 Great. Hi everybody. I'm Roger. I'm going to tell you a bit about how Tor works and what we've been doing lately How many people here know a lot about how Tor works and decentralized trust and anonymity and okay I see quite a few hands, but also quite a few hands not great I'm going to start With a bit of introduction about what Tor is and and how it works and then we'll get on to the more exciting stuff So Tor is software the goal is you install it on your computer or Tor browser or things like that and the goal is that you're routing your traffic through a Network of volunteer relays such that somebody watching your local network can't figure out what websites you're going to and People on the website side can't figure out where you're coming from so those are the the two big pieces of anonymity Another key piece of the Tor world is the community of people everywhere who are working on it We've got professors and research groups. We've got free software developers We've got activists and advocates and that huge community of people who care about Tor is critical We're also a us 501c3 non-profit shtiktung style Organization as well and there are some number of users. It's an anonymity or privacy system So it's a bit hard to tell how many users we have really But one estimate has about two million daily users and there's a more recent Privacy preserving measurement that shows about eight million daily users Which is both of these numbers are are quite huge compared to what they used to be Okay, so in a lot of situations Let me see did I just Yes, I just I skipped a slide perfect. Okay, so the first question to ask from a security perspective What's our threat model? What are we concerned about? What are we trying to protect? So we've got Alice over here She's trying to browse the web to some website Bob. Where could the adversary be? Maybe the adversary is watching Alice's local network. Maybe it's the local coffee shop Maybe it's the Tunisian telephone company something like that or maybe the adversary is watching Bob They're watching WikiLeaks and they want to know who connects to WikiLeaks or maybe the adversary is Bob Maybe it's cnn.com and they want to learn all about their users so they can advertise to them better Or maybe the attackers in the middle of the network Maybe it's AT&T or Deutsche telecom and maybe that means it's NSA or other intelligence groups So there are a bunch of different things we have to worry about One of the other key things to remember Anonymity is not just encryption when you're using encryption Nobody can read what you say, but they still learn who you talk to when you talk to them how much you say and This social graph approach is actually what all the intelligence agencies use these days. Nobody tries to break the encryption It's all about let's build a map of who is talking to who and when they talk and who is in the middle and Whoever that is will break into their house and steal their laptop and change things. So it's not about breaking the encryption It's about learning who is interesting and that's what Tor is trying to protect Everybody here knows the word metadata I hope and you've all seen creepy NSA dude with this phrase we kill people based on metadata So a lot of this this is the metadata. This is the communications Metadata the network metadata about who talks to who that is is critical to protect HTTPS is great encryption is good But you need the next layer past that in terms of providing metadata security Okay, I actually only use the word anonymity when I'm talking to Researchers and professors and so on when I'm talking to my parents I tell them I'm working on Privacy systems because privacy is is a good thing that everybody should want and anonymity is a little bit scary I'm not sure if I want it and When I'm talking to companies I tell them I'm working on communication security or network security Because privacy is dead anonymity is scary But of course I want to protect my communications if I'm trying to buy things from the internet or research other companies Of course, I want to protect that and then when I'm talking to governments and military and law enforcement I work on traffic analysis resistant communication networks and Again, it's the it's the same security properties. It's the same system. It's the same users The goal is to bring everybody together into the same network so that they can protect each other You need people who look at it as privacy the activists in the world and you need Governments and diplomats and so on who are saying Yes, I'm going to Israel and no I don't want anybody to be able to learn what my affiliation is or what country I'm going to because because that's my metadata and Then there's the fourth category, which is the reach ability side where I want to go to BBC but I'm in Turkey or Uzbekistan or something and they've blocked the websites I'm trying to get to so the goal of Torus to take all these different groups and bring them into the same network So that they can blend together you can't have a privacy system only for cancer survivors Because then the fact that you're using it tells people too much about why you're using it So far so good. Am I speaking too quickly or hopefully understandable thumbs up great Okay, so how do you actually build one of these the easy answer is you put some Central proxy in the middle and you route all the traffic through that and the first problem with that is What happens if that central point of failure turns bad and? There's actually a okay, I'll get back to that in bit So the second problem is even if that central point is perfect and totally honest you can still look at the traffic going in and match up the traffic going out and It doesn't matter if the person in the middle is trying to be perfect You can still see the timing and volume flows