 Hey everybody! I've got one o'clock by my watch, and since I was here last time, my goon has put me on the honor system, so I'm going to start talking. I'm Nick Mathewson, I'm one of the Tor people, and this talk is about social attacks against anonymity networks. So I told people I was doing this talk, and they said the title was confusing. So first, what do I mean by social attacks? I mean generally the kind of stuff you would put in the category of social engineering, you know. Lying to people in order to trick them into doing something that's a bad idea so that you violate some sort of security requirement. And you know, this can be as simple as, hey, you know, so I consider, hey, I'm an FBI agent to be a social engineering attack. I consider phishing as a great example of social engineering attacks. Those idiots who keep getting my parents to install screensaver trojans so that they could look at pretty pictures of hedgehogs. Those are on my current hit list. My mom really likes hedgehogs. Alright, so that's social attacks. What do I mean by anonymity network? By anonymity network, I mean stuff like that tries to hide what users are doing on the internet, hide connections between users' activities and other activities of the same user. For instance, you don't want people to know that hacker X9000 is the same person as Fred Jones, ordinary businessman, and so on. There are different kinds of these I'll talk about in a little bit in a minute. Not covered here will be how to do these attacks most effectively. I'm kind of hoping you don't do them because I kind of spend all my time making these networks. Instead, I'll try to talk about how to recognize them and different attack vectors to worry about. I'm going to start by talking a little bit about anonymity networks. First off, the basics. They'll also get into the basics of traffic analysis because lots of these attacks don't win on their own. They win by making traffic analysis attacks easier. And I'll talk a little bit about why social engineering is really good against anonymity networks. By good, I mean effective, not ethical or desirable. I'll start then with trivial attacks that don't need any traffic analysis. Then I'll move into ones that exist to help traffic analysis, either by getting more input or better input for your statistical attack. And I'll close by talking about some defenses that have worked or might worked. So here's the basic idea of an anonymity network. You hide users among users. Anyone who was at my last talk, you saw some of these slides before. I'll be done with that in a minute. So here you can tell that somebody is talking to these Bobs, but you don't know who. And these Alice's are talking to somebody, but you don't know which of the Bobs. But what happens when users act differently? Like Alice 1 is sending a gigabyte every day, and Bob 2 is getting a gigabyte every day, and nobody else is sending more than a few K every day. When users act differently, you can tell them apart by observing. Also, if you can separate users, they don't hide so well. Previously, all of the Alice's hit among three Alice's. If you can get Alice to use a network that is split, whether it's actually a different network or whether it's just a different part of the network from the other Alice's, then you keep them from hiding each other. Now, in practice, we use distributed networks. So the big blob that was networked here is now a whole bunch of little servers, typically operated by volunteers, so that no one single server can compromise users' traffic. Examples of these are remailers like Cypherpunk, Mixminion, Mixmaster, onion routing style designs like onion routing, Tor, and others, and so on. Now, how do these differ? These differ largely in the kind of security they provide and the kind of performance they provide. If you want to... Now, say you're going to build one of these and you start by saying, I want good performance because whoever's beeping not... So against the low latency ones, so you can say when you're starting to build your network, I want to be useful for web browsing and IM and SSH and fast stuff. Well, that kind of means you need to deliver all the traffic pretty quickly because people don't accept three-hour delays between clicking on a link and getting the web page plus an additional three-hour delay between getting the web page and getting the images. So you've got to be pretty quick, but when you're pretty quick, you don't disturb traffic patterns end-to-end sufficiently to keep anyone who's watching both ends from noticing that the pattern Alice sent looks a lot like the pattern Bob2 got. All of the defenses for this are expensive that anybody knows of. This is the biggest open problem in the anonymity field. If you think you know of a solution, then you should talk to us and maybe we can publish about it. If you just thought of the solution in the last 30 seconds, chances are somebody thought of it before. Examples of low latency systems are Tor, Freedom, Pipenet, I2P, John Doe, which used to be the Java and non-proxy. Possibly FreeNet, although what FreeNet is changes a lot between FreeNet versions, so I can't say that with any certainty. Now, high latency networks can give you better security at the expense of worse performance. If you can accept a multi-hour delay on your messages, you can get a whole bunch of messages at every step, batch them up, delay them, shuffle them, and really hide the traffic patterns so that all you really get are how many messages did Alice send in aggregate in a given time frame, and how many did Bob receive aggregate in a given time frame. These still fall to traffic analysis, but they fall