The second invited talk of this conference will be given by Roger Dingledine. Roger is the president, director and co-founder of the Tor organization, and Tor, in case you don't know, is a widely used system for ensuring online privacy. Roger?

Okay. Hi, everybody. I'm Roger Dingledine from the Tor Project, and I'm going to tell you a little bit about the software that we've been working on and the project that we've been working on. So there are a lot of different topics that I'm going to try to cover today. I'll try to mash several talks into one talk, so hopefully everybody will find something they're interested in, and I'll be around for the rest of the conference wearing a bright green shirt, so you can chat with me more if you have any more questions.

So the basic idea of Tor is it's a program that you can get and install and run on your computer, and the idea is that you can browse the web or connect to other TCP sites where somebody watching you locally can't figure out where you're going, somebody watching the website can't figure out where you're coming from, and some person participating in the middle of the infrastructure can't link you to where you're going. So those are the three main anonymity goals that we're working on.

So in a bigger picture, Tor is a variety of things. Tor is that software I was just talking about. It's also the Tor network. There are about 2,000 or 3,000 volunteer relays around the world right now who are relaying traffic for hundreds of thousands of Tor users. So we have an overlay network that's actually deployed and much larger than PlanetLab. And it's also the Tor protocol. We have specifications that say this is how you can do your own Tor client or your own Tor relay. And several other groups around the world have built their own compatible Tor clients. I really recommend multiple implementations. I can tell you more stories about that later.
So one of the neat things about Tor is the community of different people around the world. Pretty much every city I go to these days, there's some university who has grad students doing Tor research. So there are maybe 50 or 100 people, grad students, professors, all around the world who are working on Tor research right now. So part of my goal is to teach them what the real problems are so that they can be more likely to solve mine. And then we've got developers and users all around the world.

Another interesting thing about Tor is the diversity of funding that we've had over the years. So we started out funded by the U.S. Department of Defense. And then we were funded by the Electronic Frontier Foundation, the EFF. So even from that first step, we've got two completely different groups who never really think that they have anything in common. But in fact, what they have in common is they both want this security or privacy or anonymity online. And from there, we were funded by another U.S. government group called the International Broadcasting Bureau. You haven't heard of them, but you've probably heard of Voice of America or Radio Free Asia, stuff like that. So they have some websites that some people around the world can't reach, and they want to fix that. It turns out once you've built an anonymity system, meaning somebody watching the user can't figure out what destination they're going to, then you're also partway to a circumvention or anti-censorship system, where somebody watching the user can't decide which websites they're allowed to reach and which ones they're not allowed to reach.

So that is one version of Tor. Another version of Tor is we're an actual 501(c)(3) nonprofit American corporation. We were founded in 2006. We fund something like 10 or 15 people, mostly developers, to work on Tor. So we've got two main goals as an organization.
The first goal is I want to build software to keep everybody in the world safe on the internet, for all definitions of safe. And once I'm done with that, the second goal is I want to teach everybody in the world what it means to be safe and how to evaluate things like that. So right now we've got instructions saying, look for the lock in your web browser and then you know you're safe, and there's more work to be done there. So we've got some number of users, over 100,000, less than a million, maybe 400,000 or something, of Tor clients running right now. It's an anonymity system, so it's a little bit hard to count exactly how many users we have.

So let's look at this from the threat model perspective. So we've got Alice over here. She's trying to browse the web or something like that. And we've got Bob. Where can the adversary be? The first issue, the adversary could be watching Alice. Maybe that's Alice's ISP. Maybe this is the Tunisian telephone company monitoring all of its citizens. Maybe it's Starbucks. Or maybe the adversary is watching Bob. Maybe they're really watching Indymedia, so they want to know who's connecting there. Or they're watching Gmail because they're colluding with China. Or they're watching WikiLeaks because they really want to know who's publishing there. Or maybe the adversary is Bob. Maybe it's CNN.com, and they want to know who all their users are so they can advertise to them better. Or maybe the adversary is somewhere in the middle. Maybe it's AT&T or some other large backbone provider. So if the adversary is in all of these red boxes, we're screwed; we can't protect against that. So I guess this is... I've heard from a lot of crypto people who use the phrase "threat model" to define exactly the funny-shaped adversary that provably cannot defeat their system. So in our case, our threat model is the actual adversary that we expect to see in practice.
And I'll explain later on why we can't defeat somebody who's watching all of these different places. So anonymity is not encryption or integrity or other stuff. I talk to a lot of corporations who say, I use a VPN, so I don't need anonymity. I'm all set, thanks. And encryption is good. You should use encryption. But even when you're using encryption, somebody watching your traffic gets to learn who you're talking to, how much you're saying, when you're talking. And that's what all the intelligence agencies use to try to break these things these days. Nobody actually goes after the crypto. It's all about, let's build the social network and let's figure out who that person in the middle is, the one that talks to a lot of people and hears from a lot of people, and then let's break into his house and take his computer, or whatever the next step is.

And there are other variations on what anonymity is or isn't. There are a lot of peer-to-peer designs on the internet that are based on plausible deniability. The idea is, yeah, you asked me for the file, and yeah, I gave you the file, but it might not have been me. I might have been relaying it for somebody else. You can't prove it was me. So there are a couple of problems there. One of them is, what about the 40th time you're the one involved in that transaction? And each time you say, well, you can't prove it was me this time either, statistically that starts to look a bit weird. The other issue is, imagine you're a group of journalists in Burma and they've lined up five people and they're pretty sure it's one of these five, but they can't prove which one of the five it is. That's bad news for all five of them. So I want something where you can't even start to narrow down which user you should be investigating more.

And then there are a bunch of commercial, single-hop proxy systems out there. There was one called SafeWeb long ago, Anonymizer, there are a bunch of different examples.
And the idea is it's one computer somewhere and it proxies all the traffic for people, and they say, we promise we won't look at any of the traffic. Okay, okay, we look at all of it. We promise we won't write anything down. We won't log anything. Okay, okay, we log everything. We promise we won't tell anybody what we see. I don't know what the fourth line is, but I want something stronger than that. I want something that's not based on trust. So I was talking to the chief technical officer of one of these Anonymizer companies a while ago and he was saying, we never answer subpoenas. If we ever answered a subpoena, none of our users would trust us ever again. So of course we never answer subpoenas. And then I was doing a talk for the U.S. Department of Justice and partway through one of them interrupted me and said, why can't you be like Anonymizer? It's great, we send them a subpoena, they send us an answer, it's great. Why can't you be like that? I don't want to pick on any particular companies, but the point there is in that centralized model you have to trust them with your anonymity, and I'd like a design that's decentralized in a way that, as long as the design is working, there's no single organization that promises to keep you safe.

