> Does anyone have any comments on this paper? Any reassurance? Frankly, > this is scary.
Yes, it's absolutely scary, and should be obvious. There's only maybe 3200 fingerprints out there. Heck, even the local computer club in a major city could raise enough funds to deploy a handful of early guards, then drop enough cloud nodes [1] on the net to make the odds of compromise quite worthwhile... certainly enough for a DefCon/CCC style executed proof of concept / vulnerability paper. [1] Rent for a day or so > I nominate this paper as a founding reason why Tor should permit users > to increase the number of relay nodes used in each circuit above the > current value of 3... I'd love to have it be arbitrarily selectable from say 0-25 via the control port and config, with a default of 3. People already do that with patches, might as well shit it. And, as in my post about torrent and non-bandwidth resources, a small subset of 'power users' using more than 3 hops wouldn't seem to cause much transactional load to the TorNet. Rather, their choice would likely only hurt their own bandwidth and latency. I'd also nominate the issue, and others, as further reason Tor should ship by default as a non-exit relay... and yes, with a nice info screen and a disable button. There is absolutely no reason not to think the opponent has not already clandestinely and sufficiently flooded the net with the current nodebase. The only workable defense is to deploy the users as countermeasure and hope that however many users there are... 10k, 100k, 250k? etc, as time goes by... will make flooding cost prohibitive. Think of it this way... millions of users willingly and knowingly turn their PC's into Bittorrent piece servers every day. Want proof, check out the stats on thepiratebay.org. They happily risk extensive and conclusive monetary civil suit against them. That's nuts, but they do it anyways. There are currently very few laws [as opposed to contracts [2]] in the world that would prohibit running a non-exit [or even an exit] relay. And any other inquiries would outright fail due to common carrier. Or at most be relegated to contributory or neglect... a much nicer outcome than the suit above. Given the risk is less, it would seem to be well rationalized, justified and proper to therefore ship as a non-exit relay by default. And reap the benefits. I'm NOT advocating use of anon networks for any less than legitimate purposes. Rather, that anon networks aren't just some robust grail for only the people that 'need it'. But that that exact same robust grail should be integrated by users into the whole variety of their daily online activities as desired, and offer back what they use according to their benefit. With other P2P applications, you're either required to be a provider or the protocol works against you if you're not. Which means to play, you have to pay. At least with Tor shipping as NErelay by default, they'd get a nice "we're helping by default and here's why" screen and a button to opt out. I'd announce it as a live enhancement trial to be brought out in the next few releases and see what happens in regards to user acceptance and net capacity. Provided scalability issues are addressed in preparation first. [2] Which are already ignored and broken by provider and subscriber respectively. *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