more slowly. The typical traffic analysis approach is that the attacker, in this case you assume a global attacker, although you don't really need a global attacker because it's a statistical attack and sampling works, but you assume the attacker is watching the network. They get a view of, for every given recipient, I'm naming all the recipients Bob, for every given recipient, how much do they get on average when Alice has sent a message recently and how much do they get on average when Alice has not sent a message recently, and then you compare those two vectors, and those Bob's who get more traffic after Alice has sent are probably the ones that Alice likes to talk to. This is the long-term intersection attack, also known as statistical disclosure. It needs lots of traffic to work, so we're talking days, weeks, months, or years of traffic, as opposed to the minutes or seconds worth of traffic that you need to break low latency networks. But of course, people don't just always use low latency networks because they're too slow for web browsing, SSH, IM, and other stuff you might want to do. Yes, people have had the idea of mid-latency networks. No, no one has proven that any network fast enough to do web browsing is secure against these attacks, but it's an interesting field. So what should you do if you're a smart attacker? If possible, you should try to remove the benefits of the network from the user. Otherwise, you should try to speed up your traffic analysis. You can either get more traffic that's more input into your traffic analysis system, or in the high latency case. In the low latency case, you want to increase the odds that you get both ends of the circuit, or both ends of the connection, so you can watch them both and do the correlation. You want to make the traffic that you get more useful. Try to make it stand out from all the other traffic. Also, remember that you are hiding users among users. So if I can knock off half the users from the network, even if they aren't the half I care about, that's great because the remaining ones, because I now have half as many suspects, and half as much traffic to hide the ones that I'm looking at. So two caveats for the rest of this talk, because I'm going to talk about ways to do this with social engineering, including specific examples. And because of the specific, the examples are going to be specific, I want to be really clear. I am not accusing anyone, with a couple of exceptions. No, I'm not accusing anyone of actually attempting these attacks, because even if you start spreading an idea that's really harmful to this stuff, well, gosh, everybody has bad ideas. Never attribute to Malus what can be explained by being human. Also, many ideas that work for social engineering work because they are plausible. Say, hi, I'm from the phone company. I need to look in this closet, classic social engineering. Only works because sometimes people from the phone company need to get into that closet. Or sometimes people do need to get into that closet. So when somebody tells you about the say you're from the phone company to get into the closet attack, they aren't saying anyone who says they're from the phone company should be shot on site. And similarly, just because some of this stuff is a decent way to do an attack on the network, doesn't mean or on a user, doesn't mean that everyone who says it is actually trying to do so. So first, trivial attacks. Why would you actually attack the network or attack a user on the network when you can get them off the network? So for a lot of stuff, a lot of applications aren't supported by all networks. Like Tor, you can't really make your Flash plug-in be anonymous. Even if you do manage to anonymize all of the traffic from your Flash plug-in, Flash can be made to leak enough system information to probably identify you. Some people will argue with me, I will argue with them. Let's talk about that after this talk is done. So one way to attack users is to get them to enable stuff that they've been told to disable or disable stuff they've been told to enable. Hey, I've got a video of a kitten. You've got to turn on Flash for that one, but it's a cute kitten. Or click here for some service you shouldn't be using. Another one that has worked, and we've seen both of those in practice, people saying, oh, come on, don't worry, it's not a big deal, just do it in both cases. Another one is, hey, this system you're using, it's just not working for me. Just use Yahoo, that's pretty anonymous. They can't trace you, they will trace you, they will out you. And the classics of police investigation. I love your ideas, and I would like to meet you. Or I support your cause completely. Viva, whatever we're doing, down with whatever we're fighting. I am fully in favor of the things you were advocating. I am also a beautiful 19-year-old with the kind of hair you like best. Please meet me in the coffee shop across from the police station. Oh yeah, totally, can't you tell? Also, why attack the network when you can replace it? When you can replace it, you know? And everyone likes to promote their networks, so I'm not saying that people who promote their own networks are actually attacking stuff, but you know, if you're an attacker and you know of one network that's harder for you to attack than another one, you want to get all the people on the other one. So one approach is to come up with your own and, you know, pimp it really hard. We have seen this with remailers a lot. Some people have claimed that this has happened with remailers. Again, you can't really prove anything, but there have been cases of this alternate approach is better, you should use