 Okay, hi everybody, I'm Roger Dingledine and this is Jake Applebaum and we're here to tell you more about what's going on with tour over The past year we actually wanted to start out Asking Laura to give us a little bit of context from her perspective about citizen for and the value of these sorts of tools to journalists my life, okay So Roger and Jake asked me to say a few things about about tour And what does it mean for investigative journalists and I can say that certainly the work that I've done on Working with disclosures by Edward Snowden and first communicating him with him would not have been possible Without the work that that these two people do and that everybody who who contributes to the tour network So I'm deeply grateful to everyone here When I was communicating with Snowden for several months before before I met him in Hong Kong We talked often about the tour network and it's something that actually he feels is vital for you know online privacy and To sort of defeats surveillance. It's really our only tool to be able to do that And I just wanted to tell one story about what happens when journalists don't use it I can't go into lots of details, but there's a very well-known investigative journalist who was working on a story He had a source and the source was in the intelligence community And he had done some research on his computer not using tour and I was with him and he got a phone call and On the phone the person was saying what the fuck were you doing looking up this this and this and this is an example of what? Happens when intelligence agencies target journalists so without tour. We literally can't do the work that we need to do So thank you and please support tour. Thanks So to follow up on what Laura has just said We we think it's important to really expand not just into the technical world or to talk about it political issues In some abstract sense, but also to reach out to culture So in this case this is a picture in the rena sofia Which is one of the largest museums in Spain and that in the middle is Mason Judy and Trevor Paglin And that's me on the right and the only time you'll ever find me on the right And so it is the case that this is a tour relay It's actually two tour relays running on the open hardware device novena made by bunny and Sean and It's actually running as a middle relay now But it may in some point with one configuration change become an exit relay And it is the case that the rena sofia is hosting this tour relay So now if so we live in capitalism So so it is the case that if the police want to seize this relay They've got to buy it like every other piece of art in the museum And part of the reason that we're doing this kind of stuff or at least that piece of art Which I did with Trevor and Mason and leaf riggy who's also in this room and Aaron Gibson also in this room Is because we think that culture is important and we think that it's important to tie the issue of anonymity Not just as an abstract idea, but as an actual thing that is representative not only of our culture But of the world we want to live in overall for all the cultures of the world and so for that reason we also have quite recently been thinking a lot about social norms and It is the case that there is a person in our community and many persons in our community that have come under attack and have been deeply harassed and we We think that that sucks and we don't like that even though we promote anonymity without any question That is no backdoors ever and we'll get back to that in a minute It is the case that we really want to promote being excellent to each other in the sort of spirits of noise bridge And this is a little bit American centric, but you can get the basic idea It applies to Europe as well just replace First Amendment with some your local law or a local constitutional, right? It isn't the case that we're saying that you shouldn't have the right to say things But we are saying get the fuck out of our community if you're going to be abusive to women And you'll note that I use the word fuck to say it And I'm sorry about that because the point is we all make mistakes And we want to make sure that well, it's true that we have transgressions We want to make sure that we can find a place of reconciliation and we can work towards conflict resolution And it's important at the same time to recognize that there are people whose real lives are harmed by harassment online In this case one of the people is in this audience and I hope that they won't mind being named But we want to give her a shout out and say that we stand behind her a hundred percent. Yeah, so So one of our developers on core tour Andrea has been harassed on Twitter and elsewhere Really a lot more than should happen to anybody and there are a couple of points to make here One of them is she's a woman and women online have been harassed for basically since online has existed Not just women other minorities pretty much all over the place Especially recently things have been getting worse the other important point to realize She's not just being attacked because she happens to be there She's being attacked because they're trying to attack the tour project and all the other people in tour So yes, she may be the focus of some of the attacks But we the rest of the tour community the rest of the security community need to stand up and take on some of this burden of Communicating and interacting and talking about these issues. We can't just leave it to her to defend herself And so we want to set a particular standard Which is that there are lots of journalists that have a lot of questions and we really think that there are a lot of legitimate questions to Ask for example I think it sucks that we take Department of Defense money sometimes and sometimes I also think it's good that People have the ability to feed themselves and have the ability to actually have a home and a family now I don't have those things really I mean I can feed myself but I don't have a home or a family in the same way that say the family people inside of tour do and They need to be paid It is the case that that is true and that raises questions like I I personally wouldn't ever take CIA money And I think that nobody should I don't think the CIA should exist, but we have a diversity We have a diversity of funding because we have a diversity of users And so that raises a lot of questions and I think people should ask those questions and Roger and the rest of the tour Community feels that way, too But it's important that we don't single out a specific person and in particular to single out Andrea again She does not deserve all of the heat about some of the decisions that the tour project as a nonprofit makes She is a developer who is integral to tour if it was not for her a significant portion of tour would not exist It would not be as bug-free as it is and it would not be getting better all the time So we want people to reach out to this alias if they actually want to talk and have a forum where The whole of tour can really respond and think about these things in a positive way and really engage with the press In a way that we can manage because at the moment we get I would say five on average press request every day That's really a lot and it is also the case that Four of those requests are very well phrased extremely reasonable questions and one of them is you know, why did Jews run tour and We should address all of them we really should and at the same time We have to recognize that some of these people that are kind of harassing They might trigger me that one would trigger me and I would probably write back with something kind of shitty So we want to distribute the work in a way where people will be nice even to the people that are unreasonable because at the core We need to be held to account and we need people to look to us about these things and to ask us these hard questions And so this is the address to reach out to not harassing Andrea online on Twitter not coming after individual developers Not posting crazy stuff on the mailing list Wait until we've actually talked here then post the crazy stuff on the mailing list or wherever you're going to post it And then hopefully we can actually answer the questions in a good faith helpful way There's no reason to talk about conspiracy theories. We can just talk about the business plans and then to that point We want to make it clear Stop being an asshole to people in the community, but this is not negotiable We are not saying because we don't