Slashdot Mirror
EFF Promotes Freenet-like System Tor
The submitter continues "It also allows you to install Tor-aware apps, such as an HTTP proxy (for private browsing), or maybe private P2P? Unlike Freenet, it doesn't use massive encryption (as far as I can tell) and relies more on something called onion routing to randomly bounce requests between other Tor proxies, thus obfuscating the IP of the original client. So it allows you to browse regular Internet sites! Maybe it should be considered more of an 'open-source' Anonymizer? But I don't know if it's actually Open Source - you can download the source (and compile it yourself) but I don't know if the developers are letting anyone else touch their code. They are, however, looking for contributors and other forms of help. And, finally, they're hoping people will start running Tor servers!" It's open source, however contributions are handled.
The EFF is a light in a dark wilderness. How amazing that a group of people so talented, experienced, and dedicated to digital liberty can come together and accomplish so much. Episode #74 of This American Life features EFF co-founder John Perry Barlow's touching account of a romance that blossomed between him and a wonderful woman he met at a convention. (Computer geeks take heed... play this story for a girl you fancy and see if it softens her heart.)
You are in error. No-one is screaming. Thank you for your cooperation.
If they really want to sniff you, what is to stop them from sniffing at that unavoidable first hop?
I'm sure this network will be used to share protected speech and not copyrighted binaries.
</sarcasm>
If it's not encrypting and just passing packets around then it sounds like the AT&T research Crowds proxy they were distributing a while ago. (it used to live at this page but I see it's gone now.)
Trolling is a art,
Unlike freenet, which I have tried to use for years and never got it to work properly, this actually works. Five minutes after I installed TOR i'm actually surfing the internet, anonymously, at decent speeds. Unlike freenet, i'm not stuck in a chatroom while someone tells me... Just wait 4-5 days for your node to associate with the network....
TOR is great, go EFF, making me proud to be a member!!!!
Two questions come immediately to mind:
1) Can spam be sent through Tor?
2) Can spammers collect data by running a Tor server of their own?
I checked the site's FAQ but couldn't find answers there.
Besides, getting rid of anonymity would help with the spam crap.
In fact, I don't see anything positive in anonymity.
Well, so much for that. *badaboom*
An imperfect plan executed violently is far superior to a perfect plan. -- George Patton
Seems like a great system, but I just cant understand this statement: "Currently, Tor development is supported by the Electronic Frontier Foundation. Tor was initially designed and developed as part of the U.S. Naval Research Laboratory's Onion Routing program with support from ONR and DARPA."
*Puts on tinfoil-hat* isn't the guys at *.mil making their jobs harder by doing this? anonymous "terrorists" communicating freely without any traces, or do they already have this covered in the system? a honeypot?
The DMCA prohibits circumventing a protection on a copyrighted work. Encryption only qualifies as a "protection device" if the person doing the encryption is the holder of the copyright. You can't "protect" what you do not own.
I don't know if the DMCA contains precisely this language, but it's certainly the way it would be interpretted in court.
I'm more interested in the case of using encryption to protect a computer virus. Since the author of the virus actually is the owner of the copyright on the viral code, then the encryption should qualify as a copyright protection device under the DMCA. Law enforcement officials who decrypt the virus to reverse engineer it would be in violation of the DMCA.
Just a quick FYI, TOR is an onion routing system, meaning that the data is passed between TOR proxies until it reaches it's destination. This means that eventually you still need to fetch the data from a server, which means that the server can still be put under attack or taken down.
FreeNet is much more robust as you inject content and then it is stored in many nodes. Thus, it can't be taken down. Furthemore, in FreeNet different parts of the data are obtained from different sources, preventing more work that could be done with traffic analysis.
To say that TOR is like FreeNet is to seriously discount the features of FreeNet. TOR is a system for running Onion proxies. FreeNet is a completely anonymized hosting and content distribution system.
My Slashdot account is old enough to drink...
... it must be intended primarily for satirical content.
Let me get this straight. As a TOR node, my computer will request information from regular web sites unencrypted. This means that when someone requests e.g. child porn on the network, and my node is chosen to retrieve it, my IP will be the one logged?
You are in for a world of hurt if you run a TOR node. Since you are perfectly aware of all plain HTTP requests your node makes, you are likely to stand trial for contributory copyright infringement, import/export/distribution of child porn, conspiracy to [whatever] and so on. Since I assume by default it doesn't log anything to give you someone to blame it on, they pin it on you.