going in and match them up with the timing and volume flows going out So this centralized situation is bad news and it's why in the tour case We want to distribute the trust over multiple relays, so no single relay gets to learn what's going on Our one gets to learn that Alice is using to our but he doesn't learn what Alice is doing Our three learns that somebody is talking to Bob, but he doesn't learn who is talking to Bob And there's encryption. I'm not going to talk about that today, but I'd be happy to chat about it later So this centralization is really in Decentralization is really important long ago I was talking to the CTO of Anonymizer comm one of these central proxy systems and he said I never answer subpoenas If I ever answer to subpoena nobody would ever trust me ever again So of course I never answer when when law enforcement asks and then I did a talk for the US Department of Justice Six months later and what and one of them interrupted me and said why can't you be like anonymizer? It's easy. We send them a subpoena. They send us an answer. It's easy. Why can't you be like that? And I say that not to pick on a particular company. The problem is the architecture The problem is they have all of your data and they promise not to screw you That's not a stable situation. You there's no way for you to be able to learn Whether they're following through on their promise or not So the key for tour is to distribute the trust so there's no single point that could screw you and promise is not to We want something stronger than privacy by promise. We want privacy by design Okay, so that was actually only half of what tour is that was the network level privacy or IP address privacy The second piece is application level privacy. So the first one is when I go to a website I don't want somebody to learn which website I'm going to the second one is when I go to a website I don't want the website to be able to track everything. I'm doing and recognize me from time to time so all the things like cookies and font size and flash cookies and How many pixels by how many pixels your browser window is there it turns out there are hundreds of Browser level tracking and tracing mechanisms, which we've had to turn off and this is tour browser Which is based on Firefox and has a lot of privacy bugs fixed in it and There are other ways of using tour one of the safest ways to do that is a live CD based on Debian called tails You get it you install it on your USB key you boot tails And it has all of the software preconfigured to correctly use tour And it's missing all the stuff like Microsoft Word that you shouldn't be trying to use tour with tour at the same time so if you're For example, the journalists who were looking at the Ed Snowden documents were using tails while they were doing that to Make sure that they were as safe as they could be and Just this year. We are finally finishing tour browser for Android It finally got to the point that you could run a real Firefox on Android and we've ported all the issues all the fixes inside Firefox and we're gonna have a real first-class tour browser for Android right now It's an alpha you should go to our website if you're an Android person download it try it tell us about the bugs Okay, so this is a great so the green line here is capacity of the tour network since 2010 and the purple line is load on the tour network since 2010 So there are a couple of neat things to look at one of them is they're going up yay Another one is there's a whole other talk that I I don't have time for here about performance Where the difference between these two lines has to do with how fun it is to use the tour network It used to be way back when that these two lines were really close together And that means there was very little extra capacity on the tour network very little That meant that there was a lot of congestion When you were trying to use tour you had to wait for somebody else's page to load before your page could load And as these two lines separate more and more it's more likely that you're gonna have a fun experience using tour Okay, so there are two pieces to how what I mean by tour safety or tour diversity The first one the first way to measure how safe tour is has to do with where the relays are so we have about 7000 or 8000 relays all around the world and Imagine a tour network that was all in Boston We have tour relays at MIT tour relays at Harvard tour relays at Boston University in that case you're bouncing around a small tour network and There are several internet providers around there who get to see all of it And that means they're very likely to be able to see the connection coming into the tour network and the connection coming out of The tour network and then they can do traffic correlation attacks to realize This user was connecting to that website. So as we get more and more relays. It's not just the number It's where they are as the relays are more and more diversely spread around the world The set of attackers who are in a position to be able to see Traffic going in and corresponding traffic going out gets smaller and smaller So that's one way of measuring how safe tour is another Key thing is diversity in terms of number of users in that area who are using it for different reasons. So for example Imagine you're a tour user in Iran. I talked to security people who say okay. Here's my algorithm I'm going to find a tour user in Iran I'm going to kill them and then I'm going to repeat until there are no more tour users in Iran And if you're you know a person who doesn't understand society and politics, but you're just looking at it from a technical side Okay, fine solid algorithm But the problem there is the average tour user in Iran is the average citizen in Iran They censor their internet So a lot of people install things like tour in order