want you to harass people that we're going to backdoor tour That will never happen You will find a bullet in the back of my head before that happens and maybe Rogers too depending on the order of operations Okay, so we're going to talk a little bit about the various things we've done over the past year To give you a very brief introduction to tour tour is an anonymity system You've got Alice the client over there She builds a path through three different relays around the world and the idea is that somebody watching her local network connection Can't figure out what destinations she's going to and somebody watching the destinations can't figure out where she's coming from And we have quite a few relays at this point Here's a the red line is the graph of the number of relays We've had over the past year for those of you who remember heart bleed You can see the big drop in April when we removed a bunch of relays that had insecure keys But this is not the interesting graph the interesting graph is capacity over the past year and we've gone from a little over six gigabytes per second of capacity up to more than 12 gigabytes per second of capacity and As long as we can make the difference between those two lines big enough then tour performance is pretty good But we rely on all of you to keep on running relays and make them faster and so on so that we can handle all the users who need tour Okay, another topic Deterministic builds Mike Perry and Seth Schoen did a great talk a few days ago So you should go watch the stream on that the very short version is We have a way of building tour browser so that everybody can build tour browser and produce the same Binary and that way you don't have to worry about problems on your build machine And you can actually check that the program we give you really is based on the source code that we say that it is and this is of course important because We really don't want to be a focal point where someone comes after us and says you have to produce a backdoor version so it's very important because we do receive a lot of pressure from a lot of different groups and We never want to cave and here's how we think it is the case that we will never cave Free software open specifications Reproducible builds things that can be verified with cryptographic signatures That's will not only keep us honest Against the what do you call it the angels of our better nature? I don't believe in angels But anyway the point is that it will keep us honest But it will also keep other people at bay from trying to do something harmful to us because when Something happens you will be able to immediately find it and Mike Perry by the way is incredible He probably hates that I'm saying his name right now. Sorry Mike. Are you here? Bastard But Mike Perry is a machine I mean he else has a heart but he's a machine and he's incredible and he has been working non-stop on this and he is Really groundbreaking in not only doing this for Firefox But really thinking about these hard problems and understanding that if he was just building this browser By himself and he was doing it in a non verifiable way That it would really actually be a serious problem because we distribute this software and so I mean there is a reason that the NSA calls Mike Perry a worthy adversary and it is because he's amazing So let's give it up for Mike Perry Not only that but his work along with bitcoins work has pushed Debian and Fedora and other groups to work on Reproducible builds as well. So hopefully the whole security community will get better to The point about citizen for one of the things that's been happening quite recently is that Really respectable nice people like the people at Mozilla have decided that they really want us to work together Which is great because we've wanted to and we have respected their work for a very long time and so tour is now partnering with Mozilla and That means that Mozilla as a group will be running tour relays at first middle nodes and then hopefully we believe exit relays and That is huge because Mozilla is at the forefront of doing a lot of work for end-users just everyday regular people wanting privacy Things like do not track for example are a way to try to experiment Things like the tour browser are a way to experiment even further to really bring privacy by design and it's amazing that Mozilla Is doing that and we've made a partnership with them And we are hopeful cautiously optimistic even that this is going to produce some very good results where our communities can sort of fuse and Give privacy by design software to every person on the planet with no exceptions whatsoever Now we also have a couple of things that we would like to talk about just generally that are a little bit technical But with the same time we want to keep it accessible because we think that this talk Well, it's useful to talk about technical details The most important thing is someone who's never heard of the tour community before who watches this video We want them to understand some of the details and enough Let's say Technical understanding that they'll be able to go and look it up if they want to but they'll also understand We're not just glossing over it completely So pluggable transports are very important right now The way that tour works is that we connect with an SSL TLS connection the protocol SSL TLS one of the two depending on the client library and the server library and That looks like an SSL connection for the most part But as some of you know there are people on this planet that connect SSL collect SSL and TLS data About everything flowing across the internet That's really a problem. It turns out we thought in some cases that it was just censorship that mattered But it turns out broad classification of traffic is really actually a problem not just for blocking but also for later doing identification of traffic flows So I've already lost the non technical people in the audience So let me rephrase that and say we have these other ways of connecting to the tour network And they don't look just like a secure banking transaction they look instead like DNS or HTTP that is your regular web browsing or name resolution and We have a lot of different pluggable transports and some of them are cool Some of them make it look like you're connecting to Google when in fact you're connecting to the tour project And it's because you in fact are connecting to Google Leaf riggy, are you in the room here? Maybe no, this is really you guys in your anonymity, so It is the case he showed this to me I mentioned this to some other people on David five field I think either independently rediscovered it There's also the go agent people that discovered this you can connect to Google with an SSL connection and the certificate Will say dub dub dub google.com and you of course verify it and it is of course signed probably by Adam Langley personally and Maybe it's just the Google CAs and Then you give it a different HTTP host header So you say actually I want to talk to app spot I want to talk to tour bridge dot app spot calm and inside of the TLS connection Which looks like it's a connection to Google which is one of the most popular websites on the internet You then make a essentially an encrypted connection through that And then from there to the tour network Using Google, but also cloudflare. They don't just provide you with captures We were joking we should stand outside his office and make him answer captures to get in the door All of those people clapping wish you would solve the cloudflare capture issue So it also works with other compute clusters and other CDNs And so this is really awesome because it means that now you can connect through those CDNs to the tour network Using meek and other pluggable transports like that So that's a huge win and deploying it by default I think we have another slide for that. Nope, that's it We've got a different one. Yes, so one of the neat things about meek is Because it works on all these different sorts of providers Akamai and all the CDNs out there a lot of those are still reachable from places like China lots of our Pluggable transports don't work so well in China, but meek does at this point. So there are a lot of happy users Here's an a graph of an earlier pluggable transport that we had called obfus 3 It still works in China and Iran and Syria and lots of places around the world But the sort of blue aqua line Is how much use we've seen of obfus 3 and you can tell exactly when we put out the new tour browser Release that had obfus 