Okay, so I actually only use the word anonymity when I'm talking to other researchers. When I'm talking to my parents and grandparents, I tell them I'm working on a privacy system, because anonymity is a bit weird, but privacy is a good American value. And when I'm talking to companies like Google and Walmart and so on, I work on communication security or network security, because anonymity is bad news, privacy is dead, I think that's, maybe it was the Oracle guy who said that, but communication security, you're right, I do need that.
And when we're working with the Naval Research Lab and law enforcement and militaries and governments, we work on traffic analysis resistant communication networks, which again are all the same security properties. It's the same system that everybody's using, but the goal is to figure out how to phrase this for different communities so they all realize that this is the sort of network they want to use, this is the sort of security properties that they're missing. And then the fourth category that I'm going to be talking about more today is the human rights activist or journalist side, where for them, they don't mind the fact that they can reach their destination safely, but for them it's about reachability, it's about I couldn't get to BBC and now, using tools like this, I can.

Okay, so there are a bunch of different examples of why individual citizens and so on care about this sort of thing. I'm going to mostly skip over that so that I get to some of the more interesting stuff. So here are a few examples. Maybe your insurance company wants to learn about your browsing habits so that they can change your insurance premiums. Maybe your ISP is collecting all of your click logs and selling them. Most ISPs actually are doing that right now, they just don't admit to it very loudly. Businesses also use Tor. Maybe you want to check out the competition's website without letting them know which company is investigating them. What are your engineering department's favorite search terms? Google knows, lots of other people know. Is that the sort of thing that you want to be broadcasting everywhere? Law enforcement uses Tor. I do a bunch of talks to the FBI to try to teach them that I'm not actually the reason why their job is hard. And after each of these talks, one of them comes up to me and says, I use Tor every day for my job, thank you. So part of our goal here is to get all these different communities into the same network so that they can blend together.
And then governments also use Tor. What would you bid for a list of Baghdad IP addresses that get email from .gov addresses? Does anybody else out there want that sort of information? What does the FBI Google for? Lots of examples there.

And then, more to today's topic, journalists and activists also need this sort of thing. For example, let's say you're in Iran and they're monitoring all of the users who connect out, and they say, are you the one who just posted to that blog, because we're trying to figure out who is making comments or who's running that blog discussion? Or maybe the website end is monitored. There's a scary example where... So everybody here knows about LiveJournal.com, I hope? Sounds good. So LiveJournal is a popular blogging platform and it has a thriving Russian activist community. So if you live in Russia and you want your country to be different, you're on LiveJournal talking about making it different. So a few years ago, a really rich guy in Moscow bought all of the ads on LiveJournal, which means every time you load any page on LiveJournal, you tell Moscow who you are and which page you're loading. And nobody really cared about that. And then a few years later, some other really rich guy in Moscow bought the company. So now the KGB operates the company in which the Russian activists are trying to coordinate, and they can't build the activation energy to move off. So that's kind of a sad story.

Another example is yahoo.cn. A couple of years ago, there was a user who had a yahoo.cn email address from inside China, and China went to Yahoo and said, tell us who this user is, because we want to make them a better citizen. And Yahoo said, why, of course. You are a government. We follow the laws of all governments. Here's your user. And then a bunch of people in the U.S. got angry about that, and now there's sort of a shift out of keeping your servers in China. Now they're in Taiwan or Hong Kong or Singapore or something.
I imagine eventually we're all going to creep back so that all the servers are in Iceland. I'm not sure how to solve that particular problem.

Okay, so the big picture is you can't get anonymity by yourself. I remember talking to IBM long ago and they said, well, this is great, but I want to run my own anonymity system where only IBM people use it. And that means that anybody who pops out of that system, you know they're an IBM person. So the goal is to blend them all together so you can't tell whether it's an FBI person or a Russian activist or an American citizen or so on. So far so good?

Okay, and bad people need anonymity too. But if you're willing to break the law, there are a lot of other ways of staying safe on the internet. So a brief taxonomy of bad people, which is a separate talk: you start with your Trojans and your viruses and your exploits, and from there you break into millions of computers, and from there you profit. So I periodically talk to law enforcement who say, but what about terrorists? Terrorists could use your tool and you're enabling them. So let's take a step back. Scenario one: I want to build a tool that works for a million people. It's going to work a year from now and I can tell you how it works so you can help me evaluate it. That's Tor's problem. The bad guy problem is I want to build a tool that's going to work for 15 people for the next two weeks and I'm not going to tell you about it. There are a lot more ways of solving scenario two. So the story about the 9/11 hijackers was somebody walked into an internet cafe, I'm sorry, somebody walked into a library, they logged into their Hotmail account, they drafted an email but they didn't send it, and they walked out. Somebody else walked into a different library, logged into the same Hotmail account, pulled up the draft; no email was sent, so no email was logged. There are a million little tricks like that. I go to eBay and start a flame war.
I mean, there are a lot of different ways of communicating if nobody knows what the plan is. So the goal for Tor is to build something that scales, that we can be transparent about, and that's going to work for a long time. So the current situation is the bad guys are doing great on the internet and the good guys have very few options. So I'd be happy to chat more about that one later on if you're one of those "ooh ooh ooh, Tor is for bad people" people; I'd be happy to talk to you.

Okay, so how do you actually build one of these? The simple answer is you have that computer, the centralized proxy, and all of the users go to it. If they're very lucky they use SSL or some sort of encryption, so somebody watching Alice doesn't learn her destination immediately, but the bad news there is, what about that central point of failure? There are all sorts of ways that a single point of failure fails: subpoena, maybe you bribe the CEO, maybe he sells the company, maybe somebody breaks in. But it's actually worse than that. Generally there's one cable going into that computer and it's the same cable coming out, and if I can monitor that traffic, for example I run the co-location building or something, or I am AT&T, or all sorts of other examples, if I can see the traffic coming in and the traffic going out, then very simple statistics lets me match up incoming flows to outgoing flows, and at that point I break all of the anonymity of all the users, because I say this flow has these certain timing and volume characteristics and this flow has matching timing and volume characteristics, so I'm a winner. So the goal of Tor is to distribute the trust over multiple relays so no single relay gets to learn about both Alice and Bob.
So that means if R1 is bad, he knows Alice is using Tor, but he doesn't know where she's going; he doesn't know about Bob. And if R3 is bad, he knows somebody is talking to Bob, but he doesn't know who. If both are bad, then we lose, because then they can match things up, and we'll talk about that a little bit more in a bit. So there is crypto, but I'm going to mostly gloss over that for this talk in hopes of talking about some of the broader issues. So the basic idea is Alice is going to learn about the relays in the network and their keys, and then she's going to connect to R1 and establish a session key, an ephemeral session key, and then she's going to, through R1, tunnel her connection to R2, and then tunnel to R3 and establish a third session key. And at this point she has the ability to encrypt to any of these relays in a way that the other relays can't read it, and from there she can say, please connect me to CNN, or please connect me to BBC, stuff like that.