I would honestly never run a TOR node. If I did, I would firewall it to only allow connections to other TOR nodes, i.e. be a pure leech on the network. Anything else is to expose yourself for a wide range of legal disasters. Freenet had this right. You must not know what you are transmitting. This idea is fundamentally flawed and I'm amazed that the EFF would support it.
And beyond that, from the brief techincal discussion, you have a single point of failure in the directory server. Gather a small botnet, compromise the server and present the botnet as the routing nodes. You control all the keys, you decrypt everything. Or just a simple DDoS attack, so you don't find any nodes to route through. Overall, I'm not impressed.
Kjella
Live today, because you never know what tomorrow brings
Hi there! I'm Chris Palmer from EFF. I am working with the Tor developers, so I know a bit about it. I'll try to clear up some questions and misconceptions people seem to have.
:)
:) Tor works. It is stable, many bugs have been fixed, and the protocol is moderately stable. Tor does not crash randomly or eat all your memory. What's in flux is bigger picture items, such as "How can we reduce our dependency on the central directory server" and "Wouldn't a GUI configuration tool be nifty?"
1. Spam? Well, spammers already have much better tools than Tor. Namely, botnets. The Tor network currently doesn't support the kind of bandwidth usage spammers can chew up. By their willingness to break the law, spammers and criminals already have good tools to hide their network origin. Tor doesn't really help them. Plus, the default Tor exit policy is to block port 25.
2. Free/open source? Yes, three-clause BSD. EFF would not financially support a non-free/open source project!
3. Do you have to trust the nodes? You have to trust the entry node and the exit node. The entry node can be on your own computer, which I highly advise people to do. It's easy to install on all platforms, so that shouldn't be a hurdle. As far as trusting the exit node: Yes, the exit node can see the plaintext of your communications. That is why you should always use end-to-end encryption, anyway! Remember, all normal Internet routers in your route can read your traffic; Tor is actually BETTER because traffic is strongly encrypted (AES, multiple times) while inside the Tor network.
So, you actually have to trust Tor a bit less than regular Internet routes.
Use encryption.
4. Is it like Freenet/Crowds/Anonymizer? Yes, and no. It is like somewhat like those systems in goals, but the design is different. For example, unlike Freenet, Tor helps you talk to the real Internet. Unlike Anonymizer, Tor uses a whole network of proxies, not a single proxy; and the proxies are generic SOCKS proxies, not specifically HTTP.
5. Version number is too low. Is this alpha software? Roger and Nick are very modest.
6. Is there a backdoor? Well, you tell me. The source code is open. Is there a backdoor in other free software you like?
7. Minimum bandwidth requirement? For exit and middleman nodes, yes, you should have a reasonable pipe and a stable machine. "Reasonable" pipe can mean a good DSL connection. Crappy nodes can degrade the network for those poor saps whose circuit goes through one. That is why the directory server operators won't list your server unless it meets basic stability and bandwidth requirements.
I mean, why do you even need something like this? If you don't have anything to hide, there shouldn't be a problem with your internet chats being monitored.
BTW, click here
UTF-8: There and Back Again
As someone who has watched, helped with, and discussed various anonymous networks from Pipenet through Onion routing and Tor I can give you the quick summary for why NRL was interested in anonymous browsing (because when they first came out with the Onion network stuff it really was a surprise.)
.mil or .gov site.
Sometimes, government agencies would prefer it if web queries did not show up in the server's logs as coming from a
Just knowing what someone is reading or researching is a good source of intel, some government agencies see more benefit to this than the downside of potential terrorist uses.*
Jim
* anyway, if you work for a big governement agency you have the resources to treat these sorts of networks like a big black box and link up the endpoints. This is a fatal flaw to _all_ real-time anonymous networks. A big attacker can treat all of the fancy games you play in the middle of network as noise and just link up "message X went into dark network at time T and a message close to the size of message X came out of the network at time T +1, followed by a similarly linkable message going back the other way..."
Somebody quick! Make a FireFox extension that adds a button to the toolbar that says "Switch to TOR mode" or something to that effect.
It would be nice if TOR were easy to turn on and off within a given browser or other http-aware client. I can't see need the for use TOR 100% of the time, especially since there is a performance hit. And it seems like it would be a pain in the ass to have to reconfigure the browser's proxy settings each time you want to use TOR for browsing/downloading.
I'd take a crack at it myself, but I'm no code monkey. I'm a documentation nerd. If anybody wants to develop this, let me know and I'll do the docs and help files.