it. And it wasn't in fact better. Now, were these people confused or were they trying to get more traffic for an attack? The nice thing about this kind of attack is it's really hard to prove that anyone actually is doing this in order to be bad. But yeah, be careful what you believe. Or also, another fun thing is that secure popular networks gets lots of analysis. This makes sense. If you're a researcher, are you going to attack a network that everyone has heard of and, you know, get in all the blogs? Or are you going to attack a network that no one has heard of and people will go, well, you just broke Fubarnet. And, you know, if you break Fubarnet, then nobody cares. So you're going to attack a popular one. And then, but the thing is that when you read about a popular network getting attacked and you don't read about an unpopular network getting attacked, that's a great vector for telling everyone, hey, look at all of these research results against popular network. You should use this unpopular one where there are fewer users and you're easier to analyze. I mean, you should use this unpopular one that has no published attacks against it. Another one is just spreading the rumor that there's a secret backdoor. This works pretty good. Most people can't or won't read source code. And most people are willing to believe what some random guy on IRC told them. I'll talk more about some guy later. But yeah, when some guy says there's a secret backdoor, some folks will believe it and move wherever you want them to move. Or attack the providers. Show up and say, hey, I really need you to help me out this user. Sometimes you, some people will check that you're an actual law enforcement agent. Some people won't check that you're an actual law enforcement agent. There's actually one guy right now who's been claiming to be a law enforcement agent and working one of our operators of TOR for information. We're not too worried about this because, A, he refuses to supply actual law enforcement agent credentials. So we're pretty sure he's fake. And B, they're TOR servers by default. And if you configure them right, and if you're not a bad person who deliberately screws up your TOR server to be mean, don't have any information. So it's perfectly fine to turn over all of your logs because all of your logs are useless for this stuff. Another is, you know, be a slightly evil developer or a slightly evil friend of a developer. Say, hey, I'm doing a research project. Or, hey, I'm looking for a bug. Could you turn on really, really verbose logging and install this network analysis tool and send me all of the logs from it? And another fine one that we saw in the Remailer days was, here is some extra-fast, extra-stable server software that's better than the server software you're using now. You should run it instead. No one really knows for sure who wrote the extra-fast, extra-stable server software. No one can prove that the fact that its random number generator was deeply, deeply compromised was an accident because if this was the random number generators are hard, people do screw them up by accident. On the other hand, a crappy random number generator is exactly what you should use if you're trying to pass off an insecure server as an accident. So we'll probably never know whether that was a real attack or just a programmer with his heart in the right place. Now, in the long term, if your goal is to not compromise specific users but to get everybody, you want to make the network un-maintained. You want to get everybody off the network and you want this thing to go away because it's a problem for you. Fortunately, we haven't got this so much in Tor so far, but if you look in the remailer world, the field is pretty much littered with developer X is a jerk, developer X is a xenophobe, developer X is a bigot, let's all pile on developer X, now let's pile on the other developers, now let's flame each other forever. This has made not any core remailer developers that I'm aware of quit, but it has made developers of several graphical front-ends for remailers just decide it wasn't worth their while to be in this culture anymore. This is an example of a successful attack. I'm pretty sure that they weren't flaming these people with good intentions and because it's all anonymous, you don't know who did it. Another is try to disinherit developers by convincing them that you're using their stuff for evil. This could work, could not work. From time to time, I get some idiot Nazi asking me for tech support. I tell them that although I will defend their right to say what they say, that defense doesn't mean free tech support or any tech support, go screw off. Another one is trying to get providers to leave en masse by intimidating them, posing as one of them, so on and so on. So all right, say you failed at actually getting the user you want to meet you in the coffee shop across from the police station and say instead you're going to do traffic analysis. Well, traffic analysis is pretty easy if you are a popular server. In this case, if anyone is using the first red server, the red means compromise here to talk to... say, else too is using the red server to talk to Bob to, then it sees both ends and it wins in a low latency network. Well, if you get even more traffic, you compromise even more users. So if you can find a way to be the most popular servers in the whole network, your odds get better and better. So how do you win traffic and compromise people? Ask for it. Hey, my server is better than all of the other servers, please use it. People say this a fair amount in the remailer world. Again, we don't get this so much in tour, but we do have people