So I should point out here that in the crypto literature there's a discussion of a concept called onion routing, which has been mixed up with the phrase mix-net. So once upon a time there was a paper from David Chaum in 1981 which said you've got your mix, and a bunch of Alices send in messages, and the mix waits until there are a pile of messages and then you decrypt them, permute them, send them out in a different order, and nobody watching the mix can figure out which incoming message corresponds to which outgoing message.
So onion routing is different in a couple of ways. The main difference is we have traffic streams, not messages, which means that one of these Alices is asking for the front page of CNN and this other Alice is trying to download an iTunes mp3 or something like that, and they are way different in terms of their timing and volume signatures. So the other difference is in the way that you lay the circuit. We actually lay the circuit as I described and end up with session keys, and then from then on out we just use symmetric crypto after that, because it's fast and does what we need.

So another thing to keep in mind here: so I was talking on this slide about if R1 and R3 are both colluding then we're screwed because of that traffic confirmation attack. One of the open research questions in the anonymity world is, can we make that traffic confirmation attack harder without adding so much extra padding that nobody's willing to do this? So the extreme version is every Alice sends full rate padding into the network all the time, including when they're offline, somehow we solve that, and then the network sends full rate padding to every possible Bob all the time, and it doesn't even make sense to send full padding to eBay, it doesn't know what padding is. So there are a lot of engineering questions there. But even if we could do something like that, we can imagine active attacks where somebody delays Alice's traffic a little bit, and then rather than looking for presence of spikes, now you look for presence of spikes, so it seems like it would be the same math even in the case of full padding. So that's a question we should think about more.

The other question is, if in fact we're vulnerable to this correlation attack, then that means the security or anonymity or privacy from the Tor network comes from having as diverse a set of these relays as we can. So part of the goal here is to have a lot of different relays in a lot of different places. Right now we're up to 2,500 relays in pretty much
every continent. So the goal there is, as we get more relays, the set of adversaries who's big enough to be able to compromise both sides should get smaller and smaller. So I can imagine that NSA has suborned enough American telcos to be able to watch a lot of the internet, and therefore a lot of the Tor network, but maybe French intelligence doesn't have that capability. But we shouldn't be looking at it just as the number of relays; we should be looking at it as the capacity, because some relays are really fast and some are really slow. So Tor clients automatically try to prefer the ones that are faster, so they load balance. So we are pushing something like 1 gigabyte per second of traffic on the internet on average, and for those of you who know networking professors, whenever I show them this graph they freak out, because if the capacity is anywhere near the amount of load on the network then the network is going to have horrible performance problems. So that's certainly something we've been wrestling with, but that's something for a different talk. We're actually doing reasonably well in terms of performance. Here's a graph of how long it takes to fetch a 50 kilobyte file over Tor, and right now we're quite stable around the 3 or 4 second mark, so we're doing about as well as we can be doing at that point.

And we've got some graphs of users over time. The way we do this, I'll explain a little bit more later, but the way we do this is each of the Tor relays sees who is connecting into the Tor network at it. They don't know what they're doing, but they can see where they're coming from, and we ship a GeoIP database with each one so it can convert the IP addresses that it sees into a country and start publishing statistics about that.

Okay, so now let's go on to the interesting stuff. How many people here remember the Iran story from June of 2009, when they were all in the streets protesting? I see a couple of hands, I see many hands, perfect. Okay, so our story starts in June of 2009, when
we have basically nobody using Tor in Iran, and then suddenly it spikes up to 8,000 people a day or something. And I think this is a pretty conservative number, actually. I was talking to the chief security officer of one of those large Web 2.0 companies who really didn't like Tor before this month, and then suddenly his big website got blocked in Iran, and then they were big fans of Tor because their users can use Tor to get to their website, and now they can connect to their social network and so on. And he was telling me that he was seeing 10,000 people a day connecting through Tor. So there were a lot of different people using Tor at this point in order to be safe. There were also a lot of people using plain text proxies, which worked great for June, and then in July they were all arrested, which is an important lesson for us to learn about this sort of situation.

So at the same time I've got China graphed here, because all the western newspapers were saying Iran, Iran, Iran, and nobody was mentioning China. So the, let's see, I've got one of these. So this spike over here was June 4, or as they call it in China, May 35, because they can't actually say the phrase June 4 on their internet. So this is the anniversary of the Tiananmen Square massacre, where there were a lot of people who were saying, I'd like to learn more about what this is and I can't read about it on my network. But over here is where China blocked Google search, Google Groups, Google Calendar, Google something else, and at that point there were a lot of people who started out saying, I'm so glad my government keeps me safe on the internet, and then switched over to, holy cow, they're censoring Google, this is actual censorship, I need to learn how to get around it. So one of the neat things here is China has this habit of blocking a bunch of stuff as a show of power, to say remember that we're still in charge, and then they teach a whole lot of people how to use tools like Tor, and then they back off because a bunch of
people are getting angry that Google is still blocked. So they're sort of inoculating their populace against censorship, where they keep going this round over and over, where they teach more and more people and then back off. So there are a lot of people in China who know how Tor works at this point, which, who knows if that will become relevant later.

So that was the good news. Iran actually blocked Tor again. Let me back up. So that was the good news: it worked, Tor worked in Iran in 2009. But in January of this year Iran had caught up in terms of technology and they'd figured out how to block things like Tor. So they bought some very fancy boxes from Nokia that do deep packet inspection, and they could recognize SSL flows. They basically have a knob to turn down the bandwidth that's allocated to SSL flows, and in January of this year they figured out how to actually recognize Tor flows on the wire. So there are a lot of different ways you can block Tor. The way that they did it was not at all what I was expecting. So they first do deep packet inspection to look for SSL flows, and then they search those flows for our Diffie-Hellman parameter P and block those flows. So boy, was that not what I was expecting them to do for their first attempt at blocking Tor. So that worked for a week or so in January.

