About Tor: Testimonial: Why do I use Tor?
About Tor: Testimonial: Why do I use Tor?
Testimonial: Why do I use Tor?
[Image: The author’s TBB ready to work.]
Publication date: 2022-04-12
Update 2022-04-14: Just a little Dr. Cornell West to round things out.
Update 2022-04-21: An adjustment in the description of GNU/Linux operating systems has been made based on feedback from a member of the Tor community.
Update 2022-07-15: The Transparency appendix has been added.
Review
An index to this article series and its component parts is provided in the introduction to Part 1. Many terms used in this article have been introduced in preceding sections. Please make use of both parts 1 and 2 to inform yourself.
During Part 2 arguments against using Tor were explored, and most were discounted as unworthy. Nonetheless, one major weakness of Tor was identified, the funding attack. To this was added the collection of known attacks against Tor in the "Thirteen Years" paper.
Introduction
It is difficult to know the current status of all aspects of these attacks. One can be confident that more technical attacks against the Tor network are being developed in public and private, and its seems very likely that some variants of the Sybil attacks are still viable.
Finally, it would be remiss for the NSA to not have the ability to attack Tor and deanonymize targets as requested. Their mechanisms to do this need to be carefully guarded.
NSA personnel are very good at what they do. So are other agencies like UK's GCHQ and Russia's equivalent for signals intelligence. Interestingly, this Russian SIGINT agency is nameless, echoing the old colloquial name for the NSA — No Such Agency. It seems the Chinese have been making headway in their capacities too. It is highly likely that they all have their own variants of attacks against Tor, with other agencies like the French, German and whoever else, also capable.
If these intelligence agencies can attack Tor, which is almost certainly more secure than a commercial VPN, and if both of these are more secure than doing nothing (riding bareback), what can be done?
Threat Modeling
A member of the NSA once described one of TorProject’s core team members as "a worthy adversary". This tells us that the NSA are very interested in being able to attack Tor, and rightly so. It is their mission: Signals Intelligence.
Now we meet what is known in Information Security research as "Threat Modeling" or "Threat Analysis".
The core concept is choosing what level of security one wishes, in whatever domain, car driving or using the internet, for example. One needs to decide who or what are one’s biggest threats so that one can decide where safety or security measures need to be applied. Thanks to Ralph Nader, we have seat belts in cars (in the USA). This does not mean that one can ignore other drivers on the road, but does greatly reduce the severity of injuries suffering during an accident. Alcohol greatly reduces reaction times. So, one can quickly form a small collection of effective tactics; don’t consume drugs which impact your driving skills or drive when tired, do watch other drivers and wear a damn seat belt! What of the “internet”?
I see no point in trying to defend myself against the NSA or any of these signals intelligence agencies. I will lose that battle very quickly. Actually, I give up.
I choose a different "battle". My "threat actors" are the commercial surveillance systems which try to collect my on-line behaviour.
Their first goal may be to monetize the collected information via customized advertising or selling it to some other organization. We know that they provide data to government intelligence groups (see the PRISM program reported on by journalists from leaks provided by Edward Snowden).
One way the collected data can be used against me is in a legal case via a method known as parallel construction. As a law abiding citizen, I'm not too concerned about this. Nonetheless, any lawyer will tell you that if you are arrested, provide your name, ask what you are being charged with, and then shut up, except for demanding legal representation. The advice is "don't give them information without legal counsel". I extend this to how I use the internet; Tor reduces information leakage against most observers.
Does the NSA have attacks against Tor? Absolutely. Are they going to share these techniques with Amazon or Google? Definitely not. The commercial organisations don’t have good enough “OpSec” skills to guard the valuable attack techniques.
Here, my "Threat Analysis” lines are drawn.
An Evolving Response
Close to a decade ago in 2013 I was still working in IT and was just beginning to spread my wings in looking at the world from a larger perspective. I was encouraged by many things.