claiming special properties for their servers from time to time. This is basically why when somebody comes up with a neat new enhancement to make servers better, we would ask them to send us the code so we can roll it in so everybody can get it and all of the servers can be good as opposed to trying to get all the traffic yourself, which maybe you're doing to be a good citizen, but it's also the sort of thing a bad citizen would do. Another thing you can do is I've added extra features to my server. Same kind of thing. From time to time, people publish guides to fast performance, better performance. You should use fast servers. Here is a list of the fast servers. Of course I am not running any of these fast servers. Would I lie? Another is just get people off specific servers that are in competition to you. Say it's compromised, some people will believe you. You don't need to present any evidence and some people will still believe you. It is surveilled. No, really. It's in country so-and-so. Everything in country so-and-so is surveilled. Would I lie? It's in a bad country. You see these from time to time in flame wars, in anonymity circles. It can't prove it's malicious, but in some cases maybe some of them are compromised, are surveilled, which makes it kind of hard to know what to actually do if you're a user of one of these things. Moving onward. Let's talk a little bit about network partitioning. It's not completely trivial, but it does help your traffic analysis. Say you've got one big network and you're having problems doing traffic analysis against it. If you can get some servers to stop talking to each other, and this works okay for e-mailers, or you can get some servers to go one way and some servers to go to another, then you can split one big network into many small networks. Smaller networks means fewer users on each network, means fewer places to look, and means that you've got better likelihood of seeing all of the traffic if you're trying to eavesdrop on or compromise these networks. So another thing you can do is just partition clients' knowledge. So the network is all the same, but Alice knows or likes or uses some servers, and Alice too knows or likes or uses other servers, and so you can tell that anything that comes from a server that Alice One doesn't know about couldn't have come from Alice One. So here Alice One doesn't know the server on the bottom right, so there's no way that she's talking to Bob too. And also in a smaller set of servers, it's easier for you to get a pretty large foothold. It's easier to compromise three servers and out of 30... Compromising three servers out of 30 is better than compromising three servers out of 300 in terms of how much traffic you're likely to see. And also you can do even better than just simply binary knowing which users know which servers. Even if you don't know which users know which servers, but you can say, well, not every user knows every server, it's kind of random. Say it's random with different probabilities for each server and you've got a bad compromised S2 here and you're kind of obvious about it. You're such a bad server that 80% of users say, I don't want to use that. Well, okay, now 0.2 of users might use you and say somebody comes to you from S1, which 40% of users know about, and goes to S3, which 80% of users know about. You know, you now split off. Only about 6% of actual users are going to use this path. And over time you can build up profiles of... All right, I saw this chain again. It's one of the same users who used this chain before and probably not the average population. And you can use that as a stepping stone to get to better traffic analysis results. So what are some good ways to encourage partitioning? Well, through social attacks, just everybody come up with their list of favorite servers and convince everybody to use it. And if you're really lucky, not only will people use your list of extra favorite special servers or his list of extra favorite special servers or your sock puppet's list of extra special servers, but they'll mix and match. They'll say, well, I'll take the top five on his list and the top five on his list, and now they're in a set of one. Or start Flame Wars, you know. But if you say, don't use any servers in Germany or France, and everyone believes you, then you've cut down the size of the network. But if you say, don't use any servers in Germany or France, that's not going to work. Someone else is going to come back and say, no, don't use any in the USA because of the NSA. And someone will say, well, actually no. Germany's data retention laws and the NSA mean you shouldn't use either one of those, but France actually is fine and you get a massive flame war on the mailing list or the news group or whatever. And the clients who listen to all of you will come up with different answers and they'll all be on smaller networks and then your social engineering attack wins. And we have seen Flame Wars like this with Germany's data retention stuff, with USA wiretap stuff, with France's old anti-crypto stuff. Gosh, where else? China's a big one too. And everyone has a point. It's unclear for certain whether there are places that are better than others to put servers. It seems like geographical diversity is probably better than no geographical diversity. That is to say, having all of your servers in one country is kind of a bad thing. And then we can start the flame war also about geological diversity versus topological diversity that is probably just as important as not having all of the servers in France all of the servers' connections to each other go through the same exchange or not having them all go through the