I would love a counterpoint to my opinion but given that public honest nodes have trivial donations I don’t understand who can afford to support this network other than incentivized agencies.
Btw, the big ISPs being backdoored with high-bandwidth, Tor nodes on same networks drawing people to use them is about the worst-case scenario for Tor. Global visibility into traffic patterns on top of huge attack budget for partial or full defeats of the technology. Plus lots of storage to keep as much encrypted traffic as they can as long as they can. That lets them hit today's systems or encrypted data with future attacks.
I assume NSA sees it all. I assume the FBI gets a part of it which will grow over time, concealing how they got the information. I did anonymous activities using equipment bought in cash over WiFi and HTTPS-looking connections to blend in with the less-interesting crowd. If worried about publicity, use cantennas so folks can't see your face on camera. Preferably suburban areas with more empty space and trees than cameras. Maybe Tor, too, but just don't use it anywhere near devices or a residence that's obviously yours.
Or TLDR read some news article from the time
I say this partly as an appeal to his authority (which I'll argue is not insignificant), but I don't mean it in an aggressive way. I don't know him personally, and I can't say very precisely how much trust I have in his claims.
With that said, he's claimed that he personally knows a substantial number of relay operators by volume, and there is significant pressure from certain levels of the US executive branch on the Tor Project to either compromise or abandon development of the Tor network in order to stop child porn.
Of course, he could be entirely unaware that the relay operators he knows are compromised or are simply federal agents, or he could be himself.
But I think these, among other pieces of information, must be contended with to develop a theory that Tor is entirely compromised.
For instance, there are claims that people within the intelligence community use and rely on Tor for their own work.
Sure, if you’re trying to sell a stolen nuclear weapon then don’t use it. But for stolen credit cards it’s probably very safe in practice.
The entity using the information works backwards to construct a plausible fake chain of events which is acceptable to a court and hides the true source of the information.
The referenced Tor Project blog post, "One cell is enough to break Tor's anonymity", was written in 2009, prior to any Snowden revelations about the scale and scope of state-level actors to see the entirety of the global networks.
AFAIK, Tor still refuses to have nodes add random delays and random padding, etc. to make this style of analysis more difficult, but I am just going off what I researched a few years ago, so I could be wrong.
A more recent and thorough real world analysis of the traffic correlation problem is https://www.freehaven.net/anonbib/#ccs2013-usersrouted . In general, that site has a lot of great papers on these topics.
Why not? I'm talking about shuffling queues such that it cannot be determined that a given node is relaying traffic in the order that it receives it. This is how most packet shaping works, no?
At a minimum, I would expect Tor to be more secure by having nodes:
* Not process traffic in the order in which it's received, obfuscating the cause-and-effect of a packet being received and a packet going out
* Pad traffic substantially with garbage such that the outgoing size cannot be associated with whatever came in, potentially splitting packets in half so that they can appear smaller than they actually are, forking around many different nodes.
* Sending lots of random garbage traffic between relays such that input and output is meaningless overall, perhaps relaying packets to several nodes needlessly, when only a single node is instructed to actually do something with it.
To my knowledge, Tor doesn't do any of this and has explicitly ruled out the possibility because they're more concerned with usability than security. And maybe that's the right call to make in the end, I don't know enough to say. I'm just saying that it's possible to imagine a system like Tor that is more secure than Tor, and that's something worth talking about.
I'll check that link out, thanks for posting it.
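Added example (not part of the thread, and not Tor's code): a toy single-relay model of the reordering and padding proposals in the comment above, run on constructed traffic. The batch size, the 512-byte cell size and all function names are assumptions; it compares how often a passive observer links an outgoing packet to the incoming one under in-order forwarding, reordering alone, and reordering plus padding, and the latency each mode adds.

```python
import random

CELL = 512  # assumed fixed cell size that padded packets are rounded up to


def make_traffic(n, rng):
    """Constructed input: n packets as (packet_id, arrival_time_s, size_bytes)."""
    t, pkts = 0.0, []
    for pid in range(n):
        t += rng.expovariate(50.0)  # about 50 packets per second on average
        pkts.append((pid, t, rng.randint(40, CELL - 1)))
    return pkts


def relay(pkts, rng, batch, pad):
    """What leaves the relay: (true_id, departure_time_s, size_bytes).

    batch=1 is in-order forwarding; batch>1 holds packets until the batch
    is full and releases them in random order. pad=True hides real sizes.
    """
    out = []
    for start in range(0, len(pkts), batch):
        group = pkts[start:start + batch]
        flush = group[-1][1] + 0.001  # released 1 ms after the batch fills
        rng.shuffle(group)
        for k, (pid, _, size) in enumerate(group):
            out.append((pid, flush + k * 1e-6, CELL if pad else size))
    return out


def observer_accuracy(pkts, out):
    """Fraction of outgoing packets a passive observer links correctly.

    The observer uses only what is visible on the wire: timing (the input
    must have arrived before the output left) and size (prefer an exact
    match, otherwise assume the oldest unmatched input).
    """
    unmatched = sorted(pkts, key=lambda p: p[1])
    correct = 0
    for true_id, departed, size in sorted(out, key=lambda o: o[1]):
        cands = [p for p in unmatched if p[1] < departed]
        same_size = [p for p in cands if p[2] == size]
        guess = (same_size or cands)[0]
        unmatched.remove(guess)
        correct += guess[0] == true_id
    return correct / len(out)


def mean_delay(pkts, out):
    """Average time a packet spends inside the relay, in seconds."""
    arrived = {pid: t for pid, t, _ in pkts}
    return sum(dep - arrived[pid] for pid, dep, _ in out) / len(out)


def evaluate(batch, pad, n=2000, seed=1):
    """Run one relay mode and return (observer accuracy, mean added delay)."""
    rng = random.Random(seed)
    pkts = make_traffic(n, rng)
    out = relay(pkts, rng, batch, pad)
    return observer_accuracy(pkts, out), mean_delay(pkts, out)


if __name__ == "__main__":
    modes = [("in-order", 1, False),
             ("reorder only", 16, False),
             ("reorder + pad", 16, True)]
    for label, batch, pad in modes:
        acc, delay = evaluate(batch, pad)
        print(f"{label:14s} linked={acc:6.1%}  added delay={delay * 1000:7.1f} ms")
```

In this model reordering alone barely helps while packet sizes remain visible, and the mode that does defeat the observer is also the one that adds the most delay, which is the usability tradeoff raised in the replies.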
Already lots of people pick less safe options because "Tor is too slow". If you make it slower, you lose users, and everyone loses anonymity. That's only part of the answer and not the only argument against some of the changes proposed.
I highly recommend the original design paper. It touches on the very valid suggestions you make, and the tradeoffs. Sadly, not much has changed since. If you have a valid proposal, and you double-checked briefly what is covered on Anonbib as previous considerations, post to the tor-dev list and it will be looked at by Tor developers. At least that is my experience from following that list.
But what about when no exit nodes are involved, when you connect to hidden services? And if your underlying connection is properly encrypted, then the most that could be divulged is metadata. You'd have to believe the U.S. government has also broken popular crypto, and I believe that if that were the case we would've never seen things like Dual EC DRBG. Even powerful quantum computers could only weaken cryptographic algorithms, if my understanding of Shor's algorithm is accurate, so you could always use paranoid-sized keys or post-quantum cryptographic algorithms.
The folks that work on and support Tor are by all accounts some fairly intelligent people. It is obviously very possible the whole network is compromised, but it would be very impressive if it was compromised and nobody ever found out.
I think software like Tor-based IM is still useful even in the event that the network is compromised to some degree.
Given that, I would at a minimum route your network through an anonymous VPN (or two) before touching the Tor network.
It all depends on your opsec requirements but don’t be a naïve fool - Tor is not a magic anonymity service. It has pros and cons like everything else.
Even if there is N% possibility that a three-letter agency can find an identity correlated to a Tor client in M time, VPNs are much more likely to either be malicious or compromised. And worse, most if not all VPNs don't onion or scatter-route traffic; every single network request goes directly to the VPN provider whom I must explicitly trust.
Granted, this isn't a problem if you run your own WireGuard/IPSec/OVPN instance on your own hardware, but for most people in unfree countries this simply isn't possible.
What's worse is that now not only do governments possibly collect your data, but a random third-party entity as well. Because of this, I only use VPNs when the alternative is nothing at all (like airport wifi that blocks Tor connections).
You probably don't want to connect with a home cable connection. Break into other WiFi or use public WiFi hotspots. Preferably never the same one twice.
Compromised machines can be a mixed bag and require some actual work, but people definitely use them as additional routes in their chain of proxies. You could also use cryptocurrency to buy VPSes to use as VPNs potentially, which offer usefully different privacy characteristics than VPNs as a service.
Even if you get everything else right, the worst enemy will always be you. You need to regularly cycle identities, never reusing them or linking them back to previous identities. If what you're trying to accomplish does not make this possible you most likely are not going to be able to stay anonymous forever.
This is basically the same advice you'd give to someone trying to commit crimes. Well, if you consider any potential adversary to be a threat, it's pretty much the same approach. I think it's wild overkill for most folks because most folks would never have even nearly good enough opsec for this to matter - I know for a fact that my opsec is simply not going to be good enough, I'm just not that organized. For most of us, the best approach is to just not give three letter agencies any reasons to want to destroy our lives. It's easy if all you want to do on the internet is listen to music and talk about programming.
Still, despite the fact that I don't really have any need for this, I find it to be a really fun thought experiment. And there's some pretty good talks about it, too.
That doesn't matter since you're still connected to them with your IP address, plus there's the additional problem of browser fingerprinting which alone may leak enough information to de-anonymize you and let us not even mention the lack of first-party isolation. Running your own VPN is even worse since it basically links you to all of the traffic.
OP is claiming that a combination of traffic/volume analysis and dishonest nodes can find a hidden service source.
One, you are assuming that all parties interested in deanonymizing Tor collaborate. As you say: agencies, not agency.
The design makes sure that you do not need to trust any node in particular. The damage individual nodes can do is small and basically amounts to temporary denial of service for non-exits (which clients will quickly route around) and messing with your traffic as exit (which becomes less and less of a problem as everything moves to e2e, and https is improved/hardened with key pinning etc). The remaining problem is statistical correlation, where studies show it is actually not trivial to perform and takes time and repetitive behavior.
Your argument also assumes that everyone is immediately fucked when one powerful adversary can break the anonymity. This will very rarely be the case in real scenarios, where "the NSA" will just not care about you, but plenty of other actors might. By spreading not necessarily false but very simplified claims, you are drawing users who don't know better to systems where they will be clearly much worse off!
The list of relays is public. There are actually surprisingly few exits that carry most of the traffic, which yes, is a weakness, but that weakness is still stronger than anything else you could compare it to. You can look at the large operators like universities and nonprofits like www.torservers.net, their relays, and you will see that it does not take that big of a budget to run the majority of all exits in terms of total capacity. It is much easier even to contribute high bandwidth entry nodes -- again, feel free to check the largest non-exits in terms of capacity, and investigate the motives. It's all public information.
> As you say: agencies, not agency
This seems to willfully ignore the immense degree of cooperation between Five Eyes, Nine Eyes, SSEUR, etc. It's hard to get real numbers, but I think one would be safe in making the assumption that spending of Five Eyes + friendlies absolutely dwarfs any other intelligence expenditure. So call it "the NSA" or whatever, but we are referring to the giant, interconnected "Western Intelligence" supra-national agency whose capabilities were considered to be the stuff of science fiction before the Snowden leaks.
> The remaining problem is statistical correlation, where studies show it is actually not trivial to perform and takes time and repetitive behavior.
You are disingenuously shrinking the problem space here, by pretending that Tor is somehow bug free, or that all known bugs and flaws are already known. This is vanishingly unlikely. The question is not "are there exploitable bugs in Tor", but "how many zero-days do these organizations have?"
Further you hand-wave away a well-known problem by saying it's "not trivial to perform". You're talking here about an organization that literally taps underwater cables with specialized submarines, and arguably scans and extracts metadata from virtually _ALL INTERNET TRAFFIC_.
The parent said:
>> "I’m confident the government can demask users on demand as needed."
which you then attempted to reduce to the absurd by saying:
> Your argument also assumes that everyone is immediately fucked when one powerful adversary can break the anonymity
Which is a bizarre reading.
> feel free to check the largest non-exits in terms of capacity, and investigate the motives. It's all public information.
Other people's motives are "public information"? Lulz.
Everyone be careful, nothing is as simple as it seems. Notice how I’m responding to an anonymous user. This is expected.
You also make it sound like there would be an alternative design, like a closed set of operators. Now, that would obviously be worse than an open system. All you need is two non-collaborating entities in your path.
Note how I am trying to convince you with facts, whereas you point to my preference of anonymity as something that makes them less worthwhile. Such ad hominem attacks should be avoided in serious discussions, thanks. I value my anonymity.
But like most other things related to tradecraft, I doubt we will know the true case for decades (if ever). I mean there were rumblings that NSA had siphons in major pops for 20 years before it was confirmed -- and you could not count how many times people that stated that belief over the years were looked at with suspicion/disbelief.
This is implying that over 190 countries have that capability, and it is available to all "state" organizations. Like so many comments on HN, saying that it offers "0 anonymity", this shows ignorance of what is going on in the rest of the world, and the kind of surveillance the world's population is under.
Further above, Five Eyes were mentioned. From the Snowden leaks it is known that some eyes get assistance for sacrificing all data upstream to NSA, but it's not like all participants have equal access. So even claiming that "any" "Western" "state actor" has that capacity sounds far-fetched.
Also, this is ignorant of all the non-state actors interested in your data.
given anonymity requires that your identity is not known by any other entity and
given that it is known that at least one state actor has known ability to inspect/siphon much of the traffic around the world either directly or through data sharing and
given the ability to inspect traffic at such locality and breadth allows for unique attack vectors to tor which greatly reduce the need to park/own ingress or egress nodes
It is highly likely that there is no (0) implied guarantee of anonymity for any specific user on Tor.
Because the fact is that I use Tor to be anonymous and escape data mining by dangerous Big Companies: I can elect a government and should give him access to part of my data needed to be a citizen of my country, but I never elect those dangerous companies that steal and sell data, violate privacy, accumulate large data sets about us behind our backs to cross-analyse and compute who knows why we didn't ask or envisage ... Governments are supposed to be accountable, companies are not unless we publicly discover they did something wrong.
If you use your residential internet connection you're definitely not anonymous.
If you use Tor you're maybe not anonymous. That's still better.
Like I said, I would appreciate someone explaining why I’m wrong but I’ve been closely following Tor for years and I haven’t seen anything to refute my opinion.
That's gonna be tough, as the network would be broken if we could show you're wrong. Anonymity means you don't know. I've also been closely following for years and haven't seen anything to support your opinion. I believe most Tor nodes are run by aliens and haven't seen anything to refute it. Not saying you shouldn't be cautious about anonymity, aliens, or whatever, but to tell everyone it's non-anonymous, intergalactic, etc and wait to be convinced by your own standards you're wrong doesn't help the practical user.
Curious though, if a popular non-nefarious app that used Tor were to emerge and communicated only on onion services (i.e. no exit nodes) and most users (i.e. non-mobile) were also relays, do you think that would help reduce the percentage of surveillance relays enough to feel comfortable? Or are there any ways that you could feel comfortable in a popular, anonymous, distributed network environment that most participants weren't surveillers?
Compared to anything else in that space, I always liked how Tor does not promise magic, but is actually pretty open about its weaknesses. Most of what comes up as "new discovery of a weakness" is actually already covered in the original design paper and FAQ.
But what are you going to do? Not use Tor? That's surely worse.
Bandwidth consumption in Tor is not that big at 300Gbit/s. While it's not perfectly comparable, a 1gbit/s residential connection costs about $100 a month. Imagining 300 users, or rather 7000 servers, is really not that big for a community project by volunteers. Naturally this finding is a double-edged sword, as it also means it is not costly for a nation to become the majority owner of all servers if they wanted to. Bandwidth is cheap. It is so cheap that one ISP has started to roll out 10Gbit/s for residential use.
7000 nodes are nothing for high bandwidth nations, and it's not without reason that some over-represented nations in the Tor network match those that subsidized broadband infrastructure. Sweden is about as big as UK but with 1/6 of the population. Germany is twice the size of US (https://metrics.torproject.org/bubbles.html#country).
I do not think cost is relevant to the question. Any agencies of any nation could afford it. The question really is if they would bother, and if they could continuously do it stealthy enough to not rouse suspicion. It's rather known that the hardest security to do is to run operation security continuously without mistakes. In addition we have leaks from inside (Snowden, Manning), internal politics, and I personally do not think it is likely that they would have managed to run perfectly stealthy for 16 years. I would give them the benefit of the doubt that any given year they could take over it, but once they do it won't take too long until it is detected.
You obviously never bothered to look at who runs relays: https://metrics.torproject.org/rs.html Plus Tor's threat model already assumes that some nodes are compromised: https://www.torproject.org/projects/torbrowser/design/#adver... And as others pointed out, the oft-stated "using Tor is better than not" applies.
SAFE Network is much better, as was stuff like Freenet and PerfectDark.
If you stick with providers like AWS or Amazon, sure it's absurdly expensive, but it's yet another way they have a huge amount of markup.
Now more than ever the world needs Tor.
Instead, try to lobby at work to make your site directly available on an onion address.
Normalizing is more important IMHO.
If you can't do that at work, just install the client on W10, and show it to friends and family.
Because there is strength in numbers.
I’ve set it up this morning, I’m running a relay but NOT an exit node, as per Tor’s recommendation. I’ll keep an eye on it and my network connection.
Further advice welcomed, I just want to do the right thing. Thank you.
: And when I do ‘work’ it tends to be at the sort of place where you absolutely could never run a Tor relay!
Then I moved house again, and now I'm back in a non-NBN area. No more Tor relay from me.
I think running relays is a great idea to help speed up the network to improve user experience. Just note, for middle relays (which is sadly the only sane option from home unless you're fine with police banging down your door at 4am at any time due to your IP address publicly sharing all manner of illegal material), you may not get use for weeks or even months, apparently the network waits until you prove your track record of consistency first. But it's important to just be there to support sudden surges in Tor use like when a dictatorship crackdown happens somewhere, and an entire country suddenly needs to access normal websites again. So if you can afford the electricity of a small tower running 24/7 at home to support Tor, I'd recommend it, I've done it before. Try the Tor relays IRC chan for support.
I'm running this on an old Mac Mini which sits under my desk, is ethernet connected to my router, and is never turned off. My only concern is CPU usage, this thing is a mid-2010 Core 2 Duo. It runs quickly enough because I stuck an SSD in it, but I've no idea how Tor might affect it once I start seeing actual traffic.
Also interesting that there are only 78 active relays in Australia as of the time of writing. That's not many!
The UNHRD is nothing like universally accepted. For example, Muslim countries considered that it violates their idea of what human rights are, so they made their own Islam-friendly human rights declaration. That's like 1/4 of the world population rejecting your universal human rights at the outset.
That's a feature.
We don't have a single entity that can prescribe and dictate specific rulings in specific scenarios under the diverse range of city, state, and nation laws the world contains.
Acting like the UDHR was ever meant to be something so specific is asinine.
"The Declaration was the first step in the process of formulating the International Bill of Human Rights, which was completed in 1966, and came into force in 1976, after a sufficient number of countries had ratified them."
> The UNHRD is nothing like universally accepted.
Except by most states the world over it is and has been for decades.
"Some legal scholars have argued that because countries have constantly invoked the Declaration for more than 50 years, it has become binding as a part of customary international law."
> For example, Muslim countries considered that it violates their idea of what human rights are, so they made their own Islam-friendly human rights declaration. That's like 1/4 of the world population rejecting your universal human rights at the outset.
Except they didn't reject the UDHR at the outset. Nobody did, not one member of the UN voted against.
"Of the then 58 members of the United Nations, 48 voted in favor, none against, eight abstained, and two did not vote."
Furthermore, the CDHR came what 14? years later? Likely after the radicalization of Islam that took place during that period. I mean hell, back in the 60s/70s Muslim women were wearing miniskirts.
In fact, the simple fact that the CDHR exists tells me that,
a) the UDHR is working as intended as it allows its existence, and
b) the UDHR got things mostly right if a religious entity feels the need to disavow it and make their own.
A paragraph later in the wiki-article you copied from, this opinion is immediately refuted. Instead the buck stops at constitutions and the like.
It's a declaration of interests. It is heavily stressing the word law, which is very much not an inherent value, that the term competing interests should be hard to shrug off. I am not going to write a fully fledged critique in a HN comment about this monumental document, but it's always going to be a two edged sword.
For one funny bit see this paragraph:
> Everyone has the right to leave any country, including his own, and to return to his country.
Which is asymmetric, not to say utterly useless, without provision about where to leave to. I forgot what GP's point was :(
This is basic stuff and doesn't work in a vacuum; you can safely assume we live on the same planet that happens to have mostly open borders.
Regarding the customary international law thing it was not refuted at all. It says that it does not constitute international law for the USA, and does not constitute domestic law for some other countries - likely because of the vague at times wording.
The fact some nations dispute it doesn't make it any less customary international law, hell it's kind of the definition otherwise it would just be international law.
Customary is just that, it doesn't have to be upheld but it can be used as a moral guide to defining and shaping other laws.
For example, "This right may not be invoked in the case of prosecutions genuinely arising from non-political crimes or from acts contrary to the purposes and principles of the United Nations."
I thought it was pretty clear that Tor is for everyone.
can be used by all camps
only people in the "libertarian" part of the political spectrum can use it
Additionally, the organisation that controls it doesn't control the content or who can use it. They continue to improve it and maintain it for the purposes of maximizing anonymity and preventing the type of 'control' that you seem to think they're capable of.
When has the Tor Project ever excluded anyone based on ideology?
If Tor is to remain as an acceptable thing to run and use, the Tor Project can't outwardly espouse ideology that drives away the normal users that allow Tor users to blend together. Those browsing Tumblr over Tor, shitposting on Reddit, watching YouTube, etc are key to retain so as to normalize the use of the Tor Browser Bundle.
And even so, note that that is not the same as blocking 0.15% of users, which is impossible.
I dunno about opposite, but certainly in opposition on certain points:
"(1) Everyone has the right to a standard of living adequate for the health and well-being of himself and of his family, including food, clothing, housing and medical care and necessary social services, and the right to security in the event of unemployment, sickness, disability, widowhood, old age or other lack of livelihood in circumstances beyond his control.
(2) Motherhood and childhood are entitled to special care and assistance. All children, whether born in or out of wedlock, shall enjoy the same social protection."
Obviously, this means taking from those who have to give to those who have not, which is pretty strongly opposed by the right-libertarians.
A bunch of the others also conflict with right-libertarian principles; like article 24 limits working hours and says I should get some paid vacation and 26 says elementary education should be free (and compulsory).
Right-libertarians generally don't believe that you have a right to any of those things if nobody else wants to give those things to you.
Generally this is talked about as the conflict between positive vs negative rights, or human rights vs property rights.
I mean, you could come up with some version of "human rights" that doesn't include the right to food, shelter and medical care... but you could also come up with a definition of libertarianism that includes some form of welfare for everyone. I personally know several people who identify as libertarians who also support universal basic income...
I'm just saying, that's not how those words are usually used. Usually 'human rights' includes some kind of positive rights, and usually 'libertarian' means 'primarily focuses on property rights'
As I understand your argument you were saying that Tor's rebranding-- emphasizing human rights advocacy-- could ironically make it more difficult to operate nodes in countries that have a poor track record on human rights. You gave some examples of Asian countries which took firm stances against corruption, for example, but which also took stances against western ideals of human rights. The implication being countries which might allow Tor to enhance whistleblowing capabilities might reject Tor if it is closely associated with human rights activities.
That said, your article is 2+ years old so there should be substantial data on your claim by now. What does it show? Has Tor usage diminished measurably in those countries due to their rebranding, or not?
As a point of comparison, look at the nodes for Ethereum, which, IMHO, is an even more disruptive idea than Tor.
Ethereum is a much younger project than Tor, and explicitly eschews the human-rights / internet-freedom branding, even though it will obviously be incredibly useful for those purposes.