3 built in and easy to use by ordinary people So one of the really important pushes we've been doing is trying to make Rather than trying to explain how pluggable transports work and teach you everything Just make them really simple make them part of tour browser You just click on my tour isn't working So I want to use some other way to make my tour work And we've got 10,000 people at this point who are happily using obfus 3 I think a lot of them are in Syria and Iran at this point Something else we've been doing over the past year is working really hard on improving the robustness and Testing infrastructure and unit tests for the core tour source code So Nick Matthewson and Andrea Shepherd in particular have been really working on robustness to make this Something that we can rely on as a building block in tails in tour browser in all the other Applications that rely on tour so in the background things are getting a lot stronger Hopefully that will serve us very well in the battles to come Okay So this fine gentleman who was a teen heartthrob on Italian television many years ago. Thank you for doxing me. Sorry You've been using tour Yeah, TV over tour so a project that we started a couple of years ago with with Jake Is sort of related I guess to the tour project's goals of increasing privacy and having a better understanding on how People's lives are impacted through technology and this this project is called the uni or the open Observatory of the network interference And what it is before being a piece of software is a set of principles and best practices and specifications written in English For how it is best to conduct Network related measurements the sort of measurements that we're interested in running have to do with identifying Network irregularities. These are symptoms Then can be the sign of presence of surveillance or censorship on the network that you are testing And we use a methodology that has been peer-reviewed through we which of which we have published a paper It's implemented using a free software and all of the data that we collect is made available to the public so that you can Look at it analyze it and draw your own conclusions from it and and so we believe that this effort is something that is helpful and useful to people such as journalists researchers activists or just simple citizens that are interested in being more aware and have a better understanding that is based on facts instead of Just anecdotes on what is the reality of the internet censorship in their country? And we believe that historical data is especially important because it gives us an understanding of how these Censorship and surveillance apparatus is evolve over time so I would like to invite you all to run uni probe today if you copy and paste this command line inside of Adebian based the system obviously perhaps you should read what is inside it before running it But But once you do that you will have a uni probe set up and you will be collecting measurements for your country if instead you would like to have an actual hardware device we have a Very limited number of them But if if you're from an interesting country and you're interested in running uni probe We can give you a little Raspberry Pi with an LCD screen that you can take home connect to your network And and adopt an uni probe in in your home network To learn more about this you should come later today in At noisy square at 6 p.m. To learn more about it Just just to finish up here I mean uni uni is a human rights observation project which Arturo and Aaron Gibson also somewhere in the room. I'm sure he won't stand up. So I won't even ask him It's great because we went from a world where there was no open measurement with only secret tools Essentially where people acted like secret agents going into countries to do measurements There wasn't really an understanding of the risks that were involved how the tests functioned where non-technical people could have reasonable Explanations and now we have open measurement tools. We have open data standards We have really like a framework for understanding this as a human right to observe the world around you and then also to share that data and to Actually discuss that data what it means and to be able to set standards for it And hopefully that means that people have informed consent when they engage in something that could be risky like running uni in a place Like it's dangerous like the United States or Cuba or something like China and so Our tarot personally though is the is the heart and soul of uni and it is really important that we see that the tour Community is huge It's really huge. It's made up of a lot of people doing a lot of different things and part of uni is tour We need tour to be able to have a secure communications channel back to another system We need that so that people can log into these uni probes for example over tour hidden services that kind of Fusion of things where we have anonymity But at the same time we have this data set that is in some cases identifying some cases It's not identifying depending on the test We need that anonymous communications channel to do that kind of human rights observation And so just so we can make our tour a little feel a little appreciated I just want to give him another round of applause for making this human rights observation project So I encourage all of you not only to run uni probe in interesting places and in boring places because they might become Interesting but also to help write new tests and work on the design of these things so that we can Detect and notice new problems on the internet more quickly Something else we've been up to over the past year is tour weekly news We were really excited by Linux weekly news and and so on and so every week There's a new blog post and mail that summarizes what's happened over the past week We encourage you to look at all of these a special shout-out to Harmony and Lunar for helping to make this happen Over the past year. Thank you. Yeah Finally, there's a tour list you can be on that you really want to be on Being on list is good. One of the other features. We've been really excited about over the past year EFF has been helping with outreach EFF ran a tour Relay challenge to try to get a lot of people running relays and I think they have Several thousand relays that signed up because of the relay challenge pushing a lot of traffic. So that's really great And at the same time not only did they get a lot of more people running relays But they also did some great advocacy and outreach for getting more exit relays at universities and basically teaching people Why tour is important? We all need to be doing more of that. We'll touch on that a little bit more later So you all I hope remember what was going on in Turkey earlier this year Here's a cool graph of tour use in Turkey when they started to block YouTube and other things then people realized I need to get some tool to get around that censorship But you probably weren't paying attention when a rock filtered Facebook and Suddenly a lot of people in Iraq needed to get some sort of way to get around their censorship So there are a bunch of interesting graphs like this on the tour metrics project Of what's been going on over the past year and we actually if you could go back Yeah, all right one thing that's really interesting about this is across and losing who's I think Not also not going to stand up. Maybe you will are you here? I don't see you Carson. No, okay Well, he does all the metrics this anonymous shadowy metrics figure And if you go to metrics to a project or you'll see open data that is properly anonymized You would expect that from us as well as actual documents that explain the anonymity the counting techniques that explain the privacy Preserving statistics and you can see these graphs you can generate them based on certain parameters If you are interested in seeing for example Geopolitical events and how they tie into the internet this this project is part of what inspired uni This is how we get statistics and interesting things about the tour network itself from tour clients from tour relays from tour bridges And it tells you all sorts of things platform information version number of the software what country someone But not which someone might be connecting from and so on where they're hosted If you are interested looking at this website and finding spikes like this You may in fact be able to find out that there is a censorship event in that country and we haven't noticed it there