same ISP and so on. And if you are a backbone ISP, my goodness, you see a lot of the network. More fun, and you see this a lot, especially on networks that have been around for a really long while, like the Mixmaster and Cypherpunk Remailer networks, start operator feuds. A really good way to start an operator feud is to show up and say, I intend to be really, really evil. No matter how evil you intend to be, there's somebody who will think you've got a good point because, you know, bell curve, there's always somebody off on that end. And, you know, they will go, yeah, actually, I kind of agree with the evil operator. And everyone will say they don't, and people will stop peering with each other or start peering with each other, and you do this a few times, and the network is pretty well messed up. Who here has actually... I guess I'm going to tour the last book. Who here has actually used a remailer ever? Who here has run a remailer ever? Oh, wow. Gosh, this is probably the biggest convention we've had in a while. Yeah, so, yeah, you guys know what I'm talking about, and everyone else, you can ask them later if they're willing to talk to you about it. A lawyer has told me I should not name names in any of this stuff because not naming names is probably my easiest way to stay out of libel issues. I'm pretty sure that, in fact, some of these deliberately evil operators are, among other things, though, trying to do partitioning attacks against remailer networks. I can talk to you about it evidence later. Also, user preferences are a great partitioning opportunity. So, you know, if you've got some servers that have very low latency, some that have popular operators, some that are on Bob's Fast server list, some that are in the USA, and users mix and match sets, then, well, okay, here we've got one, two, three, four sets. So that's 15 different possible, non-empty unions of sets you might do, and if you do unions and the intersections, it's even worse. And so just by having different options, you can turn on and off, you can make or different options users should select from. It can give people the illusion more control and more security and exactly the perfect security for you. But the problem is that when you're hiding users among other users, the perfect security for just you is an anonymity set that contains just you and no one else, and you're there by yourself. Also, you know, if you can't partition network, you can try partitioning the traffic. That is, you know, come out and say, hey, next version. Some of you have complained about AES, so in this version you get to choose AES, Blowfish, Twofish, earlier versions of various ciphers, Triple Des, and so on and so on. Well, you know, that's all well and good for something like PGP where you don't really where, you know, if you're the only person using Triple Des, you're just as encrypted as if everyone was using Triple Des. But if you're the only person using Triple Des on an anonymity network where everyone else is using AES, then you're kind of screwed. This was actually a mistake in the earliest designs for the Cypherpunk Remailers, but there's been a large contingent in favor of keeping this mistake in later revisions of the Cypherpunk Remailers and later implementations, and I'll leave it to you to speculate why. So, yeah. Onto defenses, and here I'm going to try to talk about generally stuff that has been tried and failed, stuff that's tried and succeeded and, you know, sort of speculate about what might or might not work. And, you know, later during the Q&A time I'd like any great ideas you guys have for how to resist some of the stuff. Well, some of the stuff is in the code. It's just a matter of code. So Remailers are really vulnerable to network partitioning attacks because there is no standard popular method for getting a list of servers other than download a list of servers from a trusted source and there's really nothing that stops anybody from becoming a trusted source. Mixminion kind of solves this, but Mixminion is not really being actively developed these days because I got a job on tour and I can't really build two anonymity networks at once. I'm very sorry. If you want to hack Mixminion and send me patches to finish it, please do, but anyone like Python? No one likes Python. Okay, yeah. So just provide a good list of servers and make it so that by default everybody uses the same set of servers and if anyone, you know, disables particular servers they don't like, they can, but if you start everybody out with the same set by default, ideally a set that is chosen in some sort of non-centralized multi-party fashion so that it can be relative, so that, you know, any one point of failure can't just change the set on people, then you're doing pretty good. It needs to be self-updating because the list will change over time and you don't want the situation that most remailer networks are currently in where you pick at random how often you're going to update your list of servers and then, you know, and someone who gets their list on Monday acts differently from someone who gets their list on Friday and, you know, so far so good with the Tor approach on this and, you know, we kind of hope it will work out. There is from time to time people are encouraging users to split off and go do different random stuff from each other so, you know, we'll see how this actually works in the end. Hmm. If you're building a network and someone asks for an option or submits a patch for an option ask, is this option really necessary? There are some bad options out there mostly in cypherpunk remailers so, I talked earlier about how choosing how having a option to choose your