Tor’s Bug Smash Fund: $86K Raised!

by al | September 13, 2019

To the Tor community: we owe you a thank you!

At the beginning of August, we asked you to help us build our very first Bug Smash Fund. This fund will ensure that the Tor Project has a healthy reserve earmarked for maintenance work and smashing the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.

Together we raised $86,081.

You made the Bug Smash Fund campaign more successful than we could have predicted. These contributions come from all over the world, from all different forms: online, through the mail, at DEF CON and CCCamp, and in a multitude of currencies (cryptocurrencies and otherwise).

What’s next: as bugs come in, we will tag their trac tickets with BugSmashFund so you can follow along and watch exactly what you’ve made possible. We will also make periodic updates here on the blog and through the newsletter about our progress with these BugSmashFund tickets.

Thank you to everybody who made a contribution to the Bug Smash Fund. This work is critical in helping us to provide safer tools for millions of people around the world exercising their human rights to privacy and freedom online.

If you missed the deadline to contribute to the Bug Smash Fund, you can still make a gift at donate.torproject.org: just add “Bug Smash Fund” into the comment field, and we’ll make sure it’s directed to the right place.

Comments

Please note that the comment area below has been archived.

September 13, 2019

Permalink

Hey. You guys should make like an music video. On why everyone should use Tor. A rap of some sorts. It can go like.

(Facebook's tracking your location google's tracking your transportation., Use Tor and you'll get higher expectations)

Or something like that. And put it on the Tor YT channel. If it goes viral. Hey more users for you. Or might i say we

September 13, 2019

Permalink

I've never been happier to have contributed less than 1% of the funds raised for a cause I believe in!

Snowden's interview with The Guardian is worth reading.

September 16, 2019

Permalink

> @Snowden is right.

Yes, indeed.

Snowden's memoir Permanent Record will be published later this month, and I urge all Tor users to read it. (I have no financial interest in the book.)

Some of us have attempted to argue for years that the mainstream media has completely ignored the question which is begged by the "collect it all" and "store it all" strategy which is detailed in the Snowden leaks: what does USG intend to *do* with all the "data exhaust", phone logs, emails, text messages, geolocations, financial/medical/educational/genetic records, etc., that it vacuums up from everyone on earth?

Let's ease our way into an answer by starting with a simple example. The Snowden leaks show that NSA is stored *all* encrypted comms indefinitely, including all TSL bitstreams (so all Tor traffic since the beginning of time). The leaks also show that as of late 2012, NSA could not in fact break all forms of strong encryption in common use, and even hint that TLS with perfect forward secrecy was not being routinely read. So what does NSA plan to do with copies of all that unreadable traffic?

If you know about project VENONA you have no doubt already guessed the answer: NSA expects that decades in the future, advances in quantum computing and mathematics may enable it to break currently hard or impossible to brute force encryption. And in that case it plans to systematically decrypt all the stored traffic, searching for clues to... it doesn't know what, but it plans to apply machine learning to uncover hints which it assumes lurk in this so far unexploited data.

But that's still besides the point: the real question is, what does USG plan to do against US persons with the dragnet data? That is, with all the data it is vacuuming up and storing indefinitely on *every resident of the US*? The answer is population control, with pretty much the same horrific intent as what China is doing in Xinjiang Province.

With one key difference: China prefers to tell citizens exactly why they are being sanctioned in some algorithmic judgment, on the theory that like Pavlov's dogs, Chinese people will learn not to do *that* again. What is "that"? We cannot say, because the Chinese government redefines "that" in real time.

In contrast, the US system operates in deepest secrecy, and is preparing to sanction citizens in real time without any behavioral modification hints to the individual victims why they are suffering mysterious reverses, such as being denied employment, housing, travel, education, or other benefits of living in supposedly free and civilized modern nation. This illogic is one of the strongest signs that, unlike the carefully thought out Chinese system of population control, the US system appears to be created by some strange process of governmental sleepwalking.

But this too is potentially misleading, because there is a very important commonality between the US and CN systems of population control: both rely heavily upon coopting commercial personal data acquisition and brokerage "solutions" punted by the biggest and baddest multinational techcos, such as Amazon, Google, Microsoft, IBM, plus old school "defense corporations" such as Boeing, BAE, plus a whole host of smaller companies with ambitions of becoming giant companies, such as Nextdoor. China awards contracts to Chinese companies, but these are buying (not just stealing!) code and expertise from the same companies which are selling surveillance-as-a-service to the US and other governments worldwide. Note that in practice there is little difference between companies such as Google collecting, storing, processing, and selling the "data exhaust" of every human living or dead for the purpose of selling to emarketeers, and for the purpose of selling to "security authorities". ("Living or dead": Google also sells the data exhaust of long dead writers, through its vast program of digitizing pre-computer books and newspapers.)

Which brings us to the purpose of the dragnet. Tom Ridge actually mentions it in his op-end in the Hill warning that the sky is falling [sic] because USIC traffic collection is "Going Dark":

> We simply cannot ignore these crucial technologies [apparently referring to backdoors in encryption backends such as gmail servers] because of privacy fears. There’s too much at stake. Governments can balance respect for privacy and human rights, while also cracking encryption in order to prevent terrorism and crime before it happens.