are a lot of countries in the world if we split it up by country and Sometimes 50,000 tour users fall off the tour network because another American company has sold that country censorship equipment We need help finding these events and then understanding their context If in your country something like that happens Looking at this data can help us not only to advocate for anonymity in such a place But it can help us to also technically realize we need to fix a thing change a thing And it's through this data that we can have a dialogue about those things So if you have no technical ability at all, but you're interested and understand where you come from look at this data set try to understand it and then reach out to us and Hopefully we can learn about it. That's how we learned about this That's how we learned about the previous thing and many years ago We gave a tour talk about how countries and governments and corporations tried to censor tour and of course a Lot has happened since then there's a lot of those things and it's very difficult to keep up with them So we really need the community's help to contextualize to explain and define these things Okay next section of the talk things that excited journalists over the past year that actually turned out to be not so big a deal and We're going to try to blow through a lot of them quickly so that we can get to the stuff that actually was a big deal So I guess in August or something There was going to be a black cat talk about how you can just totally break tour and then the black cat talk got pulled It turns out that it was a group at CMU who were doing some research on tour And I begged them for a long time to get a little bit of information about what attack they had Eventually they sent me a little bit of information And then we were thinking about how to fix it and then Nick Matheson One of the tour developers said why don't I just deploy a detection thing on the real tour network? Just in case somebody is doing this and then it turns out somebody was doing this and then I sent mail to the cert People saying hey, are you like are you like running those hundred relays that are doing this attack on tour users right now? And I never heard back from them after that So that's sort of a there that this is a sad story for a lot of different reasons But I guess the good news is is we identified the relays that we're doing the attack We cut them out of the network and we deployed a defense that will first of all make that particular attack Not work anymore and also detect it when somebody else is trying to do an attack like this this of course is This is a this is a hard lesson for two reasons But the the first reason is that that is awful to do those kinds of attacks on the real tour network And there's a question about responsibility But the second lesson is that when these kinds of things happen and we have the ability to actually understand them We can respond to them it's Really awful that the talk was pulled and it is really awful that these people were not able to give us more Information and it's also really awful that they were apparently carrying out the attack and there are lots of open questions about it But in general, we believe that we've mitigated the attack which is important But we also advocated for that talk to go forward because we think of course the answer to even really frustrating Speech is more speech. So we want to know more about it It somehow is very disturbing that that talk was pulled and they should be able to present their research even if There's a gun our face It's important for our users to know as much as we can so that we can move forward with protecting tour users Okay, so another exciting topic from a couple of months ago Russia apparently put out a call for research work to come up with attacks on tour and It's another attack on tour. Enjoy your water Jake. I hope that was worth it So Russia put out a call for research proposals on attacking tour Somebody mistranslated that phrase from Russian into prize or bounty or contest And then we had all of these articles saying Russia is holding a contest to break tour When actually no they just wanted somebody to work on research on tour attacks So this would be like the US National Science Foundation holds a contest for tour research That's not actually how government funding works mistranslations cause a lot of exciting journalist articles, but As far as I can tell it turned out to be basically nothing. Also, it was basically no money So maybe something will come of this. We'll see something else that's been bothering me a lot lately Crypto wall now called crypto locker. So there are jerks out there who break into your mobile phone of some sort Give you malware viruses something like that They encrypt your files and then they send you basically a ransom note saying we've encrypted your file If you want it back send some Bitcoin over here So this is this is bad so far But then the part that really upsets me is they say and if you don't know how to do this Go to our website tour project org and download the tour browser in order to pay us Fuck them. I do not want people doing this with our software Yeah, fuck them. I mean, I don't really have a lot to contribute to that I mean, it's really a you know hidden services have a really bad rap and it's frustrating, right? There's of course, there's quantitative and qualitative analysis It's that we can have here and the reality the situation is that one global leaks leaking interface is one dot onion for example, what is the value of that versus 10,000 hidden services run by these jerks I mean, it's very hard to understand the social value of these things except to say that we really need Things like hidden services and jackasses like this are really making it hard for us to defend the right to publish anonymously And so if you know who these people are, please ask them to stop I don't even know what though the ask is there But they're really they really should stop or maybe there's some interesting things that you can do I don't know but we really really don't like that This is someone's first introduction to tour is that they think that we are responsible for this We most certainly are not responsible for these things We certainly do not deploy malware and hidden services are actually very important for a lot of people These people are not those people another exciting story a month or two ago was 81 percent of tour users can be Deanonymized and then some more words depending on which article you read So it turns out that one of our friends Sam Budo, who's a professor in India now did some work on Analyzing traffic correlation attacks in the lab He found in the lab that some of his attacks worked sometime Great, and then some journalists found it and said ah, this must be the reason why Tour is insecure today. So he wrote an article it got slash died it got all the other New stories and suddenly everybody knew that tour was broken because 81 percent of tour users So it turns out that Sam Budo himself stood up and said actually no you misunderstood my article But that didn't matter because nobody listened to the author of the paper at that point So I guess there's there's a broader issue that we're struggling with here in terms of how to explain the details of these things Because traffic correlation attacks are a big deal. They probably do work if you If you have enough traffic around the internet and you're looking at the right places You probably can do the attack, but that paper did not do the attack So I keep finding myself saying no no no you're misunderstanding the paper the paper doesn't tell us anything But the attack is real, but the paper doesn't tell us anything and this is really confusing to journalists because it sounds like I'm Disagreeing with myself with these two different sentences. So we need to come up with some way to To be able to explain here are all of the real attacks that are really actually worrisome and it's great that researchers are working on them and they probably are a big deal in some way But know that paper that you're pointing at right now is not the reason why they're a big deal We also saw this in the context of an NSA paper, which was published a couple of days ago. Thanks to some other folks And yes, some other folks some other folks I won't specify exactly which other folks and they similarly had a traffic correlation attack And in the paper it's really a bad one. It's it's the same as a paper that was published in 2003 in the open