cypher is kind of a bad idea that you might, you want replaceable cyphers if there is a major flaw found in one cypher suite you want the ability to bump the protocol version from version 3 to version 4 and version 3 is all the bad cypher and everyone switches over time to version 4 which is using a better cypher but you don't want use any random, whichever random combination you think is best because really look you are the developer here your typical, if your typical user knew it only makes sense to force your typical user to choose which cypher if you think your typical user would make a better decision than the default because if only a few users would make a better decision than the default well they wouldn't get very good anonymity because there is only a few of them and if most users are smarter than you about the cypher suite maybe you should just ask them and do what they say so another example for cypherpunks for a bad choice was you would like to hide the length of your message by padding it so cypherpunks has padding length of any length you like so you can choose to pet all of my messages to 30k and you can choose to pet all of your messages to 100k and my message will move through the network being 30k and all of yours will move through the network being 100k and our messages will look nothing like each other and we will get very little anonymity out of that good options well looking for examples of good options we have a whole lot of options in Tor most some of them are a bad idea to use willy nilly some are kind of obviously though what the user wants for instance you need to be able to choose the text of your message and who you are communicating with if you didn't then you would be way more anonymous everyone sends the same message to the same person but it wouldn't be a terribly useful piece of software similarly automatic translation software is not good enough so that Alice who likes to talk in aerobic and talk in Bulgarian are ever going to come out with messages where you can't tell that the aerobic one might have been Alice but not Bob providers need thick skins and provider culture needs to build thick skins people will try to tell you stuff to try to get you to stop being a provider is it all true some of it is basically unverifiable it's hard to tell people will from time to time will spam all of the nasty stuff that they can imagine anyone doing with your system and tell you it's all happened and you know try to get you to decide that it's just not worthwhile giving people privacy it's just not worthwhile helping people in censored countries communicate and you know the defense here is basically to remember well look you hear about these systems you hear about your users when something goes wrong when something goes right you don't hear about you know the user who's got an embarrassing disease and is using this your stuff to talk to a specialist you don't hear about your users who are in some censored country who are using it your software to talk to to look at to talk to reporters to look at censored news sites and so on because they're kind of trying to keep it quiet and the news sites aren't going to necessarily tell you because they don't even notice so you are going to get a fairly biased view of activities and the antidote here is actually keep in contact with your community some people are going to tell you anyway about all your good stuff because they like you a lot keep it in perspective if you have 200,000 users or so it's hard to count they're anonymous like Tor does and you get one abuse report every couple weeks you're doing pretty good even though that is even if some of the abuse reports are pretty sad you know you're doing pretty good also people will try to start provider flame wars so you want to kind of build a culture where people kind of default not to trust but towards more or less agnosticism with respect to one another's good faith and so on and aren't really easily let us stray when you hear about attacks you want to demand a pretty clear description of them you know see if this attack is already on the frequently asked questions find out what are the requirements for the attacker and what are the results that the attacker can get like pretty well sometimes somebody will come up with an attack that is a really cool attack from a theoretical perspective except you need some resource that's harder to get than watching both ends of the connection and what you get is actually less than linking users so it's actually a worse attack than existing attacks even if it's cool and you know also ask does this attack work against other systems of the kind you know this is kind of a pet peeve of mine in that all of the neat results are published on tour these days and I'm really proud of that but most of the neat results are published on tour the free net talk at 11 was really cool if you guys are still in the room are you guys still in the room oh yeah cool, yeah if anybody saw his free net talk that was really cool if not ask him how you break free nets routing algorithms but yeah pretty often somebody will come up with an attack against tour and people assume that every other because they didn't try this attack against every other low latency system every other low latency system is secure in a few cases they've been right like when we screwed up crypto back in 2002 for which I'm eternally embarrassed but we fixed that and we had like 60 users at the time all of whom were like just crypto geeks trying it out to see if it would work and you know but you know mostly attacks that work against low latency systems work against other low latency systems so you know look into