So here's a graph of the number of users who were connecting to the Tor network over time in January. The red dots are a seven-day moving average of "gosh, that's way lower than it should have been," and the blue dots are a seven-day rolling average of "that's higher than it should have looked like it was going to be." So we've got a blocking right there. The interesting thing here, so we fixed it in a week or two, and right here was when there was a huge pile of people on the streets protesting. There had been a scheduled protest and Iran knew about it, so they worked really hard to block a bunch of different circumvention tools, and we managed to fix ours before that. So there were 60,000 people
connecting to Facebook to figure out where they should be going, and then more than a million people coordinating out of that. So there were a lot of other tools that didn't recover in time, which means there are a lot of people in Iran right now who know a lot more about Tor than they did before. Okay, so that was another sort of good news: we dealt with it, we fixed it.

Here is September 25, 2009. Here's one Tor relay and how many users it was seeing from China. So basically China managed to block the entire network by IP address, and that was bad news. But let's take a step back. So how do you actually build one of these circumvention tools? There are actually two components to all these things. There's the relaying component, which is how do I build my paths, how do I get my encryption right, how do I do flow control and all of that. And then there's the discovery component, which is what do I connect to, how do I learn about the network topology. And I've been mostly focusing on the relaying component so far; that's what Tor spent most of its time working on. But from the discovery side, we have a very simple distributed directory system. So there are eight directory authorities, and each of them tries to figure out its own view of all the relays, and every hour they publish a consensus and they all sign it, and then all the clients get that consensus. And that means that all the clients have the same view of the network, which is necessary if you're trying to be anonymous together. If Alice one has one view of the network and Alice two has another view of the network, then you end up being partitionable based on the choices that you make in the paths that you build. So we have this big central thing, and it works fine, except the consensus includes a list of all the IP addresses of all the relays. So the first way you can block Tor is you block those eight directory authorities. They're hard-coded in the Tor software, and that means that nobody can bootstrap: you download Tor, you run it, it tries to
connect to one of these eight, it doesn't work, it gives up. And China did this in September 2009. The second way is you block all the IP addresses that are in that big list. China also did this in September 2009. The third way to block Tor is based on protocol fingerprint, for example what Iran did in January 2011. And then the last way is you block our website. So, for example, torproject.org was blocked in Thailand for a long time, and it's blocked in a lot of different countries at this point. So there are a lot of people in Thailand who are saying, well, that was nice while Tor lasted, but the website's gone, so I assume the tool doesn't work anymore. And the program works fine, but you can't get to the website, so they give up. And we've got an email autoresponder where you email gettor@torproject.org from your Gmail account and you can get the Tor binary and you download it. So there are other ways of getting Tor, but it's really hard to communicate this to the people who need to know about it.

So the fix that we have for all these different ways of blocking is what we call bridge relays. So the idea is we've got a bunch of users out there who are running Tor, we've got hundreds of thousands of users; what if we sign a few of them up as bridges, or dark relays, or hidden relays? And the idea is the blocked user will connect through this bridge to the Tor network, and we've changed the arms race now. The earlier game was how do I give 2,000 public IP addresses to all of our users without China learning them, which is an impossible problem. The new arms race is how do I take this list of bridge addresses and give them out one at a time to the good guys without letting the bad guys learn all of them. And that turns out to be a hard arms race, but it's at least a little bit more manageable.

So how do you actually give out the bridges? There are four ways that we're giving them out right now, and we need more, smarter ideas about this. So the first one is you
go to the website bridges.torproject.org and we look at where on the internet you're coming from and we give you a few answers. So that means everybody's going to get a few bridges, but if you want to learn all of them you have to come from a lot of different places around the internet. China also broke this one in September 2009, so they learned about our public IP addresses and they enumerated all the bridges that they could find. But they didn't break the second one, which is you email bridges.torproject.org from your Gmail account and then we send you a few, and if you want to learn a lot you have to make a lot of different Gmail accounts, which Google has incentive to make hard, because they're already battling all the spammers and phishers and so on. So China actually waited until March 2010 to break this one. I don't know if they found it harder to break, or if they didn't notice it the first time around, or if they felt like they did a good enough job that they didn't need to break the rest of them.