The purpose of the dragnet is to enable population control--- control of the thoughts, opinions, life goals, and actions of every citizen--- by enabling the government to build supercomputer models in every citizen, together with each individual's interactions with employers, educators, landlords, friends, neighbors, is represented. These models are built by "ingesting" from hundreds of public and private Big Data repositories geolocation records, financial records, employment and family histories, social media postings, "survey" responses, WAMI and other surveillance imagery, in fact from every source the government can think of (which is almost certainly more than any of us can think of). The level of detail is astonishing: the government tracks the route you take to drop your kids off to school, and where and when you walk the dog.

What does the government do with these models? They intend to attempt to analyze it all in real time, of course. One thing they plan to do is to look for signs that an individual has suffered one or more serious "life reversals", such as loss of job or home, a bad breakup, rejection from the college of one's choice, etc., on the theory that future domestic terrorists and mass shooters decide to act following such reversals. But fishing for the "pattern of life" of every citizen is just the tip of the iceberg.

The real purpose of the models is to trial alternatives available to the government, everything from PSAs (public service announcements) to individual sanctions (such as an IRS audit), in order to discover which set of actions best serves "state interests" at any given moment.

The fact which always astonishes me is that this kind of modeling is nothing new. It has literally been an ongoing effort for at least two decades--- predating 9/11, and gradually becoming more sophisticated with the rise of machine learning and commercial Big Data collections easily re-purposed by USG agencies such as DEA, DHS/ICE, and USMS. The models originate in the nuclear weapons industry, especially LANL, and for two decades were one of the USG's most jealously guarded secrets. But recently some former LANL scientists have been cautiously boasting about some of their modeling. Please read the following carefully and think about what I said above as you read:

https://www.wired.com/story/scientists-know-how-youll-respond-to-nuclea…

Now, one of Snowden's points in Permanent Record is that under the population control regime, citizens can be and are sanctioned for things they did years ago which were not only perfectly legal, but which in many cases no-one would have considered strange or objectionable when the citizen did them, but which years later the government (or rather, a government operated algorithmic judgment) has "decided" constitutes a "red flag" warranting a closer look, which might come in the form of a mysterious inspection of your home by a construction inspector, or repeated IRS audits, or mysterious trouble opening a new banking account or internet subscription, or even FBI agents visiting your workplace to inquire about your "terrorist ties" (good luck keeping your job after that).

This undermines one of the key principles of American jurisprudence, the principle that one cannot be put on trial ten years from now for something you just did which was legal when you did it. But the new system of algorithmic judgment undermines the Rule of Law (and indeed all theories of government itself) as we have known it in even more destructive ways than that.

Another key point about machine learning, especially using neural nets, is that most algorithmic decisions cannot be explained to any human, are not even comprehensible to the person who wrote the code. Worse, they are not susceptible to quality control or even reproducible--- one "run" of the software may come to one conclusion about what USG should do to you and your family, but the very next run (if the government chose to run the program twice) could come to a very different conclusion. See

wired.com
Artificial Intelligence Confronts a 'Reproducibility' Crisis
Machine-learning systems are black boxes even to the researchers that build them. That makes it hard for others to assess the results.

But we are still only scraping the surface. Another problem is that criminals and hostile nations will always find ways to acquire any "derogatory information" USG holds on you and your acquaintances:

theguardian.com
Canada: arrest of ex-head of intelligence shocks experts and alarms allies
Police say charges of stealing covert information against Cameron Ortis pose ‘potential risk’ for US, UK, New Zealand and Australia
Leyland Cecco in Toronto
16 Sep 2019

Most notably, CN intelligence apparently obtained USG's files holding all the information it has on "cleared" employees--- including none other than Tom Ridge.

Another problem is that the "information sharing" regime created after 9/11 encourages outrageous abuses in which data collected for some seemingly "beneficial" purpose--- "curing cancer", perhaps--- is abused for some entirely different and highly malign purpose:

thehill.com
Kobach sent residents' names to ICE during gubernatorial run: report
Justine Coleman
15 Sep 2019

> Former Kansas Secretary of State Kris Kobach sent the names of Nebraska residents to Immigration and Customs Enforcement (ICE) during his run for governor. Kobach exchanged emails with then-acting Director of ICE Thomas Homan in December 2017 in which he released the names of applicants for an occupancy license in Fremont, Neb., for the agency to investigate, The Kansas City Star reported. The gubernatorial candidate asked ICE officials to "verify the immigration status" of each person on the list, The Kansas City Star reported.

For example, some doctors (with the enthusiastic support of candidate Biden) want to collect the complete genome of every citizen, to assist them in phishing in this data for clues to the presumed genetic mutations which they believe cause various rare diseases. But this could all to easily be abused by some fanatic (inside government or without) to identify everyone with "Hispanic genes" or "Hasidic genes" [sic], for the purpose of genocide. The suggestion that some law enforcement officials would be happy to pass data to hate groups for the purpose of an American genocide is strongly founded in historical fact. Throughout the 1930s and 1950s, FBI agents and California Sheriffs looked the other way while American Nazi groups, the KKK, and other US hate groups plotted genocides in the Los Angeles area. Fortunately, none of them ever were executed, but that was only because the Anti-Defamation League foiled them by infiltrating the hate groups and (in at least one case) making off with the money which would have been used to buy grenades and machine guns to be used in an attack on "Jewish homes" [sic], based on address lists gleaned from pro-Nazi law enforcement officials. See for example:

hollywoodreporter.com
When the Nazis Tried to Exterminate Hollywood (Book Excerpt)
Steven J. Ross
21 Sep 2017