to get around the censorship So the average tour user is the average Facebook user They're using it to try to read their kitten blog posts just like everybody else in the country And that diversity of ordinary people is critical for security You can't have 50,000 political dissidents in Iran and they're the only ones using tour Because then the fact that they are trying to download tour the fact that they're trying to use it is Itself bad news for them So far so good Great Okay, another key thing to think about is the transparency side. So yes, we're free software. Yes, we're open source Yes, we give you specifications that describe. This is what we this is what we Here's our source code. Here's the specifications that say what we think we built Here's the design documents and proposals that say why we built it this way and we need all three layers of that But it's more than that. We also show up to conferences and Explain hi, I'm Roger. I want to answer any questions you have about tour and this level of transparency is critical for Community building and trust in the software. There are a lot of other privacy tools out there who say I'm I'm gonna go by a pseudonym and I'm never gonna show up at a conference and nobody can meet me And I'm just gonna write good solid software and it will be fine Tour is about a community of people around the world who know each other and trust each other and that's how it grows So I also hear from plenty of people who say oh Ha ha the privacy project is talking about transparency. That doesn't make any sense It's not a contradiction Privacy is about choice privacy is about you being able to choose who learns things about you and we choose To be public and transparent in order to build a stronger system in order to build a community That that can grow and trust itself Okay, and yes, there's always somebody out there who's like but what about bad people aren't aren't you helping bad people in the World so there are a bunch of different answers to this and if you If if you think the tour is mostly for bad people I'm not gonna solve this in one slide happy to chat more afterwards But so the first answer is remember that we have something like eight million people using tour every day so through sheer volume we are like the average internet user at this point and Yes, you see a couple of bad people here and there But all the ones that you don't see are the ones who are using it successfully and happily to get to Slashdot or CNN or Facebook or whatever they do on the internet Another answer is Yes, maybe it's a two-edged sword. You got to accept the good with the bad I hear a lot that technology is you know neutral So it's about what the humans do with it. I Think that technology and is neutral side is bullshit Technology is inherently political It benefits some people more than others when you're building it if you don't think about that you will end up Reinforcing the status quo you'll end up reinforcing the current power structures So one of our goals with chore is to think that through Understand the current power structures and think about how to benefit the people who are who don't have as much power right now The people who aren't Governments and companies and so on if you're a government you can buy your own anonymity system You can go out and handle Opsiac You can do a lot of trainings and so on if you're one person in Syria who just saw something terrible happen You don't have any other options besides tour. You don't have any ways to stay safe on your internet So yes, it's a two-edged sword But I think one edge is a lot sharper than the other or however that metaphor goes Good people need to or a lot more than bad people another way of looking at that if we took tour away from the world The CIA would still be doing fine, but the people in Syria would suffer a lot more than that Another way of looking at that Imagine two scenarios so scenario one I want to build a tool that works for the next year It will work for millions of people and I can tell you all about it. That's the tour problem Scenario two I want to build a tool that will work for the next two weeks And it will work for 20 people and I'm not going to tell you about it. That's the bad guy problem There's so many more ways of solving scenario two you get in a flame war on Wikipedia You hide your images on in steganography and eBay. There are plenty of things that don't scale Don't last and don't stand up to transparency and scrutiny whereas we want to build something that can grow to actually provide strong security to lots of people forever and that's a much harder problem and It benefits the good people a lot more in the long run and if you didn't buy any of that I'd be happy to debate more afterwards Okay, another fun thing to think about The Toronto Public Library has rolled out a pilot program where they have tour browser on all of the computers in One of the the big rooms in the library and they're working on getting tour browser in every single computer in the Toronto Public Library System which is awesome because there are so many Ordinary people in that world who need more protection from the internet in America at least we have laws about how libraries have to Sensor the internet and there's a bunch of problems with law enforcement going to to try to surveil what people do in libraries I don't think Canada is that bad yet, but Giving people back control of their information Control of who gets to learn what they're doing is a really cool thing to do Okay, so let me switch gears to the censorship side of things. I'm trying to smash together too many talks at once So here is the tour website from various countries around the world It might not look like the tour website. You're used to seeing here's one up there saying surf safely This website is not accessible in