So from our perspective we had two main ways of giving out bridges, and China blocked one of them, and then I'm like, oh dear, I've got only one left, surely they're going to break that one tomorrow, what do we do? We actually had a reserved set of bridges which we hadn't given out to anybody. Our plan was, if everything goes bad, then we're going to quickly come up with a brilliant new bridge distribution design and then start using it. So at that point I sent mail to a friend of mine in Shanghai and said, here are 40 bridges, please do something smart with them. So he set up a password-protected Twitter account, signed up his 1,200 closest friends, and tweeted bridges every couple of hours, and those bridges had tens of thousands of users each. So there were a lot of people using those bridges, which is good. I would have liked something a little bit less centralized, but at least the people who knew this guy could continue to have connectivity. So the third approach: I mailed this guy in
Shanghai every day a new set of bridges, and he does something with them. I don't actually care what; he uses his social network somehow to answer people who need bridges. And then the fourth approach is self: you don't have to tell us, we don't give it out, you give it out. So we're working with a lot of human rights groups in China and other places to teach them how to run bridges for themselves and then give them to their users in country. So they've got a lot of members in the US who run bridges, tell those bridges to the non-profit, and then the non-profit shares them, and we've got nothing to do with that.
So back to this story on that day, September 25. So they were actually blocking because October 1, 2009 was the 60th anniversary of some guy becoming in charge in China, so they really wanted to prepare for whatever was going to happen by blocking a lot of different circumvention tools and censorship resistance tools and stuff like that. So they blocked a lot of things, but we'd already prepared for this. We knew it was easy to block Tor, so we'd already put out the bridge design, we translated it into Chinese, we said they're going to block Tor eventually, and when they do, here's what you do: you need to get a bridge. And the result was, over the course of a week, 30,000 people switched from using Tor directly to using a bridge. So that was pretty cool; it felt like our first little scuffle with China worked out pretty well. Unfortunately we don't have enough bridges, and they don't change often enough, and we don't have smart enough ways of giving them out. So right now we've got maybe 800 bridge addresses, and that means that most of the bridges are now known by China, at least the public ones. There are private ones that we don't know about which are doing better, but in terms of the ones that we give out in an automated way, bad news. So I started out saying we need to get lots of bridges so China can't block them all. That was the wrong statement to make. The correct statement in retrospect was, we need the rate of change of our bridge addresses to exceed the rate that China can sustain blocking them. So it's about changing them over time; it's not about getting a lot and then hoping you have enough. So another way of looking at that: when you're volunteering to run a relay for the Tor network, the primary property that you're contributing is bandwidth. The more capacity you have, the better you are for the network. But when you're volunteering to run a bridge for the Tor network, the primary property that you're donating is your IP address, and if you have one, and China is pretty good at learning them, then they're going to learn that one and then you won't really be very helpful anymore. So we'll get back to that one in a few more slides also.
Okay, so what else is going on? Does everybody know about the whole Middle Eastern, Tunisia, Egypt... I hope you've been reading the news over the past couple of months. Sounds good. So these blue dots up here are when you were reading about Tunisia in the news. There were a lot of people in Tunisia who were saying, something's going on, maybe I want some safety, my friend just got disappeared, I want to be able to learn what's going on and tell people what's going on in a way that keeps me a little bit more safe. And then there's Egypt, which... so this right here is when they blocked Facebook in Egypt, and then there were thousands of people who said, I'm going to get to Facebook through various circumvention tools, and some of them decided that Tor was a good one because they would be kept safe. Here is when they shut off the whole internet in Egypt, and then my favorite part is this baseline here is twice what it was before. So there are a lot of people in Egypt now who've learned that in fact maybe they do want some safety or protection from people monitoring what they're doing. And then Libya is not quite as pleasant a picture. So nobody actually wrote about Libya turning off their internet. So Egypt turned off their internet by
actually making phone calls to all the ISPs and having them actually, like, unplug things, whereas Libya just strangled their internet to the point that it wasn't worth using anymore, and that wasn't as exciting an article to write for western journalists, so nobody really noticed that. And it might be recovering a little bit over here; I think they're turning a little bit back on, but bad news for Libya in general. In Syria, we've been reading about them recently. I don't know what's going to happen there, but generally a spike like this tells me something about what's going to be going on in a country. And this little blip right here was actual censorship: one of the ISPs in Syria figured out how to block Tor by protocol. So we were hearing from a lot of users. I think that it had something to do with our SSL handshake. We try to look like Firefox talking to Apache, but we don't do it perfectly, so that means that if they examine the SSL handshake they can figure out this is not Firefox, this is Tor. So there was one ISP that figured out how to do that, and it was doing that for four or five days, and we were really worried that it was going to spread, and then that whole ISP fell off the internet, and when it came back it wasn't censoring Tor anymore. So I have no idea what was going on there, but we'll see if we can learn any lessons from that.
Okay, so let's take a step back here. I talk to a lot of computer scientists who misunderstand the threat from large foreign censors. So one of the key things to keep in mind: if you read the wrong thing on the internet, they're not going to kick down your door and say, you read the Wikipedia article on democracy, you're coming with me. So if you wrote the Wikipedia article on democracy, yeah, that's another story. But there are a lot of people out there who read things. The worst that the Chinese firewall does, if you read something you shouldn't have read, is they say oops, and then they fix their censorship, then they start to block it. They don't start rounding up people who read the wrong thing. At the same time, censors have an economic, political, social incentive not to block the whole internet. So I started this thinking, if I make China turn off their internet, did I win or did I lose? And the answer is China is not going to turn off their internet; they've got too much at stake. But there are collateral damage situations. A couple of years ago there was somebody in India who read some blog post from Pakistan, and it was religious, and the fellow in India said, we have to censor this blog post or we're going to have a war on our hands. So the guy in India sent mail to the seven major ISPs in India saying, can you block this web page for us so that everybody will stay peaceful? And so they blocked the web page, and everybody was happy, except it turns out that the web page they blocked was a little domain that they didn't know much about called Blogspot, which meant that they blocked 8 million blogs for a week. And there were a lot of people in India saying, wait a minute, I live in a democracy, I thought I was free here, how are they censoring the internet? That's a story I hear over and over. I remember long ago getting email from people in Thailand who were saying, they blocked torproject.org, so I'm going to sue. And then a few years later the tanks roll and it turns out that maybe it's not quite as free as they thought. So part of the interesting side there is that we can use whether our website gets blocked as an early warning system to figure out whether there's going to be political or social change in the country.
Okay, so what are we actually up against? Once upon a time I was saying, okay, it's me against the Chinese government, I can handle this. And it turns out that the folks who built the Chinese firewall are an American company called Cisco. Now they don't still run it, because China managed to figure out how to build better routers for their purposes. But the people who run the Syrian firewall are an