[Video: NSA whistleblower Edward Snowden: 'I don't want to live in a society that does these sort of things', The Guardian, 2013-07-09]
A Brief Aside
Some people like to attack Mr. Snowden as a dupe in a "limited hangout" type operation. I disagree. He has been eloquent and consistent in the principles for which he stands. However, I find Pierre Omidyar's influence on numerous leak collections to repress their full disclosure as a far more penetrating analysis. This is not just the "Snowden archive" via First-Look Media, but also the "Panama Papers" and other large leak collections via the International Committee of Investigative Journalists (ICIJ). As an example of just how bad this gets you have Vladimir Putin depicted on front page graphics when his name is not even mentioned in the Panama Papers. Looking from the other side, somehow no single USA citizen is identified in the entire massive archive of a tax haven only a few hours flight away from the USA.
An Act of Protest
My concerns about privacy actually began much earlier, though I was not aware at the time. It all really begins with the crimes of 9/11 and the response in the passing of the USA PATRIOT Act. An often unobserved and usually silent community protested at a small but very dangerous element of the legislation. Its all about "business records"; an easing of the ability of the USA government to access records of people's behaviour as recorded by organizations with which they interact.
The Act was introduced to the USA House of Representatives by Jim Sensenbrenner (R-WI) on October 23rd 2001, 42 days after the 9/11 crimes, also following the Anthrax Attacks. It took the concerned citizens of this almost never heard from important public service community about a year to convince themselves that they had a duty to perform; to warn the public about what was being done in their name and what that meant for the privacy of their own intellectual pursuits.
It was librarians who were the vanguard of protesting the USA PATRIOT Act. They were protesting Section 215 which allowed for increased records searches, which meant to the librarians that the government could ask to learn what books a citizen had borrowed from a library and have a legal right to receive those records. This is anathema to a librarian.
Having already learned about Tor, and being concerned by the revelations coming from the Snowden material as reported by journalists, the protests by the librarians also came into view.
Just a couple years previously the protests in northern Africa and the Middle East had erupted, the "Arab Spring" as it was called. My younger self was encouraged to provide cover traffic for people working as human rights advocates in difficult circumstances. I also saw internet surveillance as exactly the same thing as a government requisitioning people's borrowing records from libraries.
The Internet is our digital library
My interest in Professor (of constitutional law) Lawrence Lessig led me to learning of another modern visionary, Aaron Schwartz. I was quite shocked to learn of his suicide in January 2013 and the reasons behind it. He leaves us with a collection of impressive innovations.
[Image: Aaron Schwartz, 2009. “There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.” Source.]
I use RSS every day, and publish my work using Creative Commons. Wikileaks were an early adopter of a variant of SecureDrop, a method to securely receive leaks from whistleblowers. Most large media outlets now run a SecureDrop service which itself uses the Tor network. Schwartz was aware of the importance of digital privacy, and deeply concerned by the “locking up” via academic publishers of so much knowledge which could benefit the developing world. In the tragedy of his death, we lost a true visionary.
Having grown a little in the following 10 years from Aaron's suicide and the Snowden revelations, I recognize that when using Tor I am providing cover traffic to government operatives, and the horsemen of the Infopocalypse. I am still a believer in freedom of communication, and am resolutely still on the side of the Librarians.
For me, the use of Tor serves multiple purposes, one in protest, and the others in solidarity.
I do not believe that any government has a right to know what I am reading on-line. Crazy me even takes small steps like the running of a local DNS resolver to reduce the volume of clear text requests to translate the names we use for sites into the numbers which our computers use. The tactic does not limit visibility of what I am visiting with non-Tor browsers, but how frequently my computer wishes to translate the names to numbers. My ISP (Internet “Service” Provider) should thank me for this, as I am reducing the load on their translation services.
If the government needs to know my Internet browsing habits, they should go to a court, provide probable cause evidence, and the court can issue a warrant. This will do them little good, as outlined previously, as the records don't exist in Tor to be requisitioned. Thus, they'll ask the court to be able to surveil (infect) my computing hardware, which is a much higher bar, and is exactly how most people have been publicly "deanonymized" using the Tor network.