literature. There was a much better paper published in 2004 in the open literature That apparently these folks didn't read so I don't want to say traffic correlation attacks don't work But all these papers that we're looking at don't show Aren't aren't very good papers. Yeah So one of the solutions to a lot of journalists don't understand technology is that it's actually quite easy to be a journalist by Comparison to being a technologist It it's possible to write about things in a factually correct way Sometimes you don't always reach the right audiences that can actually be difficult. It's Depends so you have to write for different reading comprehension levels for example We try to write for people who understand the internet at least when I write as a journalist And so when I sometimes take off my tour hats I put on my journalistic hat and part of the reason is that in order to even tell you about some of the things that we learn If I don't put on my journalistic hat I get a nice pair of handcuffs so it's very important to have journalistic protection so that we can inform you about these things So for example, it is the case that x-key score rules We published some of them not we tore but me and this set of people at the top of this Byline here in NDR some of you know NDR. It's a very large German publication I also published with their spiegel as a journalist in this case We published x-key score rules where we specifically learned an important lesson and the important lesson was even if you were a journalist Explaining things exactly technically correctly people will still get it wrong. It's just not the journalists that get it wrong It's the readers Very frustrating people decided that because the NSA Definitely has x-key score rules that is rules for surveilling the internet where they're looking at big traffic buffers tempura For example the British surveillance system that is built on x-key score with a probably week-long buffer of all internet traffic That's a big buffer by the way Doing these x-key score rules running the across that traffic set They would find that people were connecting to directory authorities One of those directory authorities is mine actually quite ironically and then Sebastian Hahn and other people in this audience And so people said oh don't use tour because the NSA will be monitoring you That is exactly the wrong takeaway Because there are x-key score rules on the order of tens of thousands from what we can tell So everything you do is going through these giant surveillance systems And what you learn when you monitor someone using tour is that they're using tour potentially in that buffer Which is different than they learned for sure that you were going to the chaos computer clubs website or that you were going to a dating site So it's the difference between they learned some teeny bit of information about you that you're using an anonymity system Versus they learned exactly what you were doing on the internet now if there were only a few x-key score rules at all And it was just that about tour then that conclusion people reach would be correct But it's exactly not true the x-key score system is so powerful that if you have a logo for a company So anyone here that runs a company and you put a logo inside of a document The x-key score system can find that logo in all the documents flowing across the internet in real time and alert someone That someone has sent a doc doc or a PDF with that image inside of it and alert them So that they can intercept it So the lesson is not don't use tour because x-key score may put your metadata into A database in the so-called corporate repositories the lesson is holy shit There's this gigantic buffering system, which has search capabilities that even allow you to search inside of documents Really really advanced capabilities where they can select that traffic and put it somewhere else Use an anonymity system and also look they're targeting anonymity systems even in the United States which At least for the NSA. They're not supposed to be doing those kinds of things. They literally were caught lying here They're doing bulk internet surveillance even in the United States using these kinds of systems That's really scary But the real big lesson to take away from that is actually that they're doing this for all the protocols that they can write fingerprints for And they have generic languages where they can a generic language Where they can actually describe protocols and so we published a number of those we NDR And I would really recommend you read and understand that but the lesson again is not oh no They're going to detect you're using tour. We've never said that tour can for example protect you against someone seeing that you're using it Especially in the long term, but rather the point is Exactly the scariest point this mass internet surveillance is real and it is the case that it is real time and It's a real problem If you're using tour they see that you're using tour if you're not using tour They see exactly where you're going you end up in the list of people who went to this website or this website or used this service or sent This document and the diversity of tour users is part of the safety Where just because they know you're using tour doesn't tell them that much One of the other things I've been wrestling with after looking at a bunch of these documents lately is the whole How do we protect against pervasive surveillance and this is an entire talk on its own? We've been doing some design changes. We've pushed out some changes in tour that protect you more against Pervasive surveillance we've for the technical people out there We've reduced the number of guard relays that you use by default from three to one So there are fewer places on the internet that get to see your tour traffic. That's a good start One of the other lessons we've been realizing the internet is more centralized than we'd like So it's easy to say. Oh, we just need more exit relays and then we'll have more protection against these things But if we put another exit relay in that same data sensor in Frankfurt that they're already watching That's not actually going to give us more safety against these pervasive surveillance adversaries Something else I realized so we used to talk about how tour does these two different things. We've got anonymity We're trying to protect against somebody trying to to learn what you're doing and we've got circumvention Censorship circumvention. We're trying to protect against somebody trying to prevent you from going somewhere But it turns out in the surveillance case They do deep packet inspection to figure out what protocol you're doing to find out what you're up to and in the censorship case They do deep packet inspection to figure out what protocol you're using to decide whether to block it So it's actually these fields are much more related than we had realized before and It took us a while I'm really happy that we have these documents to look at so that we have a better understanding of how This global surveillance and censorship works long ago so in 2007 I ended up doing a talk at the NSA to try to convince them that we were not the bad guys And you can read the notes that they took about my talk at the NSA because they're published in the Washington Post So I encourage you to go read what the NSA thought of my talk to them That same year I ended up going to GCHQ to give a talk to them to try to convince them that we were not the bad people And I thought to myself I don't want to give them anything useful I don't want to talk about anonymity because I know they're going to try to break anonymity So I'm going to give them a talk that has nothing to do with anything that they should care about I'm going to talk about the censorship arms race in China and DPI and stuff like that that they shouldn't care about at all Boy, were we wrong? So the other thing to think about here There are a bunch of different pluggable transports that could come in handy against the surveillance adversary We have so far been thinking of pluggable transports in terms of there's somebody trying to censor your connection They're doing DPI or they're looking for addresses and they're trying to block things One of the things we learned from this past summer's documents Imagine an adversary who builds a list of all the public tour relays and then they build a list of all the IP addresses That connect to those tour relays now They know all the bridges and many of the users and now they build a