American company called Websense. The folks who run the Saudi Arabian firewall, I don't remember which one, but it's SmartFilter or Cisco or Websense. There was a company called Fortinet that built the firewall for Burma, and Cisco outcompeted them. So part of the challenge here is that it's me against 2,000 PhDs at Cisco who are trying to figure out how to censor employees of American companies better. So Syria can't actually afford to buy this stuff. If Syria goes to Cisco and says, build us a censorship system, Cisco is going to say that'll be a couple hundred million dollars, and Syria will say, I can't afford that, never mind, we don't need it. But the problem is that Boeing goes, we need a censorship system for our employees, we need to keep them from reading news at work, and then Cisco builds it, and then afterwards Cisco's happy to sell it to Syria or whoever else out there wants to buy it. So I was talking to Whit Diffie about this a year ago or something, and he was explaining, it's simple: you make two categories. You make the category of companies that are willing to sell stuff to countries that they shouldn't sell it to, and then you make a list of the people who aren't willing to sell to countries, and then you publicize both lists, and that way everybody can choose, let the market decide. That might work, but the second list is empty. There are no companies that won't sell to any country that's happy to buy this stuff. So I don't know how to deal with this. I mean, the US State Department has rules against selling this stuff to certain countries, but nobody actually enforces them. I mean, how did Iran get its stuff from Nokia? The answer is they went through a European distributor, which is totally fine. So there are so many loopholes at this point, I'm not really sure from a societal pressure perspective how we can resolve this particular problem.
Okay, so there are a bunch of other topics to cover, but I'm going to skip over some of them. For example, Tor provides anonymity, meaning nobody knows where your packets are coming from or going to, but if you write your name in your blog post, we can't help you. And there are a lot more subtle examples of that, where you put cookies and you can be recognized by them, or you go to a website and they look through your browser history, or every time you go to a website Internet Explorer sends exactly how many pixels by how many pixels your browser window is, so the website can figure out how to display stuff to you best. So all of these are ways to track you over time. We have a Firefox extension called Torbutton that tries to block a lot of these without making your life too miserable. Which brings me to Flash. So Flash is... there are a bunch of different plugins, but in general you go to a website, it gives you a Flash applet, which is an arbitrary binary blob. The Flash applet roots around on your hard drive, finds some interesting documents, figures out your IP address, sends it back over Tor. Tor is doing its job: Tor is anonymously sending your IP address back to the website that sent you the Flash applet. That might not be what you want. So the fix that we have is, no Flash for you. Which is especially frustrating because if you're in Turkey and they block YouTube and you install Tor so that you can get to YouTube, and then Torbutton turns off Flash to keep you safe, something's gone wrong there. So there's a definite competition, contradiction between usability and security in that case. But it gets worse. Did you know that Microsoft Word is a networking application? If I embed an image link with enough backslashes, it turns into a NetBIOS call that goes out immediately to the network to fetch that image. So if somebody downloads a .doc file over Tor safely and then they click, click it, and that's the end of their privacy, security, anonymity. So I mean, we hear stories about the Chinese government sending this sort of thing to Tibetan activists. So the very short answer is, don't use Flash, don't use Windows, don't use any of these
other dangerous things. But that answer doesn't work very well for most of our users, so that's another discussion. So there are a bunch of different ways to install it. There are basically two safe ways to use Tor at this point. There's the Tor Browser Bundle, which comes with Firefox and Torbutton and everything. It's standalone; you can stick it on a USB key, you walk into an internet cafe and you use it, and then you close it and you walk away and it doesn't leave very many traces. And the other approach is a live CD, where you have an operating system, everything's pre-configured to keep you safe, it doesn't have Windows or Word or Flash, and whatever you do hopefully will remain safe.
Okay, so I talk to a lot of users who say, I'm using Tor, so I'm totally safe, right? And there are a lot of other things that you have to keep in mind. There's the application-level stuff like cookies and history, but there are a bunch of other assumptions that we have to make about our users. For example, if you have spyware installed, or a keyboard logger, or something like that, then we can't help you. The extreme example of that is, if you're lucky enough to be using the internet in North Korea, there's a guy standing over your shoulder with a machine gun watching you type, so my software is not going to help you in that situation, because they're going to see what you're doing. There was a law in Beijing a little while ago that says every seat at the internet cafe has to have a video camera watching the screen, so if you're in that situation I also can't help you. I'm told that one's not so bad, because the first person who walks in in the morning reaches up and turns it away and nobody ever turns it back. So I mean, maybe that's okay, but that's another situation where you need to think a little bit harder about this. So I was doing a training for a bunch of folks in Vietnam a while ago, and I showed up to teach them about PGP and Tor and Off-the-Record messaging and 128-bit good, 40-bit bad, things like that, and they were getting phone calls in the audience saying, so-and-so just got arrested, what should we do? And it quickly became clear that I should be teaching them OPSEC, operational security, rather than infosec, and that's not something that Tor is particularly well suited for. So they were telling me really horrible stories, like, I go to the bathroom and they break into my house and answer my Skype calls, so yes, I use encrypted Skype, but we still have to have some informal protocol afterwards where we ask a question that the other guy ought to know, and sometimes the other guy doesn't know the answer. Or, they steal my laptop and install new hardware and software, can you take a look at it? Or, there's a guy across the street with a parabolic microphone listening to everything I say, so yes, I use encrypted Skype, but that's not going to do it for me. And so we actually finally tracked down one of the ways that these folks were being monitored. So they had laptops they were pretty sure were being monitored somehow, but we couldn't find the rootkit, we couldn't find the back door. And eventually there was an instance where there were seven Vietnamese activists, and one of them PGP-encrypted mail to the other six and sent it, and the plain text of it got published in the national newspaper the next day. And so everybody's like, is there a mole, is PGP broken, what's going on here? And it turns out that Windows doesn't ship with Vietnamese keyboard driver support by default, so if you want to use Vietnamese with Windows you go to the same place everybody else goes and you download the Vietnamese keyboard driver and you install it. It turns out that the Vietnamese secret service has backdoored the keyboard driver that every Windows user uses. So if you're using Vietnamese on Windows, you are part of the Vietnamese secret service botnet, so they get to watch people and read their mail and whatever else they want to do. That's another situation that I can't solve.
Another situation that I can't solve: how do you know you really have Tor? So you go to torproject.org; if you can do the SSL thing, great, you can make sure that you're talking to the website, unless the CAs are broken, or unless somebody's lying to you, or all sorts of other problems. So the very short answer is, whenever I do a talk I find people and say, here's my business card, and it's got my PGP key on it. That means that you can download the software, download my key, check the signature, make sure that it's actually the authentic software. And if you understood that sentence, you are all set. But none of them understand that sentence, so I'm not sure where to go from there. And even if they do understand the sentence, so I've given my business card to maybe 10,000, 15,000 people in the US and Europe, and I've given my business card to maybe a thousand people in China. I hear they have more people than that. I don't know how to solve this problem, because they're going to end up downloading Yellow Dog Tor or something like that, and the only thing from my perspective is they're going to send me mail saying, it's great, Tor works again and it's faster than ever, I love it, and they won't be using Tor at all. So I don't know how to solve that.