To quote a fictional pirate: I am good with it. Expend your resources on me. I am interested in many topics, particularly geopolitics and alternate histories. Maybe the persons tasked with watching my communications may learn a little! I know there are many more interesting targets for law enforcement amongst the four horseman types who use Tor. Actually, they are providing cover traffic for me! It is interesting how things turn.
[Image: a rotation of M.C. Escher’s Mobius Strip II (Red Ants)]
The solidarity issues are of principle. I believe in the principle of unmonitored human interaction. Tor is one way of doing this on-line. I believe in the principle, and understand how Tor works. Its architecture of privacy by design, as opposed to privacy by promise, is my deciding factor. If one really wants unmonitored communication, make a date. Leave all electronics behind and take a walk in a park, or on a beach, or go sailing! Be free as the birds. There is no “secure communication” on the internet, though some methods leak less information than others.
I am a strong believer in Free Software. The Tor developers have embraced this understanding that software needs to be openly published. It needs to be able to be independently reviewed. I place no trust whatsoever in a commercial VPN provider who does not publish their code, and publish reference to the log retention laws which they are required to comply with by the national government in which they are registered.
For these reasons I use Tor, every day, for many things. I've built a little software collection of tools which enable me to easily download pieces of content that I wish to read, view or listen to via Tor. These are not TBB type things. They are customizations of core GNU/Linux tools to use Tor as an anonymity providing transport.
I will be offering this little tool collection to my readership in support of their independence to do what they wish with their computers. This will be a "publication" of the tools. They are already licensed using GPLv3. Actions speak louder than words, and its time for me to "vote with my feet".
This exploration of Tor will serve as a preface to this upcoming publication of my little toolset, for whatever it is worth. I do not expect people to use my tools if they have not first been able to learn about Tor itself, including its history, governance and weaknesses.
Informed, they can decide for themselves.
Seeing the Landscape
If one begins using Tor one begins to see the "Internet" in a new light. Many sites just outright block Tor. Many others use a form of defence against attacks provided by capable network technology companies like Cloudflare. I'm certain that some site attacks have come from the Tor network. The really big attacks come from co-opted, or even leased, botnets (botnet == a network of computers that have been infected with software that allows them to be controlled by a remote actor, or actors, hence “robot” computers).
Why and How are "IT Service" Companies Blocking Tor?
The "how" is simple. Tor provides a method (the Directory Servers, which we meet in the technical annex) for all of its relays to be queried, and one piece of information provided is whether that relay can operate as an exit (final) relay, a point of egress. It is therefore very easy to identity these addresses and block them.
[Image: the USA State Department does not wish for people using Tor to be able to view their publications. This is very interesting, because they actually fund Tor, as we saw in the part 2.]
Even independent media organisations do this:
[Image: the excellent Consortium News site uses “MediaTemple” as a contractor to provide security (firewall) services, and they block Tor.]
Not everyone follows this practice.
The Kremlin's choice is to allow Tor, but to not use encryption (no "https"). This is a different political choice about information control and surveillance.
Because there is no "https" there is neither encryption nor integrity. That is, every network observer can see the full traffic exchange, and you have no confidence that what you receive is what the Kremlin website sent. Any intermediary can both see and modify the traffic sent to the final relay and neither you nor it will have any idea about it. The Kremlin is choosing to be able to deliver different information to different participants, as opposed to blocking some participants. I am not claiming that the Kremlin does this, merely that it is technically trivial.
As for "why" this Tor blocking is being done, for a small site like Tom Dispatch, they are well served by having some network defenses in place. They may not understand what is being done, which is a deligitimization of Tor by commercial operators.
A way around these Cloudflare type defense operations is to customize a Firefox browser, or even Google Chrome, to use Tor, rather than using the superior TBB. This means that the defence against fingerprinting is absent. Your browser is "tested" (fingerprinted) and the network defense organisation learns about (identifies) your browser, though you are allowed to access the site. This is a very poor choice, thus please do not do this. This image is included to highlight what occurs.