list of all the IP addresses They connect to those IP addresses and they go a few hops out and now they know all the public relays All the bridges all the users all the other things that are connected to tour And they can keep track of which ones they should log traffic for for the next six months rather than the next week That's a really scary adversary Some of the pluggable transports we've been working on could actually come in handy here So flash proxy is one of the ones you heard about in last year's talk The basic idea for flash proxy is to get users running web browsers to volunteer Running web RTC or something like that to basically be a short-lived bridge Between the censored user and the tour network so the idea is that you get millions of people running browsers and then you can proxy from inside China or Syria or America or wherever the problem is through the browser into the tour network, but from the surveillance perspective Suddenly they end up with an enormous list of millions of people around the world That are basically buffering the tour user from the tour network So if they start with this list of IP addresses and they're trying to build a list of everything now They end up with millions of IP addresses that have nothing to do with tour And they have to realize at the time they're watching that they want to go one more hop out So I don't know if that will work But this is an interesting research area that more people need to look at How can we against an adversary who's trying to build a list of everybody who has anything to do with tour? How can we have tour users not end up on that list? What sort of transports or Tunneling through Google app spot or other tools like that can we use to break that chain? So it's not as easy for them to track down where all the users are Okay silk road to we've had a lot of questions about I think it's called operation on a miss I actually talked to an American law enforcement person who was involved in this and he told me From his perspective exactly how it happened Apparently the silk road to guy wrote his name down somewhere so they brought him in and started asking him questions and As soon as they started asking him questions. He started naming names and they counted up to 16 names And they went and arrested all those people and collected their computers and then they put out a press release saying that they had an amazing tour attack So there are a couple of lessons here One of them is yes. It's another case where OPSEC failed but the other lesson that we learned is these large law enforcement adversaries are happy to use Press spin and lies and whatever else it takes to try to scare people away from having safety on the internet This is a really to me Especially if I take off my tour hats and put on my journalistic hat as if I can actually take off hats and so on but It's really terrifying that journalists don't actually ask hard questions about that. You know the The Europol people that spoke to the press they talked about this as if they had some incredible attack They talked about Odei. They talked about how you know, they had broken tour. You're not safe on the dark web We don't even use the term dark web. That's how you know that they're full of shit, but it's it's That's sort of like when people have torn all caps torn all caps dark web that kind of stuff It's just a bad sign But the way they talked about it It was clear that they as far as we can tell they don't have that But they really hyped it as much as they possibly could I mean it is effectively And I think it is even technically a psychological operation against the civilian population They want to scare you into believing that tour doesn't work because in fact it does work and it is a problem for them So any time they can ever have some kind of win at all They always spin it as if they're great powerful adversaries and it's us versus them and that's exactly wrong It is not us versus them because we all need anonymity We all absolutely need that and they shouldn't be treating us as adversaries They in fact are also tour users quite ironically So it is interesting though because they know that they haven't done that But they don't want you to know that they haven't done that in fact they want you to know the opposite Of course, we could be wrong. They could have some super secret exploit, but as far as we can tell that just is not the case so What's to be learned from this we used to think it was just American law enforcement that were scary jerks Now it's also European. I don't know if that's the right lesson, but Hopefully some of you will go and work at your poll and tell us what's really going on Speaking of hidden services, we have a new design in mind that will have some stronger crypto Properties and make it harder to enumerate hidden services It won't solve some of the big anonymity questions that are still open research questions But there are a lot of improvements we'd like to make to make the crypto more secure and Performance changes and so on and we've been thinking about doing some sort of crowd funding kickstarter like thing to make hidden services work better We've got a funder who cares about understanding hidden services, but that's not the same as actually making them more secure So we'd love to chat with you after this About how to make one of those kick starters actually work, right? So if you have questions, we have a some amount of time for questions And while you line up the microphone and tell you a quick story So if you have questions, please line up at the microphone so we can do this This is a this is a picture of a man who is assassinated in San Francisco. His name is Harvey milk anybody here ever hear of Harvey milk Great Harvey milk was basically the first out gay politician in I think the United States he was a city council member in San Francisco and This was during a huge fever pitch uproar where basically it was the battle between our people who are gay people or not What he said is go home and tell your brothers your mothers your sisters your family members and your co-workers that you're gay Tell them that so that when they advocate for violence against gay people when they advocate for harm against you That they know they're talking about you Not an abstract boogeyman, but someone that they they actually know and that they love We need every person in this room every person watching this video later to go home and talk about how you needed Animity for five or ten minutes how you needed it every day to do your job. We need people to reach out Now there's a sad story with Harvey milk Which is that he in mayor, Moscone of San Francisco were actually killed by a very crazy person that was also in city government And in the traditional American tradition of extreme gun violence He was shot and killed and that person actually got away with it the so-called twinkie defense So we're not trying to draw that parallel Just to be clear. Please don't shoot us and kill us not even funny unfortunately, but To understand that we are really under threat a lot of pressure There's a lot of pressure We get pressure from law enforcement investigation agencies to backdoor tour and we tell them no and that takes a Lot of stress and dumps it on us and we need support from a lot of people to tell them to back off It can't just be us that say that or we will lose someday and There are also very scary adversaries that do not care at all about the law not that those guys care about the law But really don't care about the law at all And we need people to understand how important anonymity is and to make sure that that goes into Every conversation So really go home and teach your friends and your family members about your need for anonymity This lesson from Harvey milk was very useful It is the case that now in California where there was a huge fever pitch battle about this that you can for example Be gay and be a school teacher. That was one of the battles that Harvey milk helped win So with that I think that we have time for Yeah, we have like 10 minutes left for a question. So thank you so much for the talk. It's really inspiring Thank you for keeping up the work Really although you do this every year it never gets old and I thank you every year You give people the chance to leave the Congress with a feeling of hope and purpose So thank you so much for everything you do and every minute you spend on this project So we started with a question from the internet You'd like to take a few questions from the internet