the UAE Here's another one saying this do it blocked due to content contrary to the laws of the Sultanate This one's fun because if you believe that the website you are trying to access does not contain any such content Please send us all of your information using this form and then we'll we'll you know take care of it for you Whatever that means so I'm not sure how that works in practice But I think a lot of people in these countries are smart enough to to not fill out these sorts of forms But here's some other fun examples access to this site is currently blocked and then in in cutter They try to make it fun Oops, we're fascists oops. We blocked this thing So there's a recurring theme where it's not, you know, we're a totalitarian government. It's you know, something went wrong I don't know what went wrong. You tried to do something you shouldn't have haha. This is all fun So this is the the first introduction that we had to the censorship side of things where people would block our website And that means that when you try to download the source the tour software You can't get it and that means it's harder to connect into the tour network So this was one of the very early Censorship experiences from the tour side you can see in this so this is a graph of the number of people Connecting into the tour network from Egypt don't pay too much attention to the y-axis the numbers there aren't quite right But the the relative Graph is pretty accurate. You can see on this graph when they blocked Facebook That's when a whole lot of people decided they needed tour and you can see on this graph when they unplugged the internet So this is a very early experience from the tour side Much more recently Here's a graph of the set of people who are connecting into the tour network from Russia And you can see here when they blocked Facebook as well because they blocked Facebook and suddenly hundreds of thousands of people switch over to using tour in order to get to Facebook and I say Facebook in this case because I talked to one of the security people at Facebook who says they have a Secret data set that's exactly the inverse of my graph on their side They have a data set of people connecting to Facebook from Russia and it looks like this It looks like exactly the opposite of this So so we have the set of users who have switched over to using tour in order to get to the the Facebook site but Eventually and this happened in several countries there People try to use tour to get around censorship great But that means the countries are going to try to censor connections into the tour network with the goal of okay Fine, we blocked Facebook and we're gonna block tour so that you can't use it to get around the censorship So the fix the first fix for that is what we call bridge relays and the idea is you've got a bunch of volunteer users Who are harder to enumerate they're not they're they're not a static list They're not a public list and the censored users route through these bridges into the tour network We'll get back to that think of that as a building block for later So another challenge that we have in the censorship world is deep packet inspection DPI The idea is rather than looking at the IP addresses that you're connecting to and blocking Filtering by that you instead look at the content that's going back and forth And you look for patterns or protocols or something like that and you block certain patterns that you don't want to see Certain protocols so in this case tour tried to look like TLS because who would block HTTPS and We had a slight difference in the Diffie helman prime that we were using in our TLS We used the one from the DNS sec RFC and Apache uses the one from a different one and somebody tuned the Nokia box in Iran to look for TLS handshakes that use the DNS sec prime and Cut them and that meant that over the course of a day or so All the users disappeared from Iran and we heard a lot of people saying oh my god What's going on and they weren't blocking by IP address? They hadn't gotten the list of the tour relays and blocked them They were blocking all the bridges and all the relays because they were blocking through the protocol approach and in this case we figured out what it was and rolled out an update and a few weeks later everybody recovered and it Was fine, but this DPI approach is certainly One of them the one of the more pervasively used approaches for censorship these days And the answer that we have for that is what we call pluggable transports The idea is the tour side still takes care of the privacy anonymity security metadata side of things and the pluggable transport Transforms the tour traffic in some way that's going to make it look like something the sensor doesn't want to block So there are two main categories here one of them is you transform it into HTTP or HTTPS or Skype video or web RTC or stuff like that So it looks like the sort of protocol. They're happy to let through and then another answer is you transform it into Just a random Random stream of bytes and the goal with that random stream of bytes is they can't figure out what the protocol is now They're forced to either block everything. They can't classify in which case there's a lot of false positives in their blocking or Allow everything through if they can't classify it and that protocol works pretty well in a lot of places How many people here know the story about blue coat in Syria from Five years ago or something One hand down here One hand down here. Yep. Okay one hand down here great Everybody should know this story. It's a terrible story Everybody should so a few years ago There were folks from anonymous the like the online group and they found a misconfigured FTP server in Syria which had gigabytes of web logs Publicly available because they screwed up and made them available and they were