Transistors and Beer!!
...maybe I'll just dig up the link to what happened with the JAP proxy network, providing pretty much exactly the same service:
Net anonymity service back-doored
Basicly, they were given the choice of backdooring it or shutting it down. Yes, the whole network. They did install a backdoor (still with source), got found out but they didn't exactly have much trust left.
Can someone explain to me why the exact same will not happen to this service? Any reason why TOR servers would have greater legal immunity? I don't see it, at least.
Kjella
Live today, because you never know what tomorrow brings
I don't think this system will be usable for piracy. Have you ever used <hat foil="tin">Freenet</hat>? Because of all the hopping though random nodes, "random" routes and encrypted traffic it's quite slow.
Take the example of the average "anonymous proxy" on the internet. After someone finds the proxy, it usually takes about 5 to 10 hours before the proxie's bandwith is completely saturated making it unusable. Even if Tor is to loadbalance all it's nodes, it's still going to be SLOW with the added encryption etc. Remember kids, using proxies that are close to you isn't anonimity but asking for problems with the law (usually why people want to use anonymous proxies is to avoid problems their employer/government could create).
Lastly, most anonymous networks are unreliable by nature. Freenet is unreliable because it drops "unpopular" keys and their content in favour of popular keys. Anonymous relays (eg mixmasters) are known to drop messages at random.
Tor already provides the means for people to run a tor node as only a router (add the line: reject *:* in your torrc), not an exit node. Hence, your IP will never download kiddie porn or anything like that.
Tor is great. I've been playing with it for a while - the sheer simplicity of setup makes it fantastic, and it's highly amusing to go to whatismyip.com half a dozen times and get different IPs.
Once I get the firewall box I want set up I plan to make one port link directly into Tor, so that anything plugged into that port is shunted 100% into the Tor network. Right now you've sort of got to trust that your program really is punching everything through the SOCKS proxy - not all programs are really reliable about that, plus the program can still see your IP if you're not behind a firewall.
Breaking Into the Industry - A development log about starting a game studio.
It's a method for the transportation of data - it in no way encourages any specific type of traffic. I could mention several straw-men arguments about telephones and vehicles that also could be used for horrible child crimes...
Relative anonymity isn't inherently destructive - nor is the anonymity offered here absolute. Conventional methods of online social investigation will still catch the people you imagine, as there is still a source and destination. With child crimes in particular, the investigation should move offline as soon as possible anyway as soon as suspicions arise.
People who attack and cruelly manipulate children deserve punishment - the rest of the world does not need to close entire realms of technology down for the sake of that punishment. The nerds of the world shouldn't be forced to think about punishing criminals when they make their tools any more than car manufacturers.
Ryan Fenton
...but what exactly is the incentive to actually help the TOR network? Seems to me that you can just leech as much as you want, give nothing. And each byte I download gets multiplied by as many nodes as I route through. Right now, it would appear they have a small userbase and mostly volunteer providers. What would happen if it got exposed to say, the slashdot userbase? Or people in general?
Kjella
Live today, because you never know what tomorrow brings
As a civil libertarian I love the idea, and I would be happy to run a Tor server if I could restrict what filetypes I pass through. I'm not interesting in helping people pass kiddie porn or pirated movies through my server (which I assume would be a primary use of this), so I would want to restrict it to text and html mimetypes. I looked through the FAQ and documentation and didn't see any mention of this.
Any developers here that can comment on if a feature similar to this is planned for a future release?
501 Not Implemented
Fine. Then allow the child pornographers to distribute their "product" - and bust them at other phases of their operation.
Tell me this. How many child pornographers are busted when someone trades illegal pictures? Not illegal picture-traders, the actual people who TAKE the pictures?
By blocking the flow of information, you can only bust the picture-traders. And you get a nice excuse to bust anyone else whom you can reasonably define as a "terrorist" or other undesirable.
Bust the guys taking the pictures, at the source. When you get a kid who's been abused in this way, they can lead you to the picture taker.
The excuse of "needing better tools for law enforcement" is very often used as an excuse to abridge civil rights.
Child pornographers are bad. And should be stopped wherever their found. But I'm not ready to accept that we, as a civilization, can afford to eliminate anonymous speech. When we have better rules (that are enforced) to protect whistleblowers and dissidents, then maybe we can do away with anonymity.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
By this argument, you could never own an apartment, rental house or hotel, because child abuse could be committed on your property.