all at once if possible so we can try to answer them as quickly as possible All right. So the first one yesterday you said that SSH is broken So what should we use to safely? Administrate our tall relays. Ah, that's great. So first first of all Next set of questions. So the next one is how much money would be needed to get independent from government funding? And is that even desired? Do you want me to do both sure? Okay? Okay first question consider using a tour hidden service and Then SSHing into that tour hidden service composition of cryptographic components is probably very important and Detail about SSH. We don't know what is going on. We only know what was claimed in those documents That's a really scary claim this creates a political problem the US Congress and other Political bodies should really be asking the secret services if they really have a database called caprios where they store SSH Decrypts and how they populate that database because that is critical infrastructure We can't solve that problem with the knowledge that we have right now, but we know now there is a problem What is that problem? So composition of those systems? It seems to be the documents say that they haven't broken the crypto and tour hidden services So put those two together And also consider that cryptography only buys you time It really isn't the case that all the crypto we have today is we're going to be good Maybe in a hundred and fifty years if sci-fi quantum computers ever come out and they actually work Shores algorithm and other things really seem to suggest we have a lot of trouble ahead In the second part about money. Yeah, we would love to replace government funding I mean at least I would but that isn't to say that we don't respect that there are people that do fund us to Do good things we do take money from agencies who for example the Department of Human Rights of labor and labor at the state department They're sort of like the advertising arm for the gun running part of the State Department as Julian Assange would say and they Actually care about human rights. They care that you have access to anonymity It's weird because the State Department the rest of it might not care But we really really would like to offset that money, but we'd like to grow We'd like to be able to hire a hundred people in this room to work on this full time because the planet needs anonymity but that requires that we find that money and The best place at the moment is by writing grant proposals and that is how we have in fact done that and that allows us also to Operate openly so we don't have for example clearances and we try to publish everything we can about it And if you ever write a foyer We always tell the agency that has received the freedom of information or a request give the requester everything Give it all to them. We have nothing to hide about this. We want you to see that We want you to see that when a government agency has paid us money that we have done it for this line item and this line item And we've done it as well as we could do it and it is in line with the open research And we have really done a good thing that helps people So I'd love to diversify our funding. I'd love to have foundations I'd love to have the EFF model where individuals fund Because we do great things look at what we did over the past year And in fact right here look at we what we did over the past year. We've done some amazing things We're gonna do some more amazing things next year. We need your help to actually make all of this happen anybody here at Bitcoin millionaire Because we now take Bitcoin Just a short question is there a follow-up on the Thomas white Made tour talk mailing list thing so Thomas white runs a few exit relays Some of them are quite large. I'm very happy. He does that it is quite normal for exit relays to come and go He is in England and as far as I can tell England isn't it is not a very good place to be these days But he's trying to fix his country from inside, which is really great Basically the short version is it's not a big deal. He runs some exit relays somebody tries to take them down There are 6,000 relays in the network right now. They go up and down. It's normal This is related to the tall blog post the Thomas white thing where you said there's an upcoming It is unrelated Except for the fact that everybody was watching so then when he wrote a tour talk mail saying hey I'm concerned about my exit relays suddenly all the journalists said. Oh my god. They must be the same thing So no unrelated. There are a lot of people that have been attacking the tour network You've probably seen there have been denial of service attacks and things like that on the tour directory authorities This is what I was saying one or two slides ago when I said please tell people the value of tour and that you need it because When people do denial of service attacks when they see servers We really need in a peer-to-peer network way to throw up more relays to actually increase the bandwidth capacity to increase the exit capacity and it's very important to do that right I mean It's very very serious that those things happen But it's also important that the design of the network is designed with the expectation that these will steal computer systems That jerks will denial of service them and so on so if you can run an exit relay Thank you. Thank you for doing that next question First of all a quick shout out to your uni friend, please don't ask people to run arbitrary code over the internet Curl pipe as age is not good style. There's a deb that we're working on also that should be a lot better Yeah, apk get install uni probe will also work Do you have any plans of implementing IP version 6? Finally, so there is IPv so Linus Nordberg one of the Finest tour people I've ever met he in fact helped add IPv6 support Initial IPv6 support support to the tour network So for example, you can in fact exit through the tour network with IPv4 or IPv6 It is the case that the tour relays in the network still all need IPv4 not just IPv6 My tour directory authority which runs in California. It has an IPv4 and an IPv6 address So if you have an IPv6 address, you can bootstrap you can connect to that You could do some interesting pluggable transport stuff as well So that is on the roadmap This is another example of if you really care about that issue Please send us your bitcoins and it would be really fantastic Because we really want that but right now you can use tour as a v4 v6 gateway You really can't do that and we really we would encourage that It's another example of some kind of neat feature of tour Which you would never think an anonymity system would have and in Iran right now where IPv6 is not censored because the soft the Censorship stuff they have from America and Europe didn't think to censor IPv6 Bridge right now in Iran that connects over IPv6 works great. Yeah next question. All right make for four So we heard lots of really encouraging success stories about tour working against a global passive Adversary, but we know that tour wasn't designed for this use case The question is what needs to happen in order for a tour to actually be able to handle this officially Is this just research or some more development work? There's a lot of really hard open research questions there So if you're so again, basically one of the issues is what we call the end-to-end traffic correlation attack So if you can see the flow over here coming into the tour network And you can see the corresponding flow over here coming out of it then you do some simple statistics and you say hey wait a minute these line up and There are a bunch of different directions on how to make that harder Basically what you want to do is drive up the false positive rate So you see a flow here and there are actually a thousand flows that look like they sort of match And maybe you can do that by adding a little bit of padding or delays or batching or something The research as we understand it right now means that you have to add hours of delay not seconds of delay That's kind of crummy. So another way of phrasing that Imagine a graph the x-axis is How much overhead we're adding and the y-axis is how much security we get against the end-to-end correlation attack We have zero data points on that graph We have no idea What the curve looks like there's also another point which is Roger has an assumption He says if we have a high false positive rate that that's a good thing. Well, maybe Maybe actually that's exactly the wrong thing Maybe