If one manually adds the fingerprinting defense by prohibiting JavaScript (via the Firefox add-on NoScript) one is then denied access. Thus, the "network defence" is not a defence, but a fingerprinting attack. (Avoid this by using the Internet Archive.)
A far, far superior strategy is to use the “Wayback machine” provided by The Internet Archive and paste in the URL one wishes for to obtain access to the article/data. As a bonus one can also see different versions of the article/data over time.
[Image: an example of using the Wayback Machine provided by Internet Archive as the superior strategy to avoid the fingerprinting attacks used by network defence organisations like Cloudflare.]
The reality which emerges is that you are in a constant "battle" between one's desire to access information, and a desire to not identify oneself or the "books one has borrowed from the digital library".
The contours of the field become clear.
Youtube
An even more instructive example is Youtube.
A wonderful tool, youtube-dl, has been developed and is maintained. [Add: an even better derivative, yt-dlp, has been developed.] It allows one to download content from Youtube and many other distribution sites such as SoundCloud. It can also be customized to connect to the local Tor proxy (Onion Proxy, or OP, as its known). This allows one to download videos from Youtube over Tor.
Technically, on GNU/Linux, it looks like this:
$ youtube-dl --proxy socks5://127.0.0.1:9150 [URL]
Youtube will provide various technical and non-technical version of NO! If one continues to try, during which new Tor circuits are used, one will eventually succeed. The number of required attempts varies between one and ten or more. Removing the "technical" NO is something that youtube-dl developers work on via probing Youtube's access mechanisms to work around these blocks. Hats off to the youtube-dl developers! [Add: and the folks at yt-dlp.]
Not too long ago, the corporate copyright scumbags behind RIAA tried to get GitHub to ban youtube-dl from using its code repository hosting by using the egregrious DMCA copyright provisions. There was such a backlash from the technical community, that Microsoft, who had recently purchased GitHub, had to back down. Interestingly, this was actually a battle about the morality of a tool, which we deconstructed earlier in the "Refutations" article.
Youtube, or more specifically Google, or maybe even Alphabet Inc., wants to learn everything. It will sometimes play an advertisement as a revenue source. It will offer you a button, a "Skip Add in ..." countdown. It wants to know when you click that button. It wants to know how much of the video you watch. It wants to know if you skip around during the video, or pause it. It wants to know everything.
Youtube-dl dramatically reduces what Youtube/Google/Alphabet get to learn. They only learn which IP address downloaded the video. If one also uses youtube-dl over Tor they only learn that someone using Tor downloaded that video. Playback is local, skipping around is instant so long as the place to be skipped to has already been downloaded, and there are no advertisements either. This is why Alphabet Inc. and its subsidiaries have this constant ongoing battle with youtube-dl; it denies them most of their "useful" information. They, of course, will claim that it denies the content creator the earnings which Google actually receives and then passes a very small fraction of to the creator. This is surveillance capitalism.
The battle between surveillance and information availability is constantly moving. It can be quite instructive to be "close to the front lines" to see how it is playing out. Tor is one mechanism of being there.
This can be very frustrating, especially initially. One needs to "steel" oneself, and understand the struggle within which one is minor participant.
The Politics of Technology
A humility of experience informs me that attempting to impose once's technical understandings on others, via coercion or whatever technique, is counter productive.
People do what they do for good reason or just from habit. They are free to choose their own behaviour, irrespective of how one feels about the utility or wisdom of the choice. Equally, one is free to describe ill-informed decisions as such, though targeting individuals and shaming them is not only unhelpful, but demeans oneself. Engage in respectful, compassionate debate, not ad hominem attacks.
Information Access
To return to "OpSec", if one is using a mobile phone to access on-line content, one has chosen the weakest position, though it is likely convenient. A mobile phone is a surveillance device in and of itself, and on it one can only install software chosen by a conglomerate of corporations, under the control of a gatekeeper. One can learn how to eradicate these software restrictions from the phone. However, this is a challenging technical pursuit, so almost nobody does it. Even then it is still a surveillance device reporting your real-time position to a collection of mobile service transmitter/receiver stations. These records are available to law enforcement via warrants, or signals intelligence via less obvious means. Recall: your real-time position data is recorded and is available; where you are every minute of every day when the mobile phone still has a battery in it.