blue coat web logs And each line of the gigabytes of lines was this IP address Tried to access this URL and we allowed it this IP address this URL. We blocked it lines and lines and lines of Apache style Logs explaining who was trying to do what and whether it worked from all around Syria and at the top it said, you know blue coat so In America we have a law about how certain We're the companies in America are not allowed to Sell their stuff to certain countries and Syria is on that list. So blue coat was Was breaking the law in the US so anonymous went to blue coat and said what's up with this? You seem to be running the censorship surveillance infrastructure in Syria and blue coat said oh, no, that's not us And so anonymous was like but the top of the log says blue coat on it What do you mean? It's not us and then blue coat said oh, well gosh We we sold it to Dubai or something How are we supposed to know that that they they resold it to Syria? You can't blame us We don't we don't know and then they were like but but it's it's auto updating all the updates are still working What do you mean? You don't know you're serving updates to a blue coat server in Syria How do you how do you not know that you're doing that? So then blue coat was like oh shit. You're right. We okay. We disabled the updates now We're definitely not helping this at all. So then anonymous Went and got the serial number for the blue coat device and logged in and asked for some updates and they got the updates so basically the end of the story is and then blue coat got an award from the US State Department for their cooperation in All of this so it's a miserable story every step of the way and it's a recurring theme where European and American and Western companies are building and deploying and operating the surveillance and censorship infrastructure all around the world and So I actually went to a meeting at the German Foreign Office a few years ago where they were trying to figure out What should we do about this should we should we make a law saying European companies can't can't sell Stuff to certain countries should we outlaw certain kinds of technologies? And I'm not a fan of that one because every time people try to draw a line my stuff's on the wrong side of the line So I think trying to delineate what technology should be illegal is probably not not so good This was a fun meeting from my perspective because I was basically the only technology person there So I would be sitting in the room and at one at some point one of the the diplomats or something would lean over and say Hey, Roger. What does the technology community think about this and I would try to represent every hacker in the world to Explain how how the internet actually works So I don't know how they're actually going to solve this one of the theories that I heard from privacy International Was don't look at the actual software Look at the brochures that they use because there are there these huge trade shows where like blue code and Everybody else show up and they have Glossy beautiful Documents saying I can arrest 500 bloggers per hour and then somebody else says I can do 800 bloggers per hour And then the the Saudi prince goes over and says ooh, I want the 800 one so actually looking at the the Extremely bold advertising that these companies do they're they're shameless They they they're they're making billions of dollars off of this and nobody is stopping them Australia sensors the internet Denmark sensors the internet Sweden sensors the internet Belgium sensors the internet England sensors the internet so when Governments go to places like China and say look you're being bad for the world. You're harming your country You're you're not playing well. You're censoring. You need to stop censoring China very reasonably says Look, I'm just doing what everybody else does. I'm keeping my citizens safe from the internet Just like you do. Why are you picking on me? So part of what we need to do is not think about Just over there a stand where China is doing something bad with their internet The problem is all over where we're starting to try to control and surveil and monitor and prevent connections and and when we're doing it in Western countries How are we possibly going to convince other countries to stop doing it? So if we're trying to solve this sort of thing, maybe we should start at home trying to solve the fact that Belgium wants to censor the internet and does it These are the actual official Chinese cyber police This is the you remember the you know oops. This is fun This is fun to be the Chinese cyber police. They're all cute and cool and and don't worry So there are a bunch of things I can talk about China I don't have enough time to talk about all of them But one of the the critical points One of the things China did recently from the censorship side is what we call active probing the idea So you remember I talked about the pluggable transports where you transform the traffic into something that that they're not willing to block Or they're not able to recognize and you drive up the false positives in the active probing world They do a DPI attack to figure out if they think they might want to block it And if they think they might want to they connect to the destination themselves talk the tour protocol to it And if it talks tour back, then they're sure then they cut it So they have a nationwide active probing infrastructure where within a few milliseconds of me making a tour connection They make a tour connection spoofing it from an IP address somewhere in China and follow up and try to connect So the fix that we have for that is when you're connecting to a bridge you need to prove knowledge of some secret and that means the active probing infrastructure when they when they connect They can't prove that they know the secret