that and make informed decisions as users also paranoia is for noobs yeah you know we can all be paranoid we can all trust nobody but trusting nobody includes trusting not even trusting the people who tell you not to trust other people like no I don't trust you know I don't trust telecom providers in the US not to turn stuff over to the feds because hey they do they have on the other hand I don't trust the people who tell me that the telecom providers in other nations are particularly better I don't trust the people who try to you do this to get me to like you know just only use remellers in France and the UK or maybe not the UK or maybe not France or maybe only Austria I think I did get a guy telling me to use only Austria you know but anyway yeah just because you know people have a good point about trust no one that includes them follow information to its source remember where you heard stuff so there's so some guy is spreading disinformation about tour I know this because whenever somebody comes up to me and says is it true that such and such and such and such and so I say you know no that's not actually true at all who told you that is it how some guy told me so some guy on IRC um don't trust him I don't know who he is but you know somebody shows up with like handle some guy somebody's totally going to show up on our channel now with handle some guy and start you know um yeah but no seriously remember where you heard stuff so that like if you find out later that it wasn't true you don't believe them the next time they tell you um also if you hear something from some random person see whether you can confirm or disconfirm it um yeah and now I'm going to wow got some good time for questions like 10 minutes or so um and then I'm going to be in um the corresponding Q&A room for Q&A on this talk and on the previous talk and I'm just going to close with my shameless plugs section um which is check out tour oh um one public service announcement if you are using tour upgrade to the latest version really there's a reason um if you were in if you are using tour and you did not already know this this is because you did not subscribe to the announcements on the mailing list subscribe um there's an attack it's kind of tricky we aren't going to say too much about it until people have you know some time to upgrade because it takes a while for all the people who aren't on the mailing list to actually hear about it from everybody for the people who don't speak english to hear about it from people who do and so on if you can think of a if you want to help us build a better way to notify users we really like some help with that um I'd really like to get something into the system so we can like narrow vulnerability windows um no this is not a remote exploit that you can do use to hurt anything but tour but you can sure hurt tour with this um right let's see what else um yeah run a server if you like um if you have any questions about how stuff works we have written down in copious detail how everything works and we and you know if you don't understand how it works then after you read the stuff then let us know and we'll try to rewrite it so it's even more clear um tour as of earlier this year is now a tax exempt charity in the US the tour project you can donate to us if you pay us taxes and write it off on your taxes consult your tax advisor I am not an accountant CPA or lawyer but yeah um if you want to help us out help us out also you should help out the EFF because they're great people I'm going to help them out by going to their dunk tank at 630 if anything I have said offends a noise or irritates you or if anyone has used tour to say you are a poopy head to you on your IRC channel and you think this is my fault somehow then come dunk me in the dunk tank at 630 um there is another cool talk after this by Roger at 2 o'clock on using tour to defeat censorship and Mike Perry is talking at 5 about neat security stuff and yeah questions anybody anything well not ideally anything yeah can you be louder yeah um all versions earlier than 01216 and 0204 alpha are affected if you have if you have the control port open closing the control port will also solve this I'm not running a browser but you are probably running a browser aren't you also everybody should if you're not running tour button tour button is great software it works with Firefox it locks down nearly everything that you might forget to lock down and gives you nice checklists of everything that you might forget to lock down so you can decide whether you want to lock it down in this particular case or not it's pretty good software made by maybe a large number of people currently maintained by Mike Perry check it out see if it works for you report bugs we like fixing bugs more questions concerns yeah ah so right good question um 200,000 users roughly so we check from time to time we try to estimate how many users it's kind of hard because so so first off yes that is estimated number of distinct IPs that we would observe over um connecting to the network the way you do something like this is you have a node count the distinct IPs that it sees you don't log them because that would be wrong you just count internally in RAM and you don't set it to disk you keep that going for a week or so so you get a count you figure out what fraction of the users are using this node based on the routing algorithm using this node you multiply it's an imperfect estimator but it's about the best we can do another approach is to do a similar thing with a directory but um clients are better than they used to be about not rotating among all of the directories so enumerating users is getting harder