When one moves to using a computer for information access, one could choose a Microsoft Operating System (OS) or an Apple OS. The former gives on more freedom of software choice, but since Windows 10 the OS is itself a surveillance platform. While Apple do provide some legal protections for USA citizens against their surveillance practices, one's choice of "official" software is again limited. One could learn how to compile software or install it from "third party" repositories. Expect little help from Apple in this pursuit. Apple took on the “it just works” mantra from Microsoft, and maintaining that across a very wide variety of software is difficult and expensive; thus the reduced software availability, a “convenience”.
Another set of choices are available, the GNU/Linux operating systems. They are stable. They provide equivalent software in functionality. They free you from having to make compromising political decisions. They have better upgrade paths than commercial software. Their software choices are wider. Their graphical interfaces are similar to those of commercial competitors which means that learning to use them is easy. There are wide public networks to help you, from on-line communities to local physical support groups. If you engage one of those local support groups, you’ll find out that they actually want to help. They are not an automated answering machine, but are someone just like you. They chose to learn and they received the same help that they are now willing to provide you.
Free Software, to quote Richard Stallman, is:
free as in speech, not as in beer
The StarOffice to LibreOffice Story
The StarOffice collection of software, which mimicked that from Microsoft, was developed by Sun Microsystems. Sun was later purchased by Oracle who thus acquired the software. Oracle so badly mismanaged the political goals of the core software developers that they, using the Free Software license under which the software had been published, just left the organisation and took the software with them. Over time two variants of what was StarOffice emerged, one still under the influence of Oracle, "OpenOffice". The "Free Software" developers called theirs "LibreOffice" to state their political objectives.
Free is a terrible term, one of Stallman’s greatest errors. It means both freedom, and gratis. "Open" is fine, and describes the desire of software developers to embrace a collaborative methodology and to publish their code. "Through many eyes are software errors more quickly identified." This describes a software development methodology rather than a political position. The core objective is better software faster. There is a sense of “freedom” in it, in that the license grants the core freedoms of which Stallman has spoken often. The core objective is “better code”.
The StarOffice core developers chose "Libre", which is to say free as in freedom. Their software is, of course, "open" which embraces the software methodology. But the name using “Libre” declares their political position.
When one chooses between software options, from LibreOffice to OpenOffice to Microsoft Office or many other choices like Google Chrome or Firefox, one is actually making a personal and political choice. While the GNU Public License was Stallman's great innovation (or "hack"), he was generally asking a much more political question:
Do you control the software, or does the software control you?
[Image: Richard Stallman, a wonderful picture (good job, photographer!) used in an attack piece on Stallman published by Wired Magazine.]
This question of software choice has expanded over time, just as Moxie Marlinspike describes in the video provided in the first article of this series. Today, the question is not just of software, but of hardware too. The hardware question involves esoteric things like “Trusted Platform Modules” and is well outside of the current discussion. The topic is both fascinating, if one is interested in these types of things, and important even if one is not.
As an aside, the communications software, Signal produced by the 501c3 non-profit of the same name is another piece of “Libre” software which the author uses every day. With your phone connected to a computer one has the use of a full keyboard and in the same “call” one can speak, text, use video and/or screensharing. Moxie Marlinspike is the creator of Signal.
The Politics of Information Control
One is not free if one cannot see the chains that bind one.
[Quote: Someone must have said this. If not, I’ll claim it.]
This is true of software and hardware. But, these are small fry on the political front.
Information control is much more important; a topic which Caitlin Johnstone and many other commentators have been championing for years. The distinction between controlling technology vs. controlling information is highlighted by the amount of effort placed into suppressing avenues of freedom of expression (censorship or ridicule) or information access (blocking Tor or other technologies).