Okay, another challenge: publicity attracts attention. So a lot of circumvention tools start off going to the New York Times and the Wall Street Journal and saying, we're going to deploy this fantastic new thing, it's going to be great, nobody's ever going to be able to block us. Their website gets blocked before they've written a line of code. So from the censor's perspective there are two reasons that they want to block something. One of them is it's working really well, so everybody knows about it and they have to regain control in the minds of their populace. Or it is threatening them in terms of appearance of control. So the way that the Chinese firewall works, as I understand it, is the directive from on high is, don't embarrass us. And that means every ISP has some poor technical guy who's like, don't embarrass us, what does that mean, what am I supposed to block? And that's why you've got a lot of variation on blocking from one ISP to the next. And the more you have articles in the western press about things like Tor, the more likely it is that the policy people are going to read those, and if you just read that Tor works, what are you doing about that? So part of our strategy is to avoid having popular articles like that, and that means that they don't get any pressure from above. So we were talking to the folks who run the firewall in Bahrain, and they use Tor, so they don't want to block it. So their job is to keep their job without doing too much to ruin the internet. Most technical people don't like censorship, and they don't want to block the firewalls. So there was another one a couple of years ago where Hal Roberts from the Berkman Center ended up doing a blog post where he was looking at a different circumvention tool, and he found their frequently asked questions list, and one of the questions was, do you sell user data? And the answer was, paraphrased, yes, and the more you pay the more fine-grained the data is. And there was a big fuss, because a lot of the users are like, hey, I'm using you as a circumvention tool. And the answer was, we're a circumvention tool, what does that have to do with safety? We let you reach BBC; of course we log everything and sell it, how else can we make money? So there's a big clash right now between various designs, where from Tor's perspective, if you're going to let somebody get around censorship you need to do it in a safe way, so that nobody can figure out en masse who's doing it, but there are a lot of other VPNs that only focus on the circumvention side. Australia censors, New Zealand censors, England censors, Denmark censors, Sweden's working on censoring, there's a US government law that tries to get pushed through each year to censor, Canada's working on censoring. So there are a couple of problems
here. The first one is, when the US State Department goes to China and says, you're a bad government because you censor the internet, then they turn around and say, we're just keeping our citizens safe, just like everybody else does. England keeps their citizens safe; how come you aren't picking on them? So part of the challenge here is, pretty much uniformly the way this works is the government decides they need to censor something bad on the internet, so they build a censorship infrastructure, and then they have some sort of quasi-government organization in charge of deciding what the country isn't allowed to look at, and they start out with a pretty small list, and then they end up putting more stuff on it. And then there's a new politician in power and he's like, I've got this headache from this organization, and if I just put it on the list then it'll go away, my headache will go away. So the list grows and grows. I was in Australia a while ago, and they have a dentist website on their censorship list, and I think the way that it happened was he had malware on his website, somebody broke in, somebody put something on it, the website went on the censorship list. Turns out there's no way to get off the censorship list; they never bothered thinking about that side of the equation, because clearly we only put bad things on the censorship list. So there's a group in England called the Internet Watch Foundation, and they sent me mail a while ago. They're the group in charge of building the UK censorship list, and the mail that they sent was not what I was expecting. A lot of people would say, surely they're trying to hassle you into either giving up your users or disappearing or something. Their question was, how can we make Tor faster? And that's because they use Tor to check out the internet. A bunch of websites have realized that if you're coming from the Internet Watch Foundation's IP address, you don't give them the stuff they're looking for, so they need an anonymity tool in order to be able to do their job.
Okay, so there are a bunch of different advocacy and education sides of this. I spend a lot of time in DC talking to policy people to try to teach them about the internet and security and stuff like that, and once I'm done teaching them, they go get a better job, which makes this particularly challenging. So part of what we need to do is teach a bunch of law enforcement and journalists and other policy people about bad stuff on the internet and bad policies they're heading towards. That's also a separate talk. We have an EAGER from NSF to figure out how to collect statistics about the Tor network and its usage in a way that doesn't hurt users, and then give everybody the data. Those graphs that I was showing you before come from that sort of thing. So we've got a bunch of data that nobody's really looking at, and we have some algorithms for making sure that it's safe that nobody has really evaluated, so I'd love to chat with you more about that to see if you can de-anonymize our users or something like that.
Okay, so technical solutions to solve the whole problem here: the problem in China is that a lot of the people there say, I'm so glad my government keeps me safe on the internet. So it's not about building a better circumvention tool; until everybody's free you need to change society as well, and there are plenty of people in China who are working on that. I remember long ago there was some journalist at the San Jose Mercury News who called me up, and her question was, so how are you doing against China? Wait, wait, wait, I'm writing software. There are people in China who know how China should change. I have no idea how China should change; it's not up to me, it shouldn't be up to me. I provide tools to let other people around the world change the world in the way that they think it should be changed. So at the same time, those people need some sort of security while they're doing it. You guys should all run relays. Every relay has an exit policy that lets you decide
whether you're going to allow something or other stuff, so if you run a non-exit relay, all you're doing is contributing bandwidth and making the world a better place. You're at a university; you're in a perfect position for doing that.
Okay, so what are some of the technical stuff that we're messing with, towards the end of the talk? So we've got this bridge distribution system. So we've got 800 bridge addresses, and we've got those four strategies I was talking about: through HTTPS, or Gmail, or I send it to a guy in Shanghai. Step one, we need to figure out how much use each bridge is seeing, and we're actually doing that right now, because the bridges ship with the GeoIP database and they publish, I saw this many users from China, this many users from Tunisia, this many users from Egypt. Step two, we need to figure out when the bridges are blocked. That turns out to be harder than it sounds, because we need to learn at what point this bridge is no longer reachable from some IP address that we can't easily test from. But once we've got those two, then we can imagine having a bunch of different distribution strategies. We've got the email one, or the website one, or a guy in Berkeley, or a guy in Shanghai, or a guy over here, and you can sign up to be a distribution strategy, and then we can start coming up with metrics where we say, if your bridge doesn't get blocked for a long time and it has a lot of use, that distribution strategy scores a 10, but if it gets blocked quickly or doesn't get much use then it scores a 2. So we can start adaptively rewarding the strategies that work well and dynamically give out more bridges, more addresses, to the ones that are more efficient. I could imagine that we could start automatically recognizing which individuals are good at getting bridges into the hands of the right people. So we need more bridge addresses, we need them to change more often, we need better distribution strategies. And I was talking to Dan Boneh about a design that we're working on called flash bridges. The idea is you get a bunch of users around the world to go to a website, it gives them a Flash badge, which is a little program that turns them into a bridge, so at that point we would have millions of users running bridges, but for very short periods of time, which produces lots of open research questions about exactly what Dan is excited about. So measuring bridge reachability, there are a bunch of different ways, but I'll have to cover that one afterwards. Other stuff to think about: traffic camouflaging. So right now we try to look like SSL on the wire; we try to look like an actual SSL handshake. But we can't be exactly like SSL, because Firefox uses the libnss library whereas we use OpenSSL, which means that we're going to be offering a different set of cipher suites and other stuff that can make us distinguishable. So right now we've been working on hacking OpenSSL to make it pretend to be looking like Firefox. That arms race sucks; we're losing it. So the next step is, what would happen if we ship another proxy that adds another layer of encryption on top, so that we just look like complete encrypted garbage out of the gate? So there's no handshake at all. The simple intuition is Alice sends some bytes, Bob sends some bytes, and then you talk from there. So at that point the deep packet inspection tools aren't going to work anymore. Is that going to be enough to win the arms race for a while?
