One thing I'm curious about Tor: What are the incentives for running a node?
If there are no monetary incentives, then how does it achieves decentralization? Also, what stops a malicious actor with enough resources (a government) from controlling a big portion of the network?
People can do things altruistically - there doesn't always need to be a bitcoin-style monetary incentive. Lots of people run exit nodes because they believe in privacy and freedom of information.
That said, you're absolutely right about large entities being able to control a large number of nodes, which is why a great number of nodes are controlled by governments trying to do so and also prevent foreign adversaries from being able to.
For a few years Oniontip [1] allowed tipping Tor relay operators with Bitcoin. In my opinion that was a quite nice combination of technologies, as it allowed to anonymously tip operators of a service providing anonymity on the internet.
[1]: https://github.com/DonnchaC/oniontip
Bit coin is not anonymous. It is literally a ledger of every transaction ever made. Monero is what you want if you value anonymity.
I mean, bitcoin is a lot more anonymous if you host your own wallet and don't cash out through an exchange (or don't cash out at all) - you're just a number. That's definitely not the modal use case today (where its primary use is as a vehicle for ~~gambling~~financial speculation denominated in dollars), but was a lot more common 10 years ago when that project was created.
Or you just use a crypto currency with anonymity build in.
Sure, but that was probably pretty hard to do ten years ago when this was being developed, because, y'know, Monero didn't exist yet (or had only existed for a few months and had no users)
Also, bitcoin actually was more private back then, because KYC rules were much more lax.
I used to do that. But I've ultimately decided that the prospect of fighting accusations of abuse or crimes committed through my network wasn't that enticing. Proponents will try to downplay the risks by using vague ideological nonsense like "don't worry, an IP doesn't legally represent a person ;)" which, even if true, won't prevent a rather unpleasant ordeal.
Running a relay is likely fairly low-risk and still a good thing for the network, though.
There are no incentives for running a Tor node except altruism and the perhaps nebulous claim that by doing so you will be making the network better.
There is nothing stopping a state actor controlling a large percentage of nodes thus increasing the likelihood that your anonymous communications are nothing of the sort.
But warring state actors competing with each other on that offers me some protection.
Assuming they compete. If I were a state entity with a vested interest to compromise tor, I would cooperate with peers to that end, enemies or not. It is in every state's interest to have protocols in place for conditional cooperation with hostile states. At the agency or team level, these protocols can be quite effective.
After all, the field agents probably meet once or twice a year at some math/CS conference in France anyway.
And this is why governmental privacy is unethical... All should be open to peer review. For the people, and for the world.
I don't see how this would help. Such protocols may not even be written down, but rather implicitly passed from mentors to mentees in security agencies. I am all for government transparency, but no amount of transparency will reveal that a cluster in Utah is in direct link with a cluster in St. Petersburg is in direct link with a cluster in Kiyv to provide unmasking services to their administrators.
These administrators can then launder the information to their respective agencies by means of any number of play-pretend activities you can write up for the transparency committee. The agency doesn't even need to (officially) know.
Aren't there ways to filter out untrusted nodes?
(Edit: I say this, but in reality I also think it's pretty safe to assume most are government controlled)
You can connect through a locally running node, which reduces latency to some degree.
There are no incentives. I'm pretty sure the vast majority does it for altruistic reasons. At least all those I've met. Many run relays with spare resources they pay for anyway. Others rent a cheap VPS to run a relay. $10 gives you a surprisingly large amount of bandwidth if you avoid the cloud like the plague.
Governments have other possibilities. Why should they run a relay if they can force the ISP to mirror the traffic of all relays to them?
Can you expand on that last bit? I don’t understand how this compromises the entire network or any individual user. The ISPs only have layer 3 data in plaintext. We can perform timing/throughput analysis attacks against individuals, but not the entire network. These operations are VERY expensive/difficult.
Not an expert at all but from my understanding a traffic correlation attack doesn't require someone to run the relay he just needs to see what traffic enters and leaves it. So the German BND for example can just go to Hetzner (15% Tor traffic) and ask them to mirror the traffic of all relays to them. They don't have to run any relays themselves.