and the challenge there is what should the bridge do When somebody connects and can't show that they know the secret the the answer is back natural Whatever that means do you do you provide an Apache error file? Do you so the the answer that we've come up with right now is you wait a random number of seconds and then you Hang up because if you ever answer anything, that's a fingerprint that they can use to say That is a tour bridge trying to pretend. It's not a tour bridge. So this is a Terrible arms race going back and forth Okay, another fun thing we can talk about a while ago a nice guy named Ed Snowden brought a bunch of documents out He tried to get every single document He could find about tour in order to give it to us so that we would have as good an understanding as possible About what the intelligence agencies are trying to do with and about tour. So this is a slide deck from I'm not sure if it's NSA or GCH Q and I'm really curious which one where they were talking through I tried to attack tour like this and it didn't work. I tried to attack it like this and it didn't work I tried like this. So it's a it's a series of tour stinks. I can't break it Which is a fun slide deck that they used internally at one of their meetings Another challenge we had there you see the fine tour sticker up there on Ed's laptop This was the first introduction to tour for a lot of journalists So we had a lot of people calling us and saying so what's this tour thing that Ed invented? Because they had no idea that there was a thing called the tour project and that we'd been working on it for 12 years and so on There's also this great quote in there from one of their slides as endorsed by the NSA Still the king of high secure low latency internet anonymity So on the one hand yay, they couldn't break tour as of 2012 on the other hand All these intelligence agencies are huge and they have a lot of different groups that don't talk to each other So we need to make sure not to be too confident based on one group not being able to break it That doesn't mean that there wasn't a group down the hall that didn't talk to them That we're working on some other mechanism for being able to do it But it's still a good sign the fact in 2012 they were having meetings between NSA and GCHQ Because they didn't know how to tackle this confusing tour thing which distributes trust all around the world Okay, so you remember the bridge thing I was talking about earlier All of that I was talking about in the censorship context in the context of somebody's trying to connect To the tour network and we're gonna block that connection, but what about the surveillance world? What about the world where we're trying to learn who is connecting to tour? So one of the other pluggable transports that we've been working on that I'm optimistic in the censorship context And I'm intrigued in the surveillance context is something called snowflake So the idea is rather than you run you install tour or you edit a text file You do things that that we find normal, but most users find confusing Instead you let people volunteer to be a tour bridge by going to a website with their browser You give them some JavaScript it turns them into a JavaScript browser running into a JavaScript bridge running in their browser And they do a web socket connection into the tour network and a web socket connect and a web RTC connection to the censored user So as far as China or other censors are seeing There is a Google Hangout style video chat thing going on from the user in the country To some random web browser and from there the connections being passed on into the tour network So there are a bunch of cool properties here. One of them is web RTC I hope they don't block it another one is you get built-in NAT piercing because web RTC already does all of that You get encryption and you get a whole lot of transient We call them snowflakes a whole lot of transient bridges that Come up and go down and if China's goal is to blacklist all the people on Are part of the internet running web browsers? That's probably not going to work So the other thing to think about is the surveillance style of Question where if they're trying to learn who's connecting to tour by building a list of everybody who does web RTC Everybody who does Google Hangouts everybody who does internet video chat. That's going to be a much harder approach Okay, so one of the lessons Censorship arms races are crappy because China puts billions of dollars and tens of thousands of people into this sort of thing But at least you you have a handle on whether it's working like you try to connect to the tour network It doesn't work you change something now it works your feedback loop is pretty good there And they've been making it worse by not just not actually cutting the connection But throttling it or slowing it down or something But at least you have a feedback loop in the surveillance case There's no feedback loop you connect to the tour network. You don't know if they saw you You don't know what they're looking at you don't know what databases they have you don't know what part of the internet They can see and you don't so you don't know whether you should change something and if you change something You don't know whether you helped it or you heard it So one answer is we need a new ed coming out every week giving us the the new documents that they have I don't have other answers. So I'd love to chat more about that. Okay. Let me switch over to another topic in the last 12 minutes onion services or hidden services So everything I talked about before was I want to go to a website without the website learning where I'm coming from Now let's use that as a building block where I want to connect to another person running the tour software And I want to do it so that I get a bunch of cool security