature is not good.

If you can come up with methods that can be 100% public on how bad exits or onion harvesting nodes can be detected in a way that can't be defeated by our adversaries, that would be plain awesome. So far, I don't think anyone has invented one.

Again, the undisclosed TP authored source code we are talking about appears to refer to something like scripts running on special purpose nonpublic servers which attempt to catch out malicious relays, which will obviously help improve the security of the Tor network and thus of endangered Tor users.

I think the key point has already been mentioned: the TP response to the problem is less than ideal, but it appears that no one can suggest anything which is truly better.

> This is the definition of security through obscurity. It would not be difficult for someone to obtain the source of that software. I would not be surprised if it is already in the hands of our adversaries.

You raise a very topical point. No less a figure than Edward Snowden believes that the likely source of the leaked Equation Group (NSA) source code, which contains hundreds of zero-days used to attack Cisco and other brand name top of the line routers, is a cyberespionage C&C server or data-exfiltration node (see tweets below).

Some Tor users have suggested that TP set up carefully constructed honeypot onion services on geographically distributed servers, and share with CitizenLabs, to try to get a sense of who is attacking onion services and more importantly, how they are doing that. We pointed out that this is not without risk because such servers are likely not under 24/7 TP physical control, which poses a risk. We pointed out that NSA faces the same problem with its geographically distributed data-exfiltration cyberespionage servers, which are often not under 24/7 USG physical control.

And some Tor users have urged TP to ally with EFF, ACLU, etc., and to reach out to US politicians and the better-informed tech reporters to counter the many false claims from bad actors such as FBI about the dangers of mandatory backdoors. USIC allies always claim NOBUS (nobody but US) knows about the zero-day exploits which NSA intends to never divulge, but this claim has been *decisively* debunked by the leak of Equation Group source code, which shows that non-NSA actors have had Equation Group source code since Jun 2013, if not before:

https://www.washingtonpost.com
Powerful NSA hacking tools have been revealed online
Ellen Nakashima
16 Aug 2016

> Some of the most powerful espionage tools created by the National Security Agency’s elite group of hackers have been revealed in recent days, a development that could pose severe consequences for the spy agency’s operations and the security of government and corporate computers. A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.
>
> The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO). “Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.” Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”
>
> The file contained 300 megabytes of information, including several “exploits,” or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.
> ...
> Several of the exploits were pieces of computer code that took advantage of “zero-day” or previously unknown flaws or vulnerabilities in firewalls, which appear to be unfixed to this day, said one of the former hackers. The disclosure of the file means that at least one other party — possibly another country’s spy agency — has had access to the same hacking tools used by the NSA and could deploy them against organizations that are using vulnerable routers and firewalls. It might also see what the NSA is targeting and spying on. And now that the tools are public, as long as the flaws remain unpatched, other hackers can take advantage of them, too.
> ...
> Critics of the NSA have suspected that the agency, when it discovers a software vulnerability, frequently does not disclose it, thereby putting at risk the cybersecurity of anyone using that product. The file disclosure shows why it’s important to tell software-makers when flaws are detected, rather than keeping them secret, one of the former agency employees said, because now the information is public, available for anyone to employ to hack widely used Internet infrastructure.

https://www.techdirt.com
Ed Snowden Explains Why Hackers Published NSA's Hacking Tools
Mike Masnick
16 Aug 2016

> Yesterday, the news broke that a "mysterious" hacking group had gotten its hands on some NSA hacking tools and was releasing some of the tools as proof (it was also demanding lots of Bitcoin to reveal more). The leak came with a neat little message that feels like it was written by a Hollywood script writer trying to sound Russian.... The files that were leaked [so far] were mostly installation scripts, but also exploits designed for specific routers and firewalls. And, it's noted, that some of the tools named line up with previously leaked NSA codenames.

http://arstechnica.com/security/2016/08/code-dumped-online-came-from-om…
hacking tool leak came from “omnipotent” NSA-tied group
Rare crypto implementation in ShadowBrokers dump connects it to Equation Group.
Dan Goodin
16 Aug 2016

> The connection linking more than 300 computer files in the ShadowBrokers archive to Equation Group is found in a common implementation of the RC5 and RC6 encryption algorithms. Among other things, the leaked ShadowBroker files use the negative constant -0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations. Kaspersky researchers scoured 20 different compiled versions of RC5/6 code in Equation Group malware and found functionally identical code, leaving little doubt that there was a clear connection between the two.

http://thehill.com/policy/cybersecurity/291470-hackers-claim-auction-of…
Hackers claim to auction NSA source code
Joe Uchill
15 Aug 2016

> Hackers calling themselves Shadow Brokers are auctioning off what they claim is the source code to a vaunted, likely state-sponsored hacking group many believe is affiliated with the National Security Agency. There is no definitive proof the auction is genuine, but files released to prove authenticity appear valid enough to have piqued the interest of many in the security community.
>
> The cybersecurity firm Kaspersky Labs raised eyebrows last year with a report on a hacking operation it was calling the Equation Group, which had managed to operate without being noticed for 14 years. That is an uncommonly long time for a state group to stay under the radar given the resources they are normally up against. Kaspersky noted similarities from Equation to attack methods discussed in leaked NSA documents and other suspected U.S. intelligence malware. The computer code used jargon common to the NSA and time codes in the Equation Group’s wares appeared to match a North or South American workday.
> ...
> “The code in the dump seems legitimate, especially the Cisco exploits (Most of the dump contains Firewall exploits), and those exploits were not public before,” said Matt Suiche, via electronic chat. Suiche is the founder of United Arab Emirates-based cybersecurity start-up Comae Technologies and has been actively analyzing the source code portions released as proof. Particularly interesting, said Suiche, are references to code names listed in the NSA Advanced Network Technology Catalogue, a listing of the agencies cyber warfare capabilities.

http://thehill.com/policy/cybersecurity/291565-wikileaks-too-claims-to-…
WikiLeaks, too, claims to have NSA code
Joe Uchill
16 Aug 2016

> After a day of speculation over whether the previously unknown “Shadow Brokers” could really be auctioning off an authentic stolen copy of the vaunted espionage group’s source code, WikiLeaks announced it would be releasing a free, “pristine” copy.

http://thehill.com/policy/cybersecurity/291588-snowden-suggests-russia-…
Snowden suggests Russia behind NSA code hack
Joe Uchill
16 Aug 2016

> National Security Agency (NSA) leaker Edward Snowden is backing a theory that Russia — not money-seeking hackers — is behind the release of possible NSA source code.

Snowden tweeted the following in a multi-tweet statement:

> The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know:
> 1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.
> 2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
> 3) This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.
> 4) Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed.
> 5) Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.
> 6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.
> 7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
> 8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant:
> 9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.
> 10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.
> 11) Particularly if any of those operations targeted elections.
> 12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
> 13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.
> Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So...
> The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

(I think his point is that after Snowden's first leaks in Jun 2013, NSA did a huge internal audit which may have caught the intrusion, or scared off the intruders.)

I don't think anyone here ever doubted that NSA is the author of most of the Equation Group exploits, which were previously linked to the ANT catalog, but immediately after the source code was leaked, nsa.gov went offline for about 18 hours, suggesting the agency is conducting an emergency audit similar to what happened just after the first Snowden leaks.

There is really no doubt that the leaks include many zero-day exploits which NSA long claimed nobody but them would ever know about. We said that was absurd, and these leaks prove that we are right.

I urge Shari to give top priority in the next few months to the political fight to persuade US Congress to act in time to block the change to Rule 41 which will authorize FBI to "legally" (under US law) attack any computer anywhere in the world, anytime, for any reason, under a PRISM style blanket warrant (or maybe, none at all, because no-one will be checking to see that FBI agents follow the broadly written but unenforced rules).

"Again, the undisclosed TP authored source code we are talking about appears to refer to something like scripts running on special purpose nonpublic servers which attempt to catch out malicious relays, which will obviously help improve the security of the Tor network and thus of endangered Tor users."

Oh wait, maybe not, no... Lunar wrote:

"Tor and group of volunteers run software that actively monitor the network to find malicious nodes (e.g. exit nodes mangling traffic or harvesting onion services)." (Bold emphasis mine.)

I can't quickly find something exactly on that topic, but I can point out a recent paper at PETS 2016 where, as Ross Anderson reports, "Amirali Sanatinia has been working on hidden service directories, and the problem that some can be malicious." (https://www.lightbluetouchpaper.org/2016/07/19/pets-2016/).

Now, what's going on here is that PET and security researchers are, say, writing their own tools or even putting together particular hardware/software test harnesses to analyse what they see on the Tor network. These, software included, are nothing to do with the Tor software itself, and so aren't and don't need to be covered by the Tor Social Contract.

How can I put this? Google searches the internet. One might use it to locate sites with, say, Tor source code or binaries to download. Google might list several sites - some real, some fake. That's an interesting discovery by using Google. What if Tor Project wrote a script to use Google to regularly search for fake downloads of Tor?

Obviously, you can't demand Google release its search engine source code just because the Tor Social Contract says it's open about Tor source code, and Google might not want to reveal exactly how it ranks websites in case someone uses that knowledge to manipulate search result rankings.

Now, that script isn't part of the actual Tor software, so do you think the Social Contract demands the Tor Project must publish the script? I would say "no."

Does this clarify things?

If Tor Project is automating a Google search, they are not running closed source software unless the automation software is closed source. You would not say that they are running closed source software any more than you would say I am running closed source software right now, just because this comment is likely going to be routed through some closed-source Cisco router running IOS or some Juniper.

"(I think his point is that after Snowden's first leaks in Jun 2013, NSA did a huge internal audit which may have caught the intrusion, or scared off the intruders.)"

"... immediately after the source code was leaked, nsa.gov went offline for about 18 hours, suggesting the agency is conducting an emergency audit similar to what happened just after the first Snowden leaks."

I think what Edward Snowden meant was that the NSA 'burned' any systems he had worked on after he whistleblew in 2013, and they probably 'burned' whatever they had recently too. Yet, not literally burned, just as in "Burn Notice" - you get dropped. I imagine there are huge stashes of hardware in 'quarantine' now, any audit unlikely to happen due to the sheer scale of it. I doubt there'll be a yard sale either, so no cheap exit node hardware for us!

I expect this scenario will get worked into a future episode of NCIS, where Abby Sciuto and Timothy McGee have to locate some piece of code on some server in a storage basement like out of "Raiders of the Lost Ark", and they'll do it in a ridiculously short time. Because cyber.

> I think what Edward Snowden meant was that the NSA 'burned' any systems he had worked on after he whistleblew in 2013

No, they continued using most of the secret deals, secret arrangements (e.g. with Verizon), secret dragnet espionage systems, NOBUS [sic] zero day exploits, etc, but changed some codenames.

Snowden tweeted:

> "The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak."
> ...
> "The NSA is not made of magic. [Other actors attack NSA with the same methods used by NSA] -- and occasionally succeed."

I think what he meant was that after the first leaks in Jun 2013, NSA performed a huge audit (this much is a known fact, not speculation) which may have uncovered (here begins informed speculation):

(i) an intrusion into a rented covert server "hiding in plain sight" in some commercial data center or IX, secretly operated by NSA, which had been used by NSA to serve malware to "downstream", to the other data center customers, to ISPs, etc.,

(ii) the fact that an NSA/TAO operative had mistakenly uploaded a huge amount of Equation Group code to this compromised covert server.

I can't see NSA shutting down *all* its covert servers in Jun 2013, if that is what you meant to suggest, because that would have left the agency unable to continue to try to "Collect it All". NSA has consistently preferred to continue collections even in cases where it knows other actors are watching them spy.

I guess we'll have to see whether Snowden explains further.

Researchers have only just begun to analyze the vast trove of NSA Equation Group malware published by Wikileaks, even as USIC frantically tries to "spin" this story to make them look less awful.

USIC sources were quick to assure "friendly" US reporters that the leaked exploits are old (2013 or earlier) and no longer work, and required unlikely sounding prerequisites, such as attacking from inside the LAN (i.e. not attacking a firewall's outward facing interface). But evidence is already emerging which casts doubt on these self-serving reassurances:

https://motherboard.vice.com/read/researcher-grabs-cisco-vpn-password-w…
Researcher Grabs VPN Password With Tool From NSA Dump
Joseph Cox
19 Aug 2016

> Security researcher Mustafa Al-Bassam first documented the hacking tool, which uses the codename BENIGNCERTAIN, in a blog post published Thursday. He coined the attack “PixPocket” after the hardware the tool targets: Cisco PIX, a popular, albeit now outdated, firewall and VPN appliance. Corporations or government departments might use these devices to allow only authorised users onto their network. Based on his analysis of the code, Al-Bassam writes that the tool works by sending a packet to the target machine that makes it dump some of its memory. Included in that dump is the VPN’s authentication password, which is used to log into the device.

Snowden was quick to point out that the Equation Group malware scripts were probably obtained when someone in NSA/TAO goofed and uploaded a large number of NSA malwares to a "staging server" not under NSA's physical control.

Let me try to explain: USIC operatives use fake identities to hire server space in commercial data centers all over the world, where NSA can more easily attack other entities who use the same data centers, but where they can more easily be attacked themselves. Similarly, NSA sneaks covert malware servers into IXs worldwide. Further, various documents in the Snowden leaks published so far show that TAO operatives have not infrequently made the kind of mistake Snowden was talking about.

But an anonymous NSA person suggested that the source might be a new inside leaker:

https://motherboard.vice.com/read/former-nsa-staffers-rogue-insider-sha…
Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump
Lorenzo Franceschi-Bicchierai and Joseph Cox
17 Aug 2016

> There are a lot of unanswered questions surrounding the shocking dump of a slew of hacking tools used by an NSA-linked group earlier this week. But perhaps the biggest one is: who’s behind the leak? Who is behind the mysterious moniker “The Shadow Brokers”?
> ...
> An insider could have stolen them directly from the NSA, in a similar fashion to how former NSA contractor Edward Snowden stole an untold number of the spy agency’s top secret documents. And this theory is being pushed by someone who claims to be, himself, a former NSA insider. “My colleagues and I are fairly certain that this was no hack, or group for that matter,” the former NSA employee told Motherboard. “This ‘Shadow Brokers’ character is one guy, an insider employee.”

We do know that there are persons working inside NSA who are deeply worried about what NSA is doing, as Snowden was, but I think Snowden's guess about how the Equation Group source code was leaked will prove correct.

> Snowden was quick to point out that the Equation Group malware scripts were probably obtained when someone in NSA/TAO goofed and uploaded a large number of NSA malwares to a "staging server" not under NSA's physical control.
> ...
> I think Snowden's guess about how the Equation Group source code was leaked will prove correct.

Reuters is now reporting that Snowden was indeed correct:

http://www.theregister.co.uk/2016/09/23/report_nsa_covered_up_zeroday_l…
Report: NSA hushed up zero-day spyware tool losses for three years
Investigation shows staffer screw-up over leak
Iain Thomson
23 Sep 2016

> Sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers has found that the agency knew about the loss for three years but didn’t want anyone to know. Multiple sources told Reuters last night that the investigation into the data dump released by a group calling itself the Shadow Brokers had determined that the NSA itself wasn't directly hacked and the software didn't come from exiled whistleblower Edward Snowden. Instead it appears one of the NSA staffers got sloppy.
>
> It appears at this stage that the staffer, who has since left the NSA for other reasons, stashed the sensitive tools on an outside server – likely a bounce box – after an operation. Miscreants then found that machine, raided it and hit the jackpot. The staffer informed his bosses after the incident, but rather than warning companies like Cisco that their customers were at risk, the NSA kept quiet. The reasoning for this secrecy seems to have been that the NSA wanted to see who was going to use them. It monitored the world's internet traffic to try and catch sight of the tools or someone using the software or the holes it exploited. Since no signs appeared the agency didn’t tell anyone of the loss.

The staffer may be the former NSA/TAO employee who now is a network security analyst for Comcast. Just the sort of person who should be trusted with the personal information of tens of millions of Americans.

https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-document…
The NSA Leak Is Real, Snowden Documents Confirm
Sam Biddle
19 Aug 2016

> On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.
>
> The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.
>
> The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.
> ...

Hmm, no I think the poster referring to "Security thru obscurity" above knew what he/she meant. It refers to the idea of keeping the design, apparatus and/or methods as well as the keys to a security system secret to avoid compromise. The drawback in doing so means restricting the number of people who can review whether such is actually secure, whereas open review maximises finding flaws. This is "Kerckhoffs's principle" (see https://en.wikipedia.org/wiki/Kerckhoffs's_principle).

By the way, it is not true that "security thru obscurity" is deliberately being done by those monitoring the Tor network for e.g. bad exit nodes.

For "Security thru unpopularity/rarity", I think that's what is better known as "safety in numbers", and is widely practiced by hunted species in evolution. Otherwise, the idea of being arcane conflicts with the desire to make strong security systems common.

Finally, "security thru secrecy" does work, but only for keys!

August 19, 2016

In reply to lunar


I believe you do not mean some 'selected' onion nodes can purposely trace/correlate client traffic over the onion network? If so then nsa has it for sure...
Otherwise if you mean modified ip clients and special ip servers then I see no point in mentioning that in the first place.
As for "harvesting onion services", it IS your fault - no one should have access to private information about client-server meeting points. Even directory servers. The only problem - you want to have control over content published by hs! Just see - nsa troublemakers have the same access as ds operators for sure.

Solving the harvesting problem is one of the reasons people are busy working on prop224. Meanwhile, onion service operators can mitigate the problem by using authenticated onion services.

August 19, 2016

In reply to lunar


This is like Reddit. So TP has Reddit-level transparency and friendliness to free software.

This is the case. “Whenever feasible” is meant to cover software that will run on Tor's own infrastructure that would be detrimental to our users in case it got released in the open (this actually covers the binary as well, now that I think about it). See reply above.

August 16, 2016

In reply to lunar


So Tor Project has servers which are protected by closed source software? That's even scarier than the bad exit software. I hope that nothing of this sort runs on the servers which sign or distribute the Tor binaries.

Can you explain exactly how releasing them would be detrimental to the users? If the answer is "analyzing the source code or binary would make us less secure because our adversaries could find holes in it", I will be very, very upset. I hope I am just misunderstanding this quite badly.

Sorry if I was not clear enough. We are discussing what you call “the bad exit software”. To the best of my knowledge, Tor infrastructure is made of free software. (Yes, I'm leaving out the complicated question of firmware here.)

We are discussing internal, peer reviewed software within Tor, that is trying to detect adversarial nodes in the network. Something that is very hard to do if your adversaries know exactly how you are trying to detect them.

August 18, 2016

In reply to lunar

Then the code should be re-written such that it takes secret information as parameters or in a configuration file. The code could be released as open source software and could be audited and improved upon by the community, and the configuration file containing information which would enable attackers to evade it could still remain secret. For example, if the secret information includes things such as specific timing patterns to look for, that could be kept in the configuration file. If it contains specific websites or fingerprints to monitor, that could also be kept in the configuration file. It is much less harmful to withhold a configuration file than it is to withhold software. Is there some fundamental reason why this is not possible, or has no one simply done it yet?

The issue of firmware isn't one which I'm concerned about, or at least I don't place blame on Tor Project, because there's not much they can do to run high-end servers without running on hardware that requires firmware blobs (though it would be nice to see some servers run the open source UltraSPARC T2 CPU...).

Mike Perry had designed his initial exit scanner that way. I think for some cases, this configuration file would be almost all the code. We could also consider using git-crypt to restrict access to the relevant part of the sources while keeping others open. But I'm really not sure it's worth the hassle in the end. Little gain, lots of risks to leak important information.

As always, if we had several people solely dedicated, I believe we could come up with interesting ways to solve this problem. We're just super-badly understaffed.

August 25, 2016

In reply to lunar

And if we had the open source community, we could easily solve the problem. Sadly, the open source community does not get to work on closed source code. Can you elaborate on why the configuration file would be almost all the code? Perhaps I don't understand how the exit scanner works very well. Certainly explaining the concept behind the scanner itself isn't going to undermine users' security, no? With that information, perhaps I could think of a way to solve the problem and allow the exit scanner to be made more modular, such that it could be improved by the open source community without having its "trade secrets" made public.
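The split proposed above (open detection code, private detection parameters) can be sketched in a few dozen lines. The following is an added example written for this discussion, not Tor's exit scanner or any code from the thread: the probe URLs, expected response fingerprints and latency thresholds live in a JSON config the operator keeps private, while everything that interprets them is public. The probe URL, baseline body and exit names are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Probe is one check the open scanner code knows how to run. Which URL is
// probed, what a clean response hashes to, and how slow is "too slow" all
// live in the private config rather than in the source.
type Probe struct {
	URL            string `json:"url"`
	ExpectedSHA256 string `json:"expected_sha256"`
	MaxLatencyMs   int    `json:"max_latency_ms"`
}

// Config is the file that would stay out of the public repository.
type Config struct {
	Probes []Probe `json:"probes"`
}

// Observation is the result of fetching one probe URL through one exit.
// The fetch path itself is omitted; the samples below are constructed.
type Observation struct {
	Exit      string
	URL       string
	Body      []byte
	LatencyMs int
}

// Finding is a deviation worth a human look, not an automatic verdict.
type Finding struct {
	Exit   string
	URL    string
	Reason string
}

func fingerprint(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// BuildConfig derives the private config from baseline responses fetched over
// a trusted path. Only the operator runs this step; its output is the secret.
func BuildConfig(baseline map[string][]byte, maxLatencyMs int) ([]byte, error) {
	var cfg Config
	for u, body := range baseline {
		cfg.Probes = append(cfg.Probes, Probe{URL: u, ExpectedSHA256: fingerprint(body), MaxLatencyMs: maxLatencyMs})
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// LoadConfig parses the private config; the parser itself can be public.
func LoadConfig(data []byte) (Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return Config{}, fmt.Errorf("config: %w", err)
	}
	if len(cfg.Probes) == 0 {
		return Config{}, fmt.Errorf("config: no probes defined")
	}
	return cfg, nil
}

// Evaluate applies the configured probes to observed responses. Everything it
// does is visible in the source; what it looks for is not.
func Evaluate(cfg Config, obs []Observation) []Finding {
	byURL := make(map[string]Probe, len(cfg.Probes))
	for _, p := range cfg.Probes {
		byURL[p.URL] = p
	}
	var findings []Finding
	for _, o := range obs {
		p, ok := byURL[o.URL]
		if !ok {
			continue // not a configured probe
		}
		if fingerprint(o.Body) != p.ExpectedSHA256 {
			findings = append(findings, Finding{o.Exit, o.URL, "response body differs from baseline"})
		}
		if p.MaxLatencyMs > 0 && o.LatencyMs > p.MaxLatencyMs {
			findings = append(findings, Finding{o.Exit, o.URL, "latency above configured threshold"})
		}
	}
	return findings
}

// Constructed sample data: one trusted baseline and three hypothetical exits.
func sampleBaseline() map[string][]byte {
	return map[string][]byte{"http://probe.example/reference.txt": []byte("baseline content v1\n")}
}

func sampleObservations() []Observation {
	const u = "http://probe.example/reference.txt"
	return []Observation{
		{Exit: "exitA", URL: u, Body: []byte("baseline content v1\n"), LatencyMs: 800},
		{Exit: "exitB", URL: u, Body: []byte("baseline content v1\n<!-- altered in transit -->\n"), LatencyMs: 900},
		{Exit: "exitC", URL: u, Body: []byte("baseline content v1\n"), LatencyMs: 9000},
	}
}

// RunSample builds the private config, loads it, and evaluates the samples.
func RunSample() ([]Finding, error) {
	raw, err := BuildConfig(sampleBaseline(), 5000)
	if err != nil {
		return nil, err
	}
	cfg, err := LoadConfig(raw)
	if err != nil {
		return nil, err
	}
	return Evaluate(cfg, sampleObservations()), nil
}

func main() {
	findings, err := RunSample()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s\n", f.Exit, f.URL, f.Reason)
	}
}
```

On the sample input this flags exitB (body altered) and exitC (too slow) and passes exitA. The point lunar makes still stands: once the probe set is the whole secret, the open part is mostly a JSON loader and a hash comparison, and a leaked config tells an adversary exactly which URLs not to tamper with.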

August 19, 2016

In reply to lunar

"To the best of my knowledge"
Of course Tor router modified and closed software still can be free! (: aka NSA does not sell it :) Btw any virus is free. So you are right indeed.
Anyone can modify downloaded source. I wonder why there are so many legacy Tor versions on routers. Seems like some work was done to adapt it. I do not say it is bad or good anyway.
But the problem as I see it remains, so cool down fighting little neighbours 'adversary' and try pushing NSA to work harder. Any homo sapiens does not use unencrypted connections over naives-net anyway, so how much harm can be done by such a little 'adversary'?

"Whenever feasible, ..." surely means publishing source code as resources allow, not policy, right? Whereas it's when "open development would undermine the security of our users ..." that it is policy to be not so open. I don't think this latter point in the social contract was actually about source code.

For example, Pluggable Transports and Bridges. Until we have PTs that are too difficult to distinguish from other internet traffic, and bridges that are too important to block when their IPs are known to censors, I suppose that is another area that the Tor Project can't be too open about yet.

Also: Hey, who wants a completely open name and address list of all Tor relay runners!?

August 11, 2016

In the words of Steve Gibson who has been doing a weekly podcast called Security Now! for over ten years, "There is no such thing as security!" and secondly, whatever you do, "Trust no one!"

The chain of trust begins with you, and even if someone is doing their best, no one can be responsible for:
- a hidden service in the chip (except Intel or AMD maybe) or
- a backdoor in the OS (except 'ubuntucastleworst' maybe) or
- a bad coder refusing an audit of the code (except open source projects maybe) or
- an insane dev promoting an official spirit of freedom and proposing insecure advice/tools (except the confidence that you offer to an unknown site/contact maybe) or
- corrupted people working in a professional and ethical area but for their own or government interest (except the recruitment policy maybe) or
- the incredible obscurantist mind which opens the right to read & write only with their permission, exclusively with your money and your freedom (except black operations involved in an obscure war for/against terrorism, hackers, harassment maybe) or
- these strange mentalities ... very far from what you could call respectful of privacy/security ... (except the choice of your threat model maybe) or
- an indiscretion (except the lack of culture or education or seriousness maybe) or
- outdated, unstable, harmful software (except a nasty will coming from an insecure place maybe)
"Trust no one" means there are still and always things that you ignore, and you must be vigilant and stay well informed and prudent.

I think that's supposed to be "There is no such thing as perfect security!" (otherwise you're saying security is entirely fictional, and that ain't right, right)? Also, are you trusting Steve Gibson when he says "Trust no one!"? Trust has to start somewhere if you're not going to be an island.

Steve Gibson's a smart guy. I believe he isn't against Tor either. I think he wants you to think about the caveats of Tor (and much else), but so do the Tor Project.

August 12, 2016

I was willing to help.
I thought about running a Tor node... something I did a few years ago with bad results (ISP problems, hacker problems, Wikipedia problems....)

So I desisted. In your "main volunteer page", under "running a relay" https://www.torproject.org/docs/tor-doc-relay.html.en
a lot of info is missing or unclear.
For example, I have a slow connection, and I cannot be an exit relay -> I thought I could not help... But then, hidden in other pages, I found this nice and clear explanation.

"So should you run a normal relay or bridge relay? If you have lots of bandwidth, you should definitely run a normal relay. If you're willing to be an exit, you should definitely run a normal relay, since we need more exits. If you can't be an exit and only have a little bit of bandwidth, be a bridge. Thanks for volunteering!"

BTW

I do not have Twitter, FB, Google, Yahoo, and my riseup is "on hold". No Jabber, no IRC. Maybe I do not like to send paper mail to the US too.
Don't you have a Berlin PO Box?
Or a bulletin board to post ideas and general questions and suggestions?
How do I configure IRC to run under Tor? On the website I haven't found it yet...

You can find

However I find that putting Tor to good use with IRC is almost goddamn impossible, unless you just want to connect to some specific, privacy-oriented servers (like http://y5fmhyqdr6r7ddws.onion/agorairc/ for example), i.e. not servers where all the people are.
More popular IRC servers either block Tor completely, or allow it only if you first register through clearnet (which kind of defeats the point of using Tor in the first place).
I mean, last I checked, you couldn't even join Tor's official IRC channel using Tor.

I do understand why these restrictions are imposed. I'm merely pointing out that in most cases connecting through Tor just isn't worth the hassle.

August 12, 2016

I would like to see something like the following at the top of their goal list:

1. We will never do anything that compromises, or assists in the compromise of, any of our users

2a. We will never not do something that can prevent and/or minimize a compromise of any of our users

2b. We will never not do something that can prevent and/or minimize the assist of a compromise of any of our users

These goals should trump any other goals. I believe the user should always be first and foremost if one chooses to work as a member of the Tor project.

By adding more words, potential issues can arise. The wording can be seen as ambiguous, which presents potential for many loopholes, misinterpretation and misconstruing.

Adding more goals increases the complexity for sorting out the prioritization and weight of each goal. This can impact decision-making.

I think the authors of the statement faced the same conundrum faced by hypothetical honest people who might hypothetically attempt to draft a proposed US federal law relating to technology, while sincerely attempting to frame the language to prevent hypothetical evasion by hypothetical non-USG evildoers while also thwarting the all too plausible (inevitable?) attempts by USG evildoers (whose existence is by now well-established) to misuse the law to pursue their own twisted agenda to the profound detriment of all the peoples of the world.

On the one hand, you should frame the language broadly in order to allow the statement to remain valid in the face of future developments you cannot presently anticipate. On the other hand, if you attempt to make numerous very specific statements, you can never hope to keep the statement up to date, and it will become very complicated and confusing to read.

I also am worried about a few carefully phrased passages which raise some awful suspicions in my mind (so has TP received an NSL or not, and if so, what precisely was FBI demanding?), but on the whole I think TP made the right choice by attempting to state broad principles rather than addressing narrow technical points.

August 13, 2016

A social contract is a political statement that clarifies whose side we are on.
Whose side are you on, boys?
I stand with torproject and debian, any day. They are part of the solution, not the problem. They are how networks and the internet should be. Now how do we go about making this a global reality? Obviously, if one wants to use Tor to make a statement with her/his name, they can.

Clearly there are some here who were really "ticked" off by this statement.
Again, whose side are you on boys and girls?

August 13, 2016

"Saying "Whenever feasible" with regards to open independent verification implies that it might not always be possible to do so. If an independent entity cannot verify the source code, it is not open. Thus contradicting the first statement."

August 14, 2016

Speaking as user who depends upon Tor for almost all on-line transactions:

Overall: very happy to see it is thoughtfully written and anticipates many possible future problems. Thank you!

Some point by point comments:

1. Love the lede: framing the TP mission in terms of HR is exactly right and what I hoped to see when I first suggested a statement of core values.

2. Very wise to anticipate that there might be emergency circumstances where you need to hold something back. Also, you need to keep bridge IPs nonpublic until a better censorship-evasion strategy is available.

But here is one embarrassing thing you should *not* hold back: "We messed up big time when we hired someone who turned out to be a CIA agent to write code; we should have realized who he worked for and not hired him in the first place, but when we learned who he was, we fired him".

Since that embarrassing thing has already occurred, please make that post telling the official TP story of what happened.

Here is another thing (which I hope has not yet occurred) which you should *not* hold back: if you receive an NSL.

Someone needs to simply break that gag order by screaming to the world. In my judgment, FBI would not dare to actually imprison you all. But I admit that I would not be the one risking the DOJ's frightening wrath. (Eric Holder wanted to put Snowden on the death list, and there are probably other US citizens on the list, maybe even citizens living inside the USA.) But speaking of Snowden, someone who had the NSA documents proving the extent of NSA's "Collect it All" programs needed to leak them, and someone very courageously did just that. (Thank you, Edward!) In the same way, some NGO (Debian?) or company which has received an NSL needs to very courageously leak it, putting the well being of their fellow humans ahead of their own well-being.

3. "The more diverse our users, the less is implied about any person by simply being a Tor user." Hear! Hear!

4. "We are not just people who build software, but ambassadors for on-line freedom." Yes!

5. "We never intentionally mislead our users nor misrepresent the capabilities of the tools, nor the potential risks associated with using them. Every user should be free to make an informed decision about whether they should use a particular tool and how they should use it." Excellent, thank you!

It would be very helpful if Tor developers somehow found time to post explainers in this blog, addressing such points as pros and cons of disabling Javascript entirely, pros and cons of using i2p (in Tails), overview of how Tor uses different kinds of crypto and what might be future and current dangers to Tor users, overview of the coming quantum crypto threat, overview of the situation with helping users find bridges anonymously...

6. "We take seriously the trust our users have placed in us. Not only will we always do our best to write good code, but it is imperative that we resist any pressure from adversaries who want to harm our users. We will never implement front doors or back doors into our projects." Hmm...

You chose your words carefully and it worries me that once again by omission you seem to imply that TP *has* been served with an NSL. Once again you missed an opportunity to flatly state that you have never received an NSL, implying that you have. Which leaves Tor users wondering: what are the implications for our safety?

August 14, 2016

> I stand with torproject and debian, anyday. They are part of the solution, not the problem.

I am worried about a few phrases which raise serious doubts in my mind (about the Chasteen affair, whether or not TP has received an NSL with an eternal gag order), but on the whole I think this statement is much needed, long overdue, and came out pretty well.

I am also *very* encouraged by the fact that Tor Project is working much more closely with Debian Project. In fact for years I tried to urge both projects to collaborate more closely, something which now seems to be happening.

I am also very encouraged to see TP adopt promoting HR (human rights) as their central goal, and paying much more attention to the political side of the struggle against FBI's demand for backdoors, etc., also things I advocated for years.

I would like to urge TP to start thinking about a grand vision for the future.

Some things I'd like to see TP, EFF, Amnesty, MSF, RSF, FOTPF, ACLU take a hand in promoting:

o a privacy industry (the drone industry has been grown with USG help, so why not privacy?, TP should say; USIC and FBI be damned, TP should tell congresspeople, the electorate wants jobs jobs jobs!); maybe FEC, FCC, the privacy caucus in the US House of Reps can help?; maybe Democratic congresspeople will be more friendly to privacy issues, to encrypted citizen/politician comms, to cybersecurity for HMOs, HIEs, small-government-agencies, small-NGOs, small-ISPs, small businesses following the DNC hack?

o a citizen owned and volunteer operated wireless mesh network, to help evade evil telecoms which want to force people to pay premium for even modest privacy protections, and to help them evade "smart city" dragnet microsurveillance; such meshes can leverage SDR (software defined radio) technology; maybe NIST can help?

o a trustworthy company which makes and sells to consumers inexpensive, readily available RF (radio frequency) spectrum scanners (using SDR); I like TP as a non-profit NGO, but perhaps if funding diversity is falling short we should think about spinning off a company which makes and sells things, but which might be somewhat trustworthy via its connection with TP; my idea is that the best way to check that your Wi-Fi capable devices are not making mysterious connections is to look at RF signals originating very near your own location; notice that this will be useless unless accompanied with lots of (currently very arcane) reliable information about what "normal" RF signals look like and how they probably originate, or the users will be overwhelmed by false positives; compare Edward Snowden's recent venture,

o trustworthy companies which sell various other privacy enhancing devices, such as Faraday screens, laptops/phones/routers made with more secure chips, more secure removable storage devices, audio bug transmission detectors, radar retroreflector detectors, surveillance drone detectors, facial-identification countermeasures (assume the face of a different popular culture celebrity every day?; maybe Revlon can help?), gait-changing footwear, humanoid robots for identity exchange, drone-shoot-down technology...,

o taking a leaf from Collect-it-All, why not Audit-it-All?; maybe NIST and the privacy caucus can help try to secure funding? (I have no connection whatever with an NSA-founded company which says it is already trying to Audit-it-All, and I urge skepticism concerning their motives, but I recognize that in principle some NSA spin-offs might inadvertently do some good despite being basically evil),

o inexpensive microscopes and micro-dissection kits (is that an Argentine ant or a Chinese cicada?).

August 15, 2016

TOR as it is now is so unstable in the LINUX environment, that for lack of a nicer way to put it, you guys are getting as bad as MicroSnarf with releasing bad code that just doesn't cut it.

in the near term I am contemplating just ditching TOR because it sucks so bad and makes my LINUX system very unstable in the graphics environment. It's just a sure bet that your half baked coding is just not ready for prime time live.

"we are honest when we make errors" really should be; "we recklessly release bad code and hope you won't notice how unstable your platform is when you run it.."

guys, get a clue. you really are falling on your swords.

> TOR as it is now is so unstable in the LINUX environment, that for lack of a nicer way to put it, you guys are getting as bad as MicroSnarf with releasing bad code that just doesn't cut it.

I think your ire is misplaced. It appears to be true that as the Linux kernel gained popularity over the past decade, and as huge tech companies started to help to rewrite it, the kernel has become less stable and more vulnerable (certainly it has gotten much much larger). But even if you accept this statement, you should not blame TP, which is not responsible for the care and feeding of the kernel.

I use Debian and while I have noticed an increase in instability (in applications, not the kernel!), I certainly would not advocate avoiding Debian. Quite the contrary, both Debian Project and Tor Project deserve much credit for their increasingly close cooperation, a development which is surely unwelcome among the criminal element (state-sponsored or not).

August 15, 2016

One way to defend against NSLs might be to have some of the development and project people working in a partnered non-subsidiary organization residing outside USA jurisdiction, and mirroring all internal docs automatically. Non-USA staff would have an ongoing awareness and automatic copies of docs received, and could post (or at least leak) stuff without legal consequence.

August 16, 2016

Some interesting comments and some absolute rubbish; but the main point of concern for me is why I've visited this site in the first place.

A user in my company has come to me with their C drive encrypted. Having further inspected the readme .txt file, it explains that in order to decrypt the files we need to visit and download Tor Project's Browser, to which we are directed via the txt doc!?!

I've had to deal with a crypto locker outbreak twice this year, so we have backups and it's no big deal. Having messaged Tor on Twitter, they responded by private messaging me. I responded back with a non-PM and now you're no longer answering me .... it's not my fault if you don't like the association with ransomware!

The final and worst part is you telling me it's "criminals" that have encrypted the drive and not Tor, which is correct, I'm sure it's not Tor, but when I need your software to decrypt the user's data?!?! That association comes back into play as above!

The only logical thought is the so-called "criminals" feel Tor needs a boost in downloads. How nice of them criminals!!

I am sorry that you are forced to deal with malicious and destructive software.

Criminals use roads, post offices, telephones, Internet and also Tor. Again, we still are sorry about it.

The creator of the ransomware you are facing is the one who decided that you would need to communicate to them using Tor. We have never asked to be in the documentation you've been reading. The social contract above explains why we are making Tor. Most users of Tor need to protect their freedoms online, and they surely do without harming others.

Tor is a non-profit. All software currently released by Tor is available free of charge. We have no financial interest in having more downloads. We would prefer a world without ransomware, and we wish its creators had never discovered Tor. Meanwhile, we can't modify Tor to prevent them from using Tor without endangering everyone else. It doesn't mean they can't be stopped: this is what criminal investigators do.

Hmm, so a criminal is exploiting Tor so that you are made to pay a ransom in a way that can't be traced back to that criminal? I've heard of this...

Someone recently told me they had been a victim of ransomware: some message popping up saying install Tor, visit such and such hidden .onion website, pay $amount Bitcoins and only then get back an unlock code to decrypt the locked files.

As it turned out, the writer of the ransomware was so inept that the victim couldn't even enter the PIN to unlock the screen to his Android tablet to do so. Later, the victim told me he had found a way on the internet to 'reset' that whole thing.

I read a blog a few weeks ago that a lot of ransomware encryption is actually very weak, so why not research this instead of raging at Tor? Of course, this weakness won't last.

Still ...

1. "... but when I need your software to de-crypt the users data?!?!" Um, no? You're being made to use Tor to make an 'untraceable' payment. It may well stipulate Bitcoin, though actually Bitcoin transactions are always traceable (the criminal's probably misunderstood this).

2. If so, why not rage at Bitcoin as well as Tor as the criminal used that as well?

3. "A user in my company has come to me with their c drive encrypted ..." Sigh. The source of the problem, really? I've read that 'reputable' companies are stocking up with Bitcoins ready to pay those ransomware purveyors quickly lest files critical to business operations suddenly become locked. One has to wonder what the OpSec policy is here, maybe: "let's just stockpile Bitcoins to pay off the crims, so that we don't have to think too hard about our employees browsing rando sites with unbridled Javascript running cross-site scripts sourcing rando adverts (the commonest source of malware) on office PCs running unsecured out-of-the-box MS Windows."

> I've had to deal with a crypto locker outbreak twice this year, so we have backups and its no big deal.

It is unfortunate that cybersecurity is so hard, because smaller companies and NGOs cannot realistically hope to hire the very expensive individual help from a genuine expert which they would need to protect their networks.

The situation is frustrating and seemingly intractable, but my sympathy with beleaguered semi-pro sysadmins ends when they issue horribly ill-informed attacks on Tor Project. As lunar said, everyone benefits from postal services (despite the fact that some people misuse the mail), transit systems (despite the fact that some people drive drunk), and the internet (despite the fact that some people misuse it).

August 17, 2016

One issue I have with my tor browser is that it travels overseas and back to the us. It seems like it would be better to have a tor center in St Louis that scrambles everything. Also, a lot of websites work poorly with Tor. Blogger from Google is such a set. A list of news sites and community sites that are Tor friendly would be great. Maybe a Tor badge to id them up front.

Why is it an issue that your internet traffic travels overseas and back? (The Tor Browser doesn't 'travel' obviously ;).)

Also, have you read any of the Tor info about why Tor uses no less than three relays, and why these should be beyond central control in their selection and their management?

I agree it would be great if popular sites would care about being more Tor friendly. Facebook have already made that move by using an Onion site. Sadly, most big sites have business models firmly aimed at the naive, who run standard configurations that give everything up about themselves to these business models to exploit and never realise it.

Yes, exactly, but this is what I meant. Facebook using an onion service shows a proof of concept that it can be done (I think it was Alec Muffett (@AlecMuffett) who arranged this). Javascript is the other major problem of big sites being Tor unfriendly, and it's a major part of their enforcing a 'standard' configuration ("Please enable Javascript!") that Google et al. get to exploit.


August 17, 2016

Please use WARRANT CANARY for your website. Very easy to do. This will help us.

I am VERY worried that Tor was corrupted if they received a NSL. The governments are getting too strong now and this is a scary time!!

Help your users. Warrant canary will do much to help!!

Please..

So I was mentioning that one of the Tor developers (Isis Lovecruft) has a warrant canary on her personal website, and she recently removed herself from the USA to avoid a possible NSL from the FBI. Her canary lasts six months at a time.

I was wondering if that means we have to wait up to six months bar one day to learn that a NSL was delivered if it was done so on day 1 of the canary's life.

Should Tor Project choose a canary with shorter lifecycle (monthly, weekly, ...)? Should there be one for the whole project, or one per employee?

Tor is developed by multiple people all over the world, not one set of individuals. Because it is open source software, it is not very easy to get a backdoor inserted into well-reviewed open source software without anyone noticing. For example, there was an attempt at a backdoor in Linux years ago, but it was noticed before it was ever released, and Linux is far more bloated and harder to audit than Tor.

Also, there are a lot of misunderstandings going around about how NSLs work. NSLs don't give the government the power to force someone to add code to a project. NSLs are not magic. And think about it... If they were powerful enough to force someone to add malicious code to their project, they could also force someone to continue to update a warrant canary.
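The lifecycle question raised above (a canary issued on day 1 and silently abandoned is only noticed when its window closes) comes down to two checks a reader performs: the statement is signed by the pinned key, and the current date still falls inside the validity window. The following is an added example written for this thread, not code from Tor Project or from any canary mentioned here; it assumes Ed25519 signatures (real canaries are usually PGP-signed, but the freshness logic is the same) and uses a constructed statement and dates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Canary is the statement an organisation republishes on a fixed schedule.
// Issued and Expires bound the window: with a six-month lifetime, silence
// after a demand is only detectable once the window has closed.
type Canary struct {
	Statement string
	Issued    time.Time
	Expires   time.Time
	Signature []byte
}

// canonical builds the exact bytes that are signed, so a reader verifies the
// same text (statement plus both dates) that the publisher signed.
func canonical(statement string, issued, expires time.Time) []byte {
	return []byte(strings.Join([]string{
		statement,
		issued.UTC().Format(time.RFC3339),
		expires.UTC().Format(time.RFC3339),
	}, "\n"))
}

// Sign issues a canary valid for the given lifetime from the issue date.
func Sign(priv ed25519.PrivateKey, statement string, issued time.Time, lifetime time.Duration) Canary {
	expires := issued.Add(lifetime)
	return Canary{statement, issued, expires, ed25519.Sign(priv, canonical(statement, issued, expires))}
}

var (
	ErrBadSignature = errors.New("canary: signature does not verify against the pinned key")
	ErrExpired      = errors.New("canary: validity window has closed; treat as a warning until renewed")
	ErrNotYetValid  = errors.New("canary: issue date is in the future")
)

// Verify checks the signature against the pinned public key and the validity
// window as of `now`. An expired canary is reported, never silently accepted.
func Verify(pub ed25519.PublicKey, c Canary, now time.Time) error {
	if !ed25519.Verify(pub, canonical(c.Statement, c.Issued, c.Expires), c.Signature) {
		return ErrBadSignature
	}
	if now.Before(c.Issued) {
		return ErrNotYetValid
	}
	if !now.Before(c.Expires) {
		return ErrExpired
	}
	return nil
}

// Demo exercises the three outcomes a reader can hit: fresh, stale, and a
// canary whose expiry date was extended without re-signing. Statement and
// dates are constructed for this example.
func Demo() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	issued := time.Date(2016, 8, 1, 0, 0, 0, 0, time.UTC)
	lifetime := 30 * 24 * time.Hour // a monthly canary, one of the options asked about
	c := Sign(priv, "Sample statement: as of the issue date we have received no secret legal demand.", issued, lifetime)

	results := map[string]error{}
	results["fresh"] = Verify(pub, c, issued.Add(10*24*time.Hour))
	results["stale"] = Verify(pub, c, issued.Add(31*24*time.Hour))

	tampered := c
	tampered.Expires = c.Expires.Add(365 * 24 * time.Hour) // extended, not re-signed
	results["tampered"] = Verify(pub, tampered, issued.Add(10*24*time.Hour))
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, res := range results {
		fmt.Printf("%-9s -> %v\n", name, res)
	}
}
```

Because the expiry date is part of the signed bytes, a stale canary cannot be "refreshed" by anyone who lacks the key; and because `Verify` takes `now` as a parameter, the worst-case detection delay is exactly the lifetime chosen at signing time, which is the trade-off between a monthly and a six-monthly canary.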

August 23, 2016

A clearer explanation of Snowden's theory of how the Equation Group malware was grabbed by an unknown actor in 2013:

http://www.theregister.co.uk
#Shadowbrokers hack could be Russia's DNC counter-threat to NSA
Claimed NSA hacker outfit Equation group confirmed to be breach victim.
17 Aug 2016
Darren Pauli

> One of the most interesting hacks in recent memory is almost certain to be a compromise of infrastructure operated by an ultra-elite hacking group thought to be the United States' National Security Agency.
> ...
> Initial analysis by the likes of Kaspersky Labs, NSA whistleblower Edward Snowden, and a host of independent security researchers shore up claims by a hacking group calling itself Shadow Brokers that the exploits and toolsets it hopes to auction for millions of dollars in Bitcoins are legitimate Equation group weaponry. Kaspersky Labs last year revealed the Equation group to be what strongly appears to be a state-sponsored actor. Many in the security industry agree, based on deep analysis of this group's activities, that it is highly likely to be a wing of the National Security Agency given a series of very striking operational and technical similarities.
> ...
> "This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group," researchers from Kaspersky Labs' GReAT research team say. The team's confirmation is based on "highly specific crypto implementations" which link the files in the online dump to those found as part of the February Equation Group research.
>
> The breach, if Kaspersky's analysis is correct, does not mean the NSA has been hacked or compromised in a traditional sense. Rather it appears likely the hack is a 2013 compromise of a command and control server which harboured the dumped tools and exploits, a feat which intelligence boffins say is not uncommon. Analysis of time stamps shore up the argument. The last known file access date of around June to October 2013 coincides with the time Snowden fled the US to reveal the extent of the NSA's global spying apparatus. The former NSA analyst explains that the agency may have cycled servers used in offensive operations after he fled out of caution, an act that would have cut off any attacker with a foothold in command and control boxes.
> ...
> Snowden suggests the auction is a ruse, and attackers are using the dump as a warning shot to the NSA.

August 23, 2016

So long as the Torproject's web presence isn't covered by a credible kind of "canary", updated often enough and which could be validated using some kind of easily verifiable cryptographic hash or signature, it is impossible to trust anything Tor does, says or offers. Of course, the absence to this day of such a system COULD signify that the TP is already pwned. I'm not saying it is, but by all means, DO NOT TRUST Tor for anything serious UNTIL such a mechanism exists and is fully explained, maintained and independently reviewed & validated.

On the warrant canary, plus one.

> DO NOT TRUST Tor for anything serious UNTIL such a mechanism exist and be fully explained, maintained and independently reviewed & validated.

This advice is useless unless you can suggest a superior alternative. An open source tool which is well maintained by an expert trusted team and has recently been independently audited by a highly regarded team of security experts.

The answer is not to stop using Tor. The answer is to try to help make TP better, which will help ensure that TP is able to continue to improve its products, such as Tor Browser, Tor Messenger, Selfrando, etc (many of which can be reused in other open source projects once a privacy industry is established).

Canary warrant is finished: it was a test.
Tor can be trusted for serious stuff, but I agree with you about an independent audit, even if the real problem is more about global survey or fake node/relay than the Tor project ...

August 24, 2016

@Shari:

I see a growing consensus joining me in calling for TP to use warrant canaries.

If the problem is that TP has long been laboring under a secret NSL with gag order, TP needs to call a press conference in Berlin or Stockholm and *reveal it*.

Normally I would urge you to listen to lawyers, who will of course feel obligated to advise against such a risky step, but in this case I make an exception. I feel that the NSL eternal gag order is, politically speaking, the weakest point of the Patriot Act statutes, the one most likely to fail if challenged. So weak that the first NGO which violates the gag order will, I believe, find that DOJ will discover some face-saving reason why it doesn't after all care that the NSL was revealed. We users also need to know the scope of what information the USG has been demanding.

August 24, 2016


I have a question: is WebRTC support disabled by default in Tor?
If it is enabled in Tor Project, then you'd better use a clean Firefox with your real IP, same shit.
I use some extra addons. From my experience they are safe and open source; you can find them on the Firefox addons page, where you can read more about what they do.
I think these addons must come by default in Tor Browser.
1. No Script
2. BetterPrivacy
3. Disable HTTP Referer at Startup
4. Disable WebRTC
5. Disconnect
6. Disconnect Search
7. HTTPS Everywhere
8. Privacy Badger
9. Random Agent Spoofer
10. Referer Control
11. Self-Destructing Cookies
I tested my browser for leaks; I have no leaks. What do you believe about these addons?
WebRTC leaks your DNS and IP if it is enabled, even if you use Tor Project or any VPN, and WebRTC is enabled by default in most browsers like Firefox, Chrome, Opera, Safari, etc.
WebRTC test --> https://diafygi.github.io/webrtc-ips/
Stay safe bro, Stuxnet is free and it learns and develops itself day by day.
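The leak test linked above works by asking the browser for ICE candidates and looking at the addresses they contain. The following is an added example, not code from the commenter or from the linked test page, that does the classification step offline on constructed candidate strings: a `host` candidate exposes a LAN address and an `srflx` candidate the public address seen by the STUN server, both bypassing the Tor or VPN tunnel, while `relay` candidates only expose a TURN server. The constant names and the `.local` mDNS handling are this example's own assumptions.

```javascript
// Added example (not from the original comment): classify ICE candidate
// lines the way a WebRTC leak test does. In a browser these strings come
// from an RTCPeerConnection's onicecandidate handler; here they are
// constructed samples (RFC 5737 documentation addresses) so the check runs
// offline under Node.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 UDP 2122252543 192.168.1.23 51234 typ host',
  'candidate:2 1 UDP 1686052863 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'candidate:3 1 UDP 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 51234',
  'candidate:4 1 UDP 2122252543 4f2a1c3e-9d8b-4b55-8c0e-1b2c3d4e5f60.local 51234 typ host',
];

// RFC 1918, loopback and link-local ranges count as "local" addresses.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Parse one SDP candidate attribute (RFC 5245 syntax) into its fields;
// returns null for anything that is not a candidate line.
function parseCandidate(line) {
  const m = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return { foundation: m[1], transport: m[3], ip: m[5], port: Number(m[6]), type: m[7] };
}

// Report which non-relay addresses the candidates reveal. mDNS-obfuscated
// hosts (".local", used by newer browsers) hide the real address and are
// not counted as a leak. IPv6 addresses are treated as public.
function findLeaks(lines) {
  const local = new Set();
  const pub = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || c.type === 'relay' || c.ip.endsWith('.local')) continue;
    (isPrivateIPv4(c.ip) ? local : pub).add(c.ip);
  }
  return { localIPs: [...local], publicIPs: [...pub], leaks: local.size + pub.size > 0 };
}
```

In Tor Browser the relevant mitigation is the Firefox preference `media.peerconnection.enabled` set to `false`, which stops RTCPeerConnection from gathering any candidates at all.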

August 25, 2016


Why is this more "sticky" than the information that the master Tor bridge authority has been changed, a change that needs to go into effect for bridges by the end of this month?

These are nice sentiments, but getting the code to continue to work and to keep updating it for emerging threat profiles is much more important, and it's that stuff that deserves to be "sticky" instead.

I get bridges from bridges.torproject.org. Most of them seem to be down out of the box but a few seem to work for weeks. But in past month, whenever I connect (using current Tails), I often see a mysterious all zeros line in Onion Circuits which never completes any circuits. Any idea what is going on with that?

August 31, 2016


Someone has proposed a "strike" by relay operators to protest the firing of (someone who can perhaps not be named in this blog?).

See tor-relays thread:

https://lists.torproject.org/pipermail/tor-relays/2016-August/009998.ht…

Comments:

1. This situation happened only because TP had no real leadership or employee policies until Shari took over. That would be water under the bridge except that she has not clarified whether the people who hired DC are still involved with TP HR issues. Those people need to be closely supervised by Shari because they have made serious errors which have almost crippled TP.

2. Thanks to DC's legal threats (apparently), the whole JA/DC situation became so f'd up that no justice will ever be possible for anyone. Very possibly, TP's hands have been tied by a forever mysterious/secret out of court settlement with DC. Who was outed as a CIA agent by... JA. Makes you wonder what is really going on....

3. Shari and other TP leaders need to be vigilant going forward against the next attempt by an intelligence agency (could be US, RU, CN, FR, PL, SY, DE, DK, etc) to plant a mole inside TP, or to disrupt TP.

4. It is critically important that TP find a jurisdiction where employee law allows TP to state that anyone applying to work at TP who fails to disclose "under cover" jobs or lies on their resume for any reason, even if a former employer requires them to lie, will be fired immediately when the deception is uncovered. (Cf. "the DC loophole", aka "I wanted to tell you the truth about my real work in Iraq, but CIA told me I couldn't".) Claims of good intentions are no excuse. Unless you are Snowden or Kiriakou, you can't quit CIA on Monday and start working at Tor Project on Tuesday without telling TP you are a USIC agent. That is not and never could be acceptable to at-risk Tor users around the world.

5. I too am worried by all the signs suggesting that USIC finally got its way by "neutralizing" JA. I too am worried that the people who spoke up most forcefully for firing him may have ties to USIC (CMU, Cymru, although clarifications would always be welcome, hint, hint). At the same time, a "strike" would give FBI what it wants, by neutralizing Tor, so that's obviously out of the question. As several people said, the situation stinks of USIC manipulation, but at risk users (an exponentially growing group!) need Tor so badly that their needs must come first.

6. The Social Contract is an excellent first step towards preventing existential problems in future.

7. Someone complained about the all-new board, but I think the new board has very impressive credentials, modulo some reservations about USG ties of one or two members.

8. If TP is under NSL, someone brave who we all know works for TP (RD maybe?) needs to call a press conference in Germany or China and reveal all. Your lawyers will give you different advice, but I believe DOJ would find a face-saving way to avoid trying to charge you with a felony. ("Oh, we thought that NSL expired long ago".)

August 31, 2016


Excellent, well-balanced article profiles Herd, Pond, Riposte, Vuvuzela/Alpenhorn, Dissent:

http://arstechnica.com/security/2016/08/building-a-new-tor-that-withsta…
Building a new Tor that can resist next-generation state surveillance
Tor is an imperfect privacy platform. Ars meets the researchers trying to replace it.
J.M. Porup (UK)
31 Aug 2016

> ...
> After interviewing numerous leading anonymity researchers for this article, one thing becomes clear: Tor is not going away any time soon. The most probable future we face is a world in which Tor continues to offer a good-but-not-perfect, general-purpose anonymity system, while new anonymity networks arrive offering stronger anonymity optimised for particular use-cases, like anonymous messaging, anonymous filesharing, anonymous microblogging, and anonymous voice-over-IP.
>
> Nor is the Tor Project standing still. Tor today is very different from the first public release more than a decade ago, Mathewson is quick to point out. That evolution will continue.
> ...

August 31, 2016


OT in this thread, but topical in this blog:

James Comey is warning that:

1. he plans to spend the next few months "collecting evidence" that the world is "Going Dark" (apparently he means he will be collecting anecdotes from US police departments about all the phones they seized but cannot unlock),

2. next year, he intends to push harder than ever for mandatory backdoors.

Weary reporters were mostly unable to crack a smile at Comey's latest tag line:

https://www.theguardian.com/technology/2016/aug/31/encryption-fbi-build…
Encryption: FBI building fresh case for access to electronic devices
James Comey, the agency’s director, says it is gathering information in preparation for ‘adult conversation’ on balancing privacy with need to fight crime
31 Aug 2016

> “The conversation we’ve been trying to have about this has dipped below public consciousness now, and that’s fine,” Comey said at a symposium organised by Symantec, a technology company. “Because what we want to do is collect information this year so that next year we can have an adult conversation in this country.”

techdirt.com facepalmed:

> Oh, James Comey. The FBI Director seems to have staked out his reputation on being the guy who will go to his grave refusing to understand what basically every technology expert has been telling him for the past couple of years: his desire to backdoor encryption will make everyone less safe. But Comey is pot committed on his belief that encryption is bad and that Silicon Valley just needs to nerd harder and it'll somehow come up with encryption that has a magic golden key for him. His latest is saying that it's time for an "adult conversation" on encryption:

And our favorite vulture is certainly growing exasperated with idgits!

http://www.theregister.co.uk/2016/08/31/fbi_wants_adult_conversation_ab…
FBI Director wants 'adult conversation' about backdooring encryption
How about f**k off – is that adult enough?
Iain Thomson
31 Aug 2016

Yes, it's getting harder than ever to take James Comey seriously. It is all too easy to conclude that he has set himself such a Sisyphean task that we can safely dismiss him as a harmless idiot.

After all, given all the recent hacking of alleged politician-owned devices, potential altering of US election outcomes, etc, which Comey's own agents claim they are "taking seriously", it seems that people like Nancy Pelosi might finally be starting to understand that the world needs more encryption and, more importantly, much better device security, not more zero-day hoarding or NSA/TAO attacking, still less mandatory encryption backdoors.

But we should not be lulled by Comey's (calculated?) foolery into dismissing his attempts to induce the US Congress to mandate encryption backdoors or device insecurities, since Congress might well be persuaded by cynical party leaders to pass a very broadly written law which exempts Congress from FBI hacking or snooping, but otherwise authorizes FBI to order companies to do whatever FBI wishes to whomever they name (dozens or billions of people), all in utter Patriot Act type secrecy -- that way, when the financial system collapses, the legislators can claim they realized they wouldn't understand what they were voting for if they voted for a law which defines terms and spells out procedures, so they voted for a vague law in the hope federal agencies would "figure it all out".

But of course it is the responsibility of Congress to figure out policy issues, even when these issues involve technology. And some members (e.g. Ted Lieu) do have tech credentials. So we mustn't let Congress get away with simply ducking debate or pleading ignorance. If they are ignorant, they are not doing their job right and they should be fired.

August 31, 2016


Some of us keep trying to warn that the most important question begged by the Snowden leaks is the question of what USG plans to *do* with all that data it is collecting about all of us. And the answer is: predictive behavioral analysis, personalized algorithmically decided sanctions for individual citizens who stray from the Party line, even preventative detention for persons suspected of potential future misdeeds, or even potential future thoughtcrime. And the first victims will be the Usual Suspects, prosecuted under a sheen of Scientific Authority and alleged impartiality which only slightly disguises the customary racist and economic disparities which are endemic in the US "justice" system:

https://www.aclu.org/blog/speak-freely/predictive-policing-software-mor…
Predictive Policing Software Is More Accurate at Predicting Policing Than Predicting Crime
Ezekiel Edwards, Director, ACLU Criminal Law Reform Project
31 Aug 2016

https://www.teamupturn.com/reports/2016/stuck-in-a-pattern
Stuck in a Pattern
Early evidence on "predictive policing" and civil rights
August 2016
A report from Upturn
David Robinson & Logan Koepke

The new Jim Crow indeed.

Tor can help prevent it from happening, or at least to slow it down.

September 06, 2016


Sorry for the somewhat off-topic yet important request:
can you please urgently change whoever (Google?) is providing the "antirobot" challenge at bridges.torproject.org. I for one can't for my salvation solve the challenge even once, so the page is totally useless! All the more ludicrous that I suspect actual robots would be better able to solve the challenges.

If you can't change providers, at least try to change the actual parameters, if possible. The present thing is unreadable to a normal human, IMO.

September 06, 2016


1. Tor has diverse funding.
2. USA funding doesn't contradict Tor goals.
3. For the US, Tor permits overthrowing anti-US regimes.

Do we know more about (3)?
What happens when such regimes are overthrown?
What is the US Agenda?