On Wed, Aug 22, 2012 at 2:11 AM, Roger Dingledine <a...@mit.edu> wrote:
> I think your numbers may not be right (there are a lot of other subtleties
> to the calculation), but your point is still generally correct.

There are some subtleties, mainly the restriction on distinct families in a circuit — you can account for them in a spreadsheet, or by writing a proper analysis program, but I doubt that it will result in more than a few percent difference (just speculating, maybe it's more). Doing some heuristic search for intercepted nodes selection (a few high-bandwidth Exit-only or Guard-only nodes) will probably push the estimates in the other direction.

> For more details calculating diversity, see
> https://blog.torproject.org/blog/research-problem-measuring-safety-tor-network

This quote: “They only use relays with the Guard flag for their first hop. They read weighting parameters from the consensus and use them to avoid Guard-flagged nodes for positions other than the first hop and avoid Exit-flagged nodes for positions other than the last hop, in proportion to how much capacity is available in each category.” — is this actually true? Are Guard+Exit nodes never used as guard nodes? Or even only used as middle nodes (depending on how one reads the first sentence)? I didn't see something like that in the code.

> Really? Across jurisdictions? And for 'all traffic of those relays'?
> I don't want to downplay the risk too far, but I think you overestimate
> "unsophisticated law enforcement operations".

Ok, maybe I overestimate LE — different countries have different standards. Let's consider extra-legal attacks. You mentioned [1], which looks at intercepting IX traffic. IX links are probably considered a part of vital national infrastructure wherever they are located (similarly to telcoms), so it would be extremely hard for a non-LE adversary to install their (extremely expensive) equipment or software in the relevant facilities. However, consider what would be needed to intercept all traffic from the /28 networks mentioned here, managed by ~20 VPS hosting providers (I don't think I noticed anything residential, but intercepting that would be much easier).
Let's say you have a million dollars to spare. Allocate $50k for each of the hosters, and budget another $50k for some smooth salesperson type who will fly to each hosting facility / office, befriend an infrastructure admin with beer / hookers / coke, and offer him $50k for shadowing traffic from VPSes of interest to your own VPS (which might be possible to do purely in software in most cases, probably). I think it's doable, whether you are just curious and want your own international surveillance operation, or treat it as a data mining investment (there is probably a lot of interesting traffic going through Tor, if you know what to look for). It is also quite cheap for the effect.

[1] http://freehaven.net/anonbib/#murdoch-pet2007

> Well, do you have an alternative design that scales adequately to 6 or
> 7 figures of users, provides roughly-real-time browsing and other TCP
> connections, works on the Internet that we have, and has better traffic
> confirmation resistance?

For one, everyone should contribute as a relay. This also has the potential to improve the users community, and advance hidden service resources as a result. “Internet that we have” is also problematic, because Internet is too hierarchical. I think that EFF should promote large-scale ISP-independent mesh networks, instead of caring so much about the ability of some CIA-funded NGO activists to get on Facebook.

> Or said another way, how well do other usable low-latency anonymity
> systems hold up to ongoing wiretaps at 25 arbitrary network locations? I
> believe the answer is 'mostly less well than Tor'.

Other anonymity systems don't care much about accessing clearnet. I am not even sure whether I2P, for instance, has any active outproxies at the moment, and they do fine, since they provide what the users need — community, ability to religiously tweak the console panel, integrated file sharing, etc.

> It would be interesting to see your stats on an AS level rather than
> a /24 netblock level.

I don't think it would change the top-25 list much, since, for instance, all /28 networks there belong to different /16 classes. Maybe something like Amazon EC2 could creep in, but I doubt that. But it's difficult to say definitely, e.g.:

$ cut -d' ' -f1 nodes | sort -u | wc -l
1595 (IPs)
$ cut -d' ' -f1 nodes | cut -d. -f1-3 | sort -u | wc -l
1461 (/24 networks)
$ cut -d' ' -f1 nodes | cut -d. -f1-2 | sort -u | wc -l
984 (/16 networks)

> I think we still do a pretty good job explaining the risks and limitations
> of using a system like Tor, e.g. in each Tor talk.

I don't think it matters much. Technical people are skeptical to begin with. Non-technical people are irrational (e.g., to judge from experience with activists described on the liberationtech mailing list) — they will keep everything in plaintext and use unencrypted connections even when told explicitly that it's dangerous. From my experience, warnings only work when you show people something that will cause a cognitive dissonance. I.e.: “don't email exams” doesn't work, whereas “here is the exam you wrote for tomorrow, and here is the student who stole it from your mailbox” works well. It seems that Tor is not yet at the point where one can show such examples, although someone with a few million $ to spare or to invest might do just that (see above).

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
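
The distinct-network counts in the message can be taken at any prefix length, including the /28 blocks it mentions, which cut -d. cannot express. The script below is an added example, not part of the original message; the relay list, the function names and the "share of relays in the largest networks" figure are constructed for illustration.

```shell
# Added example: assumes the first space-separated field of each line is
# an IPv4 address, as in the message's `cut -d' ' -f1 nodes` commands.
# sample_nodes: constructed relay list (private addresses, made-up names).
sample_nodes() {
    cat <<'EOF'
10.1.1.1 relayA
10.1.1.17 relayB
10.1.1.18 relayC
10.1.2.200 relayD
10.2.0.5 relayE
10.2.0.6 relayF
172.16.9.9 relayG
EOF
}

# networks FILE BITS: print "COUNT NETWORK/BITS", most-populated first.
networks() {
    awk -v bits="$2" '
        # Mask one octet at a time so every intermediate value stays small.
        function net(addr, bits,    o, i, r) {
            split(addr, o, ".")
            for (i = 1; i <= 4; i++) {
                r = bits - 8 * (i - 1)        # prefix bits left for octet i
                o[i] += 0                     # normalise to a number
                if (r <= 0) o[i] = 0
                else if (r < 8) o[i] -= o[i] % (2 ^ (8 - r))
            }
            return o[1] "." o[2] "." o[3] "." o[4] "/" bits
        }
        NF { count[net($1, bits)]++ }
        END { for (k in count) print count[k], k }' "$1" |
        sort -k1,1nr -k2,2
}

# count_networks FILE BITS: number of distinct /BITS networks.
count_networks() { networks "$1" "$2" | wc -l | tr -d ' '; }

# top_share FILE BITS N: percent of relays inside the N largest networks.
top_share() {
    networks "$1" "$2" | awk -v n="$3" '
        { total += $1; if (NR <= n) top += $1 }
        END { printf "%d\n", (total ? 100 * top / total : 0) }'
}

nodes=$(mktemp) && sample_nodes > "$nodes"
for bits in 32 28 24 16; do
    echo "/$bits: $(count_networks "$nodes" "$bits") networks, largest holds $(top_share "$nodes" "$bits" 1)% of relays"
done
rm -f "$nodes"
```

Grouping by AS, as the quoted reply asks for, would need a prefix-to-AS mapping that the message does not provide; the same counting applies once each address is replaced by its AS number.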