than it used to be and again this is IPs this is under counting when you have many users behind the same IP with dynamic IPs if you have any sense of how to get it better without compromising people's security then we'd like to hear it roughly a thousand roughly a thousand volunteer operated servers do you have a better number roger something around there we didn't measure that it turns out that so we wouldn't measure at all if we weren't trying to like convince people that we're a pretty good deal doing a fairly good job and that we have some users who are not doing evil stuff we kind of try to measure as little as possible because the more you measure the less people trust you yeah oh that's five minutes that's not a question yeah oh yes good okay good question so there were two questions I think there organizations that donate to us demand anything in particular in exchange the answer is the organizations that donate to us tend to have areas of development that they would prefer that stuff happen in some of them care a lot more about anti-censorship than they care about in oppressive countries than they care about regular privacy in the rest of the world some of them care a lot more about regular privacy in the rest of the world than they do about anti-censorship some of them care a lot most of all about solving interesting research problems and sort of feel that the fact that we're actually using this to deploy a network is kind of a neat hobby that we've got we try to work things out so that we're doing good work that ought to be done on the tour network to make stuff better and everybody's happy donating money to us so they want to now the other question is if you've got some money and you either wanted to donate it to us to help development or you wanted to spend it on bandwidth to run a server, which should you do depends how much putting up $10,000 worth of servers would probably be a poor idea simply because you'd wind up getting a whole lot of traffic on the network and people would assume you were up to something bad putting up a server is always a great thing and I feel like it's kind of a jerk saying no no give the money to us to us to us people do ask given that we're asking folks to donate to us if they want to tax right off or if they think we're doing good work or something it's probably a good idea to say what we're actually what we would do with more money we would not raise our income we would instead spend it on more developers on subcontracting for problems that are outside of the expertise of the people who are currently working on Tor so for instance we suck at Windows the fact that Windows works on Tor is due to the fact we've got a pretty decent volunteer community and dumb luck and yeah so you know the fact and the fact that it ever started working on Windows in the first place was due to a donor who gave me a one year MSDN subscription once upon a time and that year was enough to get a couple of anonymity networks that weren't previously working on Windows working on Windows and I think the anonymous donor is in the room and I'm willing to credit him if he waves his hand otherwise I'll assume he wants to be anonymous alright yeah any more questions oh other stuff we want to work on we want to work on speed and performance we now speed and performance is tricky if you've used Tor recently you'll know it's slow two things we want to do to make it better you would think one of the things is just add more capacity adding more capacity typically means we get more users because typically what happens when we hit wired or slash dot or something is a whole bunch of people show up Tor gets slow for a day because we just got slash dotted and people start leaving until Tor is tolerable for everyone who remains typically when the stuff gets faster we get more users and performance reaches a baseline again so increasing capacity is important because the more people who use it in some sense the more anonymous you are but we also want to increase speed at the same time we're looking into ways of doing this including providing incentives for people to add more capacity by saying if you relay then you'll be better off in terms of your performance this is tricky and there are subtle anonymity issues there which is why we haven't just done it but yeah we want to make stuff faster we want to make stuff more secure we want to work on censorship beating we want to make stuff easier to use so you don't need to worry about being misconfigured and stuff like that and I think I have time for one more question before I run off to the QA room anybody yeah where's the QA room it's the one corresponding to this track this is track 4 I'll be in QA room 4 I'm trusting my goon to drag me there if you follow the large fellow in the red shirt dragging me off you will get to the QA room I'm going to it'll be QA room if this is track 4 it'll be QA room 4 you had a question we are in Google summer of codes this year through the EFF we got 4 students working on 4 awesome things we hope that Google still thinks that we're worthwhile and EFF still thinks we're worthwhile next year and we hope we work on different things next year if anyone here sent in summer of code applications this year that didn't get in we're sorry it's not because you sucked it's probably because we were just too short-sighted to realize that your stuff was more important than the stuff we thought we needed or the phase of the moon or we were having a bad day or you didn't send us a code sample like we asked you to and I think I'm out of time am I out of time? yeah cutting off alright thank you everyone for coming thank you whoever loaned me this laptop