Alt227 has a point but the Tor network is centered around a handful countries where traffic is cheap and there aren't that many huge IXs and Tier 1 ISPs where much of the traffic flows through.
I'm not saying that this is done but it's IMHO more likely than state actors running thousands of relays.
I think we have the same understanding. I read this as
“a state actor has the physical capabilities/resources to perform an attack that determines Alice was speaking to Bob.”
I totally agree. Im just pointing out that we still have layer 5 encryption to protect the contents of our messages. Also at that point, if you’re so important they would just grab a warrant and raid your home.
Governments dont have authority outside of their borders. They cannot force foreign ISP to give over the same information. Therefore they could only mirror nodes on IP addresses issued to companies in their country.
Governments will just get other governments to let them tap their fiber.
(with the understanding that I'm only speaking for what I found, not for the Tor project or the relay community)
Most of the people I spoke to saw themselves as providing a service - they wanted to help do something to bring a particular kind of future Internet about and found it rewarding to be a part of that. A number of them found the act of running a relay interesting and fun in itself - something they could get better at. Plus, membership of the relay community itself (especially now) is a kind of shared experience of community - and that's attractive to people in itself.
In terms of malicious actors, Tor does a lot to avoid this, from hunting down bad relays actively, monitoring the network as best as it can, continuously developing the algorithms which select routes through the network, and other mechanisms, like forcing relays to operate for a while before they get trusted with a lot of connections.
If there is a mechanism to block , let’s say, CSAM, then the same mechanism can be used to block dissident political speech, no?
AFAIK there is no mechanism for content blocking. The "bad relays" are relays that deanonymize, store, delay, or in any other way hamper user's traffic.
Couldn't running an exit node be a cover for other activity? One that provides a reasonable doubt as to whether it was the operator or some other actor who did something unsavory from an IP address?
I thought there was a classic statement from the Tor developers that you shouldn't do this, but the closest that I found on the site is the part about not running an exit node from home (as it might make law enforcement more interested in seizing your home computer).
This question
https://support.torproject.org/relay-operators/#relay-operat...
also seems to imply that it might be useful to run a node to provide cover for your own traffic (though not an exit node in your home), but that it isn't known for sure how useful that is.
I think the core argument against your suggestion is (1) having your devices more likely to be seized is just plain harmful to you; (2) if you're personally doing something that law enforcement cares about, having your devices more likely to be seized increases you risk that they could discover that by seizing those devices; and (3) there may be traffic analysis techniques that law enforcement could use to distinguish between your own traffic and your exit traffic, like trying to correlate inbound Tor circuit activity with exit traffic, and attributing the traffic to you if it couldn't be matched up with an inbound circuit.
This is a bad idea because the police will break down your door based on IP.
It might be a good idea in a prosecution to raise reasonable doubt. Few people are willing to play punching bag for the police to find out. Also the general technical skill of the average cop and prosecutor is quite low.
It costs my ISP resources but I pay a flat rate. That would have value to me.
if enough customers of the ISP do this, they will no longer charge a flat rate. It's just that some people manage to consume resources that other customers don't atm.
You are workng for the FBI.
Nothing at all stops that, and there's scarce incentive for independent node operators. Indeed, it is commonly surmised that many node operators have a hidden incentive: they're explicitly trying to control enough nodes to deanonymize traffic because they are law enforcement agencies.
I have no significant knowledge of how TOR works, so I might be off the mark here. Perhaps one incentive is that by running your own node, you can utilize it as an entry or exit node for your own activities over TOR. By controlling either the entry or the exit node, you know that a bad actor does not control both of the nodes involved in your own usage. Just a thought. Maybe this strategy is flawed somehow. Please chime in and correct me if you see a flaw in this strategy.
You learn a lot, make friends and enemies, and get privileged access to a node.
It's also a bit like picking up trash when you're out for a walk, it's just a nice and proper thing to do to make society a better place to live in.
By running a node you maintain tor you might use yourself. If tor goes away, you won't be able to use it.