the result is that a thousand people get rounded up instead of one The reality is that there is no system that as far as we know is actually safer than that Of course, we would say that we work on tour But as an example one of the x-key score things that I've seen in this research Which we published in the NDR story is that they were doing an attack on hotspot shield where they were actually doing traffic Correlation where they were able to de-anonymize VPN users because it was a single hop and then they were also able to do quantum insert to attack specific users using the VPN We haven't seen evidence of them doing that to tour that doesn't all that also doesn't mean that every VPN is broken It just means that VPN has a different threat model There's lots of attacks that are like that and the problem is the internet is a dangerous place So I mean banks he said at best he said in the future people will be anonymous for 15 minutes And I think he may have overestimated that depending on the attacker There's a conference called the privacy enhancing technology symposium pet symposium org Where all of the anonymous communications researchers get together each year to consider exactly these sorts of research questions So it's not just an engineering question. There's a lot of basic science left in terms of how to make these things harder All right, two last questions one from the internet. Okay, so does running a uni probe Involve any legal risks? Okay, so great. We can take different questions because we're gonna say talk to Arturo. All right, so microphone three Okay As a new tour relay operator, I've got yeah So I since about two months I run three relays rather high bandwidth and on two of these I had Well quite strange things happen one case a kernel crash in the inter e 1,000 driver the other one having the top of the rack switch just reboot Which is by the way a unit per switch. So I'm kind of concerned about this operational security You know, could you address that? Yeah, absolutely. So the short version of it is Agencies like the NSA depending on where you're located might compromise something like your juniper switch upstream They sit on zero days for critical infrastructure that includes core routers And switches, but it may not be such a big thing. It really depends on where you're located. It could also be that the hardware sucks and That the software is not good and when you of course are pushing let's say gigabits of traffic through it It falls over. It's really hard to know That's a really good question, which is very specific and kind of hard for us to address without data I'm sorry. I'm concerned that the Like a tag like this, you know, they could actually compromise the machine without knowing or compromise the exact uplink and this would actually be Viable attack like very low-key. You don't see it as an operator Maybe if you're not very careful and you can watch all the traffic going inside going outside the box It would be fantastic if you can prove that theory because of course if you can Maybe we can find other information that allows us to stop those types of things to happen Or for example can in some way allow us to fix the problems that are to be that are being exploited The reality is that general-purpose computers are quite frankly not very secure and special-purpose computers aren't doing much better I worry not only about active attacks like that But about passive attacks where they already have some sort of surveillance device upstream from you in your Co-location facility or something like that. So yes, these are all really big concerns One of the defenses the tour has is diversity around the world So hopefully they won't be able to do that to all of the relays, but yeah, this is a big issue We should keep talking about it All right I just want to come back to the to the second to the question before for a second because there was a question from the Internet so the people are not able to talk unicode guy. Hey, could you unique uni probe? Could you maybe answer the question like right now or maybe on Twitter or post a link or something because I happen to believe That's a very important question. You remember the question if they're a legal risk. Yeah Well, I mean the thing is that we we don't really know Like what are the who was it that was asking the question the internet are the internet, okay? So So I guess we we can't know all of the legal risks involved with in every country It is definitely the case that in some countries you may get in trouble for visiting some websites that are considered illegal So what what I can I can go in more detail into this if you come later to noisy square at six Ah the internet can come shit. Okay, so a Lot of jerks in that The the the short answer is that you should look at the test specifications that are written in English and they Have at the bottom some notes that Detail what can be some of the risks involved, but we we are not lawyers. So we we don't Know what what are the risks for all of the countries? so you should probably speak to somebody that Knows about these things in your country and it's experimental software and You know, there are not many people that are doing this. So we We generally can't can't say Hope that answers your question. Thanks a lot. Yeah, thanks. All right. I guess just a summer to be careful whatever you do all right, so Jake was just asking if maybe we could just gather a couple of questions And then ask about them outside. Did I get that right? So if everyone is at the microphone Disperse to the correct microphone if you could just ask all your questions then everyone else who's here that wants to hear the Answers will know that you should stick around and talk to us afterwards We won't answer all these questions unless there's a really burning one But that way the guys that are standing at the microphone or the gals that are standing at the microphone or other Can actually ask them right now and if you're interested come and find us right afterwards We're going to probably go to the tea house upstairs. So I maybe I shouldn't have said that So we're going to do right like this we're going to rush through this I just got to hear a lot of interesting questions, but no answers if you want to hear the answers Stay tuned and don't switch the channel So we take a couple of questions microphone five and be quick about it regards in regards to robustness and the Mozilla partnership Are there any thoughts about incrementally replacing the C++ infrastructure with rust eventually microphone for Is it open microphone for can you compare? Torah with JAP from to the Dresden in aspects of enormity Okay, the other guy at microphone four To your knowledge has anyone got into trouble for running a non exit relay And do you have any tips for people that want to help by running a non exit relay? Okay, microphone one two guys. I have a question or other Suggestion for for the funding problematic. Have you you're teaming up with Mozilla? Have you ever considered like producing your own smart phones because there's a huge margin? I also think there is a problem like why most people don't use a crypto or cryptographic Cryptography is because it's there's no like easy to use out of the box cool product That's like that goes out that has a story or anything like marketing or Apple. All right the other guy at microphone one So a couple of minutes before the talk started on someone did a civil attack on tour and we should fix that ASIP So, please don't disappear for the next few hours So when they took down so growth they took a lot of Bitcoins with them. I wonder what the government is doing with the large amount of anonymized cash They option it off they sell it next question and I think they should give it to you. All right last question agree so to combat against the misinformed journalist thing why not have a Dashboard very prominently displayed on the tour project at listing all of the academic open like known problems with tour and always have the Journalists go there first to get the source of information rather than misunderstanding academic research Fantastic, so if you found any of these questions interesting and you're also interested in the answers stick around go to noisy squares Speak to these two guys and get all your answers other than that you heard it a brilliant times But go home start a relay my friends and I did two years ago after Jake's keynote is really not that hard You can make a difference and thank you so much for Roger and Jake as every year