So the next step is, let's try to actually look like HTTP. We can imagine some distribution of what people looking like HTTP would be. Maybe we put our message in the cookie, maybe we do some sort of binary thing, maybe we hide it steganographically. There's a question about how much overhead we can have there. But at the same time we need obfuscation metrics, so if I give you five different encoders which all claim to be unblockable by some Cisco box, how do we actually decide which one is better, which one is worse? So those are some more topics to cover. And I've got a couple of graphs at the end just to raise some unknown questions. So here's a big spike of people in Ghana a few weeks ago that were using Tor for some reason. It ramped up and then it clipped. Did they censor Tor? I don't think so. There's some political event that happened; I have no idea what's going on. So if you know what was going on in Ghana, please let me know. At the same time we've got Chile, where it spikes up and then goes down. So thousands of people were using Tor for some reason a couple weeks ago in Chile. And we've got Venezuela, that looks the same but it takes a lot longer. I have no idea what's going on in these various countries, but we've got graphs of interesting events where Tor usage goes up or down. So if you know how to... protest? Okay, quite plausible. Ideally we should figure out some way to automatically map something going on in the country, maybe in Google News, to these graphs. That would be really cool. Pardon? Okay, so I am 25 seconds out of time, and I think we have 4 minutes left or something for questions. Or should we let them go to lunch?
I think we should take questions. Thank our speaker. If you do have questions, could you please come up to the microphone to ask it? That'd be fantastic, because there's a lot of echo in here. You'll have to route it through your neighbor.
Roger, can you tell us a few words about the relation between the Tor project and WikiLeaks?
A few words about the relation between the Tor project and WikiLeaks. So the very short answer there is, the Tor project and WikiLeaks are not the same organization. Tor writes software which a lot of different people around the world use, including WikiLeaks. So WikiLeaks made use of Tor; it was the recommended way of safely getting stuff to the WikiLeaks website. So part of the challenge there was a lot of journalists really wanted to mush them together, so we got a lot of calls over and over saying, hi, we're from the New York Times, can you give us a statement about WikiLeaks? And then we had to explain, actually, maybe you should talk to the WikiLeaks people if you would like a statement about WikiLeaks. So hopefully that answers that.
There was a case a few years back where somebody added his own relay to Tor and found a lot of Iraqi, Iranian embassy passwords. Can you comment?
Yes, so the embassy password thing. So there was a guy in Sweden who went to as many journalists as he could find and said, I have hacked the internet, it's great, and I'm not gonna tell you how I did it. So then all the journalists had to produce newspaper articles saying, Swedish hacker breaks internet, brilliant hacker won't say how. And then a week later he went to all the journalists again and said, I did it by running a Tor exit relay, and it turns out that not all the Tor users use end-to-end encryption, so I could see their password plugging into their POP server or something like that. And then all the journalists were forced to produce another round of publicity: brilliant Swedish hacker snoops Tor network, learns passwords. And he ended up winning, I think he won the hacker of the year award in Australia, and that same day that he won that award he got arrested in Sweden, and all the stuff got taken by the Swedish law enforcement. I was meeting with Swedish law enforcement, I guess it was a year ago or something, and I was asking them about this case, and they didn't want to specify because it's an ongoing case. So the very short version is, if you are planning to
wiretap the internet and then publicly talk about it, maybe you should chat with a lawyer first. So that's the short version. I was actually chatting with some other people in Sweden; apparently this guy is well known and well hated in Sweden. He signed up for the Swedish Pirate Party and then he called up law enforcement and said, I'm your man on the inside. Except Sweden is actually kind of small, so Swedish law enforcement called up the Pirate Party and said, apparently we have a man on the inside. So that, yeah, I don't think that he's doing too well socially in his community. Other questions?
Are there any analyses on what sort of traffic is on the exit servers? I was at the Privacy Enhancing Technologies conference once, and I got one opinion from a person who ran a relay, which seemed to be pretty biased, and he said that he had run the proxy for a few months and looked at what was going on, and said that it was almost all pornographic, especially much child pornography. But I know, I work on the privacy domain, so I'm not against Tor at all, but I think some people have such an opinion, even in the community, and I want to know what was your opinion, or if you have some data, more large data, on this subject.
So the first answer is, the median connection over Tor is web browsing, and the median byte over Tor is file sharing. So that leads us to a performance discussion about how do you squeeze down the file sharing so there's space left on the network for other people. In terms of what people are doing, nobody's actually done a formal study on that, mainly because there are wiretapping laws, or the EU has its own equivalent of that, so you can't really look at what's coming out of your exit relay without breaking the law. So we've got anecdotes. We've heard from lots of different people who are using Tor for various good reasons. I've also heard from the FBI Innocent Images unit that they use Tor in order to try to hunt down bad people. So I've heard from a lot of different law enforcement groups that need systems like Tor in order to be able to do their job catching child pornographers. But that's certainly a longer discussion that we could have later. My very short answer is, let me tell you about all the good uses of Tor. If you want to make bad people disappear from the internet, that seems like a hard challenge to do. For the first couple of thousand users, they were all technical people for Tor, but now that we've got hundreds of thousands of users in Tor, we have a snapshot of the internet; it's sort of a cross-section of the internet.
Sorry, can I do a small follow-up on the question? In fact it's just as you say, well, I'm not aware of any third and scientific study of what's going on, and I just had an idea of, I mean, like, a great percentage... there are interesting things, nobody doubts about it, but it's more about what is the percentage, the part, the share of the interesting things, and what is the share of other things. I have mentioned pornography or whatever. You have had probably more small stories and opinions than anyone; your estimation on the share of each thing?
I think most of the Tor traffic is ordinary people in the US and Europe who read newspaper articles about NSA wiretaps America, or they read newspaper articles about US government agency loses 30 million names, addresses, credit card numbers, and they say, oh my gosh, I need to find a way to be safer on the internet, here's this Tor thing, I'm going to use it. So I think the way that we get to hundreds of thousands of users is by having almost all of them be ordinary citizens caring about civil liberties and freedom from being stuck in some huge corporate database and then lost.
So I suggest we continue our discussions over lunch, and let's thank our speaker again for a wonderful talk.