The ongoing persecution of Julian Assange by the USA and UK is a signature example of information control and the repression of someone who became a very real threat to that information control. There are different elements to this, from the exposure of USA war crimes in Iraq and Afghanistan (annoying, but minor) to collaborating with legacy media to disseminate the information (much more threatening). I maintain that Assange's biggest "crime" was publishing Vault 7, an overview of not CIA surveillance tools, but their attack tools.
The oppressors are happy to expend political capital and ditch their "Enlightenment" rhetoric to achieve their retribution.
Welcome to the present. There is no "4th estate".
Part 4
The technical annex provides a detailed overview of the operation of the Tor network.
Transparency
While employed by a university, I ran a Tor relay. After a year or so, the university’s top network engineer complained that this allowed persons to move, in a network sense, beyond their perimeter defenses. This was a valid concern, and the relay was adjusted to no longer provide the exit node role. It ran for at least 5 more years.
This was my contribution to Tor whilst able to provide it.
Sources
NSA Prism program taps in to user data of Apple, Google and others, Glenn Greenwald, Ewen MacAskill, The Guardian, 2013-06-07
DEA and NSA Team Up to Share Intelligence, Leading to Secret Use of Surveillance in Ordinary Investigations, Hanni Fakhoury, EFF, 2013-08-06
Before and After: What We Learned About the Hemisphere Program After Suing the DEA, Dave Maass, EFF, 2018-12-19
Graeme MacQueen Reveals The Anthrax Deception, James Corbett and Graeme MacQueen, Corbett Report, 2019-05-25 (Video source is here).
Patriot Act, USA Government, the text
Patriot Act, Wikipedia.
Librarians Make Some Noise Over Patriot Act, Rene Sanchez, Washington Post, 2003-04-10
The USA PATRIOT Act, American Library Association, (last updated) 2006-12-30
Long Before Snowden, Librarians Were Anti-Surveillance Heroes, April Glaser, Slate, 2015-06-03
The Internet's Own Boy: The Story of Aaron Swartz, Brian Knappenberger, The Intenet Archive, 2014
Tom Dispatch, a wonderful site publishing generally anti-war articles
youtube-dl, the “publicity” site for the wonderful youtube-dl product
GitHub Reinstates youtube-dl After RIAA’s Abuse of the DMCA, ELLIOT HARMON AND MITCH STOLTZ, EFF, 2020-11-17
GitHub defies RIAA takedown notice, restoring YouTube-dl and starting $1M defense fund, Devin Coldewey, TechCrunch, 2020-11-16
Caitlin Johnstone, her Newsletter
Video Sources
Richard Stallman on FOSS, GNU and Freedom, Richard Stallman, Internet Archive, 2009-10-21
The above title is correct, as published by Internet Archive. It, however, does not describe what is being offered. This is Stallman’s testimonial on why he chose to build GNU, where it comes from, and the political choices he was forced to engage on the journey. The entire presentation is worth your time.
The presentation of a little under 2.5 hours is divided into 10 minute sections. One can scroll down in the video playing section and choose a part of the presentation. The “Archive’s” player will just move between sections automatically. Use the space bar to pause.
Using Tor, or not, to view this, you are likely to meet pauses between sections of the playback. Use a “Download” option on the right. Download the presentation in some archive, do something else, come back and unpack the archive and skip the “time” annoyance by planning and intelligence.
Patience is an old name, and a valuable personal attribute. Efficiency is not yet an old name, though it has some value.
Enjoy.
Dr. Cornel West: Philosophy in Our Time of Imperial Decay, Cornell West at the New School, via CounterPunch, 2022-04-13
Culture
… when inspiration arrives.
If you like what you read here, you can please the author by sharing it.
Do Not Subscribe: This blog does not issue "notifications" via Substack. Use RSS. The URL is the obvious: https://yesxorno.substack.com/feed .
Following @YesXorNo1 on Twitter is the next best alert mechanism.
Copyright and Licensing
This work is copyright to the blog's author with CC BY-SA 4.0 licensing. Have fun, reuse, remix etc. but give credit and place no further restrictions. Lets build culture.