properties And so this is how it looks in practice up there you have a blah blah blah dot onion address and This is the rise-up website running as a tour client Available and reachable over the tour network and that blah blah blah is the hash of the key of the onion service Which gives us a bunch of cool security properties one of them is? It's self authenticated if you know the blah blah blah dot onion You can fetch the key hash the key make sure it matches the blah blah blah And that means that you know you're talking to the place that has the private key that corresponds to this address You're trying to go to so you know the whole certificate authority world where Turkish telecom can lie to you about whether it's Facebook We bypass all of that you get end-to-end Authentication where you know who you're talking to without needing to rely on Digisert or verisign or Turkish telecom or Chinese telecom and so on You also get end-to-end encryption and you get a bunch of other cool things But one of the questions we were wondering in the beginning So a while ago there was some idiot on the internet trying to sell drugs And he set up a website selling drugs and he put it behind an onion address and then some cops found him and busted him And there was some cop who was saying and the tour network traffic went down by 50% when we busted this guy So tour is only for bad people and I was thinking well shit that that's not good. I thought there were millions of tour users I thought we had all these you know good people doing things. I hear good stories Yeah, there's some some some jerk, but you know, that's just one guy So then I was thinking wait a minute. We don't actually have any data about that We don't have a way to to argue with this guy other than say him saying it was half the tour network and me saying I Hope that's not true So at that point I'm thinking how do we actually gather data to refute this sort of thing So here's a graph of the amount of onion service traffic that happens over time and it's It's you know a gigabit per second or something But remember at the back back at the beginning of the talk. I was showing you 150 gigabits per second of Actual tour load so it's complicated to figure out what fraction of the tour network that is but it's something like 3% So something like 3% of the traffic on the tour network has to do with onion services at all So it is a tiny little toy that I built back in 2005 and it hasn't gotten much use It should get a lot more use there is a lot more potential out there But it's it's basically at the very beginning of its lifetime So that means when you see Confusing terrible iceberg pictures scaring you about the other 99 internets out there that you didn't know about Try to figure out what their business model is try to figure out why they're why they're trying to scare you with an iceberg slide Is it some sort of threat analytics or threat intelligence or something where they want you to give them a million dollars? And they'll tell you if they find you on the dark web or whatever that means I actually talked to one of these threat intelligence companies and they said Yeah, we have to say dark web because that that's what sells But actually all the interesting stuff we find is from our paste bin pro account We pay paste bin and they tell us every time a new paste bin thing happens and that's where all the good stuff is We don't find anything on onion services. They basically don't exist so another interesting piece of that a while ago BBC did an article saying you can buy drugs on the internet and here's how and The comment section was full of people who are like, oh my god, that's amazing. Thanks. Thanks. I don't have to go get shot on the street corner Wonderful. Thank you for telling me about these sort of things and BBC's business model is they sell ads on their article So of course they want to write something that people want to read And then they did a follow-up a week later saying and we bought some and we had them tested and they were really good So what was BBC's motivation in writing these things and getting all these people? This was like the most commented on article ever. They had to shut down the comments So what what's their business model there? Think about that when when you see an iceberg slide So another another version of that question. What do you think the biggest website on the dark web? is is it some someplace in Malaysia the answer is It's Facebook a while ago Facebook was looking at how many users are connecting from the tour network into Facebook and they saw over the over a One month period in April a few years ago They saw a million people logging into Facebook accounts over the tour network and they said wow Users want safety. We should set up an onion address. We should embrace tour We should give them the choices that they're that they're clearly asking for so that they can Connect to our network the way they want to so one one One reason why they do this They know that there are people in Turkey trying to reach Facebook and they know that Turkish telecom is trying to attack The people in Turkey and Turkish telecom can lie to them about what as what HTTPS websites. They're seeing Another key thing to think about here This is still the Facebook website It's not like Facebook set up a new internet and put themselves on it or something. There is no dark web That doesn't even make sense. It's the Facebook website I was talking to an analyst a while ago who said I found a copy of Facebook on the dark web And I'm like no, there's a computer. It's called Facebook. They're running a website. It's called Facebook comm You can get to it over HTTP. You can get to it over HTTPS. You can get to it over its onion address It's the same computer. It's just a matter of what transport security you get Do you get HTTP where you get very little encryption and authentication? Do you get HTTPS where you have to rely on one of 300 companies vouching for this thing? Or do you do the onion address where you don't have to rely on that sort of thing? So there are a couple of other cool use cases for onion services that That might expand your idea of what onion services might be one of them is secure drop There's another one that's similar called global leaks out there in the world And the idea is you run a website where people who want to whistle blow or give you Anonymous tips for your like New York Times runs one of these and you can talk to a journalist Safely where you control your own privacy. It's not an anonymous tip line where they promise to keep you safe But it's up to them. You get to control these things Another fun use case is a tool called ricochet it. So, you know Jabber XMPP Google chat all those things iChat iMessage they're all centralized There's all even signal has a central point that knows who you are and who all your friends are and when you talk to them And that metadata is the really interesting stuff So there's there's a juicy middle that you either subpoena them and they give you the answer or you break in and you get The answer the cool thing about ricochet every user is their own onion service. There is no middle There's no place to break into you're all rendezvousing with each other through the tour network in a way where each of you Keeps control of your privacy and your contact and who you're talking to in a way that there's no place to go To attack in order to learn who's doing what and then a third fun use case is called onion share Imagine you're a journalist and you just got the ed's notan documents and you're sitting next to another journalist And you want to share them you're actually in the same room. What do you do? Do you email them through your Gmail thing? That's probably not a good idea Maybe you put them on Dropbox, but wait Dropbox looks at all the files Maybe you put them on a USB key, but we've all been taught that US keep USB keys are bad news so the answer here is you run a tool called onion share which spins up an onion service and a website and you Ricochet or signal or whatever the URL to your friend your friend goes there downloads the file and then the website disappears So it's a transient way of moving a file around on the internet in a way There's there's nothing there afterwards. It's not like a website like Dropbox where they can go subpoena of them afterwards Okay, so another So some some wrap-ups to think about Tour is not magic. Tour is not foolproof User error is one of the most common ways where things can go wrong one piece of that is Obstacle mistakes where the idiot trying to sell drugs Apparently wrote his name down in various places and screwed up in all sorts of ways So if you're trying to stay safe on the internet There are a lot of things that you want to think about and a lot of examples of how people are screwed up Another challenge is metadata Browser fingerprints where it's not just cookies It's all sorts of other things at the application level that can let the websites recognize you over time And then another challenge we have as the whole browser exploit world We're based on Firefox Firefox is not the best software out there. No browsers are the best software out there browsers are shit So if you're trying to actually browse the web and be safe This is a terrible world to live in but that's what everybody does so we also are in that game and Coming up with a way to keep you safe from people sending you scary JavaScript and scary images and scary text and scary XML and so on is a challenging world and I've tried to order these in terms of how How how prevalent they are how relevant they are to ordinary people because you're much more likely to have an upset problem than Than have an intelligence agency try to look at the entire internet and try to match up Who's talking to where and so on but these are four areas that we think a lot about in terms of keeping people safe So how can you help one answer is we need a lot more relays you can run an exit relay Which means you're the last hop in the connection and websites are going to get confused about whether Whether it was you or whether it was Tor and sometimes you get the chance to teach law enforcement how Tor works Or you can run a non-exit relay Which means you're never that third hop in the in the circuit in the path And you are just moving in crypto traffic back and forth inside the tour network So whichever of those you're excited about we need both of them another thing we really need is Please tell everybody how Tor works Explain to them why privacy is important why metadata security is important Explain to them why the dark web isn't what they think it is and that guy with the hoodie They saw on the television show is not representing the internet in the way that that actually matches facts another piece Use our software find bugs if you're an android person download Tor browser Android and Try to break it try to figure out what happened This summer in july is the pets conference privacy enhancing technology symposium where all of the privacy Anonymity researchers get together and it's in Stockholm, which is not so far from here So in five months or six months or something consider going there to meet all the researchers and if you happen to have a real job We're a nonprofit and we'd love to get a donation and also this afternoon at 1500 in room H dot three two four four is a relay Operator meetup if you run a relay or if you want to run a relay Then please come and chat with us and also I will be wandering around in a bright green shirt Happy to answer questions for the rest of the day and I am Out of time is that I'm out of time so thank you and I'll be around